Data Processing Addendum
Effective date: [EFFECTIVE_DATE]
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between [LEGAL_ENTITY_NAME] (“Staying API”, “we”, “us”) and the customer (“Customer”, “you”). It applies to the extent we process Personal Data on your behalf in the course of providing the Service, and reflects the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws. Capitalized terms not defined here have the meaning given in the Agreement or in applicable data protection law.
1. Roles of the parties
For Personal Data you submit to or generate through the Service as part of your own application (“Customer Personal Data”), you act as the Controller and we act as the Processor, processing only on your documented instructions (which include the Agreement and your configured use of the Service). For Personal Data we collect to operate our business — such as your account and billing data — we act as an independent Controller, as described in our Privacy Policy.
2. Scope and instructions
We will process Customer Personal Data only to provide and support the Service, as instructed by you through the Agreement, and as required by applicable law. If we believe an instruction violates data protection law, we will inform you. The subject matter, duration, nature, and purpose of processing, and the categories of data subjects and Personal Data, are described in Annex A.
3. Confidentiality
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access data only as needed to deliver the Service.
4. Security measures
We implement appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art and the risks of processing. These include, at a minimum: encryption of data in transit (TLS); access controls and least-privilege scoped credentials; network and infrastructure hardening; logging and monitoring; and regular review of our security practices. A summary of current measures is set out in Annex C.
5. Sub-processors
You provide general authorization for us to engage sub-processors to deliver the Service. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible to you for each sub-processor's performance of those obligations. Our current sub-processors are listed in Annex B. We will notify you of any intended addition or replacement of a sub-processor at least [SUBPROCESSOR_NOTICE_PERIOD] in advance via [SUBPROCESSOR_NOTICE_CHANNEL, e.g. email to the account owner], and you may object on reasonable data protection grounds within that period.
6. Data subject requests
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If we receive a request directed at Customer Personal Data, we will, unless legally prohibited, refer the data subject to you.
7. Personal data breach
We will notify you without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and provide information reasonably available to us to help you meet your own notification obligations.
8. International transfers
Where our processing of Customer Personal Data involves a transfer out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties agree that the European Commission’s Standard Contractual Clauses (SCCs) are incorporated by reference and apply to that transfer: Module Two (Controller-to-Processor) where you act as Controller, and Module Three (Processor-to-Processor) where you act as a Processor on behalf of your own customers. For transfers subject to UK law, the UK International Data Transfer Addendum to the SCCs applies. For transfers subject to Swiss law, the SCCs apply with the adaptations recognized by the Swiss Federal Data Protection and Information Commissioner. The operative clause selections and the parties’ details are set out in Annex D.
9. Audit
We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality, frequency, scope, and notice limits set out in [AUDIT_TERMS].
10. Deletion and return
Upon termination of the Service, we will delete or return Customer Personal Data in accordance with the Agreement and this DPA, and delete existing copies unless retention is required by law. Our standard retention windows are described in our Privacy Policy.
11. Liability and precedence
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In the event of a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA controls.
Annex A — Details of processing
- Subject matter: provision of the Staying API REST and MCP Service.
- Duration: the term of the Agreement plus applicable retention periods.
- Nature and purpose: [DESCRIBE — e.g. transmitting, storing, and logging API requests so the Customer can retrieve stay data within its application].
- Categories of data subjects: [e.g. Customer’s end users / authenticated developers].
- Categories of Personal Data: [e.g. account identifiers, API request metadata]. Do not include special-category data unless agreed in writing.
Annex B — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| [AUTH_PROVIDER] | Authentication / account database | [REGION] |
| [PAYMENT_PROCESSOR] | Billing and payments | [REGION] |
| [HOSTING_PROVIDER] | Application / edge hosting | [REGION] |
| [EMAIL_PROVIDER] | Transactional and support email | [REGION] |
| [ANALYTICS_PROVIDER, if used] | Aggregate site analytics | [REGION] |
Annex C — Security measures
[SUMMARIZE technical and organizational measures: encryption in transit, access control and least privilege, secrets management, logging and monitoring, backup and recovery, vulnerability management, personnel confidentiality.]
Annex D — Transfer mechanism details
[SPECIFY: SCC modules in effect, the parties as data exporter/importer, the optional docking clause, the governing-law and forum selections within the SCCs, and the completed UK Addendum tables where applicable.]
StayingAPI is not affiliated with, endorsed by, or sponsored by Airbnb, Inc. Airbnb is a registered trademark of Airbnb, Inc.