← Back to Home

Data Processing Agreement

pursuant to Art. 28 of the General Data Protection Regulation (GDPR)

Processor

GuestHive

Robert Roppenecker

7901 4th St N Ste 300
St. Petersburg, FL 33702, USA

Email: support@guesthive.ai

(hereinafter: "Processor")

Controller

The respective User

who has registered on the GuestHive platform

(hereinafter: "Controller" or "Host")

This Data Processing Agreement (DPA) automatically becomes part of the service agreement between the Controller and the Processor upon registration and use of the GuestHive platform. It specifies the data protection obligations pursuant to Art. 28 GDPR.

§ 1 Subject Matter and Duration of Processing

(1) This Agreement governs the processing of personal data by GuestHive on behalf of the Controller in connection with the use of the GuestHive SaaS platform for automated, AI-powered guest communication.

(2) Processing shall take place exclusively within the framework of the main contract (Terms of Service) concluded between the parties and for the purposes specified therein.

(3) The term of this DPA corresponds to the term of the service agreement and ends automatically upon termination thereof, unless provisions regarding data deletion require otherwise.

§ 2 Nature and Purpose of Processing

(1) GuestHive processes personal data of the Controller's guests in order to provide the following services:

Automated AI-powered responses to guest inquiries (chatbot functionality)
Personalized communication based on booking data and guest profiles
Creation and maintenance of a knowledge base about the Controller's property
Synchronization of booking data via connected Property Management Systems (e.g., Smoobu)
Provision of conversation histories and analytics features in the dashboard

(2) The Processor does not process data for its own purposes. GuestHive does not use guests' personal data for its own business purposes, advertising, or profiling.

§ 3 Categories of Personal Data

The following categories of personal data may be processed under this Agreement:

Data Category	Examples	Purpose
Identity data	First name, last name	Personalized guest communication
Contact data	Email address, phone number	Communication channel for guest inquiries
Booking data	Check-in/check-out dates, booking reference, number of guests, property	Contextual communication, personalization
Communication content	Text messages, inquiries, conversation histories	AI-powered response generation, conversation history
Usage data	Message timestamps, platform interactions	Analytics, communication optimization

No special categories of personal data within the meaning of Art. 9 GDPR are processed, unless the Controller explicitly enters such data into the platform.

§ 4 Categories of Data Subjects

The following categories of individuals are affected by this processing:

Guests of the Controller: Individuals who have made a booking with the Controller or submitted a booking inquiry
Prospective guests: Individuals communicating with the Controller via messaging channels without having completed a binding booking

Data of the Controller's employees or other third parties is only processed to the extent that it has been explicitly entered into the platform (e.g., as contact persons in the knowledge base).

§ 5 Rights and Obligations of the Controller

(1) The Controller bears sole responsibility for the lawfulness of data processing, in particular for the existence of an appropriate legal basis under Art. 6 GDPR for processing guest data.

(2) The Controller is entitled to issue instructions to the Processor at any time regarding the processing of personal data. Instructions must be communicated in writing or by email.

(3) The Controller shall ensure that:

guests are informed appropriately about the use of GuestHive and the associated data processing (e.g., in the Controller's privacy policy)
only data for whose processing a legal basis exists is entered into the platform
requests from data subjects (access, erasure, rectification, etc.) pursuant to Art. 15–22 GDPR are processed

(4) The Controller may at any time instruct the Processor to delete, restrict, or export data.

§ 6 Obligations of the Processor

6.1 Processing on Instructions

(1) The Processor processes personal data only on documented instructions from the Controller, unless required to do so by European Union or Member State law to which the Processor is subject.

(2) If the Processor is of the opinion that an instruction infringes the GDPR or other data protection provisions, it shall immediately inform the Controller thereof.

6.2 Confidentiality

The Processor shall ensure that all persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The confidentiality obligation survives termination of the contractual relationship.

6.3 Technical and Organizational Measures (TOMs)

The Processor shall implement all measures required pursuant to Art. 32 GDPR. The specific measures implemented are set out in Annex 2 to this Agreement.

6.4 Sub-Processors

(1) The Processor is authorized to engage sub-processors listed in Annex 1 to this Agreement. The Controller hereby grants general authorization for the engagement of these sub-processors.

(2) The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors with at least 30 days' prior notice. The Controller may object to such changes on reasonable grounds.

(3) Sub-processors shall be subject to the same data protection obligations as the Processor under this Agreement.

6.5 Assistance Obligations

The Processor shall assist the Controller to the extent possible, by appropriate technical and organizational measures, in:

fulfilling data subject rights requests (access, rectification, erasure, restriction, data portability, objection) pursuant to Art. 15–22 GDPR
complying with obligations under Art. 32–36 GDPR (security, breach notification, data protection impact assessments, prior consultation)
responding to inquiries from supervisory authorities

6.6 Data Breaches

The Processor shall notify the Controller of any personal data breach (Art. 4(12) GDPR) without undue delay and in any event within 48 hours of becoming aware of it. The notification shall include at minimum the information required under Art. 33(3) GDPR, to the extent available.

6.7 Deletion and Return after Termination

(1) Upon completion of the processing — at the latest upon termination of the service agreement — the Processor shall delete or return all personal data of the Controller, unless a retention obligation under EU or Member State law applies.

(2) The Controller may request a data export via the platform itself or by written request at any time before termination.

(3) Data will be permanently deleted within 90 days of contract termination at the latest. The Processor shall confirm deletion in writing upon request.

