Data Processing Agreement
Effective Date: May 7, 2026
Company: White Town LLC
Address: 75 E 3rd St, Sheridan, WY 82801, United States
Website: https://www.gostify.app/
Email: info@gostify.app
Preamble
This Data Processing Agreement ("DPA" or "Agreement") is entered into between White Town LLC, a Wyoming limited liability company operating the Gostify platform ("Processor" or "Company"), and the Customer who has accepted the Gostify Terms of Service ("Controller" or "Customer"), together referred to as the "Parties."
This DPA forms part of, and is incorporated by reference into, the Gostify Terms of Service available at https://www.gostify.app/. In the event of any conflict between this DPA and the Terms of Service with respect to the processing of personal data, the terms of this DPA shall prevail.
This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions under the UK GDPR and other applicable data protection legislation, with respect to the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Gostify Service.
By accepting the Terms of Service, the Customer agrees to the terms of this DPA. No separate signature is required; acceptance of the Terms of Service constitutes acceptance of this DPA.
1. Definitions
For the purposes of this DPA, the following definitions apply, in addition to those set out in the Gostify Terms of Service:
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- "UK GDPR" means the GDPR as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, the Swiss Federal Act on Data Protection (nFADP), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any other applicable national or state data protection legislation.
- "Personal Data" has the meaning given to it under Applicable Data Protection Law and, for the purposes of this DPA, refers specifically to Guest Data processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" has the meaning given to it under Applicable Data Protection Law and includes any operation performed on Personal Data, whether or not by automated means.
- "Data Subject" means a natural person whose Personal Data is processed under this DPA, specifically a Guest who interacts with a Customer's AI assistant deployed through the Platform.
- "Sub-Processor" means any third party engaged by the Processor to carry out specific processing activities on Personal Data on behalf of the Controller, as listed in Annex B of this DPA.
- "Supervisory Authority" means an independent public authority established under Article 51 of the GDPR or equivalent authority under applicable national law, responsible for monitoring the application of data protection legislation.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed under this DPA.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR, as currently in force and as may be updated from time to time.
- "Technical and Organizational Measures" or "TOMs" means the security measures described in Annex C of this DPA, implemented by the Processor to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
2. Scope and Role of the Parties
2.1 Controller Responsibilities
The Controller determines the purposes and means of processing Personal Data in connection with the use of the Gostify Service. As the data controller, the Customer is solely responsible for:
- Ensuring that a lawful basis exists for the processing of Guest Data through the Platform, as required by Applicable Data Protection Law
- Providing Guests with a transparent and adequate privacy notice before they interact with the Customer's AI assistant, informing them of the processing activities described in this DPA
- Responding to Data Subject rights requests submitted by Guests with respect to the Customer's processing activities, with reasonable assistance from the Processor as described in Section 7
- Ensuring that any instructions given to the Processor regarding the processing of Personal Data are lawful and compliant with Applicable Data Protection Law
- Implementing appropriate measures to ensure and demonstrate that processing carried out under the Customer's direction complies with Applicable Data Protection Law
2.2 Processor Responsibilities
The Processor processes Personal Data only on behalf of the Controller and strictly in accordance with the Controller's documented instructions, except where otherwise required by applicable law. The Processor's obligations under this DPA apply to all personnel and sub-processors engaged in processing Personal Data under this Agreement.
2.3 Nature of Processing
The nature, purpose, subject matter, duration, and categories of Personal Data processed under this DPA are set out in Annex A of this DPA.
3. Processor Obligations
3.1 Processing on Instructions Only
The Processor shall process Personal Data only on documented instructions from the Controller, unless processing is required by applicable law to which the Processor is subject. In such cases, the Processor shall inform the Controller of the legal requirement before processing, unless that law prohibits such notification on grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes Applicable Data Protection Law.
3.2 Confidentiality of Personal Data
The Processor shall ensure that all personnel authorized to process Personal Data under this DPA are bound by appropriate obligations of confidentiality, whether by contract or by statutory obligation. The Processor shall ensure that access to Personal Data is limited to those personnel who require access for the purposes of performing the Service.
