Data Processing Agreement (DPA)

Version 1.1

Last update: 2026-01-03

Data Processing Agreement according to Art. 28 GDPR

Executive Summary

  • This DPA complements our Terms and Conditions for business customers
  • We comply with Art. 28 of the GDPR in the processing of personal data
  • You are the Data Controller; we are the Data Processor
  • We implement technical and organizational measures to protect data
  • We do not transfer data outside the EEA without adequate safeguards

1. Definitions

For the purposes of this Data Processing Agreement (hereinafter, "the Agreement"), the following shall be understood as:

Data Controller (Client):
The natural or legal person who contracts Itineramio services and who determines the purposes and means of personal data processing.
Data Processor (Itineramio):
Alejandro Santalla Sanchez, who processes personal data on behalf of the Controller in the context of providing the service.
Personal Data:
Any information about an identified or identifiable natural person that the Controller enters into the Itineramio platform.
Processing:
Any operation performed on personal data: collection, recording, organization, structuring, storage, adaptation, modification, extraction, consultation, use, communication, dissemination or any other form of enabling access, comparison, interconnection, limitation, deletion or destruction.
GDPR:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.
Data Subject:
Natural person whose personal data is being processed (e.g., guests, end users).

2. Object of the Agreement

This Agreement establishes the conditions under which Alejandro Santalla Sanchez (Data Processor) will process personal data on behalf of the Client (Data Controller) in the context of providing digital manual services for tourist accommodations.

Relationship with Other Documents:

This DPA complements and forms an integral part of:

In case of conflict between this DPA and other documents, the provisions of this DPA shall prevail regarding the processing of personal data.

3. Scope and Nature of Processing

3.1 Purpose of Processing

The Processor will process personal data exclusively for the following purposes:

  • Store and process Client property information
  • Process content of digital manuals created by the Client
  • Generate QR codes and access URLs for guests
  • Collect and process guest reviews
  • Provide usage analytics and metrics
  • Send service-related notifications
  • Provide technical support to the Client

3.2 Nature of Processing

Processing operations:

Collection, recording, organization, structuring, storage, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination (to guests with authorized access), limitation, deletion and destruction of data.

3.3 Categories of Personal Data

Client Data

  • Name and surname
  • Email and phone
  • Postal address
  • Billing and payment data

Guest Data

  • Name (optional)
  • Email (optional)
  • IP address
  • Reviews and comments

3.4 Categories of Data Subjects

  • Tourist accommodation owners and managers (Clients)
  • Guests accessing the digital manuals
  • Client personnel with platform access

4. Processor Obligations

The Processor commits to:

Processing According to Instructions

Process personal data only following documented instructions from the Controller, including regarding transfers of data to third countries or international organizations, unless required to do so by Union or Member State law.

Confidentiality

Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security Measures

Implement all appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, pseudonymization where appropriate, and the ongoing confidentiality, integrity, availability and resilience of processing systems.

Assistance to the Controller

Assist the Controller as far as possible so that it can comply with its obligations to respond to requests for the exercise of data subject rights: access, rectification, erasure, objection, restriction, portability.

Impact Assessments

Help the Controller ensure compliance with obligations relating to data protection impact assessments and prior consultations with the supervisory authority, taking into account the nature of processing and information available.

Data Deletion

Delete or return all personal data to the Controller after the end of the provision of processing services, and delete existing copies, unless retention of the data is required under Union or Member State law.

Audit Information

Make available to the Controller all information necessary to demonstrate compliance with the obligations of Article 28 of the GDPR, as well as allow for and contribute to audits, including inspections, by the Controller or another auditor authorized by the Controller.

5. Sub-processors

The Processor may engage other Processors (Sub-processors) to perform specific processing activities. The Controller authorizes the Processor to engage the following Sub-processors:

Sub-processor     | Service                                  | Location
------------------|------------------------------------------|------------------------
Supabase Inc.     | Database storage                         | EU (Stockholm)
Stripe Inc.       | Payment processing                       | EEA / USA (DPF)
Resend Inc.       | Transactional email delivery             | USA (DPF)
Vercel Inc.       | Hosting and infrastructure               | Global (EU priority)
Anthropic PBC     | AI-powered virtual assistant (chatbot)   | USA (DPF)

Sub-processor Guarantees:

  • All Sub-processors have signed GDPR-compliant data processing agreements
  • The same data protection obligations as those established in this DPA apply
  • The Processor remains fully responsible to the Controller for Sub-processor compliance

Changes to Sub-processors:

The Processor will inform the Controller of any planned change regarding the addition or replacement of Sub-processors with at least 30 days' notice, giving the Controller the opportunity to object to such changes for legitimate data protection reasons.

