Last updated · 11 May 2026
Data Processing Agreement
This Data Processing Agreement (the “DPA”) forms part of the agreement between Portes Melathron SA (“Polynoos”, the “Processor”) and the customer entity identified on the Order Form (the “Customer”, the “Controller”) under which Polynoos provides the Platform.
It governs the processing of Personal Data by Polynoos on behalf of the Customer in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and applicable Greek law. By executing the Order Form, the parties agree this DPA applies automatically.
01. Definitions
Terms used here have the meaning given in GDPR Art. 4. In particular:
- Controller — the Customer, who determines the purposes and means of processing Personal Data via the Platform.
- Processor — Polynoos, who processes Personal Data on the Controller’s behalf.
- Personal Data — information relating to identified or identifiable natural persons that the Controller processes through the Platform.
- Data Subject — the natural person to whom Personal Data relates (typically a guest, employee, or partner of the Controller).
- Sub-processor — a third party engaged by Polynoos to process Personal Data on the Controller’s behalf.
- Personal Data Breach — a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
02. Subject matter and duration
The subject matter of the processing is the operation of the Polynoos hospitality platform for the Controller. The processing continues for the duration of the Order Form and ceases on termination, subject to the return / deletion obligations in Section 10.
The nature, purpose, categories of data, and categories of data subjects are set out in Annex I.
03. Processor obligations
Polynoos will:
- Process Personal Data only on the Controller’s documented instructions, including with regard to international transfers, unless required to do so by EU or Member-State law (in which case Polynoos will inform the Controller before processing, unless prohibited)
- Ensure persons authorised to process Personal Data are under appropriate confidentiality obligations
- Implement the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk
- Assist the Controller in fulfilling Data Subject requests under GDPR Chapter III
- Assist the Controller in complying with security, breach-notification, DPIA, and prior-consultation obligations (Arts. 32–36)
- At the Controller’s choice, return or delete Personal Data after the end of the services (see Section 10)
- Make available to the Controller information necessary to demonstrate compliance and allow audits as set out in Section 11
04. Sub-processors
The Controller grants Polynoos general written authorisation to engage sub-processors. The current list is published at polynoos.com/sub-processors.
Polynoos will inform the Controller of additions or replacements at least 30 days before the change takes effect, giving the Controller the opportunity to object on reasonable data-protection grounds. If an objection cannot be resolved, the Controller may terminate the affected services with pro-rated refund for prepaid fees.
Polynoos imposes data-protection obligations on each sub-processor that are no less protective than this DPA.
05. International transfers
Where Personal Data is transferred outside the European Economic Area, Polynoos relies on the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), adequacy decisions, or other lawful transfer mechanisms under GDPR Chapter V, supplemented as necessary by additional safeguards identified in a transfer-impact assessment.
06. Data subject requests
Polynoos will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures (including self-service tooling within the Platform where available) to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection.
Where a Data Subject contacts Polynoos directly, Polynoos will, without undue delay, forward the request to the Controller and (unless legally required) will not respond substantively to the Data Subject.
07. Personal data breach notification
Polynoos will notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data, and provide:
- The nature of the breach, including categories and approximate number of Data Subjects and records affected
- The name and contact of Polynoos’s privacy contact
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
The Controller is responsible for notifying the relevant supervisory authority and affected Data Subjects where required under GDPR Arts. 33 and 34.
08. Security measures
Polynoos implements the technical and organisational measures set out in Annex II. Polynoos may update the measures from time to time, provided the level of protection is not materially reduced.
09. Confidentiality
Polynoos will treat all Personal Data as confidential. Persons authorised to access Personal Data must be subject to a binding confidentiality obligation and trained in data-protection practices proportionate to their role.
10. Return / deletion at termination
Within 30 days of termination of the Order Form, Polynoos will, at the Controller’s written choice:
- Return all Personal Data to the Controller in a structured, commonly used and machine-readable format; or
- Delete all Personal Data, unless EU or Member-State law requires retention
In the latter case, Polynoos will inform the Controller of the applicable retention obligation and continue to protect the retained Personal Data in accordance with this DPA.
