Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between the Customer (the "Controller") and ZILLION TECHNOLOGY SOLUTIONS S.L.U. (the "Processor"), CIF B24801383, with registered address at Calle Son Puig, Núm 8, Planta 2, Puerta 5, 07011 Palma (Illes Balears), Spain.

This DPA is incorporated into and forms part of the Terms of Service and governs the processing of personal data carried out by the Processor on behalf of the Controller under Article 28 of Regulation (EU) 2016/679 ("GDPR") and the Spanish Organic Law 3/2018 on Data Protection ("LOPDGDD").

1. Subject Matter and Duration

The Processor shall process personal data only to provide the Zillion Services as set out in the Terms of Service and any Order Form. The processing lasts for the duration of the subscription and any post-termination period required for data return or deletion.

2. Nature, Purpose and Categories

Nature of processing: collection, storage, structuring, use, transmission, hosting, and deletion.

Purpose: to deliver the Guest Intelligence Platform services subscribed to by the Controller (CDP, marketing automation, revenue analytics, WiFi marketing, reputation, AI tools, website building).

Categories of data subjects: hotel guests, prospects, website visitors, and staff users designated by the Controller.

Categories of personal data: identification data (name, email, phone); reservation data (stay dates, room type, preferences); marketing data (consent, communication history); technical data (IP address, device, browser); and any other data the Controller chooses to upload to the platform.

3. Obligations of the Processor (Article 28.3 GDPR)

The Processor undertakes to:

a) Processing on documented instructions. Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by Union or Member State law.

b) Confidentiality. Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

c) Security. Implement the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk (Article 32 GDPR), including encryption in transit (TLS), access controls, segregation by tenant, regular backups, and incident monitoring.

d) Sub-processing. Engage sub-processors only under the conditions set out in Clause 4.

e) Assistance to the Controller. Assist the Controller, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights under Chapter III of the GDPR, by providing appropriate technical and organisational measures.

f) Assistance with security, breach notification, DPIAs. Assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR, including notifying the Controller of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.

g) Return or deletion. At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage.

h) Audit and information. Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, subject to confidentiality and reasonable notice (no more than once per year unless a breach has occurred).

4. Sub-processors (Article 28.2 GDPR)

The Controller grants the Processor general written authorisation to engage sub-processors, subject to the following conditions:

- The Processor maintains a current list of sub-processors at 1zill.com/legal/subprocessors.
- The Processor shall inform the Controller of any intended additions or replacements of sub-processors at least 30 days in advance, giving the Controller the opportunity to object on reasonable grounds.
- If the Controller objects, the parties shall discuss in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty.
- The Processor imposes on each sub-processor the same data protection obligations as those set out in this DPA, by way of a written contract.
- The Processor remains fully liable to the Controller for the performance of its sub-processors.

5. International Transfers

Personal data is hosted within the European Economic Area (EEA). Where a sub-processor is located outside the EEA, transfers are made subject to appropriate safeguards under Chapter V GDPR, including Standard Contractual Clauses ("SCCs") in the form adopted by Commission Implementing Decision (EU) 2021/914 and, where applicable, supplementary measures.

6. Liability

Each party's liability under this DPA is governed by the limitation of liability provisions of the Terms of Service, subject to mandatory law.

7. Precedence

In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA shall prevail.

8. Governing Law and Jurisdiction

This DPA is governed by Spanish law. Any dispute shall be submitted to the courts of Palma de Mallorca, Spain.

Annex I — Details of Processing

Controller: the Customer identified in the Order Form.

Processor: ZILLION TECHNOLOGY SOLUTIONS S.L.U. (CIF B24801383).

Subject matter: provision of the Zillion Guest Intelligence Platform.

Duration: for the term of the subscription plus up to 30 days post-termination for data export and secure deletion.

Nature and purpose: see Clause 2.

Categories of data subjects and data: see Clause 2.

Annex II — Technical and Organisational Measures

1. Access control. Role-based access control (RBAC) with tenant isolation; mandatory strong passwords and support for SSO/OAuth (Google, Microsoft, GitHub); session tokens signed with HS256.
2. Encryption. TLS 1.2+ for data in transit; database encryption at rest; encryption of sensitive secrets at the application layer.
3. Logical segregation. Multi-tenant architecture with row-level security (RLS) and tenant_id scoping on every database table containing personal data.
4. Backups. Daily automated backups of the production database with at least 14 days of retention.
5. Monitoring. Centralised log aggregation (Loki/Grafana), uptime monitoring, intrusion detection, and anomaly alerting on authentication events.
6. Incident response. 24/7 on-call rotation; formal incident-response runbook; notification to the Controller within 72 hours of confirming a personal data breach.
7. Personnel. All staff sign confidentiality agreements; periodic training on data protection and secure development.
8. Secure development. Code review, automated dependency scanning, least-privilege service accounts, infrastructure as code.
9. Right to audit. See Clause 3(h).

Annex III — Sub-processors

The up-to-date list of sub-processors is maintained at 1zill.com/legal/subprocessors and forms an integral part of this DPA.

For questions about this DPA or to exercise the audit right, contact the Data Protection Officer at dpo@1zill.com.