Staytus

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) is by and between Staytus, Inc. and Customer, and reflects the Parties’ agreement related to Processing of Personal Data.

All capitalized terms not defined herein shall have the meaning set forth in the agreement for services between Staytus, Inc. and Customer pursuant to the Member Terms of Service Agreement (the “Agreement”).

How this DPA Applies

This DPA is subject to the terms of, and fully incorporated and made part of, the Agreement. This DPA is subject to section 17 (Amendments) of the Member Terms of Service Agreement, and shall replace any existing data processing addendum to the Agreement unless otherwise explicitly stated herein. In the event of a conflict between the terms of the Agreement and the DPA, the terms of the DPA shall prevail in relation to the Processing of Personal Data.

DATA PROCESSING TERMS

  1. Definitions

    For the purposes of this DPA, the following terms shall have the following meanings:

    “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

    “Business” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected, and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information.

    “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. This term

    “Data Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.

    “Data Privacy and Protection Law” means any and all applicable law, regulation, directive, or other binding requirements (each as may be implemented, amended, extended, superseded, or re-enacted from time to time) related to data protection, data security, marketing, privacy, or the Processing of Personal Data, including but not limited to Regulation (EU) 2016/679 (“GDPR”), Directive 2002/58/EC, Directive 2009/136/EC and the UK GDPR, together with any local, amending or replacement legislation in any EU Member State or the UK, and the California Consumer Privacy Act (“CCPA”), together with any implementing regulation.

    “Data Subject” means an identified or identifiable natural person.

    “Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed under this DPA.

    “Processing”, “Process” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    “Share”, “Shared”, or “Sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for targeted advertising.

    “Sell,” “selling,” “sale,” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

    “Services” means the service(s) to be performed (if any) by Staytus, Inc. pursuant to the Agreement.

    “Service Provider” means a for-profit sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that Processes Personal Data on behalf of a Business and to which the Business discloses Personal Data for a Business Purpose pursuant to a written contract.

    “Sub-Processor” means any Processor that is engaged by Service Provider as a sub-contractor for the performance of the services or parts of the services on behalf of Company, where such Sub-Processor may Process Company Personal Data.

    “Supervisory Authority” means the relevant supervisory authority having jurisdiction over the Processing of Personal Data under this DPA.

  2. General Provisions Relating to Personal Data Processing
    1. The Parties represent and warrant that each Party will comply with applicable Data Privacy and Protection Laws related to the Services.
    2. Except as otherwise provided in Section 2.3, below, each Party is a Data Controller or Business, as applicable, in relation to the Processing of Personal Data pursuant to the Agreement.
    3. To the extent provided in the Agreement, if Staytus, Inc. Processes Personal Data on behalf of the Customer in connection with the Agreement, then Sections 3, 4, and 5 apply.
  3. Processing Personal Data on Customer’s Behalf

      Applicability and Processing Relationship

    1. This Section 3 only applies if Staytus, Inc. Processes Personal Data on behalf of Customer in connection with the Agreement, and the obligations under this Section 3 shall be limited to only the Personal Data that Staytus, Inc. Processes on Customer’s behalf as a Data Processor or Service Provider, as applicable.
    2. Customer shall be the Data Controller or Business, as applicable, and Staytus, Inc. shall be the Data Processor or Service Provider, as applicable, and, as such, will Process Personal Data only for the purpose of fulfilling its obligations under the Agreement or as otherwise instructed in writing by the Customer and in accordance with all applicable Data Privacy and Protection Laws and the terms of this DPA.
    3. For the avoidance of doubt, Staytus, Inc. only acts as a Data Processor or Service Provider, as applicable, in relation to the Personal Data provided directly from the Customer and on the Customer’s behalf. Staytus, Inc. continues to act as a Data Controller or Business, as applicable, for any Personal Data collected directly from the Data Subject or Consumer, as applicable.

      Processing Limitations

    4. Staytus, Inc. will Process Personal Data only pursuant to Customer instructions.
    5. Staytus, Inc. will not:
      1. Sell or Share Personal Data Processed on behalf of Customer;
      2. Retain, use, or disclose Personal Data Processed on behalf of Customer: (i) for any purpose, including any commercial purpose, other than for the specific purposes of performing the Services provided under the Agreement and this DPA; or (ii) outside of the direct business relationship between Staytus, Inc. and Customer;
      3. Combine Personal Data Processed on behalf of Customer with Personal Data received from another source unless directed to specifically by the Data Subject or Customer.

