Data Processing Agreement
This data processing agreement (the "DPA") is entered into by and between Juyo BV (registered under number 0552.628.004) (the "Processor") and the Customer as set out above (the "Controller"). The Controller and the Processor are hereinafter together referred to as the "Parties" and each individually as a "Party".
Relationship to the Principal Agreement
This DPA forms part of, supplements and is incorporated by reference into the Principal Agreement, meaning the agreement between the Parties pursuant to which the Processor provides the Services to the Controller, whether concluded by signature or by the Controller's acceptance of the Processor's GTCs by electronic or other means. In the event of any conflict or inconsistency between this DPA and the Principal Agreement on any matter relating to the Processing or protection of Personal Data, this DPA shall prevail; on all other matters, the Principal Agreement shall govern. This DPA shall apply for so long as the Principal Agreement remains in force and the Processor processes Personal Data on behalf of the Controller pursuant thereto. Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Principal Agreement.
Interpretation and Definitions
The terms Data Subject, Personal Data, and Personal Data Breach shall have the meaning given to them in the GDPR. The following terms, when used with a capital letter in this DPA shall have the following meaning:
(a) Applicable Data Law means any law, statute, regulation, rule, code, ordinance, decree, order, judgment, treaty, international convention, or other legal requirement of any Competent Authority that is binding on a Party, the performance of that Party's obligations under this DPA, or the subject matter of this DPA, in each case as amended or replaced and in force from time to time. Applicable Data Law includes the GDPR and all national implementing acts.
(b) Article means any numbered article in this DPA.
(c) Business Day means any day on which commercial banks in Belgium are generally open for business, other than a Saturday, Sunday, or public holiday.
(d) Competent Authority means any supervisory, regulatory, judicial or administrative authority competent under Applicable Data Law.
(e) DPA means this data processing agreement, including the Schedules attached hereto.
(f) GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data, as may be amended from time to time.
(g) GTCs means the Processor's general terms and conditions applicable to its Services.
(h) Schedule means any document attached to this DPA.
(i) Services means all services, functions, responsibilities and outputs provided by the Processor as described in the Principal Agreement.
(j) Sub-Processor means any third party engaged by the Processor who processes Personal Data on behalf of the Controller.
Scope of Processing
1. The Processor shall process Personal Data as necessary for the performance of the Services and in accordance with this DPA, unless the Processor is required by Applicable Data Law to process Personal Data beyond the Controller's instructions. The Processing will cover the categories of Data Subjects, categories of Personal Data, and purposes set out in Schedule 1 of this DPA.
2. This DPA and any other agreement entered into between the Parties in relation to the Services constitute the Controller's instructions to the Processor regarding the Processing of Personal Data. Any additional or alternative instructions shall require the prior written agreement of both Parties and shall be commercially reasonable and technically feasible. The Processor shall be entitled to suspend execution of any instruction that it reasonably believes infringes Applicable Data Law, until the Controller modifies or withdraws such instruction.
Obligations of the Parties
3. The Controller shall: (a) comply with all Applicable Data Law in relation to the Processing of Personal Data under this DPA; (b) be solely responsible for determining the purposes and means of the Processing of Personal Data, including identifying a valid legal basis under Applicable Data Law and, where required, obtaining any necessary consents, notices, or authorizations from Data Subjects or third parties; (c) ensure that any Personal Data provided to the Processor are accurate, complete, up to date and adequate for the intended Processing, and promptly notify the Processor of any relevant changes or inaccuracies; (d) implement and maintain appropriate technical and organizational measures for the protection of Personal Data in respect of all components, systems and credentials under its control, including user workstations, data transfer mechanisms, and access credentials.
4. The Processor shall: (a) process Personal Data only on documented instructions from the Controller, unless required to do so by Applicable Data Law; (b) not process Personal Data for its own purposes; (c) ensure that persons authorized to process Personal Data are subject to confidentiality obligations under contract, policy, or law; (d) implement and maintain technical and organizational measures as described in Articles 17 and 18; (e) provide reasonable assistance to the Controller in fulfilling the Controller's obligations under Applicable Data Law; (f) make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Law.
Assistance to the Controller
5. The Controller shall be solely responsible for enabling Data Subjects to exercise their rights under Applicable Data Law. If a Data Subject contacts the Processor directly, the Processor shall, within a reasonable period, inform the Controller of the request and redirect the Data Subject to the Controller, unless expressly and reasonably otherwise instructed by the Controller or required by Applicable Data Law.
6. The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and consultations with Competent Authorities that are required under Applicable Data Law in connection with the processing carried out under this DPA, subject always to reimbursement of the Processor's reasonable costs.
7. Unless prohibited under Applicable Data Law, the Processor shall inform the Controller without undue delay if it or any Sub-Processor: (a) receives an inquiry, subpoena, inspection request, or audit demand from a Competent Authority relating to the Processing; (b) is required to disclose Personal Data to a Competent Authority outside the scope of the Services; or (c) receives an instruction that the Processor reasonably believes infringes Applicable Data Law.
