Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Webonweb B.V. (trading as TwikPMS) and you (the "Client" or "Controller") and governs the processing of Personal Data in accordance with the General Data Protection Regulation (GDPR).

1. Controller and Processor Relationship

This DPA establishes the roles and responsibilities for the processing of Personal Data under the TwikPMS service agreement. The parties acknowledge and agree to the following relationship:

  • Data Controller - The Client (you, the hotel or property) acts as the Data Controller, determining the purposes and means of processing Personal Data of your guests and employees.
  • Data Processor - TwikPMS (Webonweb B.V.) acts as the Data Processor, processing Personal Data solely on behalf of and according to the documented instructions of the Controller.

As your Data Processor, we commit to processing Personal Data only as instructed by you and in compliance with GDPR Article 28. We will not process Personal Data for any purpose other than those specified in our service agreement and your documented instructions.

If we believe any instruction violates the GDPR or other applicable data protection laws, we will immediately inform you and may suspend the processing activity until the instruction is confirmed or modified.

2. Data Flow Models

TwikPMS supports two distinct cooperation models that determine how payment and booking data flows between parties. Understanding your model is essential for proper data protection compliance.

Agency Model

Under the Agency Model, the Partner (hotel/property) is the merchant of record for all guest transactions. In this arrangement:

  • The Partner controls all guest payment data and payment processing relationships
  • TwikPMS processes booking and guest data solely as instructed by the Partner
  • The Partner bears full responsibility for the accuracy of guest data entered into the system
  • The Partner is responsible for obtaining all necessary consents and legal bases for data processing

Reseller Model

Under the Reseller Model, TwikPMS acts as the seller of record to the guest for certain transactions. In this arrangement:

  • TwikPMS collects payment from guests on behalf of the Partner
  • Both parties may have Data Controller responsibilities for transaction-related data
  • The Partner remains the Data Controller for guest stay information and preferences
  • TwikPMS acts as Data Controller for payment transaction records as required by financial regulations
  • Clear delineation of Controller duties is established in the service agreement

Regardless of the model, both parties commit to cooperating fully to ensure GDPR compliance and to respond promptly to data subject requests.

3. Scope of Processing

This section defines the scope of Personal Data processing activities that TwikPMS undertakes on behalf of the Controller.

  • Subject Matter - Processing of guest and employee data necessary for hotel management operations, including reservations, check-in/check-out procedures, payment processing, and service delivery.
  • Duration - Processing occurs for the term of the service agreement and continues during applicable retention periods as specified by law or the Controller's instructions.
  • Nature and Purpose - To provide comprehensive hotel management software services, including property management, booking management, guest communication, payment processing, reporting, and analytics.
  • Types of Personal Data - Guest names, contact information (email, phone, address), payment details, identification documents, booking history, preferences, special requests, dietary requirements, accessibility needs, biometric data (for identity verification), and employee training records.
  • Categories of Data Subjects - Hotel guests, prospective guests, partner employees, and partner contacts.

4. Processing Special Categories of Data (Article 9)

The Controller explicitly instructs TwikPMS to process Special Categories of Personal Data as defined under Article 9 of the GDPR. This processing is essential for delivering hospitality services and ensuring guest comfort and safety.

TwikPMS is authorized to process the following Special Categories of Data on behalf of the Controller:

  • Identity Documents - Photographs of passports, driver's licenses, and other government-issued identification documents for identity verification during check-in. Where required by national law, this processing falls under legal obligation (Article 9(2)(b)).
  • Biometric Data - Selfie images and facial recognition data for identity verification purposes, processed based on the Data Subject's explicit consent (Article 9(2)(a)).
  • Health Data - Information concerning disabilities, mobility requirements, and other accessibility needs to ensure appropriate accommodations, processed based on explicit consent (Article 9(2)(a)).
  • Dietary Preferences - Information about food allergies, dietary restrictions, and preferences that may reveal religious beliefs or philosophical convictions, processed based on explicit consent (Article 9(2)(a)).

