Note: In case of conflict between language versions, the German version prevails.

Data Processing Agreement (DPA)

pursuant to Art. 28 General Data Protection Regulation (GDPR)

Version 1.0 | Effective from: 2026-05-05

Controller (Client / Host)

Name / Company: completed at contract conclusion

Address: completed at contract conclusion

Email: completed at contract conclusion

Processor (Service Provider)

Better Projects Faster GmbH

Pariser Platz 5A, 70173 Stuttgart

Email: [email protected]

Represented by: Karsten Silz

Preamble and Formation

This DPA forms part of the platform's terms of use and becomes effective automatically upon conclusion of the main contract (registration / subscription). By using the platform, the host agrees to the content of this DPA. A separate signature is not required provided that consent is documented as part of the digital onboarding process.

The processor provides the controller with a web-based platform for managing holiday properties (hereinafter "Platform"). In the course of using the Platform, the processor processes personal data of third parties (in particular the host's guests) on behalf of and under the instructions of the controller.

Art. 1 – Subject Matter and Duration of Processing

  1. The processor processes personal data exclusively on behalf of the controller and in accordance with its instructions (Art. 28(3)(a) GDPR).
  2. Processing takes place for the duration of the existing main contract (service contract) between the parties. After termination, the further handling of data is governed by Art. 9 of this DPA.

1.1 Categories of Data Processed

  • Master data of guests: name, address, email address, telephone number
  • Booking data: check-in/check-out dates, booked accommodation, price
  • Payment-related data: invoice amounts, payment status (no complete payment instrument information)
  • Communication data: email correspondence between host and guests, insofar as processed via the Platform
  • Registration form data: names, nationality, document numbers (where legally required)
  • Tourist tax-relevant information

1.2 Categories of Data Subjects

  • Guests of the controller
  • Other contact persons entered by the controller

1.3 Purposes of Processing

  • Operation of the booking platform and property management system
  • Calendar and availability management
  • Invoice creation and management for the controller
  • Guest communication and automated email templates
  • Fulfilment of statutory registration and tax requirements
  • Provision of analyses and evaluations for the controller

Art. 2 – Controller's Right to Issue Instructions

  1. The processor processes personal data solely in accordance with the controller's documented instructions, unless required to do otherwise by EU or Member State law.
  2. Instructions are issued primarily through the configuration and use of the Platform. Instructions beyond this require written form (email suffices).
  3. The processor shall inform the controller without undue delay if it considers an instruction to violate the GDPR or other data protection provisions.

Art. 3 – Obligations of the Processor

The processor undertakes in particular:

Confidentiality (Art. 28(3)(b), Art. 29 GDPR)

To ensure that persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.

Technical and organisational measures (Art. 32 GDPR)

To implement all measures required pursuant to Art. 32 GDPR (see Annex 1).

Sub-processing (Art. 28(2),(4) GDPR)

To engage further processors only on the basis of the controller's prior written authorisation, which Art. 5 grants as a general authorisation subject to the notification and objection rights set out there.

Assistance (Art. 28(3)(e),(f) GDPR)

To assist the controller in fulfilling data subjects' rights and the obligations under Art. 32–36 GDPR.

Data Protection Officer

To appoint a Data Protection Officer where required by law.

Notification of data breaches (Art. 33, 34 GDPR)

To notify the controller without undue delay (where possible within 24 hours) of any personal data breaches.

Art. 4 – Obligations of the Controller

  1. The controller is solely responsible as the data controller within the meaning of Art. 4(7) GDPR for the lawfulness of processing, in particular for obtaining any required consents.
  2. The controller shall notify the processor without undue delay if it identifies errors or irregularities when reviewing the processing results.
  3. The controller shall designate a contact person for data protection enquiries.
  4. The controller shall ensure that only lawfully obtained personal data is entered into the Platform.

Art. 5 – Sub-processors

  1. The controller grants the processor general authorisation to engage further processors (sub-processors) in accordance with Annex 2 of this agreement.
  2. The processor shall notify the controller of any intended change (addition or replacement) of sub-processors with at least 30 days' advance notice. The controller has the right to object to such changes.
  3. The processor shall ensure that sub-processors enter into data protection obligations equivalent to those agreed in this DPA.

The sub-processors currently engaged are listed in Annex 2.

Art. 6 – Third-country Transfers

  1. Transfers of personal data to third countries (outside the EU/EEA) are made exclusively on the basis of appropriate safeguards pursuant to Art. 44 ff. GDPR (in particular standard contractual clauses pursuant to Art. 46(2)(c) GDPR or adequacy decision).
  2. Cloudflare, Inc. is certified under the EU-U.S. Data Privacy Framework (DPF); standard contractual clauses are additionally in place (see Annex 2). The processor documents the legal basis for each third-country transfer and makes it available upon request.

