Data Processing Agreement

• "Personal Data" means any information relating to an identified or identifiable natural person, including hotel guest names, contact details, booking history and payment references.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure and deletion.
• "Controller" means the hotel, property or business entity that determines the purposes and means of processing Personal Data.
• "Processor" means DJUBO, which processes Personal Data on behalf of the Controller.
• "Sub-processor" means any third party engaged by DJUBO to process Personal Data on behalf of the Controller.
• "Data Subject" means the individual whose Personal Data is being processed — typically a hotel guest or staff member.
• "Applicable Law" means all laws and regulations applicable to the processing of Personal Data, including the Information Technology Act 2000 (India) and where applicable the GDPR.

2.1 Controller obligations

The Controller (your hotel) is responsible for:

• Ensuring there is a lawful basis for processing guest Personal Data
• Providing guests with appropriate privacy notices
• Responding to data subject requests from guests
• Ensuring accuracy of data entered into the DJUBO platform
• Compliance with all applicable data protection laws in your jurisdiction

2.2 Processor obligations

DJUBO as Processor will:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorised to process Personal Data are bound by confidentiality
• Implement appropriate technical and organisational security measures
• Assist the Controller in fulfilling data subject rights requests
• Delete or return Personal Data upon termination of the agreement
• Make available all information necessary to demonstrate compliance with this DPA
• Notify the Controller without undue delay upon becoming aware of a Personal Data breach

3.1 Subject matter

DJUBO processes Personal Data for the purpose of providing hotel management software services including property management, channel management, booking engine, revenue management and related tools as described in the License Agreement.

3.2 Categories of data

DJUBO may process the following categories of Personal Data on behalf of the Controller:

• Guest identification data: name, nationality, passport or ID number
• Contact information: email address, phone number, postal address
• Reservation data: check-in and check-out dates, room type, booking source, booking reference
• Payment references: partial card numbers, payment method (full card data is handled by payment processors, not stored by DJUBO)
• Communication records: guest preferences, special requests, complaints
• Staff data: login credentials, activity logs for platform users

3.3 Duration

DJUBO processes Personal Data for the duration of the active subscription. Upon termination, DJUBO will retain data for a maximum of 90 days during which the Controller may export their data. After this period, data will be securely deleted unless retention is required by law.

DJUBO implements the following security measures to protect Personal Data:

4.1 Encryption

• Data in transit: TLS 1.2 or higher for all data transmitted to and from the platform
• Data at rest: AES-256 encryption for stored data
• Database encryption at the storage layer

4.2 Infrastructure

• Hosted on Amazon Web Services (AWS) in the Singapore region (ap-southeast-1)
• AWS data centres are ISO 27001 certified and SOC 2 Type II compliant
• Physical access controls and 24/7 monitoring at data centres
• Automated backups with geographic redundancy

4.3 Access controls

• Role-based access control — staff access only the data necessary for their role
• Multi-factor authentication (MFA) required for all DJUBO staff accessing production systems
• Access logs maintained and reviewed regularly
• Background checks for staff with access to Personal Data

4.4 Incident response

• 24/7 security monitoring and alerting
• Incident response plan with defined escalation paths
• Controller notification within 72 hours of becoming aware of a Personal Data breach that poses risk to data subjects

The Controller authorises DJUBO to engage the following sub-processors to assist in providing the services:

Sub-processor	Purpose	Location
Amazon Web Services (AWS)	Cloud infrastructure and data hosting	Singapore
ZeptoMail (Zohocorp)	Transactional email delivery	India / Global
Razorpay	Payment processing (India)	India
PayU	Payment processing (India & International)	India / Netherlands
PayPal	Payment processing (International)	United States
Airpay	Payment processing (India)	India
Authorize.net	Payment processing (International)	United States
iPay88	Payment processing (Southeast Asia)	Malaysia
PayMaya	Payment processing (Philippines)	Philippines
Google Analytics	Website analytics	United States

DJUBO will notify the Controller of any intended addition or replacement of sub-processors by updating this page. The Controller may object to new sub-processors within 14 days of notification. Continued use of the services after this period constitutes acceptance.

DJUBO's primary data processing infrastructure is located in Singapore (AWS ap-southeast-1). Some sub-processors, including Google Analytics, PayPal and Authorize.net, may transfer data to and process data in countries outside India and Singapore.

Where Personal Data is transferred to countries that may not provide an equivalent level of data protection, DJUBO ensures appropriate safeguards are in place including:

• Standard Contractual Clauses (SCCs) with relevant sub-processors
• Adequacy decisions where recognised by applicable law
• Data Processing Agreements with all sub-processors

The Controller is responsible for handling data subject requests from guests. DJUBO will assist the Controller in responding to such requests within the platform capabilities.

7.1 Supported rights

• Right of access: DJUBO provides data export functionality allowing the Controller to retrieve guest data
• Right to erasure: DJUBO provides guest record deletion tools within the platform
• Right to rectification: Controllers can update guest records directly in the platform
• Right to portability: Data export in standard formats (CSV, JSON) available in the platform

7.2 Response timelines

DJUBO will respond to Controller requests related to data subject rights within:

• Access and portability requests: within 30 days
• Erasure requests: within 30 days, subject to legal retention requirements
• Data breach notifications: within 72 hours of discovery

The Controller has the right to audit DJUBO's compliance with this DPA subject to the following conditions:

• Audits may be conducted no more than once per calendar year
• The Controller must provide 30 days' written notice
• Audits must be conducted during normal business hours and must not disrupt DJUBO's operations
• DJUBO may satisfy audit requests by providing relevant third-party audit reports (e.g. AWS SOC 2 reports) in lieu of direct access

Upon termination of the agreement for any reason:

• DJUBO will make the Controller's data available for export for 90 days following termination
• After 90 days DJUBO will securely delete all Personal Data unless retention is required by applicable law
• DJUBO will provide written confirmation of deletion upon request
• Backups containing Personal Data will be deleted within 180 days of termination

For questions about this DPA or to exercise your rights as a Controller:

• Data Protection Officer: privacy@djubo.com
• Legal enquiries: legal@djubo.com
• Address: DJUBO, First Floor, H62, Sector 63, Noida 201301
• Phone: +91-8595159159

To request a signed copy of this DPA for your records, email legal@djubo.com with the subject line "DPA Signature Request".