Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between VeriStay Ltd ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data in connection with the Services.

1. Definitions

In this DPA:

• "Controller" means the Customer who determines the purposes and means of processing Personal Data
• "Data Protection Laws" means UK GDPR, the Data Protection Act 2018, and any applicable data protection legislation
• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "Processor" means VeriStay Ltd
• "Sub-processor" means any third party engaged by VeriStay to process Personal Data
• "UK GDPR" means the General Data Protection Regulation as it forms part of UK law

2. Scope and Roles

2.1 Controller-Processor Relationship

You are the Controller of Personal Data uploaded to or processed through the Services. VeriStay acts as your Processor when processing Personal Data on your behalf.

2.2 Categories of Data

The categories of Personal Data processed may include:

• Contact information (names, email addresses, phone numbers)
• Property and inspection data
• Images and videos (which may incidentally contain Personal Data)
• Usage data and device information

2.3 Data Subjects

Data subjects may include:

• Your employees and staff
• Property occupants and guests
• Contractors and service providers

3. Processing Instructions

3.1 Purpose Limitation

VeriStay will process Personal Data only:

• For the purpose of providing the Services as described in the Terms
• In accordance with your documented instructions
• As required by applicable law (we will inform you before processing unless prohibited by law)

3.2 Documented Instructions

Your use of the Services constitutes your instructions for processing. Additional instructions must be provided in writing and may be subject to additional fees if they require changes to the Services.

4. Security Measures

VeriStay implements appropriate technical and organisational measures to protect Personal Data, including:

4.1 Technical Measures

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Access controls and authentication
• Firewalls and network security
• Regular vulnerability scanning and penetration testing
• Secure software development practices

4.2 Organisational Measures

• Employee confidentiality agreements
• Security awareness training
• Access limited to authorised personnel on a need-to-know basis
• Incident response procedures
• Business continuity and disaster recovery plans

5. Sub-processors

5.1 Authorisation

You provide general authorisation for VeriStay to engage Sub-processors to assist in providing the Services. VeriStay will:

• Enter into written agreements with Sub-processors imposing data protection obligations no less protective than this DPA
• Remain liable for Sub-processor compliance

5.2 Current Sub-processors

5.3 Changes to Sub-processors

VeriStay will notify you at least 30 days before engaging a new Sub-processor. If you have a reasonable objection, you may notify us within 14 days. If we cannot resolve the objection, you may terminate the affected Services.

6. Data Subject Rights

VeriStay will assist you in responding to requests from data subjects exercising their rights under Data Protection Laws, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction
• Right to data portability
• Right to object

Where possible, you can fulfil requests using self-service features in the Services. For requests requiring our assistance, contact info@veristay.app.

7. Data Breach Notification

7.1 Notification

VeriStay will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data.

7.2 Breach Information

Notification will include (to the extent known):

• Description of the nature of the breach
• Categories and approximate number of data subjects affected
• Categories and approximate number of records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

7.3 Assistance

VeriStay will cooperate with you and provide reasonable assistance to fulfil your breach notification obligations to supervisory authorities and data subjects.

8. International Transfers

Personal Data is primarily stored and processed in the United Kingdom and European Economic Area.

Where transfers occur outside the UK/EEA, VeriStay ensures appropriate safeguards through:

• Standard Contractual Clauses (SCCs) approved by the UK ICO
• Adequacy decisions where available
• Supplementary measures where required

9. Data Retention and Deletion

9.1 During the Agreement

VeriStay will retain Personal Data for the duration of the agreement and in accordance with your retention settings in the Services.

9.2 Upon Termination

Upon termination of the agreement:

• You may export your data for 30 days after termination
• After 30 days, VeriStay will delete or anonymise Personal Data unless retention is required by law
• On request, VeriStay will provide certification of deletion

10. Audit Rights

VeriStay will make available information necessary to demonstrate compliance with this DPA and allow for audits.

10.1 Third-Party Audits

VeriStay maintains SOC 2 Type II certification (in progress) and will provide audit reports on request under NDA.

10.2 Customer Audits

For Enterprise customers, on-site audits may be conducted with at least 30 days' notice, during business hours, no more than once per year, and subject to confidentiality requirements. Audit costs are borne by the Customer.

11. Data Protection Impact Assessments

VeriStay will provide reasonable assistance if you are required to conduct a Data Protection Impact Assessment (DPIA) in relation to your use of the Services.

12. Confidentiality

VeriStay ensures that persons authorised to process Personal Data:

• Are bound by confidentiality obligations
• Process Personal Data only as instructed
• Receive appropriate data protection training

13. Term and Termination

This DPA remains in effect for as long as VeriStay processes Personal Data on your behalf. Termination of the main agreement automatically terminates this DPA.

14. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms and Conditions.

15. Contact Us

For questions about this DPA or to request an executed copy:

VeriStay Ltd
Data Protection Officer
128 City Road
London EC1V 2NX
United Kingdom

Email: info@veristay.app

Related Documents

• Terms and Conditions
• Privacy Policy
• Acceptable Use Policy