3.3 Security Measures
The Processor shall implement and maintain the Technical and Organizational Measures described in Annex C of this DPA to ensure a level of security appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, at minimum:
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256 or equivalent industry-standard encryption
- Access controls and authentication mechanisms ensuring that only authorized personnel can access Personal Data
- Logging and monitoring of access to systems processing Personal Data
- Regular review and testing of security measures
- Physical security controls for data center and infrastructure facilities operated by the Processor or its sub-processors
3.4 Sub-Processing
The Controller provides general authorization for the Processor to engage Sub-Processors as listed in Annex B of this DPA. The Processor shall:
- Notify the Controller of any intended changes to the list of Sub-Processors, including additions or replacements, by providing at least thirty (30) days' prior written notice via email or through a notice published on the Gostify website
- Give the Controller the opportunity to object to changes in Sub-Processors. If the Controller reasonably objects to a new Sub-Processor, the Parties shall discuss the objection in good faith. If the Parties cannot agree, and the Processor proceeds with the Sub-Processor change, the Controller may terminate the affected services without penalty
- Impose data protection obligations on each Sub-Processor that are at least equivalent to those set out in this DPA, by way of a written contract
- Remain fully liable to the Controller for the performance of any Sub-Processor's obligations to the extent that the Sub-Processor fails to fulfill its data protection obligations
3.5 Assistance to the Controller
Taking into account the nature of the processing, the Processor shall assist the Controller, by implementing appropriate Technical and Organizational Measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests for exercising Data Subjects' rights as laid down in Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.
The Processor shall also assist the Controller in ensuring compliance with the Controller's obligations under Articles 32 to 36 of the GDPR, namely: security of processing; notification of Personal Data Breaches to the Supervisory Authority; communication of Personal Data Breaches to Data Subjects; data protection impact assessments; and prior consultation with the Supervisory Authority.
3.6 Deletion or Return of Personal Data
Upon termination or expiry of the Terms of Service, or upon written request from the Controller, the Processor shall, at the Controller's election: (a) delete all Personal Data processed under this DPA and confirm deletion in writing; or (b) return all Personal Data to the Controller in a structured, commonly used, machine-readable format and delete all existing copies thereafter. Deletion shall occur within thirty (30) days of the termination date or receipt of the deletion request, except to the extent that applicable law requires the Processor to retain certain data, in which case the Processor shall notify the Controller of the legal basis for retention and restrict further processing of the retained data.
3.7 Records of Processing Activities
The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, as required by Article 30(2) of the GDPR, containing at minimum: the name and contact details of the Processor and each sub-processor; the categories of processing carried out on behalf of the Controller; transfers of Personal Data to a third country or international organization; and a general description of the Technical and Organizational Measures implemented.
3.8 Cooperation with Supervisory Authorities
The Processor shall cooperate, on request, with the competent Supervisory Authority in the performance of its tasks, to the extent required by Applicable Data Protection Law. The Processor shall promptly notify the Controller of any inquiry, investigation, or audit initiated by a Supervisory Authority in relation to the processing of Personal Data under this DPA.
4. Personal Data Breach Notification
4.1 Notification to Controller
In the event the Processor becomes aware of a Personal Data Breach affecting Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay and, where feasible, within forty-eight (48) hours of becoming aware of the breach. This notification timeline is designed to allow the Controller sufficient time to meet its own seventy-two (72) hour notification obligation to the Supervisory Authority under Article 33 of the GDPR.
4.2 Content of Breach Notification
The Processor's breach notification to the Controller shall include, to the extent available at the time of notification:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records concerned
- The name and contact details of the Processor's point of contact from whom further information can be obtained
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects
Where all the above information is not available at the time of initial notification, the Processor shall provide the information in phases as it becomes available, without undue further delay.
4.3 Remediation
The Processor shall take all reasonable steps to contain and remediate the Personal Data Breach, minimize its impact on Data Subjects, and prevent recurrence. The Processor shall keep the Controller informed of material developments in the investigation and remediation process. The Controller is solely responsible for determining whether notification to the relevant Supervisory Authority and to affected Data Subjects is required under Applicable Data Protection Law and for carrying out such notifications.
4.4 No Acknowledgment of Liability
Notification of a Personal Data Breach by the Processor to the Controller under this Section does not constitute an acknowledgment of fault, negligence, or liability by the Processor.
