Hotel Response LLC – Data Processing Addendum (DPA)

Effective Date: October 4, 2025
Last Updated: October 4, 2025

This DPA forms part of the Terms of Service (“Agreement”) between Hotel Response LLC (“Processor,” “we,” “our”) and the Customer (“Controller,” “you,” “your”).

1. Purpose

This DPA governs how we process personal data on your behalf when you use the Hotel Response™ SaaS platform.
It is intended to meet requirements of the EU/UK GDPR, CCPA/CPRA, and similar global data-protection laws.

2. Roles of the Parties

• Controller: You, the Customer, determine the purpose and means of processing personal data.

• Processor: Hotel Response LLC processes that data solely to deliver the services under the Agreement.

• Sub-Processors: We use trusted third-party service providers (e.g., HighLevel, Twilio, Mailgun, AWS, Stripe) to support the platform.

3. Scope of Processing

We process personal data such as:

• contact information (e.g., names, emails, phone numbers, company/hotel info),

• booking/event details,

• communications data (e.g., SMS, email, call records),

• metadata for performance, analytics, and troubleshooting.

Processing is limited to:

• providing, maintaining, and improving the SaaS platform,

• enabling messaging, CRM, reporting, and billing features,

• meeting legal obligations (e.g., tax, fraud prevention, security).

We will not:

• sell or rent Customer Data, or

• process Customer Data for our own marketing or unrelated purposes.

4. Controller Obligations

You are responsible for:

• ensuring you have a lawful basis (e.g., consent or legitimate interest) for all personal data imported or collected via the Service,

• maintaining an up-to-date privacy notice for your contacts,

• honoring all data-subject rights requests (access, deletion, correction, objection), and

• configuring forms and workflows to comply with TCPA/A2P, CAN-SPAM, GDPR, and other laws.

5. Processor Obligations

1. Process Customer Data only on your documented instructions.

2. Keep Customer Data confidential and restrict access to authorized personnel.

3. Maintain appropriate technical and organizational security measures, including encryption in transit (HTTPS/SSL), role-based access, and multi-factor authentication.

4. Provide reasonable assistance to you in fulfilling data-subject requests and legal obligations related to processing.

5. Notify you without undue delay and no later than 72 hours of any personal-data breach that is likely to require reporting to authorities or affected individuals.

6. Delete or anonymize Customer Data within 30 days of account termination, except as required by law.

6. Sub-Processors

You grant us general authorization to engage sub-processors needed to deliver the Service.

A current list includes:

• HighLevel (platform infrastructure)

• Twilio (SMS/MMS/voice)

• Mailgun (email delivery)

• AWS (cloud hosting)

• Stripe (payment processing)

• Other vendors as reasonably necessary for support, security, and analytics.

We will ensure all sub-processors are bound by written agreements with equivalent data-protection obligations.

7. International Transfers

We primarily process data in the United States.
If data is transferred internationally, we will rely on lawful transfer mechanisms (e.g., SCCs – Standard Contractual Clauses) to ensure adequate protection.

8. Confidentiality

All Customer Data is treated as confidential information.
We will not disclose it to third parties except as necessary to provide the Service or comply with law.

9. Liability

Liability for any breach of this DPA is limited as described in the Terms of Service.

10. Duration

This DPA remains in force for as long as we process personal data on your behalf under the Agreement.

11. Contact

For privacy and data-protection inquiries:

📧 [email protected] | 📧 [email protected] | 📞 +1-404-800-7036