
Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service between Agufy ("Processor") and the Customer ("Controller"). It governs the processing of personal data by Agufy on behalf of the Customer in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Spanish data protection laws (LOPDGDD).

1. Definitions and Scope

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given to them in the GDPR. This DPA applies to all Personal Data that Agufy processes on behalf of the Customer through the Service. The Customer is the Controller who determines the purposes and means of processing. Agufy is the Processor who processes Personal Data solely on behalf of and under the documented instructions of the Controller.

2. Processing Details

Subject matter: Provision of the Agufy cleaning management platform.

Duration: For the term of the Customer's subscription, plus any retention period specified herein.

Nature and purpose: Synchronising booking data from Beds24 to generate and manage cleaning tasks, assigning cleaners, tracking task completion, and generating operational reports.

Categories of Data Subjects

  • Accommodation guests (whose booking data is synced from Beds24)
  • Cleaning staff and managers (users of the platform)

Types of Personal Data

  • Guest data: first name, last name, arrival/departure dates, number of guests, booking comments and notes
  • Staff data: username, email address, display name, login activity (IP addresses, timestamps), role, task assignments and completion records
  • Billing data: Stripe customer ID and subscription status (payment card details are held exclusively by Stripe and never stored by Agufy)

3. Obligations of the Processor

Agufy shall:

  1. Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law — in which case Agufy shall inform the Controller before processing, unless that law prohibits such information on important grounds of public interest.
  2. Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement and maintain appropriate technical and organisational security measures as described in Section 5.
  4. Respect the conditions for engaging sub-processors as set out in Section 6.
  5. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights.
  6. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Agufy.
  7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the Personal Data.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, as described in Section 10.

4. Obligations of the Controller

The Controller shall:

  1. Ensure that the processing of Personal Data through the Service has a valid legal basis under the GDPR (such as legitimate interest for operational coordination of cleaning tasks, or contractual necessity).
  2. Provide all necessary information and obtain any required consents from Data Subjects before their Personal Data is processed through the Service.
  3. Be responsible for the accuracy, quality, and legality of Personal Data provided to Agufy.
  4. Ensure that the instructions given to Agufy comply with applicable data protection laws.
  5. Notify Agufy promptly of any changes that may affect Agufy's processing obligations.

5. Security Measures

Agufy implements and maintains the following technical and organisational measures to protect Personal Data:

Access control: Role-based access (administrator, manager, cleaner) with minimum-privilege principles. Password hashing using bcrypt. Account lockout after repeated failed login attempts. Session management with role-based timeouts.

Encryption: All data in transit encrypted via TLS/HTTPS. Beds24 API tokens encrypted at rest using AES-256. Database credentials stored separately from application code.

Data minimisation: Guest names and comments are automatically anonymised 90 days after departure. Cleaning tasks are deleted after 6 months. Audit logs are deleted after 1 year. Issue photos are deleted after 1 year.

Availability: Automated database backups. Infrastructure hosted on professionally managed servers with redundancy.

Audit trail: All administrative actions (login, user creation, configuration changes, impersonation) are logged with timestamps and IP addresses.

CSRF protection: All state-changing operations protected against cross-site request forgery.

6. Sub-processors

The Controller grants Agufy general written authorisation to engage the sub-processors listed below. Agufy shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days. If the Controller objects on reasonable grounds, the parties shall discuss the concern in good faith. If no resolution can be reached, the Controller may terminate the affected services.

Current sub-processors

| Sub-processor | Purpose | Location |
|---|---|---|
| Beds24 | Booking data synchronisation via API | EU (Germany) |
| Stripe, Inc. | Payment processing and subscription management | USA (with EU Standard Contractual Clauses) |
| Hosting provider | Infrastructure, server hosting, database storage | EU |

Agufy shall impose on each sub-processor data protection obligations no less protective than those set out in this DPA. Agufy remains fully liable to the Controller for the performance of each sub-processor's obligations.

7. International Data Transfers

Agufy stores and processes Personal Data within the European Economic Area (EEA). Where a sub-processor is located outside the EEA (currently: Stripe, Inc. in the USA), Agufy ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as the EU Standard Contractual Clauses or an adequacy decision by the European Commission. The Controller may request information about the specific safeguards applied to any international transfer.

8. Data Subject Rights

Agufy shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, and objection). If Agufy receives a request directly from a Data Subject, Agufy shall promptly redirect the request to the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller. The platform provides administrators with tools to view, export, and delete user data to facilitate compliance with Data Subject requests.

9. Data Breach Notification

Agufy shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach. The notification shall include:

  1. A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
  2. The name and contact details of a point of contact for further information.
  3. A description of the likely consequences of the breach.
  4. A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects.

Agufy shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach. Agufy shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial actions taken.

10. Audit and Inspection

Agufy shall make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR. The Controller (or a mandated auditor bound by confidentiality) may conduct an audit of Agufy's processing activities, subject to the following conditions:

  1. The Controller shall provide at least 30 days' written notice.
  2. Audits shall be conducted during normal business hours and shall not unreasonably disrupt Agufy's operations.
  3. Audits shall be limited to once per calendar year, unless a data breach has occurred or a Supervisory Authority requires additional inspection.
  4. The Controller shall bear the costs of the audit.
  5. Audit findings and all information obtained shall be treated as confidential.

11. Term, Deletion and Return of Data

This DPA shall remain in effect for as long as Agufy processes Personal Data on behalf of the Controller. Upon termination of the Service, Agufy shall:

  1. Cease all processing of Personal Data on behalf of the Controller.
  2. At the Controller's choice (to be communicated within 30 days of termination): return all Personal Data to the Controller in a standard, machine-readable format, or delete all Personal Data and existing copies.
  3. If the Controller does not communicate a choice within 30 days, Agufy shall delete the Personal Data in accordance with its standard retention schedule.
  4. Agufy may retain Personal Data to the extent required by EU or Member State law, in which case Agufy shall inform the Controller and ensure continued confidentiality and security.

For questions about this DPA, contact us at legal@agufy.com.


© 2026 Agufy. All rights reserved.