SUB-PROCESSORS

Vezpa - Property Management System

List pursuant to art. 28.4 GDPR

Last updated: 19 April 2026

📌 Legal precedence: this document is a courtesy translation of the Italian original. In case of any discrepancy between this translation and the Italian version, the Italian version shall prevail as the legally binding reference. Italian original available here: https://vezpa.it/subprocessors/.
Purpose of this page: it lists the providers (sub-processors) that Vezpa uses to deliver the service, each with location, purpose and legal basis for data transfer. The list is an integral part of the Data Processing Agreement.
Prior notice of changes: any additions or replacements are communicated to Data Controllers (customer facilities) with at least 30 days' notice by email and dashboard, allowing exercise of the right to object (art. 28.2 GDPR).

1. Active sub-processors

1.1 Infrastructure and storage

Provider Location Purpose Data processed Transfer basis
DigitalOcean LLC
101 Ave of the Americas, New York, NY 10013, USA
EU servers (Frankfurt - FRA1) + USA headquarters Hosting servers, PostgreSQL database, Redis, Spaces object storage, CDN All platform data EU DPF SCC as fallback

1.2 Payments

Provider Location Purpose Data processed Transfer basis
Stripe Payments Europe Ltd
1 Grand Canal Street Lower, Dublin, Ireland
(with Stripe Inc., San Francisco, CA, USA)
EU (IE) + USA Card payment processing, anti-fraud, guest payment links Card data (managed by Stripe, not stored by Vezpa), email, amount, reference booking EU DPF

1.3 Communications

Provider Location Purpose Data processed Transfer basis
IONOS SE
Elgendorfer Str. 57, 56410 Montabaur, Germany
EU (DE) Transactional emails, vezpa.it email server, PEC Recipient email address, email content, metadata EU
Google LLC - Firebase Cloud Messaging
1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA
(via Google Ireland Ltd)
EU (IE) + USA Sending push notifications to mobile and desktop devices Device FCM token, technical identifiers, notification payload (booking metadata only, no sensitive PII) EU DPF

1.4 OTA Channel Manager

Provider Location Purpose Data processed Transfer basis
STAAH Limited
Auckland, New Zealand
New Zealand Synchronisation of bookings, availability and rates with ~60 OTA channels Booking data (guest name, dates, room, rate, contacts) EU Adequacy (Decision 2013/65/EU)

1.5 In-app purchase and app distribution

Provider Location Purpose Data processed Transfer basis
Apple Distribution International Ltd
Hollyhill Industrial Estate, Hollyhill, Cork, Ireland
(with Apple Inc., Cupertino, CA, USA)
EU (IE) + USA App Store distribution iOS/macOS, subscription management (StoreKit) Store account ID, purchase token, subscription status EU SCC — Apple does not participate in the DPF; USA transfers are governed by SCC 2021/914
Google Ireland Ltd / Google LLC
Gordon House, Barrow Street, Dublin 4, Ireland
(with Google LLC, USA)
EU (IE) + USA Play Store Android distribution, subscription management (Play Billing) Store account ID, purchase token, subscription status EU DPF
Microsoft Ireland Operations Ltd / Microsoft Corp.
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
EU (IE) + USA Microsoft Store Windows distribution, subscription management Store account ID, subscription status EU DPF

1.6 Optional integrations (only if activated by the facility)

Provider Location Purpose Data processed Transfer basis
Tuya Smart (Hangzhou Tuya Information Technology Co., Ltd.)
Hangzhou, China
China Management of smart locks and home automation Device identifiers, access events SCC Optional

2. Independent Data Controller recipients

The following subjects are not sub-processors but independent Data Controllers that receive data for legal obligations or their own relationship with the data subject. They are listed here for transparency:

2.1 Public authorities (legal obligation of the Controller)

Governmental connectors are activated only if the facility is located in the corresponding State. Connection credentials are configured by the facility itself; Vezpa does not store credentials in clear text.

2.2 OTAs and metasearch (contractual relationship with the traveller)

The OTA channels activated by the facility receive booking and inventory data. They fall into the category:

Each OTA applies its own privacy notice. Transfers to extra-EU OTAs are governed by their direct contracts with the facility and/or with the traveller.

3. Legend

4. Change history

Date Change
19 April 2026 First publication of the public list

Contacts

For questions about sub-processors or to object to a change:

[email protected]
PEC: [email protected]


© 2022-2026 Vezpa - All rights reserved | Privacy Policy | Terms of Service | Cookie Policy | GDPR | DPA | Sub-processors