5. International Data Transfers
5.1 Transfers from the EEA, UK, or Switzerland
Where Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or another third country in connection with the Processor's provision of the Service, such transfers shall be conducted in accordance with Chapter V of the GDPR and equivalent provisions under applicable national law. The Processor shall rely on one or more of the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): the Processor shall enter into the applicable module of the SCCs adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) with the Controller and with relevant Sub-Processors, as required. The Processor may make the applicable SCCs available to the Controller upon written request.
- UK International Data Transfer Agreement (IDTA): for transfers subject to the UK GDPR, the Processor shall rely on the IDTA or the UK Addendum to the EU SCCs, as applicable.
- Swiss nFADP mechanisms: for transfers subject to the Swiss Federal Act on Data Protection, the Processor shall rely on appropriate safeguards as recognized under Swiss law.
- Adequacy decisions: where the European Commission or relevant national authority has adopted an adequacy decision with respect to the destination country, the Processor may rely on that decision as the transfer mechanism.
5.2 Sub-Processor Transfers
The Processor shall ensure that any international transfers of Personal Data carried out by Sub-Processors are subject to equivalent transfer mechanisms as those described in Section 5.1. The Processor shall include appropriate transfer provisions in its agreements with Sub-Processors and shall make relevant documentation available to the Controller upon request.
5.3 Transfer Impact Assessments
Where required by Applicable Data Protection Law, or where the Controller reasonably requests, the Processor shall cooperate with the Controller in conducting a Transfer Impact Assessment (TIA) to evaluate whether the level of protection afforded to Personal Data in the destination country is essentially equivalent to that provided within the EEA. The Processor shall provide relevant documentation and information to support such assessments.
6. Audits and Compliance Verification
6.1 Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA, at the Controller's expense and upon reasonable prior written notice of at least thirty (30) days. Audits shall be conducted during normal business hours, in a manner that minimizes disruption to the Processor's operations, and no more than once per calendar year, unless a Personal Data Breach or a finding of non-compliance by a Supervisory Authority justifies an additional audit.
6.2 Information and Documentation
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including relevant certifications, security assessment summaries, and audit reports prepared by qualified third parties. The Controller agrees to treat all audit findings and Processor documentation as Confidential Information, as defined in the Terms of Service.
6.3 Third-Party Audit Reports
Where the Processor holds current and relevant security certifications or has undergone recent third-party security audits (such as SOC 2 Type II, ISO 27001, or equivalent), the Processor may satisfy all or part of an audit request by providing the Controller with a copy of the relevant audit report or certification summary, subject to confidentiality obligations.
7. Data Subject Rights Assistance
Upon receiving a request from a Data Subject to exercise any right under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, or objection), the Controller is responsible for responding to such requests within the applicable statutory timeframes.
The Processor shall, upon written request from the Controller, provide reasonable technical assistance to facilitate the Controller's response to Data Subject rights requests, including: providing the Controller with access to relevant Personal Data stored in the Platform; assisting in the deletion or rectification of Personal Data as instructed by the Controller; and providing confirmation of processing activities to support the Controller's response.
The Processor shall forward to the Controller without delay any Data Subject rights request received directly by the Processor in connection with Personal Data processed under this DPA, and shall not respond to such requests directly except at the documented instruction of the Controller or as required by applicable law.
The Processor may charge reasonable fees for technical assistance provided under this Section where the volume or complexity of requests imposes a material administrative burden, provided that the Processor notifies the Controller in advance of any applicable fees.
8. Data Protection Impact Assessments
Where the Controller determines that a Data Protection Impact Assessment (DPIA) is required under Article 35 of the GDPR in connection with the processing activities described in Annex A of this DPA, the Processor shall provide reasonable cooperation and assistance to the Controller in conducting such assessment, including by: providing relevant information about the Processor's processing activities, security measures, and Sub-Processor arrangements; making available relevant documentation; and participating in consultations with the Controller's data protection officer or legal advisors where necessary.
The Controller is responsible for determining when a DPIA is required and for conducting and documenting the assessment. The Processor's cooperation under this Section does not constitute an assumption of the Controller's DPIA obligations.
9. Liability and Indemnification
Each Party shall be liable to the other for damages arising from its breach of this DPA in accordance with the liability limitations set out in the Gostify Terms of Service. Nothing in this DPA shall limit the liability of either Party to Data Subjects or to Supervisory Authorities as provided under Applicable Data Protection Law.
