Data Processing Agreement

Preamble

The parties acknowledge that in the course of delivering the SwiftGuest platform, SwiftGuest processes Personal Data on behalf of the Customer. The parties enter into this DPA to ensure that such processing is conducted in compliance with applicable Data Protection Laws and to document the appropriate technical and organizational measures that protect the rights and freedoms of Data Subjects.

Where a conflict arises between this DPA and the Master Subscription Agreement, this DPA prevails with respect to matters of personal data processing. Where a conflict arises between this DPA and the European Commission Standard Contractual Clauses incorporated by reference in Section 9, those clauses prevail.

1. Definitions

Capitalized terms not otherwise defined in this DPA have the meaning assigned to them in the Master Subscription Agreement or the applicable Data Protection Laws. In this DPA:

• “Applicable Data Protection Laws” means all laws and regulations relating to the processing of Personal Data that apply to a party, including without limitation the GDPR, the United Kingdom General Data Protection Regulation (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the CCPA/CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Brazilian Lei Geral de Proteção de Dados (“LGPD”), the Singapore Personal Data Protection Act, and the Israeli Protection of Privacy Law, each as amended or superseded.
• “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Special Categories of Personal Data” and “Supervisory Authority” have the meanings set out in the GDPR.
• “Customer Personal Data” means Personal Data submitted to, stored on, or generated by the Services by or on behalf of Customer, its Affiliates, or its Authorized Users, including guest data, reservation data, and employee data processed on Customer’s behalf.
• “Service” or “Services” means the SwiftGuest hotel property management system and related APIs, integrations, and services made available to Customer under the Master Subscription Agreement.
• “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
• “Sub-processor” means any third-party Processor engaged by SwiftGuest to process Customer Personal Data in the course of delivering the Services.
• “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.

2. Data Roles and Scope

2.1 Controller and Processor

For the purposes of this DPA and the GDPR, Customer is the Controller of Customer Personal Data and SwiftGuest is the Processor. SwiftGuest will process Customer Personal Data solely on behalf of Customer and in accordance with Customer’s documented instructions, except where required to do so by European Union or Member State law to which SwiftGuest is subject. In such a case, SwiftGuest will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.2 Independent Processing

SwiftGuest acts as an independent Controller only with respect to: (i) account administration data relating to Customer’s personnel necessary to manage the business relationship; (ii) billing and invoicing data; (iii) aggregated and anonymized service metrics that do not identify any Data Subject; and (iv) security and fraud prevention logs required to protect the integrity of the Services. Such processing is governed by the SwiftGuest Privacy Policy and not this DPA.

2.3 Scope

This DPA applies to all Processing of Customer Personal Data carried out by SwiftGuest and its Sub-processors under the Master Subscription Agreement. The subject matter, nature, duration, and purposes of Processing, together with the categories of Data Subjects and Personal Data, are set out in Annex A.

3. Processing Purposes

SwiftGuest will Process Customer Personal Data only for the following purposes and in accordance with the written instructions of Customer:

• To provide, maintain, support, and improve the Services and any associated technical support;
• To perform contractual obligations set out in the Master Subscription Agreement, including issuing invoices, collecting payment, and servicing Customer queries;
• To implement appropriate technical and organizational measures designed to ensure the security and integrity of the Services;
• To monitor, investigate, prevent, and mitigate Personal Data Breaches and other security incidents;
• To comply with applicable laws and respond to legally binding requests from public authorities;
• To exercise Customer-initiated features that necessitate the Processing of Customer Personal Data, including channel distribution, payment tokenization, email delivery, and third-party integrations enabled by Customer.

4. Controller Instructions

4.1 Documented Instructions

Customer instructs SwiftGuest to process Customer Personal Data as reasonably necessary to: (a) provide the Services to Customer; (b) fulfil SwiftGuest’s obligations under the Master Subscription Agreement and this DPA; and (c) comply with applicable law. The Master Subscription Agreement, this DPA, and Customer’s configuration of the Services constitute Customer’s complete and final instructions to SwiftGuest. Additional instructions require prior written agreement between the parties, including agreement on the additional fees, if any, payable by Customer.

4.2 Infringing Instructions

SwiftGuest will immediately inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Laws. SwiftGuest is not obliged to conduct a legal review of Customer’s instructions beyond a prima facie check for compliance.

5. Categories of Personal Data and Data Subjects

The Personal Data Processed under this DPA concerns the following categories of Data Subjects: Customer’s personnel and Authorized Users; hotel guests and prospective guests; guest companions and third parties identified on reservations; corporate travel bookers; and any other individuals whose Personal Data Customer elects to submit to the Services.