The Controller warrants that it has obtained all necessary legal bases (including explicit consent where required) for the processing of Special Categories of Data before providing such data to TwikPMS. The Controller is responsible for documenting these legal bases and making them available upon request.

TwikPMS applies enhanced security measures for Special Categories of Data, including:

  • End-to-end encryption for data in transit and at rest
  • Strict role-based access controls limiting access to authorized personnel only
  • Automated deletion protocols that remove Special Categories of Data after check-out plus applicable legal retention periods
  • Regular security audits and penetration testing
  • Segregated storage systems with additional authentication requirements

5. Sub-processors

The Controller provides general authorization for TwikPMS to engage sub-processors to assist in providing the services. TwikPMS maintains a list of all sub-processors and their processing activities.

Current Sub-processors

Below is our current list of sub-processors, including information about each sub-processor's identity, location, and processing activities:

Entity name     Subprocessing activity     Entity country
Google Cloud    Cloud Service Provider     United States
Cloudflare      Content Delivery Network   United States
Postmarkapp     Email                      United States
Crisp chat      Support requests           France
Stripe          Payment processing         United States
Asperion        Accounting                 Netherlands
Posthog         Event analytics            United States

Last updated: 11 August 2025

Notification of Changes: TwikPMS will provide the Controller with at least 14 days' advance notice via email before adding any new sub-processor or replacing an existing sub-processor. This notice will include the sub-processor's identity, location, and the processing activities they will perform. The updated list will be reflected in this document and on our dedicated Subprocessors page.

Right to Object: The Controller may object to the appointment of a new sub-processor on reasonable grounds relating to data protection compliance. Such objections must be raised in writing within 10 days of receiving the notification. If TwikPMS cannot accommodate the objection, the Controller may terminate the affected services without penalty.

Sub-processor Obligations: TwikPMS ensures that all sub-processors are bound by written agreements imposing data protection obligations equivalent to those in this DPA, including appropriate technical and organizational security measures. TwikPMS remains fully liable to the Controller for the performance of any sub-processor's obligations.

6. Accuracy of Information and Indemnity

Both parties acknowledge their respective responsibilities for data accuracy and agree to the following allocation of liability:

Controller Responsibilities

The Controller is responsible for ensuring the accuracy, quality, and legality of Personal Data provided to TwikPMS. This includes:

  • Verifying that all Personal Data entered into the TwikPMS system is accurate and up-to-date
  • Obtaining all necessary consents and legal bases before providing Personal Data to TwikPMS
  • Ensuring compliance with data minimization principles
  • Responding promptly to Data Subject rights requests
  • Providing clear and accurate privacy notices to Data Subjects

Processor Responsibilities

TwikPMS is responsible for processing Personal Data in accordance with the Controller's instructions and maintaining appropriate security measures. This includes:

  • Implementing and maintaining technical and organizational security measures
  • Processing data only as instructed by the Controller
  • Assisting the Controller with data subject rights requests
  • Notifying the Controller of any data breaches
  • Ensuring sub-processors meet equivalent data protection standards

Indemnification

Controller Indemnity: The Controller agrees to indemnify and hold harmless TwikPMS from any regulatory fines, penalties, or claims arising from:

  • Inaccurate, incomplete, or unlawfully obtained Personal Data provided by the Controller
  • The Controller's failure to obtain proper consent or establish a legal basis for processing
  • The Controller's failure to respond to Data Subject rights requests within required timeframes
  • The Controller's instructions that violate applicable data protection laws

Processor Indemnity: TwikPMS agrees to indemnify and hold harmless the Controller from any regulatory fines, penalties, or claims arising from:

  • Security breaches resulting from TwikPMS's negligence or failure to implement appropriate security measures
  • Processing Personal Data beyond the scope of the Controller's documented instructions
  • TwikPMS's failure to comply with its obligations under this DPA or applicable data protection laws
  • Unauthorized disclosure of Personal Data by TwikPMS or its sub-processors

7. International Data Transfers

TwikPMS is committed to protecting Personal Data regardless of where it is processed. Our primary data processing infrastructure is located within the European Union and European Economic Area (EEA).