8. The Processor shall provide such cooperation as is reasonably required to enable the Controller to comply with its statutory obligations, subject always to reimbursement of the Processor's reasonable costs, except where the relevant request or investigation results directly from a fault or negligence of the Processor.
Disclosure
9. The Processor shall not disclose Personal Data to any third party, public authority, or other recipient except: (a) on the documented instructions of the Controller; (b) to authorized Sub-Processors in accordance with Articles 11 to 13; or (c) where required by Applicable Data Law, provided that, where legally permitted, the Processor shall use reasonable efforts to inform the Controller in advance.
10. The Processor shall ensure that any person acting under its authority who has access to Personal Data: (a) is bound by appropriate confidentiality obligations under contract, policy, or law; and (b) accesses Personal Data only where necessary for the performance of their duties.
Use of Sub-Processors
11. The Controller acknowledges and agrees to the Sub-Processors listed in Schedule 2 of this DPA. The Processor may engage additional or replacement Sub-Processors to support the provision of the Services. The Processor shall maintain an up-to-date list of Sub-Processors in Schedule 2, published at https://juyo.ai/data-processing-agreement. The Controller acknowledges that changes to Sub-Processors will be notified by means of an update to the published list. The Controller may object to a new Sub-Processor on reasonable grounds based on compliance with Applicable Data Law by providing written notice within 30 days of the update being published. If the Controller does not object within that period, the Sub-Processor shall be deemed approved.
12. The Processor shall ensure that each Sub-Processor is bound by written obligations providing a level of protection for Personal Data not less than that required under Applicable Data Law.
13. The Processor shall make available to the Controller an up-to-date list of contracted Sub-Processors as set out in Schedule 2 of this DPA, published at https://juyo.ai/data-processing-agreement and updated in accordance with Article 11.
Location of Processing
14. The Processor may process and store Personal Data within the European Economic Area (EEA) and, where required for the provision of the Services, in other jurisdictions, provided that such processing complies with Applicable Data Law.
15. Where the Processing of Personal Data involves a transfer outside the EEA, the Processor shall implement and rely on an appropriate transfer mechanism recognized under Applicable Data Law and shall inform the Controller of the transfer and the mechanism relied upon.
16. If the Processor becomes aware that a transfer mechanism relied upon is no longer valid or effective, it shall inform the Controller. The Processor may continue the relevant transfer for as long as permitted under Applicable Data Law.
Technical and Organizational Measures
17. The Processor shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing. Such measures may include, where appropriate, encryption, access controls, backup and recovery procedures, and regular testing and evaluation.
18. Upon receiving written notice from the Controller, the Processor shall, within a reasonable period, provide a general description of its technical and organizational measures sufficient to demonstrate compliance with Applicable Data Law. The Processor may fulfill this obligation by providing, where available, relevant third-party certifications, audit reports, or equivalent documentation.
Personal Data Breaches
19. In the event of a known or reasonably suspected Personal Data Breach, the Processor shall inform the Controller without undue delay and in any event within 48 hours of becoming aware. At such time, the Processor shall communicate the information then available to it. The Processor shall inform the Controller as further information is obtained, and shall cooperate with the Controller to investigate the Personal Data Breach, take appropriate steps to mitigate its adverse effects, and assist with any notifications to Competent Authorities or Data Subjects as required by Applicable Data Law.
Audit Rights
20. The Processor shall make available to the Controller, upon written request, information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Law. Where available, the Processor may satisfy this obligation by providing up-to-date third-party audit or certification reports.
21. The Controller may carry out an audit (including inspections) only where the information provided under Article 20 is not reasonably sufficient to demonstrate compliance. Any such audit shall: (a) be conducted no more than once in any 12-month period; (b) be subject to at least 30 days' prior written notice; (c) take place during normal business hours; and (d) be strictly limited to documents and systems relevant to the processing of Personal Data under this DPA.
22. Each Party shall bear its own costs in connection with any audit. Any additional cooperation or resources required from the Processor beyond providing existing information or reports shall be subject to reimbursement of the Processor's reasonable costs.
Liability
23. Each Party shall be liable for breaches of its own obligations under this DPA and Applicable Data Law. The Processor shall not be liable for: (a) fines or penalties imposed directly on the Controller, unless and to the extent such fines or penalties result from the Processor's own breach of this DPA or Applicable Data Law; (b) indirect, consequential, punitive or exemplary damages; or (c) losses arising from the Controller's own failure to comply with Applicable Data Law or to give lawful instructions. Notwithstanding the foregoing, the aggregate liability of either Party arising out of or in connection with this DPA shall be subject to the liability cap set out in Article 10 of the Principal Agreement, to the extent permitted by Applicable Data Law.