      Communication with Customer

    6. Staytus, Inc. shall without undue delay, but not later than 3 Business Days, notify the Customer in writing: (a) in the event it reasonably believes an instruction it receives from the Customer does not comply with applicable Data Privacy and Protection Laws; or (b) upon making a determination that it has not met, or can no longer meet, its obligations under this Section 3. In such case, Staytus, Inc. will abide by the Customer’s written instructions, including instructions to cease further Processing of the Personal Data and take any necessary steps to remediate any Processing of such Personal Data not in accordance with this Section 3, without any penalty to Staytus, Inc.
    7. Staytus, Inc. shall without undue delay, but not later than 3 Business Days, notify the Customer in writing if it receives: (a) a request from a Data Subject or Consumer to exercise her/his rights under applicable Data Privacy and Protection Laws related to his/her Personal Data being Processed by Staytus, Inc. on the Customer’s behalf; (b) a complaint or request relating to the Customer’s obligations under applicable Data Privacy and Protection Law; or (c) any other communication relating directly or indirectly to Staytus, Inc.’s Processing of Personal Data hereunder. In such scenarios, Customer, as the Data Controller or Business, as applicable, shall be solely responsible for responding to any Data Subject rights requests or complaints and/or any regulatory or Supervisory Authority inquiries or communications related to Personal Data Processed by Staytus, Inc. on the Customer’s behalf.
    8. Staytus, Inc. shall without undue delay, but not later than 3 Business Days, notify the Customer if it receives a demand from any court, government agency, Supervisory Authority, or law enforcement agency for the Customer’s data, including demands for Personal Data that Staytus, Inc. Processes on the Customer’s behalf, and Staytus, Inc. will direct the court, government agency, Supervisory Authority, or law enforcement agency to request such information directly from the Customer. As part of this effort, Staytus, Inc. may provide the Customer’s basic contact information to the requesting entity. If compelled to disclose the Customer’s data to any court, government agency, Supervisory Authority, or law enforcement agency, Staytus, Inc. will without any undue delay, but not later than 3 Business Days, notify the Customer and deliver a copy of the request (except where Staytus, Inc. is legally prohibited from doing so) to allow sufficient time, not less than seven 5 Business Days, for the Customer to seek a protective order or any other appropriate remedy prior to such disclosure by Staytus, Inc.

      Service Provider Personnel

    9. Staytus, Inc. shall only disclose the minimum Personal Data necessary to its personnel in order to provide the Services.
    10. Staytus, Inc. shall ensure its personnel that are authorized to access the Personal Data have committed themselves to maintaining the confidentiality of such Personal Data, are informed of the confidential nature of the Personal Data, and comply with the obligations set out in the Agreement and this DPA.

      Sub-Processors

    11. Customer acknowledges that Staytus, Inc. has provided a current list of Sub-Processors to which Staytus, Inc. discloses Personal Data or otherwise allows Sub-Processors to access or Process Personal Data, and that Customer has provided approval for such Sub-Processors.
    12. In the event Staytus, Inc. adds or changes a Sub-Processor, Staytus, Inc. will provide notice to Customer. Customer will have 5 Business Days to object to the Sub-Processor; otherwise the Sub-Processor will be deemed approved.
    13. Staytus, Inc. shall: (i) impose by a written agreement the same or greater privacy and security requirements on any such Sub-Processor to which Service Provider is subject under this DPA; and (ii) remain fully liable for any such Sub-Processor’s actions with respect to the Personal Data.

      Data Security

    14. With respect to the Personal Data Processed on behalf of the Customer under the Agreement, Staytus, Inc. has implemented, and will maintain, a written information security program that includes appropriate physical, technical, and organizational measures designed to protect such Personal Data against unauthorized access, use, disclosure, alteration, or destruction and to ensure a level of security appropriate to the risk for the rights and freedoms of natural persons.
    15. Staytus, Inc. shall without undue delay, but not later than 48 hours after becoming aware of a Personal Data Breach, notify Customer in writing if it discovers, is notified of, or reasonably suspects that a Personal Data Breach has occurred or may occur. Staytus, Inc. shall reasonably cooperate in the investigation of any such Personal Data Breach. To the extent that a Personal Data Breach gives rise to a need to provide notification to authorities and/or Data Subjects, Staytus, Inc. shall provide reasonable assistance to the Customer. Staytus, Inc. shall not be liable for other remedial measures, including, without limitation, notice distribution, credit monitoring services, or the establishment of a call center to respond to inquiries. Staytus, Inc. shall document (and shall maintain such documentation available for Customer) Personal Data Breaches subject to the Agreement, including the facts related to the Personal Data Breach, its effects, and the corrective measures taken.

