📌 Legal precedence: this document is a courtesy translation of the Italian original. In case of any discrepancy between this translation and the Italian version, the Italian version shall prevail as the legally binding reference. Italian original available here: https://vezpa.it/dpa/.
Purpose of this document: this Data Processing Agreement (DPA) governs the processing of personal data of guests of the accommodation facilities that use the Vezpa platform. The facility (Data Controller) entrusts Vezpa (Processor) with the processing of such data. The DPA is an integral part of the Terms of Service and is accepted at the time the facility registers.
Who it applies to: this DPA applies whenever the facility uses Vezpa to process personal data of subjects other than the facility itself (typically: guests, their companions, booking contacts). It does not apply to the processing of data of the facility's professional users, for which Vezpa acts as independent Data Controller (see Privacy Policy).
1. Parties
| Role | Identification |
| --- | --- |
| Data Controller ("Controller") | The accommodation facility that subscribes to the Vezpa service, as identified in its account (company name, VAT number, registered office, legal representative). |
| Data Processor ("Processor" / "Vezpa") | Vezpa di Paolo Vezzola, VAT No. 04449070988, registered office at via San Zeno 67, 25015 Desenzano del Garda (BS), Italy. PEC: [email protected] · Email: [email protected] |
2. Subject matter and duration (art. 28.3 GDPR)
The Controller instructs the Processor to process personal data on its behalf through the Vezpa platform. The processing has the duration of the subscription contract between the parties and ends upon its termination, without prejudice to §14.
3. Nature, purposes and categories of data processed
3.1 Purposes
- Management of bookings, stays and check-in/check-out
- Fulfilment of the Controller's legal obligations towards public authorities (AlloggiatiWeb, ISTAT, PayTourist, Feratel/Meldeamt, SES.HOSPEDAJES, NTAK, eVisitor, SEF, UbyPort, eTurizem)
- Transmission of booking data to OTA channels and the channel manager activated by the facility
- Issuing communications to the guest (confirmations, pre-check-in, payments)
- Processing payments via Booking Engine or Stripe link
- Production of reports and statistics for the Controller
3.2 Categories of data subjects
- Guests of the facilities and their companions
- Persons who book on behalf of others
- Emergency contacts possibly provided by the guest
3.3 Types of personal data processed
- Identification and personal data (first name, last name, date and place of birth, citizenship, gender)
- Identity documents (type, number, date of issue, issuing authority, scanned or photographed image)
- Text data extracted from the document via automatic OCR
- Contact data (email, phone, address)
- Booking and stay data
- Payment data (managed by Stripe, not stored on Vezpa)
Special categories of data (art. 9 GDPR): the identity document may contain special category data (e.g. place of birth). The Controller declares to have a suitable legal basis under art. 9.2 GDPR (typically letters b, f or g) and instructs the Processor to limit the processing of such data to the communications required by law to public authorities and to retention within the prescribed terms.
4. Controller's instructions (art. 28.3.a GDPR)
The Processor processes personal data exclusively on the basis of documented instructions of the Controller. General instructions are contained in this DPA, in the Privacy Policy, in the GDPR Notice and in the Terms of Service. Specific instructions may be issued by the Controller through:
- Settings in its own account (activation/deactivation of governmental connectors, OTAs, retention)
- Written communication to [email protected] or via PEC to [email protected]
Should the Processor consider that an instruction infringes the GDPR or other applicable provisions, it shall immediately inform the Controller.
5. Obligations of the Processor (art. 28.3.b-h GDPR)
The Processor undertakes to:
- Confidentiality: process data confidentially and ensure that persons authorised to process the data are bound by a confidentiality obligation;
- Security: adopt the technical and organisational measures set out in Annex B, appropriate to the risk;
- Sub-processors: comply with the conditions of §6;
- Assistance to the Controller: assist the Controller in fulfilling its obligations, in particular:
  - Response to data subject requests (articles 15-22 GDPR) within time frames that allow the Controller to respond within the statutory 30 days;
  - Notification of data breaches to the Controller within 24 hours of discovery (§7);
  - Support for DPIAs (art. 35) and prior consultations (art. 36);
  - Demonstration of compliance through documentation and, where requested, audits (§9).
- Return / deletion of data at the end, as provided for in §14;
- Information: make available to the Controller all information necessary to demonstrate compliance with this DPA.
6. Sub-processors (art. 28.2 and 28.4 GDPR)
6.1 General authorisation
The Controller authorises the Processor to appoint the sub-processors listed at vezpa.it/subprocessors and those that will subsequently be added according to the procedure described here.
6.2 Prior notice of changes
The Processor shall notify the Controller of its intention to add or replace a sub-processor with at least 30 days' notice, by email to the registered address and/or notice in the dashboard. Within that period the Controller may object with reasons. In case of an unresolvable objection, either party may terminate the contract with cessation of the processing concerned.
6.3 Obligations towards sub-processors
The Processor shall impose in writing on sub-processors data protection obligations equivalent to those set out here, and shall be liable to the Controller for the performance of the sub-processors.
7. Data breach (art. 33 GDPR)
In case of personal data breach affecting data processed on behalf of the Controller, the Processor shall:
- Notify the Controller without undue delay and in any case within 24 hours of discovery;
- Provide the information required by art. 33.3 GDPR (nature, categories and approximate number of data subjects and data, likely consequences, measures taken or proposed);
- Cooperate with the Controller in communications to data subjects and to the supervisory authority;
- Document the incident and the actions taken.
