Data Processing Agreement

Last updated: 24 April 2026

This Data Processing Agreement ("DPA") forms part of the XenoHost Terms of Service between XenoHost ("Processor") and the hotel customer ("Controller") and governs the processing of personal data under Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR").

1. Subject matter & duration

Processor processes personal data on behalf of Controller to provide the XenoHost AI concierge Service. This DPA remains in force for as long as Processor processes personal data for Controller.

2. Nature & purpose of processing

Processor hosts the chat widget, stores guest conversation transcripts, generates AI replies, forwards lead notifications, and provides analytics to Controller.

3. Categories of data subjects & data

Data subjects: guests and prospective guests of Controller.

Categories of personal data: chat messages, language preference, session identifiers, optional contact details (name, email, phone) submitted in lead forms, IP address and user-agent (up to 30 days). Processor does not process special-category personal data.

4. Processor obligations

  • Process personal data only on Controller's documented instructions (including as set out in the Terms and this DPA).
  • Ensure that persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (see Section 7).
  • Assist Controller, where reasonably possible, in responding to data-subject requests.
  • Notify Controller without undue delay (and within 72 hours where feasible) of any confirmed personal data breach.
  • On termination, delete or return all personal data within 30 days, unless EU or Member State law requires storage.
  • Make available information necessary to demonstrate compliance with Article 28 GDPR.

5. Sub-processors

Controller grants Processor general authorisation to engage sub-processors. Current sub-processors:

  • Vercel Inc. — hosting (EU / Global).
  • Supabase Inc. — database & auth (EU region).
  • Anthropic PBC — AI inference (USA). API data is not used to train models.
  • Stripe Payments Europe, Ltd. — billing (Ireland).

Processor will notify Controller by email of any intended addition or replacement of sub-processors at least 30 days in advance. Controller may object on reasonable grounds.

6. International transfers

Where personal data is transferred outside the EEA, Processor relies on the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where applicable, the EU–US Data Privacy Framework.

7. Security measures

  • Encryption in transit (TLS 1.2+) and at rest.
  • Role-based access control; production access limited to authorised engineers using multi-factor authentication.
  • Automated daily backups with 7-day retention; disaster recovery procedures documented.
  • Rate limiting and abuse detection on the chat endpoint.
  • Audit logging of administrative actions.
  • Annual review of vendor security posture.

8. Audits

Controller may, at its own cost and with 30 days' written notice, request an audit of Processor's processing activities, not more than once per 12 months except after a confirmed data breach. Processor may satisfy audit requests by providing an independent third-party audit report if available.

9. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

10. Governing law

This DPA is governed by the laws of the Hellenic Republic. Disputes are subject to the exclusive jurisdiction of the courts of Athens.

11. Signing this DPA

By accepting the XenoHost Terms of Service and using the Service, Controller accepts this DPA. A countersigned PDF is available on request at xenohostinfo@gmail.com.