6.8 Audit Rights and Accountability

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and shall allow for and contribute to audits and inspections, including those conducted by the Controller or a mandated auditor. Audits must be announced with at least 30 days' notice and must not disproportionately disrupt the Processor's operations.

§ 7 International Data Transfers

(1) Primary data storage is on Hetzner Cloud servers located in Germany (EU). Transfer of personal data to third countries outside the EU/EEA takes place only to the extent necessary for the operation of sub-processors.

(2) Where personal data is transferred to sub-processors in third countries (particularly the USA), this is carried out on the following legal basis:

Anthropic, PBC (USA): Standard Contractual Clauses (SCCs) pursuant to EU Implementing Decision 2021/914, Module 2 (Controller → Processor) and Module 3 (Processor → Sub-Processor) — available at anthropic.com/legal/data-processing-addendum
Google LLC (USA): Standard Contractual Clauses (SCCs) pursuant to EU Implementing Decision 2021/914, and certification under the EU-US Data Privacy Framework — available at cloud.google.com/terms/data-processing-addendum

Details regarding the sub-processors engaged and the applicable legal bases for international data transfers are set out in Annex 1.

§ 8 Liability

(1) The parties shall be liable for damages caused to a data subject by non-GDPR-compliant processing in accordance with Art. 82 GDPR.

(2) As between the parties: where damage was caused by an instruction of the Controller, the Processor shall not be liable. The Processor shall only be liable to the extent it has breached obligations specifically imposed on it by this Agreement or the GDPR.

§ 9 General Provisions

(1) This DPA shall prevail over any conflicting provisions in other agreements between the parties regarding data protection matters.

(2) Should any individual provision of this Agreement be or become invalid, the validity of the remaining provisions shall not be affected.

(3) Amendments to this Agreement require written or text form (email). GuestHive may update this DPA in the event of material changes to the processing situation or legal requirements and will notify the Controller in a timely manner.

(4) This Agreement is governed by the law of the Federal Republic of Germany and the GDPR as applicable from time to time.

Annex 1 — List of Sub-Processors

The following sub-processors are engaged at the time of conclusion of this Agreement:

Company	Location	Purpose	Third-Country Transfer & Legal Basis
Hetzner Online GmbH	Germany (EU) Industriestr. 25, 91710 Gunzenhausen	Cloud hosting, data storage, server infrastructure	No — data remains in Germany (EU)
Anthropic, PBC	USA 548 Market St, PMB 90375, San Francisco, CA 94104	AI language model (Claude API) for generating guest responses	Yes (USA) — Basis: EU Standard Contractual Clauses pursuant to EU Decision 2021/914, Module 2 & 3 DPA & SCCs → anthropic.com/legal/dpa
Google LLC	USA 1600 Amphitheatre Pkwy, Mountain View, CA 94043	Gemini Embeddings API for semantic knowledge base search	Yes (USA) — Basis: EU Standard Contractual Clauses pursuant to EU Decision 2021/914 + EU-US Data Privacy Framework Cloud DPA → cloud.google.com/terms/dpa
Smoobu GmbH	Germany (EU) Pappelallee 78/79, 10437 Berlin	PMS integration: booking data synchronization	No — data remains in the EU DPA → smoobu.com/en/terms/dpa

GuestHive is obligated to inform the Controller of any planned changes to this list (addition or replacement of sub-processors) with at least 30 days' prior notice.

Annex 2 — Technical and Organizational Measures (TOMs)

GuestHive implements the following technical and organizational measures to protect personal data pursuant to Art. 32 GDPR:

1. Physical Access Control

Server infrastructure is operated exclusively in ISO 27001-certified Hetzner data centers in Germany
Physical access to servers is restricted to authorized data center personnel

2. Logical Access Control (Authentication)

Password-protected access for all systems with strong password policies
User accounts in the dashboard are protected by strong passwords and optionally two-factor authentication (2FA)
SSH key-based authentication for server access — password login disabled
Individually assigned credentials — no shared accounts

3. Authorization Control

Role-based access control (RBAC) — data access on a need-to-know basis
Strict multi-tenancy: each host can only access their own guest data
Database access through dedicated, minimally privileged database users
No direct database access from the public internet — only via internal network interfaces

4. Encryption

In transit: All data transfers are encrypted via TLS 1.2 or higher (HTTPS)
At rest: Database volumes are encrypted (AES-256)
API communication: All requests to sub-processors (Anthropic, Google) are made exclusively over HTTPS
Passwords: User passwords are stored exclusively as bcrypt hashes — no plaintext passwords

5. Availability and Resilience

Regular automated database backups with defined retention periods
System availability monitoring with automated alerts on failures
Operation on scalable cloud infrastructure (Hetzner Cloud) with redundant connectivity

6. Pseudonymization and Data Minimization

Internal logs and analytics data contain no directly identifying data where possible
Only the minimum data required for response generation is transmitted to AI models
Conversation histories are maintained with configurable retention periods

7. Separation Control (Multi-Tenancy)

All records are isolated by tenant ID at the database level
Application-level queries always include a tenant filter
Technical measures prevent unauthorized cross-tenant data access

8. Incident Management

Logging and auditing of security-relevant events
Defined process for detecting, reporting, and remedying security incidents
Notification of the Controller in the event of a data breach within 48 hours

Version: March 2026 | Privacy Policy | Terms of Service | Deutsche Version (AVV)