The Personal Data Processed under this DPA may include: identification and contact data (name, email address, phone number, postal address, nationality, date of birth, identification or passport numbers where required for local registration obligations); reservation and stay data (arrival and departure dates, room preferences, loyalty information, special requests); financial data (tokenized payment instrument references, invoice history, chargeback status); communication data (email correspondence, support tickets, chat transcripts); access logs (IP addresses, device fingerprints, timestamps of access); and such other Personal Data as Customer configures the Services to collect.

SwiftGuest does not solicit, and Customer agrees not to submit, Special Categories of Personal Data except to the limited extent necessary to comply with legally mandated guest registration requirements (for example, nationality or passport data required by local authorities).

6. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SwiftGuest will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The measures in force as of the Effective Date are set out in Annex C. SwiftGuest may update such measures from time to time provided that the updates do not materially decrease the overall level of security of the Services.

SwiftGuest measures include, at a minimum: (a) encryption of Customer Personal Data in transit using TLS 1.2 or above; (b) encryption of Customer Personal Data at rest; (c) pseudonymization of Personal Data where technically feasible; (d) the ability to restore the availability of and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; (e) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures; (f) role-based access control, least-privilege principles, and multi-factor authentication for privileged access; and (g) comprehensive audit logging of administrative access to Customer Personal Data.

7. Confidentiality and Personnel

SwiftGuest will ensure that any person authorized to process Customer Personal Data is bound by a contractual or statutory obligation of confidentiality, has received appropriate training on the protection of Personal Data, and processes Customer Personal Data only on documented instructions from SwiftGuest. SwiftGuest will limit access to Customer Personal Data to personnel who require such access to perform their duties.

8. Sub-processing

8.1 General Authorization

Customer provides general written authorization for SwiftGuest to engage Sub-processors to process Customer Personal Data. A current list of authorized Sub-processors is maintained at swiftguest.com/legal/sub-processors and is reproduced, for convenience, in Annex B.

8.2 Notice of Changes

SwiftGuest will provide Customer with at least 30 days’ prior notice of the addition or replacement of a Sub-processor by updating the sub-processors page and, if Customer has subscribed to updates, sending an email notification. Customer may object to the engagement of a new Sub-processor on reasonable grounds relating to data protection by sending a written objection to privacy@swiftguest.com within 15 days of such notice. If the parties cannot resolve the objection within a further 30 days, Customer may terminate the affected portion of the Services for cause and receive a pro rata refund of prepaid fees for the unused portion of the subscription term.

8.3 Sub-processor Obligations

SwiftGuest will enter into a written agreement with each Sub-processor that imposes data protection obligations that are no less protective than those set out in this DPA, including obligations to implement appropriate technical and organizational measures. SwiftGuest remains fully liable to Customer for the performance of any Sub-processor’s obligations.

9. International Transfers

9.1 Transfer Mechanisms

To the extent that SwiftGuest transfers Customer Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the parties will rely on the following transfer mechanisms:

• For transfers subject to GDPR, Module Two (controller-to-processor) or Module Three (processor-to-processor) of the Standard Contractual Clauses, which are hereby incorporated into this DPA by reference;
• For transfers subject to the UK GDPR, the UK Addendum, which is hereby incorporated into this DPA by reference;
• For transfers subject to Swiss law, the SCCs as modified by the Swiss Federal Data Protection and Information Commissioner’s guidance.

9.2 Transfer Impact Assessment

The parties acknowledge that SwiftGuest has conducted a transfer impact assessment in respect of transfers to third countries and has implemented supplementary technical, contractual, and organizational measures where necessary. Such measures include strong encryption in transit and at rest, pseudonymization, contractual commitments from Sub-processors to challenge disproportionate government access requests, and transparency reports regarding government data requests received by SwiftGuest.

9.3 Selection of Clauses

For purposes of Annex I to the SCCs, the information set out in Annex A applies. For purposes of Clause 7 (Docking Clause), the clause is deemed to apply. For purposes of Clause 9(a) (Use of Sub-processors), Option 2 applies with the 30-day notice period specified in Section 8.2 of this DPA. For purposes of Clause 11 (Redress), independent dispute resolution is deemed not selected. For purposes of Clause 17 (Governing Law), the SCCs are governed by the law of the Member State in which the Customer is established, or the law of Ireland if the Customer is not established in a Member State. For purposes of Clause 18 (Choice of Forum and Jurisdiction), the courts of the same jurisdiction have exclusive jurisdiction.