      Audit Rights

    16. The Customer may request, upon ten (10) Business Days’ written notice to Staytus, Inc. (unless a shorter period is required to meet a legal requirement or request by a Supervisory Authority or government authority), that Staytus, Inc. provide the Customer, the Customer’s independent third-party auditor, or a Supervisory Authority as requested by the Customer, records or supporting documentation in order to provide reasonable assurances to Customer of Staytus, Inc.’s compliance with its obligations under or related to Section 3 of this DPA.
    17. Audits shall be subject to all applicable confidentiality obligations agreed to by Staytus, Inc. and Customer unless otherwise required by a Supervisory Authority or other government authority.

      Return and Deletion of Personal Data

    18. When the purpose of Processing Personal Data hereunder no longer applies, unless specified differently in the Agreement or otherwise in writing by Customer, or unless applicable law otherwise requires storage of the Personal Data, the Customer may instruct Staytus, Inc. to delete the Personal Data Processed on behalf of Customer.
    19. Upon termination or expiration of the Agreement, Staytus, Inc. shall destroy all Personal Data Processed on behalf of Customer and shall certify in writing to Customer that it has done so, or, at the Customer’s request, Staytus, Inc. shall return all Personal Data Processed on Customer’s behalf.

      Transfers of Personal Data Outside of the EEA

    20. To the extent that Customer transfers Personal Data to Staytus, Inc. outside of the European Economic Area to a third country that lacks an adequacy decision by the Commission of the European Union, Staytus, Inc. and Customer agree that the provisions in the European Commission Standard Contractual Clauses (“SCCs”), Module 2: Controller to Processor, for the Transfer of Personal Data, along with the Appendix to this DPA, shall apply and are integrated into and form a part of the Agreement. The Customer is the “data exporter” and Staytus, Inc. shall be the “data importer.”
  4. Privacy Contact

    The Parties shall designate a contact person to respond to inquiries concerning Processing of Personal Data and to receive required notices and reasonably cooperate concerning all such inquiries or notices, if so requested. Unless otherwise designated in writing, the Parties’ contact person shall be the contact used to consummate this DPA.

  5. Miscellaneous
    1. Service Provider shall promptly execute supplemental data processing agreement(s), including, but not limited to, SCCs, with the Company or any of its Affiliates or take other appropriate steps to address cross-border transfer and requirements to address situations where applicable Data Privacy and Protection Laws concerning Personal Data have been superseded, invalidated, changed, or amended to the extent legally necessary.
    2. This DPA is governed by the law which governs the Agreement and any dispute between the Parties is to be handled as set out in the Agreement.
    3. Either Party may terminate this DPA as outlined in the Agreement.
    4. Notwithstanding the amendment made herein, the parties confirm that all other terms and conditions of the Agreement remain as stated in the Agreement and are in full force and effect.
Appendix
SCC, Module 2, Annex 1
  A. LIST OF PARTIES

    Data exporter(s): Customer, as set forth in the Agreement

    Customer will provide to Staytus in writing the designated contact person’s name, position and contact details.

    Activities relevant to the data transferred under these Clauses:

    Transfer of guest Personal Data to Processor to facilitate performance of Services under the Agreement

    Role (controller/processor): Controller

    Data importer(s): Staytus, Inc.

    Name: Troy Simoni

    Address: 16192 Coastal Highway, Lewes Delaware 19958-3608, United States of America

    Contact person’s name, position and contact details: 

    Troy Simoni

    Chief Executive Officer

    Office: +1.949.427.0011

    Direct: +1.949.427.0010

    Dubai: +971 55 550 5649

    [email protected]

    Activities relevant to the data transferred under these Clauses:

    Processing of guest Personal Data to provide the Services under the Agreement

    Role (controller/processor): Processor

  B. DESCRIPTION OF TRANSFER

    This Section B sets out the following information regarding the Processing of Personal Data:

    Categories of data subjects whose personal data is transferred

    Customer Guests

    Customer Representatives

    Categories of personal data transferred

    Demographic information, which may include first name, last name, salutation, telephone number, email address, date of birth, passport data, loyalty program status, loyalty program number, and booking-related information such as room number, rate code, package code, check-in date, check-out date, number of adults, and number of children in the booking.

    Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

    N/A

    The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

    Continuous for the lifetime of the Agreement

    Nature of the processing

    The nature of the Processing is limited to providing the Services pursuant to the Agreement.

    Purpose(s) of the data transfer and further processing

    The purpose of the transfer of Personal Data is for Data Importer to provide the Services to Data Exporter in connection with the Agreement.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    The Personal Data will be retained for the lifetime of the Agreement and as required by law thereafter.

    For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

    Transfer to Data Importer’s Sub-Processors is for the purpose of supporting the Services, and the duration of the Processing is continuous for the lifetime of the Agreement. 

  C. COMPETENT SUPERVISORY AUTHORITY

    Europe

    Staytus, Inc. operates worldwide and maintains servers in Germany. For all business within Europe, Staytus, Inc. nominates as its lead supervisory authority the German Federal Commissioner for Data Protection and Freedom of Information (BfDI). The BfDI is the Data Protection Authority for telecommunication service providers and represents Germany in the European Data Protection Board (EDPB). In addition, Germany has 16 data protection authorities, one for each of the 16 States. You can identify the competent authority on the official BfDI site.

    The office of Federal Commissioner for Data Protection and Freedom of Information

    Prof. Ulrich Kelber
    Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
    Graurheindorfer Straße 153
    53117 Bonn
    Tel. +49 228 997799 0; +49 228 81995 0
    Fax +49 228 997799 550; +49 228 81995 550
    [email protected]

    Outside of Europe

    Staytus, Inc. operates worldwide and provides service to Customers located in California, which is currently the US state with the most stringent consumer data privacy laws outside of Europe. California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].)

    Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].) Any breach is to be reported online here.  

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Staytus, Inc. respects the rights and privacy of its customers and guests for which we process personal data in connection with the offering of our products and services.

Staytus has implemented and maintains a comprehensive written information security program (“Information Security Program”) that includes technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect the confidentiality, security, integrity, and availability of Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Personal Data. Staytus has developed this Information Security Program taking into account (1) the state of the art; (2) the costs of implementation; (3) the nature, scope, context and purposes of processing; and (4) the risk of varying likelihood and severity for the rights and freedoms of natural persons.

In particular, the Information Security Program includes the following measures to ensure the protection of Personal Data:

  • Encryption – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access, consistent with industry standards.
  • Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Personal Data or information relating thereto to unauthorized individuals; and (iv) upon termination of an employee or contractor, to revoke the employee’s or contractor’s access to any Personal Data.
  • Asset Management and Audit Controls – appropriate controls to address (i) critical asset identification and asset management, (ii) third-party risk management, (iii) configuration and change management for software systems, and (iv) hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate maintenance, monitoring and analysis of audit logs. 
  • Security Awareness and Training – a security awareness and training program for all members of Staytus’ workforce (including management), which includes training on how to implement and comply with its Information Security Program.
  • Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes. 
  • Assigned Security Responsibility – designated security official responsible for the development, implementation, and maintenance of its Information Security Program. Staytus shall, upon the request of any customer, provide the name and contact details of the person responsible for security.
  • Contingency Planning – policies and procedures for responding to an emergency or other occurrence that damages Personal Data or systems that contain Personal Data, including policies and procedures that are designed to ensure products and services are uninterrupted, a data backup plan and a disaster recovery plan (including regular testing on the effectiveness of such plans).
  • Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.
  • System Configurations – policies and procedures for managing changes to production systems, applications and databases, including without limitation, processes for documenting testing and approval of changes into production, security patching, and authentication. 
  • Secure Development – policies and procedures to ensure that development environments are protected from malicious or accidental development or code updates that may create vulnerabilities or compromise the confidentiality, integrity, and availability of Personal Data. 
  • Testing – processes to regularly test the key controls, systems and procedures of the Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. 
  • Risk Assessment Program – a risk assessment program to help identify foreseeable internal and external risks to the confidentiality, integrity, and availability of Personal Data and to determine if existing controls, policies, and procedures are adequate.
ANNEX III: LIST OF SUB-PROCESSORS

The Controller has authorised the use of the following sub-processors: 

As of the date of publication, Staytus, Inc. does not use any sub-processors for the handling of any data received from Customer.