Primary Processing Location

All core TwikPMS services and databases are hosted on Google Cloud Platform servers located in the Netherlands and Germany. This ensures that the primary processing of your data occurs within the EU/EEA under the full protection of the GDPR.

Sub-processors Outside the EEA

Certain sub-processors are located outside the EEA, primarily in the United States. These include Stripe (payment processing), Postmarkapp (transactional email), Cloudflare (content delivery network), Google Cloud (cloud infrastructure), and Posthog (event analytics).

See the complete sub-processors list in Section 5 above, which includes all country locations.

Transfer Safeguards

For all data transfers to sub-processors outside the EEA, TwikPMS has implemented appropriate safeguards as required by GDPR Chapter V:

  • Standard Contractual Clauses (SCCs) - We have executed the European Commission's Standard Contractual Clauses with all non-EEA sub-processors, providing contractual guarantees for data protection.
  • Transfer Impact Assessments (TIA) - Following the Schrems II decision, we have conducted Transfer Impact Assessments for all transfers to the United States and other third countries, evaluating the legal framework and implementing supplementary measures where necessary.
  • Technical Safeguards - All data transfers are protected by encryption in transit (TLS 1.3), encryption at rest (AES-256), and strict access controls.
  • Contractual Obligations - All sub-processors are contractually obligated to process data only as instructed and to implement appropriate security measures.
  • Data Minimization - We transfer only the minimum Personal Data necessary for the sub-processor to perform its specific function.

Controller Rights

Upon request, TwikPMS will provide the Controller with copies of the Standard Contractual Clauses and Transfer Impact Assessments for any sub-processor. The Controller may object to specific data transfers on reasonable grounds relating to data protection compliance.

8. Data Subject Rights Support

TwikPMS will assist the Controller in fulfilling its obligations to respond to Data Subject rights requests under GDPR Articles 15-22. These rights include access, rectification, erasure, restriction of processing, data portability, and objection to processing.

Request Handling Process: If TwikPMS receives a Data Subject rights request directly, we will forward it to the Controller within 2 business days. The Controller is responsible for verifying the identity of the Data Subject and determining the appropriate response.

Technical Assistance: Upon the Controller's request, TwikPMS will provide technical assistance to facilitate the Data Subject's exercise of their rights, including:

  • Providing data exports in commonly used formats (CSV, JSON, PDF)
  • Assisting with data rectification or deletion within the TwikPMS system
  • Restricting processing of specific Data Subject records
  • Providing logs and documentation of processing activities

Response Time: TwikPMS will respond to Controller requests for assistance within 5 business days. Technical assistance for Data Subject rights requests is provided at no additional cost as part of the service agreement.

Your Rights as an Individual: For comprehensive information about your personal data rights as a Data Subject, please refer to the "Your Data Protection Rights" section in our Privacy Policy.

9. Security Measures (Article 32)

TwikPMS implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32. These measures are designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Technical Measures

  • Encryption - All Personal Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3 or higher.
  • Access Controls - Role-based access control (RBAC) ensures that only authorized personnel can access Personal Data, with access limited to what is necessary for their role.
  • Authentication - Multi-factor authentication (MFA) is required for all administrative access to systems containing Personal Data.
  • Network Security - Firewalls, intrusion detection systems, and regular vulnerability scanning protect our infrastructure.
  • Backup and Recovery - Automated encrypted backups are performed daily with tested recovery procedures.
  • Logging and Monitoring - Comprehensive audit logs track all access to and modifications of Personal Data.

Organizational Measures

  • Staff Training - All employees receive regular data protection and security training.
  • Confidentiality Obligations - All personnel with access to Personal Data are bound by confidentiality obligations.
  • Security Policies - Comprehensive information security policies govern data handling practices.
  • Incident Response - A documented incident response plan ensures rapid response to security events.
  • Vendor Management - All sub-processors are assessed for security compliance before engagement.
  • Regular Audits - Security measures are reviewed and tested regularly, including annual penetration testing.