10. Data Subject Rights

SwiftGuest will, taking into account the nature of the Processing, provide reasonable assistance to Customer, at Customer’s expense where provision of such assistance requires more than de minimis effort, to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws. Where a Data Subject submits a request directly to SwiftGuest concerning Customer Personal Data, SwiftGuest will, without undue delay, forward such request to Customer and will not respond to the request except on documented instructions from Customer or as required by applicable law. Standard self-service tooling is provided within the Services at no additional cost.

11. Personal Data Breach Notification

11.1 Notification

SwiftGuest will notify Customer without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will be sent to the primary security contact on record for Customer and will include, to the extent known at the time of notification: (a) the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects; and (d) the name and contact details of the Data Protection Officer or other contact point from whom further information can be obtained.

11.2 Cooperation

SwiftGuest will provide reasonable cooperation to Customer’s efforts to comply with its notification obligations under Applicable Data Protection Laws, including Articles 33 and 34 of the GDPR. Such cooperation includes providing information reasonably required to evaluate the scope of the breach, preparing drafts of notifications to Supervisory Authorities and Data Subjects, and coordinating remedial actions.

11.3 Responsibility for Notifications

The determination whether to notify a Supervisory Authority or Data Subjects of a Personal Data Breach affecting Customer Personal Data rests with Customer. SwiftGuest will not make such notifications on behalf of Customer without Customer’s prior written consent, except where required by applicable law.

12. Data Protection Impact Assessments and Prior Consultation

SwiftGuest will provide reasonable assistance to Customer with any data protection impact assessment and prior consultation with Supervisory Authorities that Customer is required to carry out under Applicable Data Protection Laws, in each case solely in relation to the Processing of Customer Personal Data by SwiftGuest and taking into account the nature of the Processing and the information available to SwiftGuest.

13. Audit Rights

13.1 Information Provided

SwiftGuest will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including summary-level information concerning SwiftGuest’s policies, procedures, and controls. This obligation is satisfied by: (a) making available the most recent SOC 2 Type II report or equivalent third-party certification; (b) completing industry-standard security questionnaires such as the Cloud Security Alliance Consensus Assessment Initiative Questionnaire; and (c) responding to reasonable security and privacy inquiries submitted in writing.

13.2 On-Site Audit

Where the information described in Section 13.1 is not sufficient to demonstrate compliance with this DPA or where required by a Supervisory Authority, SwiftGuest will, at Customer’s reasonable request and expense, allow for audits to be conducted by Customer or an independent third-party auditor mandated by Customer. Such audits will be conducted at reasonable times, on at least 30 days’ prior written notice (except in the case of an audit required by a Supervisory Authority or following a confirmed Personal Data Breach), no more than once in any 12-month period, and in a manner that does not unreasonably interfere with SwiftGuest’s normal business operations. The auditor must sign a confidentiality agreement acceptable to SwiftGuest and must not be a competitor of SwiftGuest.

13.3 Confidentiality of Audit Results

Any audit findings are the confidential information of SwiftGuest and may not be shared with third parties except as required by applicable law or with SwiftGuest’s prior written consent. Customer will promptly share any audit findings with SwiftGuest so that SwiftGuest may remediate deficiencies in a timely manner.

14. Return and Deletion of Personal Data

Upon termination or expiration of the Master Subscription Agreement, SwiftGuest will, at the choice of Customer, return to Customer or delete all Customer Personal Data in its possession, together with any copies of such data, and certify in writing to Customer that it has done so. Customer may exercise this choice within 60 days of the effective date of termination by submitting a written request to privacy@swiftguest.com. If Customer does not elect return or deletion within this period, SwiftGuest will delete all Customer Personal Data in accordance with its standard data deletion practices.

SwiftGuest may retain Customer Personal Data to the extent required by applicable law, provided that SwiftGuest continues to ensure the confidentiality of such Personal Data and processes it only as necessary for the purposes required by applicable law. SwiftGuest’s backup systems are subject to routine rotation; residual copies of Customer Personal Data in backups are purged within 90 days after deletion from the production environment and remain subject to the confidentiality and security obligations of this DPA until such purging.

15. California Consumer Privacy Act (CCPA/CPRA) Addendum

15.1 Service Provider Role

Where Customer is a business subject to the CCPA and SwiftGuest processes Personal Information (as defined in the CCPA) of California Consumers on behalf of Customer, SwiftGuest will act as a Service Provider. The parties intend that, in respect of such processing, the following provisions apply and override conflicting provisions elsewhere in this DPA to the extent necessary to achieve compliance with the CCPA.

