Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the contract for services between Stellar Tourism Innovations GmbH ("Processor") and its customers ("Controller") and governs the processing of personal data in accordance with Art. 28 GDPR.
1. Parties
Data Processor:
Stellar Tourism Innovations GmbH
Torstrasse 105-107
10119 Berlin, Germany
Email: hello@myxentra.com
Commercial Register: HRB 259754 B (Amtsgericht Charlottenburg)
Data Controller: The customer who has entered into a service agreement with the Processor for the use of Xentra.
2. Subject Matter and Duration
2.1 The Processor processes personal data on behalf of the Controller as part of the provision of the Xentra vacation rental management platform ("Services").
2.2 The duration of this DPA corresponds to the duration of the underlying service agreement. Processing begins upon activation of the Services and ends upon termination of the service agreement and deletion or return of all personal data.
2.3 The subject matter of processing includes the operation of the Xentra SaaS platform, including but not limited to property management, guest communication, booking management, access control, check-in services, and financial reporting.
3. Type and Purpose of Processing
The Processor processes personal data solely for the purpose of providing the Services as described in the service agreement. This includes:
- Storage and management of booking and reservation data
- Guest communication (email, SMS, WhatsApp) via integrated messaging services
- Guest registration and check-in processing, including identity verification
- Synchronization of data with connected Property Management Systems (PMS)
- Generation and transmission of access codes for smart locks
- Financial reporting, invoicing, and accounting
- Compliance with legal guest registration obligations (e.g., police reporting)
- Dynamic pricing optimization
4. Categories of Data Subjects
The following categories of data subjects are affected by the processing:
- Guests of vacation rental properties managed by the Controller
- Employees and staff of the Controller
- Business contacts of the Controller (owners, service providers)
5. Types of Personal Data
The following types of personal data may be processed:
- Name, date of birth, nationality
- Contact details (email, phone number, address)
- Identity document data (passport/ID number, date of issue, issuing authority)
- Booking data (check-in/check-out dates, number of guests, pricing)
- Payment data (processed via Stripe - not stored by the Processor)
- Communication data (messages, timestamps)
- Access logs (smart lock access events, PIN codes)
- Biometric data for identity verification (processed via Stripe Identity)
- IP addresses and usage data (platform analytics)
6. Obligations of the Processor
6.1 The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by applicable EU or Member State law.
6.2 The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS) and at rest
- Role-based access control with the principle of least privilege
- Regular security assessments and vulnerability testing
- Automated backups with encrypted storage
- Logging and monitoring of data access
- Incident response procedures
6.4 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Art. 32-36 GDPR, taking into account the nature of processing and the information available to the Processor.
6.5 At the choice of the Controller, the Processor shall delete or return all personal data after the end of the provision of Services and delete existing copies unless applicable law requires further storage.
6.6 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits and inspections.
7. Sub-processors
7.1 The Controller grants general authorization for the engagement of sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
7.2 The Processor currently engages the following sub-processors:
- Twilio Inc. (San Francisco, USA) - SMS, WhatsApp, and voice messaging
- Stripe Inc. (San Francisco, USA) - Payment processing and identity verification
- Chekin Soluciones Digitales S.L. (Sevilla, Spain) - Guest registration and online check-in
- Smoobu GmbH (Berlin, Germany) - PMS synchronization
- Guesty Inc. (New York, USA) - PMS synchronization
- Hostaway Oy (Helsinki, Finland) - PMS synchronization
- Beds24 GmbH (Fürstenberg, Germany) - PMS synchronization
- Octorate S.r.l. (Rome, Italy) - PMS synchronization
- Lodgify S.L. (Barcelona, Spain) - PMS synchronization
- Hostfully Inc. (San Francisco, USA) - PMS synchronization
- Nuki Home Solutions GmbH (Graz, Austria) - Smart lock access control
- igloohome Pte. Ltd. (Singapore) - Smart lock access control
- SALTO Systems S.L. (Oiartzun, Spain) - Access control
- Ring LLC (Amazon) (Santa Monica, USA) - Intercom access control
- PriceLabs Inc. (Chicago, USA) - Dynamic pricing optimization
- Google LLC (Mountain View, USA) - AI language model processing (Gemini API) for guest messaging, content generation, invoice scanning, and natural language queries
7.3 The Processor shall impose the same data protection obligations on sub-processors as set out in this DPA by way of contract or other legal instrument.
7.4 An up-to-date list of sub-processors and their privacy policies is available in our Privacy Policy (Section 10).
8. Data Transfers to Third Countries
8.1 Where personal data is transferred to countries outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR.
8.2 For transfers to the United States, the Processor relies on the EU-U.S. Data Privacy Framework (DPF) where applicable, or Standard Contractual Clauses (SCCs) adopted by the European Commission.
8.3 Transfers to sub-processors in third countries currently apply to: Twilio Inc., Stripe Inc., Guesty Inc., Hostfully Inc., Ring LLC, PriceLabs Inc., Google LLC (all USA), and igloohome Pte. Ltd. (Singapore).
9. Data Breach Notification
9.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
9.2 The notification shall include:
- A description of the nature of the personal data breach
- The categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach
9.3 The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
10. Data Subject Rights
10.1 The Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).
10.2 If a data subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller.
11. Audit Rights
11.1 The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. Audits may be carried out by the Controller or an independent auditor mandated by the Controller.
11.2 The Processor shall provide reasonable assistance and access to relevant information, premises, and systems during such audits.
11.3 Audits shall be conducted during normal business hours with reasonable prior notice (at least 14 days) and shall not unreasonably interfere with the Processor's operations.
12. Liability
12.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying service agreement.
12.2 The Processor is liable for damages caused by processing that violates the obligations specifically directed to processors under the GDPR or that deviates from the Controller's lawful instructions.
13. Term and Termination
13.1 This DPA shall remain in effect for the duration of the underlying service agreement.
13.2 Upon termination, the Processor shall, at the Controller's election, return or delete all personal data within 30 days, unless retention is required by applicable law.
13.3 The Processor shall provide the Controller with a written confirmation of deletion upon request.
14. Final Provisions
14.1 This DPA is governed by the laws of the Federal Republic of Germany.
14.2 The place of jurisdiction is Berlin, Germany.
14.3 If any provision of this DPA is found to be invalid, the remaining provisions shall remain in full force and effect.
14.4 This DPA may be updated from time to time to reflect changes in applicable data protection legislation or our processing activities. We will notify active Controllers of material changes.
Need a signed copy?
If you require an individually signed Data Processing Agreement for your records, please contact us at hello@myxentra.com. We will provide a countersigned copy within 5 business days.