6. Security Measures

The Processor implements the following technical and organizational measures to ensure the security of personal data:

Encryption and Pseudonymization

  • SSL/TLS (HTTPS) encryption in transit
  • AES-256 encryption of data at rest
  • Bcrypt hash for passwords (factor 12)
  • Signed JWT tokens for authentication

Access Control

  • Multi-factor authentication for administrators
  • Principle of least privilege
  • Granular role and permission management
  • Periodic access review

Monitoring and Audit

  • Access and activity logs
  • Anomaly detection
  • Real-time security alerts
  • Quarterly security audits

Backup and Recovery

  • Automatic daily backups
  • Backup retention for 30 days
  • Disaster recovery plan
  • RTO < 4 hours, RPO < 1 hour

Training and Awareness

  • Annual data protection training
  • Documented security policies
  • Signed confidentiality agreements
  • Incident response procedures

Secure Infrastructure

  • Firewalls and network segmentation
  • DDoS protection (Cloudflare/Vercel)
  • Automatic security updates
  • Monthly vulnerability scanning

Certifications: Our infrastructure providers (Supabase, Vercel, Stripe) have SOC 2 Type II, ISO 27001 and PCI DSS (Stripe) certifications. We review these certifications annually to ensure ongoing compliance.

7. International Transfers

Personal data is stored primarily in the European Union (Supabase eu-north-1 region in Stockholm).

7.1 Transfers Outside the EEA

For some complementary services, it may be necessary to transfer data to third countries:

Stripe Inc. (USA)

Legal basis: Adequacy decision - EU-US Data Privacy Framework

Stripe is certified under the EU-US Data Privacy Framework, recognized by the European Commission as providing adequate data protection.

Resend Inc. (USA)

Legal basis: European Commission Standard Contractual Clauses (SCC)

We have signed the standard SCCs approved by the European Commission with Resend to ensure an adequate level of data protection.

Anthropic PBC (USA)

Legal basis: European Commission Standard Contractual Clauses (SCC)

Anthropic provides the AI service for the virtual assistant (chatbot) of the digital manuals. Guest queries are processed in anonymized form and are not stored permanently on Anthropic's servers.

The Client may request a copy of the safeguards implemented for international transfers by contacting hola@itineramio.com.

8. Data Subject Rights

The Processor will assist the Controller in the exercise of data subject rights:

Assistance Procedure:

  1. If the Processor receives a direct request from a data subject, it will forward it to the Controller within 48 hours
  2. The Processor will provide the Controller with the necessary information and technical assistance to respond to the request
  3. The Controller is solely responsible for responding to the data subject within the legal deadlines (1 month, extendable by 2 months)

Self-Service Tools:

To facilitate compliance, the Processor provides the Controller with self-service tools for:

  • Access: Export data in JSON/CSV format from the control panel
  • Rectification: Edit data directly on the platform
  • Erasure: Delete data from account settings
  • Restriction: Deactivate properties without deleting them

9. Security Breach Notification

In case of a personal data security breach, the Processor will follow this protocol:

Immediate Notification (24h)

The Processor will notify the Controller without undue delay and, at the latest, within 24 hours of becoming aware of the security breach.

Notification Information:

The notification will include, at a minimum:

  • Description of the nature of the security breach
  • Categories and approximate number of affected data subjects
  • Categories and approximate number of affected data records
  • Likely consequences of the breach
  • Measures taken or proposed to remedy the breach
  • Measures proposed to mitigate possible negative effects
  • Contact point for more information

Cooperation:

The Processor will fully cooperate with the Controller and provide all necessary assistance so that it can comply with its obligation to notify the breach to the supervisory authority (AEPD) within 72 hours, and to data subjects when appropriate.

10. Audits and Inspections

The Controller has the right to audit the Processor's compliance with this DPA.

Documentary Audits:

The Processor will provide the Controller, upon request and annually:

  • SOC 2 Type II certifications from infrastructure providers
  • Security audit reports (redacted)
  • Evidence of compliance with security measures
  • Documentation of staff data protection training

On-Site Audits:

The Controller may request an on-site audit with the following conditions:

  • Prior notice of at least 30 days
  • Maximum frequency of one audit per year (unless there is a security breach)
  • Normal business hours and without interfering with Processor operations
  • May be performed by the Controller or qualified external auditor
  • Audit costs borne by the Controller
  • Confidentiality agreement signed by auditors

Access to Facilities:

Since the Processor uses cloud services, physical access to servers is not applicable. Audits will focus on logical controls, policies and procedures.

11. Duration and Termination

11.1 Duration

This DPA will come into force on the date of acceptance of the Terms and Conditions by the Client and will remain in force as long as the Processor provides services involving the processing of personal data.

11.2 Termination of Processing

Once the provision of processing services has ended, the Processor will:

Option 1: Data Return

At the Controller's request, the Processor will return all personal data in structured format (JSON/CSV) within 30 days of contract termination.

Option 2: Data Deletion

If the Controller does not request return:

  • Personal data will be retained for 90 days after termination
  • After this period, secure and irreversible deletion will proceed
  • A data destruction certificate will be issued at the Controller's request

11.3 Legal Retention

Notwithstanding the above, the Processor may retain personal data to the extent and for the time necessary to comply with legal obligations (e.g., retention of invoices for 6 years according to the Commercial Code), always limiting access to them.

12. Contact

For any questions related to this Data Processing Agreement, you can contact us at:

Data Processor: Alejandro Santalla Sanchez

Data Protection Officer: hola@itineramio.com

Contact email: hola@itineramio.com

Address: Calle Músico Pau Casals 16, 3ºA, 03010 Alicante, España