15.2 CCPA Obligations

SwiftGuest will:

• Not sell or share Personal Information, as those terms are defined in the CCPA;
• Not retain, use, or disclose Personal Information outside of the direct business relationship between the parties, except as permitted by the CCPA;
• Not retain, use, or disclose Personal Information for any purpose other than the specific purposes set out in the Master Subscription Agreement, including for any commercial purpose other than providing the Services;
• Not combine the Personal Information with Personal Information received from or on behalf of another person, or collected from SwiftGuest’s own interaction with a Consumer, except to perform a business purpose permitted by the CCPA;
• Notify Customer if SwiftGuest determines that it can no longer meet its obligations under the CCPA;
• Allow Customer to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information;
• Comply with Consumer rights requests forwarded by Customer, including requests to delete, correct, limit the use of, or provide access to Personal Information.

15.3 Certification

SwiftGuest certifies that it understands the restrictions set out in this Section 15 and will comply with them. Customer retains the right, upon written notice, to take reasonable and appropriate steps to ensure that SwiftGuest uses Personal Information transferred under this DPA in a manner consistent with Customer’s obligations under the CCPA.

16. Liability

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions set out in the Master Subscription Agreement. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under Applicable Data Protection Laws.

17. Term and Termination

This DPA takes effect on the Effective Date and will remain in effect for the term of the Master Subscription Agreement. The obligations in Sections 6 (Security), 7 (Confidentiality), 11 (Breach Notification), 13 (Audit), 14 (Return and Deletion), and 16 (Liability) survive termination to the extent necessary to give effect to their intent.

18. Miscellaneous

18.1 Order of Precedence

In the event of a conflict between this DPA and the Master Subscription Agreement, this DPA prevails with respect to matters of personal data processing.

18.2 Amendments

SwiftGuest may amend this DPA from time to time to reflect changes in Applicable Data Protection Laws, guidance from Supervisory Authorities, or the evolution of SwiftGuest’s Services, provided that no such amendment will materially decrease the protection afforded to Customer Personal Data. Amendments will be posted to this page and become effective 30 days thereafter unless a shorter or longer period is required by applicable law.

18.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions continue in full force and effect. The parties will negotiate in good faith to replace the invalid provision with a valid provision that most closely approximates the original intent.

18.4 Governing Law

Except as required by the SCCs, this DPA is governed by the governing law specified in the Master Subscription Agreement.

Annex A — Details of Processing

A.1 Nature and Purpose of Processing

SwiftGuest Processes Customer Personal Data to provide the SwiftGuest hotel property management system to Customer, including reservation management, channel distribution, payment tokenization, guest communications, housekeeping coordination, reporting, and related services.

A.2 Duration of Processing

The duration of Processing corresponds to the term of the Master Subscription Agreement plus any applicable data retention period determined by Customer, subject to the deletion obligations in Section 14.

A.3 Frequency of Transfer

Continuous, for the duration of the Master Subscription Agreement.

A.4 Categories of Data Subjects

• Customer personnel and Authorized Users;
• Hotel guests, prospective guests, and guest companions;
• Corporate travel bookers and travel agents;
• Individuals whose contact details are stored in Customer’s customer relationship management records within the Services;
• Any other individuals whose Personal Data Customer submits to the Services.

A.5 Categories of Personal Data

• Identification and contact data, including name, email, phone, postal address, nationality, date of birth, and, where required for local registration, passport or identification numbers;
• Reservation data, including arrival and departure dates, room type, rate plan, special requests, and loyalty identifiers;
• Payment data, limited to tokenized payment instrument references; SwiftGuest does not store raw payment card data;
• Communications data, including email correspondence, support tickets, and chat transcripts;
• Access logs, including IP address, device information, and timestamps of actions taken within the Services.

A.6 Special Categories of Personal Data

None by default. To the limited extent necessary for legally mandated guest registration, nationality or passport data may be processed. Customer must not submit other Special Categories of Personal Data to the Services without first notifying SwiftGuest and agreeing on additional safeguards.

A.7 Competent Supervisory Authority

For transfers subject to GDPR, the competent Supervisory Authority is the authority of the Member State in which the Data Exporter is established or, where the Data Exporter is not established in a Member State, the Irish Data Protection Commission.

Annex B — Authorized Sub-processors

The current list of authorized Sub-processors is maintained at swiftguest.com/legal/sub-processors. The following table reproduces that list as of the Last Updated date at the top of this DPA.