Art. 7 – Technical and Organisational Measures (TOMs)

The processor implements at least the following technical and organisational measures pursuant to Art. 32 GDPR:

7.1 Confidentiality

  • Encryption of data in transit (TLS 1.2 or higher)
  • Encryption of data at rest (AES-256 or equivalent)
  • Access control via role-based authorisation
  • Strong password policies and two-factor authentication for administrative access

7.2 Integrity

  • Logging of access to and changes in personal data
  • Database integrity checks and regular backups
  • Input validation and protection against injection attacks, following OWASP guidance

7.3 Availability

  • Regular encrypted data backups
  • Disaster recovery plan and documented business continuity management
  • Cloudflare-based hosting with high availability (SLA ≥ 99.5 %)

7.4 Resilience

  • Scalable infrastructure via Cloudflare Workers / Pages
  • Regular penetration tests and security audits
  • Procedures for regularly reviewing the effectiveness of the TOMs

Art. 8 – Controller's Audit Rights

  1. The controller has the right to verify compliance with data protection requirements at the processor's premises through its own inspections or by engaging qualified third parties.
  2. Inspections must be announced with at least 14 days' advance notice. The processor may refuse participation by persons who are in a competitive relationship with the processor.
  3. The processor shall provide the controller with all information necessary to demonstrate compliance with its obligations (Art. 28(3)(h) GDPR), in particular current TOM documentation and any certifications (e.g. ISO 27001).

Art. 9 – Data Backup and Deletion after Contract End

  1. After termination of the main contract, the processor shall make all processed personal data available to the controller for export in a commonly used machine-readable format (e.g. CSV, JSON). The export function is available for at least 30 days after contract end.
  2. After expiry of the 30-day period, the processor shall delete or destroy all personal data of the controller unless statutory retention obligations apply.
  3. Invoices from the processor to the controller (subscription fees) are retained in accordance with statutory retention periods (DE: 8 years; AT: 7 years).
  4. Deletion will be confirmed in writing at the controller's request.

Art. 10 – Rights of Data Subjects

  1. The processor shall assist the controller in fulfilling data subjects' rights (access, rectification, erasure, restriction, portability, objection pursuant to Art. 15–21 GDPR) to the extent technically possible.
  2. Requests from data subjects received directly by the processor will be forwarded to the controller without undue delay. The processor shall not handle such requests independently unless expressly instructed to do so by the controller.

Art. 11 – Term and Termination

  1. This DPA enters into force upon conclusion of the main contract and terminates automatically upon its termination.
  2. The right to extraordinary termination for good cause remains unaffected. Good cause exists in particular where a party seriously breaches material data protection obligations under this DPA.

Art. 12 – Liability

  1. The liability of the parties is governed by Art. 82 GDPR. As between the parties, each party is liable for the damage it caused through a breach of this DPA.
  2. The processor is not liable for processing carried out by the controller without or contrary to an instruction.

Art. 13 – Final Provisions

  1. The law of the country in which the processor is domiciled applies (DE: German law; AT: Austrian law). GDPR rights remain unaffected.
  2. Amendments and additions to this DPA require written form. The processor may announce DPA amendments with at least 30 days' notice by email; continued use of the Platform constitutes consent.
  3. Should individual provisions of this DPA be or become invalid, the validity of the remaining DPA shall not be affected.
  4. This DPA supersedes all prior agreements between the parties on data processing.

Annex 1 – Technical and Organisational Measures (TOMs)

  • Physical access control: Server access exclusively via Cloudflare infrastructure; no physical servers on the processor's own premises
  • System access control: Strong password policy; two-factor authentication for all administrative access
  • Data access control: Role-based access control (RBAC); principle of least privilege
  • Separation of data: Logical separation of tenant data; no transfer of data between customer accounts
  • Transmission encryption: TLS 1.2 or higher for all data transfers; HTTPS enforced via HSTS
  • Storage encryption: AES-256 encryption for data at rest in the database
  • Input control: Logging of all material data changes with timestamp and user
  • Availability control: Daily automated backups; 30-day retention; recoverability tested
  • Order control: Written agreements pursuant to Art. 28 GDPR with all sub-processors
  • Data Protection Impact Assessment: Regular review; DPIA for material changes to processing

Annex 2 – List of Approved Sub-processors

Status: March 2026. Changes to this list are announced with at least 30 days' advance notice (see Art. 5).

  • Cloudflare, Inc. (USA): Hosting, CDN, network security; legal basis: EU-U.S. DPF and SCCs
  • Brevo SAS, formerly Sendinblue (France, EU): Transactional email delivery; legal basis: DPA pursuant to Art. 28 GDPR
  • Payment service provider (to be added): Payment processing; domicile and legal basis to be added

Digital Contract Conclusion

This agreement is accepted in digital form as part of the onboarding process. A separate signature is not required.