Data Processing Agreement

Version 1.4 · Last updated: 25 May 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the HOSTELELLA Terms and governs personal data processing carried out by HERMANOS VARELA LUIS SL ("HOSTELELLA") on behalf of the Customer when providing the Service.

Processor: HERMANOS VARELA LUIS SL, VAT / Tax ID B67073320, Travessera de les Corts 356, Local 2, 08029 Barcelona, Spain.
Commercial Registry: Commercial Registry of Barcelona, Section 8, Sheet B-509004, entry 4 (I/A 4); background: Volume 46087, Folio 53.
Legal contact: legal@hostelella.com
Controller: the business Customer using or subscribing to HOSTELELLA.

Acceptance of the Terms or HOSTELELLA legal flow constitutes acceptance of this DPA by the Customer when made by a person with sufficient authority to bind the Customer. Users without such authority accept their own user, confidentiality, security and compliance obligations to the maximum extent permitted by law, without replacing the Customer's responsibility as Controller.

2. Roles

For personal data included in Customer documents, records, messages or business information, the Customer acts as Controller and HOSTELELLA acts as Processor. HOSTELELLA acts as an independent Controller for accounts, security, billing, support and Service communications.

3. Subject Matter, Duration and Nature

Subject matter: B2B SaaS platform for operational, document, analytics and team management.
Duration: For as long as the account, agreement or Service use exists, plus retention required by law, this DPA, retention rules or valid Customer instructions.
Nature: Hosting, storage, retrieval, classification, OCR/AI extraction, transformation, transmission, support, backup, security and deletion.
Purpose: To provide, maintain, secure and support the Service under Customer instructions and the Terms. Service improvement does not authorize AI model training with Customer Data unless expressly authorized or specifically contracted.

4. Data Subjects and Data Categories

Data subjects: Customer Users, employees, candidates or collaborators, customers, suppliers, professional contacts, representatives and other third parties included in Customer documents or records.
Data: Identification, professional contact details, roles, employment/operational data, commercial/accounting documents, amounts, taxes, orders, communications, technical metadata, logs and security data.
Special categories: The Service is not designed for Article 9 GDPR special categories. Customer must not upload such data unless it has a lawful basis, necessity and adequate safeguards.

5. Customer Instructions

HOSTELELLA will process personal data only under: (i) the Terms and this DPA, (ii) Customer settings and actions, (iii) reasonable documented instructions, and (iv) applicable legal obligations. HOSTELELLA will inform Customer if it believes an instruction infringes data protection law, unless legally prohibited.

Instructions must be documented in writing or by verifiable means, including Service configuration, support tickets, order forms, contracts or communications from an authorized administrator. HOSTELELLA may reject instructions that are unreasonable, insecure, unlawful, incompatible with the Service architecture or that compromise other customers.

6. Customer Obligations

7. Authorized Personnel and Confidentiality

HOSTELELLA will restrict access to authorized personnel who need access to provide or protect the Service. Such personnel are subject to contractual or statutory confidentiality obligations.

8. Security Measures

HOSTELELLA will apply technical and organizational measures appropriate to the risk, including access control, least privilege, encryption in transit, secrets management, activity logging, monitoring, backups, continuity, logical segregation and incident response. The Security Policy describes the main measures and is incorporated by reference.

Measures may evolve to improve security, compliance or resilience, provided that the level of protection for data processed as processor is not materially reduced.

9. Subprocessors

Customer authorizes HOSTELELLA to use subprocessors to provide the Service, provided they are bound by substantially equivalent data protection obligations and at least the obligations required by Article 28 GDPR. The main list is maintained in the Subprocessors Annex.

HOSTELELLA will notify material subprocessor changes at least thirty (30) days in advance where reasonably possible. For urgent changes required for security, continuity or provider replacement, notice may be given as soon as practicable. Customer may object on documented data protection grounds within ten (10) business days after notice; if the objection prevents provision of the Service, the parties will cooperate to seek a reasonable alternative or terminate the affected Service. HOSTELELLA remains liable to Customer for subprocessors' compliance with their GDPR obligations.

10. International Transfers

Where an international transfer outside the EEA occurs, HOSTELELLA will use a valid mechanism under Articles 44 to 49 GDPR, including adequacy decisions, Standard Contractual Clauses, the EU-US Data Privacy Framework where applicable and supplementary measures where appropriate. For processor-to-subprocessor transfers, the relevant SCC module or other valid mechanism will be used.

11. Assistance to Customer

Taking into account the nature of processing, HOSTELELLA will reasonably assist Customer with:

12. Personal Data Breaches

HOSTELELLA will notify Customer without undue delay after becoming aware of a personal data breach affecting data processed as Processor. HOSTELELLA aims to provide an initial notice within forty-eight (48) hours where reasonably possible. Notice will include reasonably available information and may be supplemented in phases.

13. Deletion and Return

Upon termination, HOSTELELLA will delete or return data processed as Processor according to reasonable Customer instructions, unless retention is required by law, security, audit, fraud prevention or legal claims. Backup deletion follows the technical backup cycle, normally up to ninety (90) days unless legal retention, incident investigation or documented technical limitation applies.

14. Audits

HOSTELELLA will make reasonable information available to demonstrate compliance with this DPA. Direct audits must be requested with reasonable notice, limited to what is necessary, must not compromise security or other customers' confidentiality, and may be subject to reasonable costs. Except in case of a relevant incident or authority requirement, no more than one direct audit may be performed per calendar year.

15. Liability

Liability under this DPA is governed by the liability limits in the Terms, unless applicable law requires otherwise. Customer remains responsible for its instructions, uploaded data and lawful bases as Controller.