Last updated: May 2026

Data Processing Agreement

This Data Processing Agreement governs how Guestavo processes personal data on behalf of customers under Article 28 of the GDPR.

To download a copy, use your browser's print function (Cmd/Ctrl + P) and save as PDF. A signature-ready PDF version is available on request — contact us at the email below.

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and Corco Labs d.o.o. ("Processor", operating Guestavo) for the provision of the Guestavo service. It reflects the parties' obligations under Regulation (EU) 2016/679 (the "GDPR") and equivalent applicable data protection laws.

1. Subject Matter and Duration

The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Guestavo service as described in the main agreement (the "Service Agreement"). Processing continues for the duration of the Service Agreement and any agreed post-termination period for data return or deletion.

2. Nature and Purpose of Processing

The Processor processes personal data to deliver the contracted service, which includes:

  • Hosting and storing guest, reservation, and event data
  • Sending transactional and marketing communications on behalf of the Controller
  • Providing analytics, reporting, and dashboards
  • Operating customer support and incident response
  • Maintaining backups, monitoring, and security of the platform

3. Types of Personal Data and Categories of Data Subjects

Types of personal data processed

  • Identification data (name, email, phone number)
  • Reservation and event attendance data
  • Communication history (emails, SMS, messages)
  • Preferences, dietary requirements, and notes recorded by the Controller
  • Account and authentication data of Controller's staff users
  • Technical data (IP address, device, browser) where relevant for security and analytics

Categories of data subjects

  • The Controller's guests, customers, and prospects
  • The Controller's employees, staff, and authorised users
  • Event attendees and contacts uploaded or captured through the platform

4. Obligations and Rights of the Controller

The Controller is responsible for ensuring that:

  • It has a valid legal basis under Article 6 GDPR for all personal data submitted to or generated through the service
  • It has provided required notices and obtained any necessary consents from data subjects
  • Its instructions to the Processor comply with applicable data protection laws
  • It maintains its own records of processing activities as required by Article 30 GDPR
  • It promptly informs the Processor of any changes affecting the lawfulness of processing

The Controller retains all rights and control over the personal data and may issue documented instructions to the Processor regarding its processing.

5. Obligations of the Processor

The Processor undertakes to:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries
  • Ensure that personnel authorised to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR)
  • Assist the Controller in responding to data subject requests, where reasonably possible
  • Assist the Controller in complying with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation)
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR
  • Notify the Controller without undue delay if it believes an instruction infringes applicable data protection law

6. Technical and Organisational Measures

The Processor maintains a security programme that includes, at minimum, the following measures:

  • Encryption of data in transit using TLS
  • Encryption of data at rest for databases and backups
  • Role-based access controls and least-privilege administration
  • Multi-factor authentication for administrative access
  • Regular patching of operating systems, dependencies, and infrastructure
  • Continuous monitoring, logging, and alerting for security events
  • Documented incident response and business continuity procedures
  • Background-checked personnel bound by confidentiality

7. Sub-Processors

The Controller authorises the Processor to engage the sub-processors listed below to provide the service. The Processor remains fully liable to the Controller for the performance of any sub-processor's obligations.

Sub-processor | Purpose | Location
Railway | Application hosting, managed PostgreSQL database, object storage | EU / United States
Resend | Transactional and marketing email delivery | United States
Stripe | Subscription billing and payment processing | Ireland / United States
TODO: confirm full sub-processor list | Add remaining vendors (analytics, error tracking, SMS, etc.) before signing | TBD

The Processor will give the Controller at least 30 days' prior notice of any intended addition or replacement of sub-processors. The Controller may object on reasonable data protection grounds, in which case the parties will work in good faith to find a resolution.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area, the Processor relies on appropriate safeguards under Chapter V of the GDPR, including the European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented by additional technical and organisational measures where required. Sub-processors located outside the EEA are bound by equivalent obligations through the relevant transfer mechanism.

9. Data Subject Rights

Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts the Processor directly, the Processor will forward the request to the Controller without undue delay.

10. Personal Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification will include, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

11. Audit Rights

The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audits will be conducted at the Controller's expense, with reasonable prior notice (at least 30 days, except where required earlier by a supervisory authority), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Processor may satisfy audit obligations by providing current third-party certifications (e.g. SOC 2, ISO 27001) where applicable.

12. Return and Deletion of Data

Upon termination of the Service Agreement, the Processor will, at the Controller's choice, return or delete all personal data processed on behalf of the Controller, and delete existing copies, unless retention is required by applicable law. The Controller may request an export of its data at any time during the term using the service's standard export functionality. Backups containing personal data will be deleted in line with the Processor's documented backup retention schedule, typically within 90 days of termination.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Service Agreement. Nothing in this DPA limits either party's liability where such limitation is not permitted by applicable data protection law, including for fines imposed by a supervisory authority directly on a party for its own breach of the GDPR.

14. Governing Law and Order of Precedence

This DPA is governed by the law specified in the Service Agreement. In the event of a conflict between this DPA and the Service Agreement on data protection matters, this DPA prevails. All other terms of the Service Agreement remain in full force and effect.

15. Contact

For questions about this DPA, to request a counter-signed copy, or to exercise audit or notification rights, please contact us at info@guestavo.com.

Corco Labs d.o.o.
Kolodvorska ulica 4, 9241 Veržej, Slovenia

Signature Block

Processor: Corco Labs d.o.o., Kolodvorska ulica 4, 9241 Veržej, Slovenia — signed by Borut Balažek, Managing Director. Controller: name, signatory, title, and date to be completed on counter-signature. A counter-signed PDF is available on request.