Where both Parties are responsible for the same damage suffered by a Data Subject, each Party shall be responsible for the portion of the damage attributable to its own processing activities. The Controller shall indemnify and hold harmless the Processor from and against any claims, fines, penalties, or losses arising from the Controller's failure to fulfill its own obligations as data controller under Applicable Data Protection Law.
The Processor shall indemnify and hold harmless the Controller from and against any claims, fines, penalties, or losses arising directly from the Processor's breach of its obligations as data processor under this DPA, limited to the extent of damage attributable to the Processor's processing activities.
10. Term and Termination
This DPA enters into force on the Effective Date and remains in effect for the duration of the Gostify Terms of Service. This DPA automatically terminates upon termination or expiry of the Terms of Service.
Termination of this DPA does not affect the obligations of either Party with respect to Personal Data that was processed prior to the date of termination. Upon termination, the Processor shall fulfill its obligations under Section 3.6 with respect to deletion or return of Personal Data.
Any provisions of this DPA that by their nature are intended to survive termination, including Sections 4, 5, 9, and this Section, shall survive the termination of this DPA.
11. Updates to This DPA
The Processor may update this DPA from time to time to reflect changes in Applicable Data Protection Law, Sub-Processor arrangements, or Technical and Organizational Measures. The Processor shall provide the Controller with at least thirty (30) days' prior written notice of any material changes. If a change is required to comply with a mandatory legal requirement, shorter notice may be given where necessary. The Controller's continued use of the Service following the effective date of any update constitutes acceptance of the updated DPA.
12. Governing Law
This DPA shall be governed by the laws of the State of Wyoming, United States, except to the extent that Applicable Data Protection Law of the EEA, UK, or another jurisdiction mandatorily applies. Where the Standard Contractual Clauses or other transfer mechanisms are incorporated into this DPA, the governing law specified in those instruments shall apply to those specific provisions.
For Customers located in the EEA or UK, nothing in this DPA limits any rights available to the Controller or to Data Subjects under mandatory provisions of Applicable Data Protection Law in their jurisdiction.
Annex A: Description of Processing Activities
This Annex describes the processing activities carried out by the Processor on behalf of the Controller under this DPA, as required by Article 28(3) of the GDPR.
A.1 Subject Matter of Processing
The Processor processes Personal Data on behalf of the Controller for the purpose of operating the Gostify AI assistant platform, specifically to enable automated guest communication for the Controller's short-term rental accommodation property.
A.2 Duration of Processing
Personal Data is processed for the duration of the active Gostify Subscription and for such additional period as is required to fulfill deletion obligations upon termination, as described in Section 3.6 of this DPA.
A.3 Nature and Purpose of Processing
The processing activities carried out by the Processor include: receiving and storing Guest messages submitted to the AI assistant; processing Guest messages using third-party AI model services to generate automated responses; detecting the language of Guest messages to enable multilingual responses; storing session interaction data for the duration of the session and for the retention period described in the Privacy Policy; generating aggregated and anonymized analytics data for reporting to the Controller; and maintaining logs of system activity for security and technical support purposes.
A.4 Categories of Personal Data
The categories of Personal Data processed under this DPA include:
- Message content: text submitted by Guests to the AI assistant during an interaction session
- Session and technical data: session identifiers, timestamps, session duration, and interaction counts
- Device and network data: IP address (which may be anonymized or truncated), browser type and version, operating system, and device type
- Language data: the language detected from the Guest's query
- Approximate geographic data: country or city-level location inferred from IP address, where technically generated
The Processor does not knowingly process special categories of personal data as defined in Article 9 of the GDPR. Customers must not configure their AI assistant to solicit such data from Guests.
A.5 Categories of Data Subjects
The Data Subjects whose Personal Data is processed under this DPA are Guests: third-party individuals who interact with the Customer's AI assistant deployed through the Gostify Platform. Guests are typically current or prospective guests of, or visitors to, the Customer's short-term rental accommodation property.
A.6 Controller Purposes
The Controller processes Guest Personal Data for the purpose of providing automated guest communication services in connection with the Controller's short-term rental accommodation business, including answering common guest inquiries, reducing the manual workload of property management, and improving guest satisfaction.
Annex B: Approved Sub-Processors
The following categories of Sub-Processors are approved by the Controller as of the Effective Date of this DPA. The Processor shall maintain a current and complete list of named Sub-Processors and shall make it available to the Controller upon written request. Changes to Sub-Processors are subject to the notice requirements in Section 3.4 of this DPA.
