Demo gratuita

Acuerdo de procesamiento de datos
SuiteOp Inc

Last Updated: January 21, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between SuiteOp Inc. ("Processor") and the Customer ("Controller") (collectively, the "Parties").

This DPA applies where and only to the extent that SuiteOp processes Personal Data on behalf of the Customer in the course of providing the Service and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Data Protection Laws" means all applicable legislation of the European Union, the European Economic Area and their member states, the UK and Switzerland, including the General Data Protection Regulation (2016/679) ("GDPR").
  • "Standard Contractual Clauses" or "SCCs" means the clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Processing of Personal Data

2.1 Role of the Parties. The Parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the Controller and SuiteOp is the Processor.

2.2 Instructions. SuiteOp shall process Personal Data only in accordance with the Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by law.

3. Personnel

SuiteOp shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data and have committed themselves to confidentiality.

4. Security

SuiteOp shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2.

5. Sub-processing

5.1 Authorization. Customer grants a general written authorization to SuiteOp to engage Sub-processors (listed in Annex 3) to process Personal Data on Customer's behalf.

5.2 Notification. SuiteOp shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors via email or the platform.

6. Data Subject Rights

SuiteOp shall, to the extent legally permitted, assist the Customer by appropriate technical and organizational measures for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights.

7. Personal Data Breach

SuiteOp shall notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach.

8. Return and Deletion

Upon termination of the Service, SuiteOp shall, at the choice of the Customer, delete or return all Personal Data to the Customer, unless applicable law requires storage of the Personal Data.

ANNEX 1: Details of Processing

1. Categories of Data Subjects

  • Guests of the Customer (Property Managers/Hotels).
  • Employees and staff of the Customer.

2. Categories of Personal Data

  • Contact Information: Name, email address, phone number.
  • Stay Details: Reservation dates, property addresses.
  • Verification Data (SuiteVerify): ID/Passport copies, selfies (including biometric data for identity verification).
  • Sensor Data (SuiteMonitor): Noise levels (decibels), temperature, CO2, humidity, and environment levels.
  • Transaction Data: Payment information (via Stripe) and records of purchases/upsells.

3. Nature and Purpose of Processing

  • Automating guest check-in and check-out workflows.
  • Verifying guest identity for security and safety using AI-assisted matching (e.g., matching selfies against government-issued IDs).
  • Monitoring property environment to prevent damage or nuisance.
  • Facilitating communication between hosts and guests.

ANNEX 2: Security Measures

SuiteOp implements the following technical and organizational security measures:

Technical Measures:

  • Encryption:
    • AES-256 encryption at rest for all Restricted data (Guest PII, biometric data)
    • TLS 1.2/1.3 for all data in transit
  • Access Control:
    • Multi-Factor Authentication (MFA) enforced for all administrative access
    • Google Workspace as primary identity provider with Cloudflare Zero Trust for SSO
    • Role-based access control (RBAC) and least-privilege principles
    • Mandatory use of 1Password for credential management
  • Infrastructure Security:
    • Secure cloud hosting on Bubble.io (SOC 2 Type II certified) and AWS (US regions)
    • Network segmentation (production, staging, development environments)
    • Web Application Firewall (WAF) via Cloudflare
  • Monitoring & Logging:
    • Continuous vulnerability scanning in CI/CD pipeline
    • Security event logging with 90-day retention minimum
    • Real-time alerting for security incidents

Organizational Measures:

  • Policies: Comprehensive Information Security Policy framework (see internal policies)
  • Personnel: All personnel sign confidentiality agreements and complete security training
  • Audits: Annual penetration testing by third-party security firm
  • Incident Response: Documented Incident Response Plan with 48-hour breach notification commitment
  • Vendor Management: All sub-processors are assessed for security and GDPR compliance

ANNEX 3: List of Sub-processors

Infrastructure & Hosting:

  • AWS - Cloud Infrastructure & Hosting (USA)
  • Bubble.io - Application Platform & Hosting (USA)
  • Cloudflare - Security & CDN (Global)
  • Google / Gemini AI - Cloud Storage, Analytics & AI Models (USA)

Identity Verification:

  • Authenticate.com - Guest Identity Verification (USA)
  • Chekin.io - Guest Identity Verification (EU)
  • Persona - Guest Identity Verification (USA)

Payment Processing:

  • Stripe - Payment Processing (USA)
  • Guesty / GuestyPay - PMS Integration & Payments (Global)
  • Juspay (Hyperswitch) - Payment Orchestration (Global)

Integration & Communication:

  • Calry - PMS Integration Middleware (Global)
  • Sendgrid - Email Communication (USA)
  • Twilio - SMS Communication (USA)

Internal Tools:

  • 1Password - Password Management (USA)
  • Apple - Device Management (ABM) (USA)

Note: Additional PMS providers connected via suiteop.com/integrations are considered sub-processors to the extent they process data synchronized via the SuiteOp platform. Customer will be notified via email or platform notification of any new sub-processor additions, with at least 30 days' notice to allow for objection.