Data Processing Agreement
This Data Processing Agreement (“DPA”) governs the processing of personal data by SwiftGuest, operated by Appsclicks, on behalf of its customers under the Master Subscription Agreement. It is Article 28 GDPR compliant, CCPA-aligned, and incorporates the EU Standard Contractual Clauses for international transfers.
Article 28 Compliant
Full GDPR Article 28 processor obligations, CCPA/CPRA Service Provider terms, and UK GDPR alignment in a single document.
SCCs Included
EU Standard Contractual Clauses (Modules 2 & 3) and the UK International Data Transfer Addendum incorporated by reference.
48-hour Breach Notice
SwiftGuest commits to notifying the Customer of any confirmed personal data breach within 48 hours of discovery.
1. Overview
This DPA forms part of the Master Subscription Agreement between you (“Customer” or “Controller”) and SwiftGuest (“Processor”). It sets out the terms on which SwiftGuest processes personal data on Customer’s behalf when delivering the SwiftGuest hotel property management platform. It applies in addition to, and prevails over, any conflicting terms in the Master Subscription Agreement that relate to the processing of personal data.
2. Roles and Scope
Customer is the Controller of personal data submitted to the Services, and SwiftGuest is the Processor. SwiftGuest acts as an independent Controller only with respect to account administration data, billing records, aggregated service telemetry, and security logs, each of which is governed by the SwiftGuest Privacy Policy rather than this DPA.
3. Processing Purposes
SwiftGuest processes Customer personal data solely to:
- Provide, maintain, support, and improve the Services;
- Perform contractual obligations under the Master Subscription Agreement;
- Implement the technical and organizational security measures set out in Section 5;
- Investigate and mitigate personal data breaches and other security incidents;
- Comply with applicable law, including lawful requests from public authorities;
- Deliver Customer-initiated features such as channel distribution, payment tokenization, and email delivery.
4. Categories of Data Subjects and Personal Data
Data subjects include Customer personnel and authorized users, hotel guests and prospective guests, guest companions, and corporate travel bookers. Processed data includes identification and contact data, reservation and stay data, tokenized payment references, communications data, and access logs. SwiftGuest does not solicit, and Customer must not submit, special categories of personal data except to the limited extent required by local guest registration law.
5. Security Measures
SwiftGuest implements the technical and organizational measures required by Article 32 GDPR, including:
- TLS 1.3 encryption in transit and AES-256 encryption at rest in Cloudflare D1 and R2;
- Tokenization of payment data through PCI DSS Level 1 certified processors;
- Role-based access control with least-privilege defaults and mandatory MFA for personnel with production access;
- Audit logging of administrative access to Customer personal data;
- Quarterly disaster recovery drills and a documented incident response process;
- Annual third-party penetration testing covering application, API, and infrastructure.
6. Sub-processing
Customer provides general written authorization for SwiftGuest to engage sub-processors. A current list is maintained at swiftguest.com/legal/sub-processors. SwiftGuest will provide at least 30 days’ prior notice of any addition or replacement and Customer may object on reasonable data protection grounds. SwiftGuest remains fully liable for the performance of sub-processors.
| Sub-processor | Processing activity | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting, edge compute, CDN, D1 database, R2 object storage | Global edge |
| Channex | Channel management and OTA distribution | Estonia / UK |
| Checkout.com | Global payment processing and tokenization | UK / EU |
| Resend, Inc. | Transactional email delivery | United States |
7. International Transfers
Where SwiftGuest transfers Customer personal data from the EEA, United Kingdom, or Switzerland to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Modules 2 and 3, as applicable) and the UK International Data Transfer Addendum, each incorporated by reference into this DPA. SwiftGuest has conducted a transfer impact assessment and applies supplementary measures, including strong encryption and documented contractual commitments from sub-processors.
8. Data Subject Rights
SwiftGuest provides self-service tooling within the Services to enable Customer to respond to data subject requests under GDPR and other applicable laws, including access, rectification, erasure, restriction, portability, and objection. Where a data subject contacts SwiftGuest directly regarding Customer data, SwiftGuest will forward the request to Customer without undue delay and will not respond except on Customer’s documented instructions.
9. Breach Notification
SwiftGuest will notify Customer without undue delay, and in any event within 48 hours, of becoming aware of a confirmed personal data breach affecting Customer personal data. The notification will include the nature of the breach, approximate scope, likely consequences, and measures taken or proposed to address it. Determining whether to notify a supervisory authority or affected data subjects under Articles 33 and 34 GDPR rests with Customer.
10. Return and Deletion of Personal Data
On termination or expiry of the Master Subscription Agreement, SwiftGuest will, at Customer’s choice made within 60 days, return or delete all Customer personal data in its possession and certify completion in writing. Backups are purged on their normal rotation cycle, and residual copies are deleted within 90 days. SwiftGuest may retain personal data only to the extent required by applicable law, subject to continued confidentiality and security obligations.
11. How to Execute This DPA
This DPA is automatically incorporated into your Master Subscription Agreement when you subscribe to SwiftGuest. No separate signature is required for the DPA itself. If you require a counter-signed version for your records, email privacy@swiftguest.com with your account details and we will return a signed PDF within two business days.
For the full 18-section contractual text including annexes, definitions, CCPA addendum, audit rights, and governing law, see the complete DPA.
Questions about this DPA: privacy@swiftguest.com. See also our Privacy Policy, GDPR Compliance page, and Security Overview.