B.1 Artificial Intelligence Services
Third-party AI model providers engaged to power the conversational AI functionality of the Platform, including the generation of automated responses to Guest queries. These providers process message content submitted by Guests as part of inference operations. The Processor restricts such providers from using Guest data for their own model training or commercial purposes and maintains data processing agreements with each such provider.
B.2 Cloud Infrastructure and Hosting
Third-party cloud infrastructure and hosting providers used to store data, host the Platform, and ensure service availability. These providers process Personal Data incidentally as part of hosting and infrastructure services. Infrastructure providers are selected from established providers that hold recognized security attestations or certifications, such as SOC 2 Type II reports and ISO 27001 certification, or equivalents.
B.3 Payment Processing
Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, United States. Stripe processes billing and payment data for Subscription management. Stripe is PCI DSS Level 1 certified. Stripe does not process Guest Personal Data as defined in this DPA; its sub-processing role relates solely to Customer billing data.
B.4 Email Delivery Services
Third-party transactional email delivery services used to send operational communications to Customers, including Subscription confirmations, activation notices, and account notifications. These providers process Customer email addresses and message content strictly for delivery purposes.
B.5 Analytics Services
Third-party analytics tools used to collect and analyze aggregated and anonymized usage data for Platform improvement purposes. Where such tools process Personal Data, appropriate controls including IP anonymization, data minimization, and contractual data protection obligations are implemented.
Annex C: Technical and Organizational Measures
The Processor implements the following Technical and Organizational Measures (TOMs) to ensure a level of security appropriate to the risk presented by the processing activities described in Annex A.
C.1 Access Control
- Role-based access controls (RBAC) limiting access to Personal Data to authorized personnel based on the minimum necessary access principle
- Multi-factor authentication (MFA) required for all internal administrative access to systems processing Personal Data
- Regular review and revocation of access rights for personnel who no longer require access
- Unique user credentials for all personnel; shared credentials are prohibited
C.2 Data Encryption
- All Personal Data transmitted between users and the Platform is encrypted in transit using TLS 1.2 or higher
- Personal Data stored at rest is encrypted using AES-256 or equivalent industry-standard encryption
- Encryption keys are managed using secure key management practices and are rotated periodically
C.3 System and Network Security
- Firewalls, intrusion detection systems, and network segmentation implemented to protect infrastructure processing Personal Data
- Regular vulnerability scanning and penetration testing of Platform infrastructure
- Security patches and updates applied to all systems processing Personal Data in a timely manner
- Logging and monitoring of access to and activity within systems processing Personal Data
C.4 Physical Security
- Personal Data is processed and stored exclusively in data centers operated by sub-processors with physical access controls, including badge-based entry, CCTV, and 24/7 security monitoring
- The Processor does not operate physical data centers directly; physical security responsibilities are delegated to infrastructure sub-processors subject to contractual security requirements
C.5 Data Minimization and Pseudonymization
- Personal Data collected and processed under this DPA is limited to what is strictly necessary for the purposes described in Annex A
- IP addresses are anonymized or truncated where technically feasible
- Analytics data is aggregated and anonymized to the extent possible without compromising the functionality of analytics reporting
C.6 Incident Response
- A documented Personal Data Breach response procedure is maintained and tested periodically
- All suspected or confirmed Personal Data Breaches are escalated to designated internal personnel immediately upon detection
- Breach notification procedures comply with the timelines described in Section 4 of this DPA
C.7 Personnel Measures
- All personnel with access to Personal Data receive data protection training appropriate to their role
- Personnel are bound by confidentiality obligations that survive termination of employment or contract
- Background screening is conducted for personnel with privileged access to systems processing Personal Data, to the extent permitted by applicable law
C.8 Business Continuity
- Regular backups of data processed under this DPA are maintained, encrypted, and stored in geographically redundant locations
- Business continuity and disaster recovery plans are documented and tested periodically to ensure restoration of data availability within defined recovery time objectives
Contact for Data Protection Matters
For all inquiries, requests, or communications relating to this DPA, please contact:
White Town LLC
75 E 3rd St, Sheridan, WY 82801, United States
Email: info@gostify.app
Website: https://www.gostify.app/
We aim to respond to all data protection inquiries within five (5) business days.