Data Processing Agreement
This Data Processing Agreement (the DPA) governs the processing of personal data carried out by JLabs, digitalne rešitve, Nika Vrečič s.p. on behalf of the user of the Gostly service in accordance with Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR) and applicable data protection legislation.
This DPA forms an integral part of the Terms of Use and applies whenever the user processes personal data through the Gostly service for which the user acts as controller. By registering for or using the service, the user accepts this DPA. In the event of a conflict between this DPA and the Terms of Use regarding the processing of personal data, this DPA prevails.
1. Roles of the parties and subject matter
With respect to the personal data of guests and other individuals that the user enters or processes through the Gostly service, the user acts as the controller and JLabs, digitalne rešitve, Nika Vrečič s.p. acts as the processor.
The subject matter, nature, purpose, and duration of the processing, the types of personal data, and the categories of data subjects are described in Annex A. The processor processes personal data solely to provide the Gostly service and only to the extent necessary for that purpose.
2. Processing on the controller's instructions
The processor processes personal data only on the documented instructions of the controller, which include this DPA, the Terms of Use, and the settings the controller configures in the user account. The processor does not process the data for its own purposes.
Where the processor is required to process by EU or Member State law, it informs the controller of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest. If the processor considers that an instruction infringes data protection legislation, it informs the controller without delay.
3. Confidentiality
The processor ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that personal data is accessed only by persons who need it to provide the service.
4. Security of processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, the processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. An overview of these measures is set out in Annex C.
5. Sub-processors
The controller gives the processor a general written authorisation to engage sub-processors. The list of sub-processors used by the processor at the time this DPA is concluded is set out in Annex B.
The processor concludes a contract with each sub-processor imposing data protection obligations at least equivalent to those under this DPA. The processor remains fully liable to the controller for the performance of the sub-processor's obligations.
The processor informs the controller in advance of any intended replacement or addition of a sub-processor (for example by email or via a notice in the service) and allows a reasonable period to object. If the controller objects on reasonable grounds, the parties endeavour to find a reasonable solution; if none is possible, the controller may terminate the relevant part of the service.
6. Transfers outside the EEA
The processor does not transfer personal data outside the European Economic Area without a valid legal basis. Where such a transfer occurs (for example via a sub-processor), the processor ensures appropriate safeguards under Chapter V GDPR, such as an adequacy decision, standard contractual clauses, or another lawful mechanism.
7. Assistance to the controller
Taking into account the nature of the processing and the information available to it, the processor assists the controller through appropriate technical and organisational measures with:
- responding to requests from individuals exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection),
- fulfilling obligations regarding the security of processing, breach notification, data protection impact assessments, and prior consultation (Articles 32–36 GDPR).
If a request from an individual is received directly by the processor, it forwards it to the controller without undue delay and does not respond to it itself, except on the controller's instructions.
8. Personal data breaches
The processor notifies the controller without undue delay, and no later than 48 hours after becoming aware of a personal data breach, and provides the information reasonably necessary for the controller to fulfil its notification obligations under Articles 33 and 34 GDPR.
9. Deletion and return of data
Upon termination of the provision of the service, the processor, at the controller's choice, deletes or returns all personal data and deletes existing copies, unless EU or Member State law requires retention. The processor may set a reasonable period for carrying out the deletion; copies held in backups are removed as those backups expire in line with the processor's regular retention cycles.
10. Demonstrating compliance and audits
The processor makes available to the controller all information necessary to demonstrate compliance with the obligations under Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by it. Audits are carried out to a reasonable extent, on prior notice, during regular business hours, and in a manner that does not disrupt the processor's operations; the processor may also satisfy such requests by providing relevant certifications or compliance reports.
11. Liability
Liability of the parties under this DPA is assessed in accordance with the provisions of the GDPR and with the limitations of liability agreed in the Terms of Use, to the extent not prohibited by mandatory law.
12. Term and changes
This DPA remains in effect for as long as the processor processes personal data for the controller, or for the duration of the contractual relationship between the parties. The processor may update the DPA due to changes in the service, sub-processors, or legislation; material changes are communicated in advance in an appropriate manner.
Annex A — Description of processing
| Item | Description |
|---|---|
| Subject matter | processing of personal data to provide the Gostly service (communication with guests, in-stay information and assistance, guest notifications, issue reporting, automatic message translation). |
| Nature and purpose | storage, display, transmission, and technical processing of content the controller enters or creates in the service, and enabling communication between host and guest. |
| Duration | for the duration of the contractual relationship and in accordance with retention settings and the controller's instructions. |
| Categories of data subjects | guests of the accommodation provider and users who access the controller's account. |
| Types of personal data | first and last name, contact details, content of communications, stay information, issue reports and attached photographs (with metadata stripped), and other data the controller enters into the service. |
| Special categories of data | the service is not intended for processing special categories of personal data; the controller undertakes not to enter such data into the service unless expressly agreed and lawful. |
Annex B — Sub-processors
| Sub-processor | Purpose and location of processing |
|---|---|
| Hetzner | hosting of infrastructure and the database; location of processing: EU. |
| DeepL | machine translation of message content between guest and host; location of processing: EU. |
| Neoserv | sending of system and notification emails; location of processing: EU. |
An up-to-date list of sub-processors is available to the user on request or via the user account.
Annex C — Technical and organisational measures
- encryption of data in transit (TLS) between clients, the service, and sub-processors,
- storage of passwords in hashed form,
- logical separation of data between tenants (multi-tenant isolation) and access control on a least-privilege basis,
- authentication via a dedicated identity and access management system,
- automatic stripping of metadata (e.g. location) from uploaded photographs,
- regular backups and the ability to restore data,
- maintenance of security and diagnostic records (audit trails),
- monitoring and updating of system and application security.
Contact
For questions regarding this Data Processing Agreement, write to us at hello@gostly.si.