11. Audit
Polynoos will make available all information necessary to demonstrate compliance with this DPA and GDPR Art. 28, and will allow for and contribute to audits conducted by the Controller or a mandated independent auditor:
- Subject to reasonable advance notice (at least 30 days, except in case of a confirmed breach)
- At the Controller’s cost (unless the audit reveals material non-compliance, in which case Polynoos bears reasonable costs)
- Conducted under confidentiality and in a manner that does not unreasonably disrupt operations or compromise other customers’ data
Polynoos may satisfy the audit obligation by providing third-party attestations (e.g. SOC 2, ISO 27001) where available.
12. Liability
The liability provisions of the Order Form / Terms of Service apply to this DPA. Each party’s liability for breach of this DPA is subject to the limitations and exclusions set out there, except where prohibited by applicable law.
13. Governing law
This DPA is governed by the laws of Greece, with exclusive jurisdiction in the courts of Athens, consistent with the Order Form / Terms of Service.
14. Annex I — Description of processing
Categories of Data Subjects
- The Controller’s guests (current, prospective, and former)
- The Controller’s employees and contractors authorised to use the Platform
- The Controller’s business partners (vendors, suppliers, intermediaries)
Categories of Personal Data
- Identification data (name, contact, ID document where collected)
- Reservation and stay data (dates, room types, preferences, notes)
- Communication content and metadata (email, SMS, WhatsApp, voice, push)
- Transaction and billing data
- Operational records (housekeeping, maintenance, transfers, appointments, reputation feedback)
- Account credentials (hashed) and audit logs for authorised Users
Special categories of Personal Data
Special categories under GDPR Art. 9 (e.g. health, dietary requirements that imply religious belief) may be processed only where the Controller has a lawful basis under Art. 9(2) and has documented it accordingly. The Controller is responsible for ensuring such basis exists before inputting such data into the Platform.
Nature and purpose of processing
Provision of the Polynoos platform: hosting, transmission, storage, retrieval, analysis (operational, not behavioural profiling of Data Subjects), and routing of Personal Data through the Platform’s modules and into authorised third-party integrations chosen by the Controller.
Duration of processing
For the duration of the Order Form and as required for the return / deletion obligations in Section 10.
15. Annex II — Technical and organisational measures
Polynoos implements the following measures (non-exhaustive):
Pseudonymisation and encryption
- TLS 1.2+ for all data in transit
- AES-256 (or equivalent) encryption at rest for managed databases and object storage
- Encrypted backups with key rotation
Confidentiality, integrity, availability, resilience
- Role-based access control with least-privilege defaults
- Multi-factor authentication for administrative access
- Audit logging of administrative and high-privilege actions
- Network segmentation and Web Application Firewall protection at the edge
- DDoS protection via cloud provider
- Regular vulnerability scanning and dependency monitoring
Availability and restoration
- Daily automated backups with documented restore procedures
- Multi-zone hosting with cloud-provider managed failover
- Documented Business Continuity and Disaster Recovery plans, tested at least annually
Regular testing, assessment, evaluation
- Annual third-party penetration testing of the Platform
- Internal quarterly security reviews
- Continuous logging review for anomalous activity
Personnel
- Background checks where lawful and proportionate
- Security and data-protection training on hire and annually
- Confidentiality obligations binding all personnel
The current detailed measures are described at polynoos.com/security.
16. Annex III — Sub-processors
The current list of sub-processors is published at polynoos.com/sub-processors and incorporated into this DPA by reference. The Controller is deemed to be on notice of changes when they are published on that page (with email or in-app notification for material additions, as set out in Section 4).
17. Contact
- Privacy / DPA enquiries: privacy@polynoos.com
- Postal: Portes Melathron SA, Nea Moudania, Halkidiki, Greece, 63200