Legal
Data Processing Agreement
Effective June 7, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Openfolio ("Processor") and the Tenant ("Controller") and applies whenever the Processor processes Personal Data on behalf of the Controller. It is drafted to satisfy Article 28 of the EU/UK GDPR and is compatible with the Pakistan Personal Data Protection Bill once enacted.
1. Scope + Roles
The Controller decides the purposes and means of processing Personal Data uploaded to the Service (guest details, booking records, folios, etc.). The Processor processes that Personal Data only as instructed by the Controller through configuration of the Service and on the documented instructions in this DPA and the Terms.
2. Subject matter, duration, nature, purpose
- Subject matter: hospitality bookings management (calendar, rates, channel sync, guest comms, folio + billing).
- Duration: for as long as the Controller's subscription is active, plus the 30-day post-termination data-access window.
- Nature: storage, retrieval, alteration, transmission, automated decision making is NOT performed.
- Purpose: deliver the Service features the Controller has activated.
3. Types of Personal Data + categories of data subjects
- Personal Data: name, contact details, government ID copies, payment status, booking history, in-stay communications, room preferences, dietary requirements.
- Data subjects: guests of the Controller, staff of the Controller invited to the operations dashboard.
4. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed in our public sub-processor registry (kept current on the Openfolio site). New sub-processors are notified at least 14 days before they begin processing Personal Data, and the Controller has the right to object on reasonable grounds.
5. International transfers
Where Personal Data is transferred to a country outside Pakistan or the EU/UK without an adequacy decision, the Processor relies on the EU Standard Contractual Clauses (Module 2 - Controller-to-Processor) incorporated by reference.
6. Security measures
The Processor maintains the technical and organisational measures listed in the Privacy Policy section 7, which form Annex II to this DPA. The Controller acknowledges those measures provide a level of security appropriate to the risk of processing the Personal Data described above.
7. Personal Data breach notification
On becoming aware of a Personal Data breach affecting the Controller's data, the Processor notifies the Controller without undue delay and in any event within 72 hours, with: a description of the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; the measures taken or proposed to address the breach and mitigate possible adverse effects.
8. Data subject rights
The Processor provides tooling within the Service (CSV export, guest delete, audit log) sufficient for the Controller to respond to data subject rights requests within 30 days. For requests that cannot be fulfilled via self-serve tooling, the Processor assists at no additional cost where the request is in scope of the standard DPA.
9. Audits + inspections
The Processor makes available to the Controller all information necessary to demonstrate compliance with this DPA, including the latest SOC 2 Type II report (when available) and penetration test summary. On-site audits may be conducted once per calendar year with 30 days' notice and at the Controller's expense, subject to a reasonable scope agreed in advance.
10. Return + deletion
On termination of the Controller's subscription, the Processor either deletes or returns all Personal Data to the Controller at the Controller's option. Deletion is completed within 90 days of termination, subject to backup retention windows documented in the Privacy Policy.
11. Liability + indemnity
Liability under this DPA is governed by the limitation of liability clause in the Terms of Service. Nothing in this DPA limits a data subject's right of action against either party under applicable data protection law.
12. Signing this DPA
By signing or accepting the Terms of Service - or by continuing to use the Service after the effective date of this DPA - the Controller is deemed to have entered into this DPA with the Processor. An executed copy is available on request: legal@openfolio.app.