Annex C — Technical and Organizational Security Measures

SwiftGuest has implemented and maintains the following measures. These measures may be updated from time to time provided that the updates do not materially decrease the overall level of security afforded to Customer Personal Data.

C.1 Measures of pseudonymization and encryption of Personal Data

• TLS 1.2 or above for all data in transit between Customer, SwiftGuest, and Sub-processors;
• AES-256 encryption of data at rest in Cloudflare D1 and R2;
• Tokenization of payment card data through PCI DSS Level 1 certified Sub-processors; no raw card data is stored on SwiftGuest-managed systems;
• Pseudonymization of guest identifiers in analytics pipelines.

C.2 Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

• Multi-region replication of production data within the Cloudflare network;
• Automated daily snapshots of the production database with point-in-time recovery capability;
• Quarterly disaster recovery drills including controlled failover exercises;
• Service-level monitoring with automated alerting on error rate, latency, and availability thresholds.

C.3 Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

• Recovery Time Objective (RTO): 4 hours;
• Recovery Point Objective (RPO): 1 hour;
• Documented and rehearsed incident response runbooks;
• Immutable backup copies stored in a separate availability region.

C.4 Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures

• Annual third-party penetration testing covering web application, API, and infrastructure;
• Continuous vulnerability scanning on container images and dependencies;
• Internal security review at each change management gate;
• Annual risk assessment aligned with ISO 27005 methodology.

C.5 Measures for user identification and authorization

• Single sign-on with SAML 2.0 and OIDC for enterprise customers;
• Mandatory multi-factor authentication for all SwiftGuest personnel accessing production systems;
• Role-based access control with least-privilege by default;
• Quarterly access review for all privileged roles.

C.6 Measures for the protection of data during transmission

• TLS 1.2 or above with modern cipher suites and HTTP Strict Transport Security;
• Certificate pinning on the SwiftGuest mobile applications;
• Signed webhooks with HMAC-SHA256 for all outbound event notifications.

C.7 Measures for the protection of data during storage

• Encryption at rest on all persistent stores;
• Segregation of Customer Personal Data across logical tenancy boundaries;
• Key management with automated rotation on a 90-day cycle.

C.8 Measures for ensuring physical security of locations at which Personal Data are processed

• Reliance on Cloudflare’s SOC 2 Type II and ISO 27001 certified data centers;
• SwiftGuest maintains no on-premises servers or data centers.

C.9 Measures for ensuring events logging

• Centralized audit log of administrative access to production systems;
• Retention of audit logs for no less than 12 months in a tamper-evident store;
• Log-based anomaly detection with alerting to the SwiftGuest security team.

C.10 Measures for ensuring system configuration, including default configuration

• Infrastructure-as-code with automated drift detection;
• Secure-by-default configuration baselines derived from the Center for Internet Security benchmarks;
• Mandatory peer review for all production configuration changes.

C.11 Measures for internal IT and IT security governance and management

• Documented information security policy approved by executive leadership;
• Annual security awareness training for all personnel;
• Incident response team with defined escalation paths and on-call rotation.

C.12 Measures for certification / assurance of processes and products

• Annual SOC 2 Type II examination;
• Annual ISO 27001 surveillance audit;
• PCI DSS SAQ-A attestation (card data is tokenized by Sub-processors).

C.13 Measures for ensuring data minimization

• Configurable data collection scopes within the Services;
• Periodic review of Personal Data fields collected to confirm continued necessity.

C.14 Measures for ensuring data quality

• Customer-facing tools for Data Subjects to view and correct their Personal Data;
• Validation checks to prevent the ingestion of malformed or duplicate records.

C.15 Measures for ensuring limited data retention

• Configurable retention windows for guest communications and reservation records;
• Automated purge jobs that enforce the configured retention schedule.

C.16 Measures for ensuring accountability

• Appointment of a Data Protection Officer reachable at dpo@swiftguest.com;
• Records of Processing activities maintained in accordance with Article 30 GDPR;
• Vendor risk management program governing engagement with Sub-processors.

C.17 Measures for allowing data portability and ensuring erasure

• Export tools that produce machine-readable reports of Customer Personal Data;
• Deletion workflows that propagate erasure instructions to primary, replica, and backup stores;
• Certification of deletion upon request.

This DPA was last reviewed by SwiftGuest’s legal team in April 2026. For questions, contact dpo@swiftguest.com. See also our Privacy Policy, GDPR Compliance page, and Sub-processors List.