Notification to the Controller takes place via email to the registered address and PEC, if available. The Controller remains responsible for external notifications (Italian Data Protection Authority (Garante), data subjects) pursuant to articles 33-34 GDPR.
8. Rights of data subjects (art. 28.3.e GDPR)
If a data subject contacts the Processor directly to exercise rights relating to data processed on behalf of the Controller, the Processor shall forward the request to the Controller without delay and shall not respond on behalf of the Controller unless otherwise instructed.
The Processor makes available to the Controller, in the dashboard and via API, features for:
- Export of a data subject's data (access and portability)
- Rectification
- Erasure or anonymisation
- Restriction of processing
For requests requiring manual technical intervention, the Processor shall respond within 10 working days of receipt of the Controller's instruction.
9. Audit (art. 28.3.h GDPR)
The Processor shall provide the Controller, upon request, with information and documentation demonstrating compliance with this DPA, including:
- Summary of the security measures implemented
- List of sub-processors with locations and transfer bases
- Records of processing activities (relevant extracts)
- Certifications of sub-processors (ISO 27001, SOC 2, DPF) where available
The Controller may conduct audits (directly or through independent third parties bound by confidentiality) with at least 30 days' notice, during business hours, without disrupting operations and no more than once a year (except in case of data breach). Each party bears its own costs.
10. Extra-EU transfers (Chapter V GDPR)
The list of sub-processors with indication of location and legal basis for the transfer is published at vezpa.it/subprocessors. For transfers not covered by an adequacy decision, the Processor adopts:
- Standard Contractual Clauses 2021/914 and supplementary measures where necessary (documented Transfer Impact Assessment);
- Or other appropriate safeguards provided for by art. 46 GDPR.
11. Role of the Controller
The Controller declares and warrants that it:
- Has provided data subjects with the information notice required by articles 13-14 GDPR;
- Has obtained any legal bases (consent, contract, legal obligation) necessary for the processing;
- Issues lawful instructions to the Processor;
- Ensures the proper storage and deletion of data after withdrawal from the Vezpa platform.
12. Confidentiality
Each party shall keep strictly confidential all information received from the other party in the performance of this DPA, for the entire duration of the contract and for 5 years thereafter.
13. Liability
The liability of each party under art. 82 GDPR towards data subjects remains governed by law. In the relations between the parties, the contractual liability regime is that established in the Terms of Service (§9-10), without prejudice to the mandatory allocation provided for by art. 82 GDPR.
14. Termination of processing
Upon termination of the contract for any reason, the Processor shall:
- Make available to the Controller the tools to export its own data in a structured format (CSV/JSON) for 30 days following termination;
- After 30 days have elapsed, delete or anonymise the data processed on behalf of the Controller from production systems;
- Delete the data from backups within the following rotation cycle (typically within 90 days);
- Retain data that Vezpa is required to retain by law (typically: invoicing data and security logs) only for the time imposed by the applicable legislation, maintaining adequate security measures on them.
15. Changes
The Processor may amend this DPA to reflect regulatory developments (e.g. new SCCs, measures of the Italian Data Protection Authority (Garante)) or organisational changes. Substantial changes shall be communicated to the Controller with at least 30 days' notice. If the Controller does not accept, it may withdraw without penalty for the unused portion of the subscription.
16. Governing law
This DPA is governed by Italian law. For disputes, §16 of the Terms of Service applies.
Annex A - Summary description of the processing
| Item | Description |
| --- | --- |
| Nature of processing | Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission to OTA channels and public authorities, erasure |
| Purposes | See §3.1 |
| Categories of data subjects | See §3.2 |
| Categories of data | See §3.3 |
| Duration | For the entire duration of the contract. Specific retention for categories of data as per the Privacy Policy §6 |
Annex B - Technical and organisational security measures (art. 32 GDPR)
Technical measures
- Encryption in transit: HTTPS/TLS 1.2+, HSTS
- At-rest encryption: sensitive fields with django-cryptography, volumes and snapshots encrypted at infrastructure level (DigitalOcean)
- Password hashing with salted PBKDF2 (Django default)
- Authentication: rotating JWT (access 15 min, refresh 180 days with blacklist), optional 2FA TOTP
- Bot blocker and rate limiting to prevent automated attacks
- Role-based access control (manager/assistant/housekeeper/observer)
- Backups managed by the infrastructure provider in the EU
- Application and access logs for anomaly detection
- Secure Storage on the app side: Keychain iOS/macOS, EncryptedSharedPreferences Android, DPAPI Windows
Organisational measures
- Vezpa currently operates as a sole proprietorship without employees; any external collaborators are designated in writing as Processors or Authorised Persons with confidentiality obligations
- Documented incident response procedure
- Records of processing activities (art. 30) kept up to date
- DPA with the main sub-processors
- Privacy by Design and by Default in development phases
- Separation of production / staging / development environments
Annex C - Authorised sub-processors
The current list is published and kept up to date at vezpa.it/subprocessors. At the time of entering into the contract, the list includes (among others):
- DigitalOcean LLC - infrastructure (EU Frankfurt + USA DPF)
- Stripe - payments (EU/USA DPF)
- Google LLC - Firebase Cloud Messaging (USA DPF)
- IONOS SE - email (DE)
- STAAH Limited - OTA channel manager (NZ, adequacy)
- Apple Distribution International Ltd (IE) / Apple Inc. - in-app purchase (Apple does not participate in the DPF, USA transfers via SCC 2021/914)
- Google LLC / Microsoft Corp. - in-app purchase (USA DPF certified active)
- Tuya Smart - smart locks (CN, only if activated by the facility, SCC)
© 2022-2026 Vezpa - All rights reserved