Legal

Data Processing Agreement

Standard processor terms under which Digibeds processes personal data on behalf of its customers — GDPR Article 28 and India DPDP aligned.

Effective date: July 19, 2026

Company: Digibeds Technologies Private Limited (“Digibeds”, “we”, “us”), India

1. Application and Roles

This Data Processing Agreement (“DPA”) forms part of the agreement between Digibeds and each customer of the Service. For personal data the customer submits to the platform (guest, booking and operational data), the customer is the controller (or a processor acting for another controller) and Digibeds is the processor. A countersigned copy of this DPA, including the EU Standard Contractual Clauses where required, is available on request.

2. Subject Matter, Duration, Nature and Purpose

Processing covers hosting, storage, transmission, display, backup and related technical operations needed to provide the Digibeds hospitality Service, for the duration of the customer agreement plus the post-expiry export and deletion window. Data subjects: guests, customer staff and contacts. Data categories: identification and contact details, stay and reservation details, billing records and operational notes. No special-category data is required by the Service.

3. Processor Obligations (GDPR Art. 28(3))

  • Process personal data only on the customer’s documented instructions (including regarding international transfers), unless required by law — in which case Digibeds informs the customer unless prohibited;
  • Ensure persons authorised to process the data are bound by confidentiality;
  • Implement the technical and organisational measures described in the Security Policy;
  • Respect the subprocessor conditions in Section 4;
  • Assist the customer, insofar as possible, in responding to data-subject requests and in meeting its obligations regarding security, breach notification and data protection impact assessments;
  • Delete or return all personal data at the end of the services, at the customer’s choice, and delete existing copies unless law requires storage;
  • Make available information necessary to demonstrate compliance and allow for and contribute to audits as set out in Section 6.

4. Subprocessors

  • The customer provides general authorisation for Digibeds to engage subprocessors (hosting, email delivery, support tooling, payment routing) under written contracts imposing equivalent data-protection obligations;
  • A current list of material subprocessors is available on request; customers can subscribe to change notifications;
  • Digibeds gives advance notice of intended additions or replacements, and the customer may object on reasonable data-protection grounds; if no resolution is found, the customer may terminate the affected service.

5. International Transfers

Where personal data protected by the GDPR/UK GDPR is transferred to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2/3, with the UK Addendum where applicable) or other valid mechanisms. Transfers of data governed by India’s DPDP Act follow the transfer rules and any government notifications under that Act.

6. Audits

Digibeds makes available compliance information, summaries of security assessments and completed questionnaires. Where the customer requires an audit, it may be conducted no more than once annually (absent a regulator requirement or a material incident), on reasonable notice, during business hours, without disrupting operations, and subject to confidentiality.

7. Personal Data Breach

Digibeds notifies the customer without undue delay after becoming aware of a personal data breach affecting the customer’s data, and provides information reasonably required for the customer’s own notification obligations, followed by remediation updates.

8. India DPDP Act 2023

As a data processor under the DPDP Act, Digibeds processes personal data only under the customer’s valid contract, maintains reasonable security safeguards, deletes data as instructed or when the purpose is served, and supports the customer’s obligations to data principals and the Data Protection Board of India.

9. Liability and Order of Precedence

Liability under this DPA is subject to the limitations in the customer agreement and the Software as a Service Policy, except where applicable data-protection law does not permit such limitation. In case of conflict regarding personal data, this DPA prevails over other terms.

Contact

Questions about this document: email [email protected] or call 08040265786. This document is part of the Digibeds legal framework — see the Legal Center for all policies.