Deletion and Return of Personal Data
24. The Processor shall retain Personal Data only for as long as necessary to perform the Services or as required by Applicable Data Law. Upon expiry or termination of the Agreement, the Processor shall, at the Controller's choice and within a reasonable period: (a) make available for download to the Controller a copy of the Personal Data in a commonly used format; or (b) securely delete the Personal Data, except to the extent retention is required by Applicable Data Law.
25. Any additional data export, migration, or assistance requested by the Controller beyond the Processor's minimum obligations under the Agreement, this DPA, or applicable law shall be subject to the Processor's standard professional services terms and reimbursement of its reasonable costs.
Term and Termination
26. This DPA shall enter into force on the Effective Date of the Principal Agreement and shall supersede any previously signed Data Processing Agreement. It shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller in the context of the Services.
27. Each Party may terminate this DPA, or the affected part of the Services, with immediate effect by written notice to the other Party if that other Party is in material breach of this DPA and fails to remedy such breach within a reasonable period (not less than 60 days) of receiving written notice thereof.
28. The provisions of this DPA that are expressly stated to survive, or that by their nature should reasonably survive termination or expiry, will remain in effect. This includes the confidentiality, deletion, and liability provisions.
Miscellaneous
This DPA constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior agreements, whether written or oral, relating thereto. Any amendment must be in writing and signed by both parties. If any provision is held invalid or unenforceable, the remainder remains in force, and the parties shall replace the affected provision with one that best reflects its original intent. Notices shall be validly given by email or registered letter. This DPA is governed by Belgian law. The parties shall first seek to resolve disputes amicably and through mediation on a confidential basis; failing resolution within 30 days, the courts of Brussels shall have exclusive jurisdiction.
Schedule 1 — Details of the Processing
Categories of Data Subjects: Customer's employees, contractors, and authorized users of the Services; Customer's customers or end-users (e.g., hotel guests), where such data is uploaded or integrated by the Customer into the Services; other individuals whose data may appear in Customer Data uploaded to the Services.
Categories of Personal Data: (a) user account and authentication data (e.g., name, email address, login credentials); (b) usage data and system interaction data; (c) technical metadata and logs; (d) booking, reservation, or stay-related data; (e) operational or transactional data relating to hotel services; (f) identifiers such as name, contact details, or customer IDs where included in the data sources integrated by the Customer; (g) content of queries, prompts, and AI-generated responses submitted through or generated by the Service, where such content contains personal data.
Purposes of Processing: Provision, operation, security, support, maintenance, and improvement of the SaaS analytics platform; hosting, ingestion, aggregation, analysis, visualization, and reporting of hotel operational and commercial performance data through the analytics platform; technical processing necessary to integrate data sources, generate analytics dashboards, and provide insights through the Services. The Processor also processes Customer Data in order to generate anonymized and aggregated data for benchmarking, market analysis, research, product improvement, and the development of new services. For the purpose of product improvement and AI Feature development, the Processor may also analyse anonymized interaction data, including queries, prompts, and AI-generated responses submitted through the Service, provided that such data is irreversibly de-identified before use for this purpose.
Duration of Processing: For the duration of the Agreement and this DPA, plus any retention period required under Applicable Data Law.
Schedule 2 — List of Current Sub-Processors
- Hetzner Online GmbH — Server infrastructure | Hotel data, analytics data | EU (Germany / Finland)
- Amazon Web Services (AWS) — Server infrastructure | Hotel data, analytics data | EU (Ireland / Germany)
- Anthropic PBC — AI/LLM processing | Hotel data in AI queries | USA (GDPR compliant; EU processing planned 2026)*
- OpenAI OpCo LLC — AI/LLM processing | Hotel data in AI queries | USA* (GDPR compliant)
- Heap Analytics — Product analytics / user behavior analytics | Usage data, analytics data (e.g. user interactions, session data) | USA (GDPR compliant)
- Google Workspace (Google LLC) — Email, docs, meetings | Business comms & collaboration | USA/EU (EU–US Data Privacy Framework / SCCs)*
- Pipedrive OÜ — CRM | Contact & deal data | EU/USA* (SCCs)
- Planhat AB — Customer success platform | Usage & engagement data | EU/USA* (SCCs)
- Slack Technologies LLC — Team communication | Internal comms | USA* (SCCs)
- Zoom Video Communications — Video conferencing | Meeting data | USA* (SCCs)
- Fathom Video Inc. — AI meeting notes | Meeting recordings (internal) | USA* (SCCs)
- Mailchimp (Intuit Inc.) — Email marketing | Customer contact data | USA* (SCCs)
- Hatch BV — Infrastructure support | System data | EU (Netherlands)
- Intercom, Inc. — Customer support & onboarding | User data, account & hotel configuration data; incidentally PMS data samples/screenshots in support communications | EU (Ireland)* (SCCs)
* Data transfers are governed by Standard Contractual Clauses (SCCs) per Art. 46 GDPR pending EU data residency availability.