Ongoing Security

TwikPMS continuously monitors and updates security measures to address emerging threats and vulnerabilities. We maintain certifications and compliance with industry security standards and participate in responsible disclosure programs for security researchers.

10. Data Breach Notification

TwikPMS has implemented procedures to detect, investigate, and respond to Personal Data breaches in accordance with GDPR Article 33.

Notification Timeline: In the event of a Personal Data breach, TwikPMS will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.

Breach Notification Contents: The notification will include, to the extent possible:

  • The nature of the Personal Data breach, including the categories and approximate number of Data Subjects and Personal Data records affected
  • The likely consequences of the breach
  • The measures taken or proposed to be taken to address the breach and mitigate its potential adverse effects
  • Contact details for obtaining further information
  • A timeline of events related to the breach

Controller Responsibilities: The Controller is responsible for determining whether the breach must be reported to the relevant supervisory authority and/or to affected Data Subjects. TwikPMS will provide reasonable assistance to the Controller in fulfilling these obligations.

Cooperation: TwikPMS will cooperate fully with the Controller's investigation of the breach and will implement any reasonable measures requested by the Controller to prevent future breaches.

11. Deletion and Return of Data

Upon termination or expiration of the service agreement, TwikPMS will delete or return all Personal Data to the Controller as instructed.

Controller's Choice: Within 30 days of termination, the Controller must instruct TwikPMS to either:

  • Return Data - Export and provide all Personal Data in a commonly used, machine-readable format (CSV, JSON, or SQL dump), or
  • Delete Data - Securely delete all Personal Data from TwikPMS systems and backups

Deletion Process: If deletion is requested, TwikPMS will:

  • Permanently delete all Personal Data from production systems within 30 days
  • Delete Personal Data from backup systems within 90 days (as backups cycle through retention periods)
  • Provide written certification of deletion upon completion

Legal Retention: TwikPMS may retain Personal Data to the extent required by applicable law (e.g., financial records, audit trails) and will inform the Controller of any such retention requirements. Retained data will continue to be protected in accordance with this DPA.

No Response: If the Controller does not provide instructions within 30 days of termination, TwikPMS will securely delete all Personal Data within 60 days of termination.

12. Audit Rights

The Controller has the right to audit TwikPMS's compliance with this DPA and applicable data protection laws, as required by GDPR Article 28(3)(h).

Audit Frequency: The Controller may conduct or commission an audit once per calendar year during the term of the agreement.

Audit Process:

  • The Controller must provide at least 30 days' advance written notice of any intended audit
  • Audits must be conducted during normal business hours and in a manner that minimizes disruption to TwikPMS operations
  • The Controller may conduct the audit itself or engage a qualified independent third-party auditor
  • Any third-party auditor must execute a confidentiality agreement before accessing TwikPMS systems or documentation

Audit Scope: Audits may include:

  • Review of policies, procedures, and documentation related to data protection
  • Inspection of technical and organizational security measures
  • Review of sub-processor agreements and compliance
  • Testing of data breach response procedures
  • Verification of data deletion and retention practices

Audit Costs: The Controller bears all costs associated with audits, including fees for any third-party auditors. If an audit reveals a material breach of this DPA by TwikPMS, TwikPMS will reimburse the Controller's reasonable audit costs.

Alternative Compliance Evidence: In lieu of an on-site audit, TwikPMS may provide the Controller with copies of recent independent audit reports, security certifications (e.g., SOC 2, ISO 27001), or other evidence of compliance that satisfies the Controller's audit objectives.

Extraordinary Audits: In addition to the annual audit right, the Controller may conduct an extraordinary audit if there is reasonable evidence of a material breach of this DPA or if required by a supervisory authority.

Contact Information

For questions regarding this Data Processing Agreement or to exercise your rights under this DPA, please contact us:

Changes to this DPA

TwikPMS may update this DPA from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify Controllers of any material changes via email at least 30 days before the changes take effect. Continued use of the services after changes become effective constitutes acceptance of the updated DPA.

This page was last updated: 21 December 2024