Data Processing Agreement
Last updated: March 29, 2026
This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service between Konuk ("Processor," "we," "us") and the hotel customer ("Controller," "you," "Customer") who has agreed to the Terms of Service. This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Konuk platform (the "Service").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service, including guest data.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates (primarily hotel guests).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Applicable Data Protection Law" means all applicable laws relating to the processing of Personal Data, including GDPR, CCPA, and any applicable state privacy laws.
2. Roles and Responsibilities
Controller (Customer)
- You are the data controller for all guest Personal Data processed through the Service.
- You determine the purposes and means of processing guest data.
- You are responsible for the lawfulness of processing, including obtaining all necessary consents from guests.
- You are responsible for compliance with all applicable telecommunications laws, including the TCPA, regarding messages sent through the Service.
- You are responsible for responding to Data Subject rights requests from guests (with our assistance as described in Section 7).
Processor (Konuk)
- We process guest Personal Data solely on your behalf and in accordance with your documented instructions.
- We do not determine the purposes of processing guest data independently.
- We do not sell, rent, or disclose guest Personal Data for any purpose other than providing the Service.
- We do not use guest data for our own commercial purposes, including model training, advertising, or analytics beyond what is necessary to provide the Service to you.
3. Scope of Processing
Categories of Data Subjects
- Hotel guests (current, past, and future reservation holders)
- Customer staff members (authorized users of the Service)
Categories of Personal Data
| Category | Data Elements |
|---|---|
| Guest identity | Name, title, language preference |
| Guest contact | Phone number, email address, WhatsApp identifier |
| Reservation details | Check-in/out dates, room number, booking source, number of guests |
| Communication content | SMS, WhatsApp, email, OTA, and social media message content |
| Consent records | Messaging consent status, consent timestamps, opt-out records |
| Satisfaction data | Survey responses, feedback ratings |
| Staff data | Name, email, role, login activity |
Processing Activities
- Receiving and storing guest data from PMS integrations and manual entry
- Sending and receiving messages across SMS, WhatsApp, email, OTA, and social channels
- Processing message content through AI systems to generate draft replies
- Executing automated guest journey sequences (WhatsApp and email)
- Tracking and enforcing messaging consent status
- Generating analytics and reports for the Customer
- Maintaining audit logs for compliance purposes
4. Processing Instructions
- We process Personal Data only in accordance with your documented instructions, which include the configuration you set in the Service (message templates, journey rules, broadcast settings, AI settings).
- If we believe an instruction violates Applicable Data Protection Law, we will promptly inform you.
- We will not process Personal Data for any purpose other than as described in this DPA and the Terms of Service, unless required by applicable law (in which case we will inform you of such requirement before processing, unless legally prohibited).
5. Security Measures
We implement and maintain appropriate technical and organizational security measures, including:
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access control: Role-based access with per-Customer data isolation via row-level security
- Authentication: Secure session management with device tracking
- Credential storage: PMS tokens and API keys stored with application-layer encryption
- Audit logging: Immutable audit trail of all data access, message operations, and consent changes
- Monitoring: Security monitoring and alerting for suspicious activity
- Personnel: All personnel with access to Personal Data are bound by confidentiality obligations
- Incident response: Documented security incident response procedures
6. Sub-processors
Authorized Sub-processors
You authorize the use of the following categories of sub-processors to provide the Service:
| Category | Purpose | Data Processed |
|---|---|---|
| Telecommunications provider | SMS and WhatsApp delivery | Phone numbers, message content |
| Email delivery provider | Email sending | Email addresses, email content |
| Database infrastructure | Data storage | All platform data (encrypted) |
| AI processing provider | Draft reply generation | Message content (not retained for training) |
| Payment processor | Billing | Billing data only |
| Cache and queue provider | Performance and job processing | Message metadata, job payloads |
| OTA connectivity provider | OTA message routing (if OTA add-on active) | OTA message content, guest identifiers |
Sub-processor Obligations
- We enter into written agreements with all sub-processors imposing data protection obligations no less protective than those in this DPA.
- We remain fully liable for the acts and omissions of our sub-processors.
- We will notify you of any intended changes to sub-processors at least 30 days in advance. If you object, you may terminate the affected Service within 30 days.
7. Data Subject Rights
- As the Controller, you are responsible for responding to Data Subject (guest) rights requests, including access, rectification, erasure, restriction, portability, and objection requests.
- We will assist you in fulfilling these requests by providing data export tools, deletion capabilities, and consent management features within the Service.
- If we receive a request directly from a Data Subject, we will promptly redirect them to you (the Controller) and notify you of the request.
- We will provide reasonable assistance within 10 business days of your request.
8. Data Breach Notification
- We will notify you of any confirmed data breach affecting Personal Data within 72 hours of becoming aware of it.
- Notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
- We will cooperate with you in investigating the breach and meeting any notification obligations under Applicable Data Protection Law.
- We will document all breaches, including the facts, their effects, and the remedial actions taken.
9. Data Return and Deletion
- Upon termination of the Service, we will make all Customer data available for export for 30 days.
- After the 30-day retention period, we will permanently delete all Personal Data, except where retention is required by applicable law.
- SMS opt-out records (phone number and opt-out date) are retained indefinitely as required for TCPA compliance.
- Audit logs are retained for 12 months post-termination for compliance purposes, then deleted.
- Upon request, we will provide written confirmation of deletion.
10. International Data Transfers
- Personal Data may be transferred to and processed in the United States.
- For transfers of Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision 2021/914).
- We will implement supplementary measures where necessary to ensure an adequate level of protection for transferred data.
11. CCPA Provisions
For purposes of the California Consumer Privacy Act (CCPA):
- We act as a "service provider" as defined in the CCPA.
- We process Personal Data solely for the business purposes specified in this DPA and the Terms of Service.
- We do not sell Personal Data as defined by the CCPA.
- We do not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA, including any commercial purpose other than providing the Service.
- We certify that we understand the restrictions in this Section and will comply with them.
12. TCPA Responsibility Allocation
This section clarifies the allocation of responsibility for compliance with the Telephone Consumer Protection Act (TCPA) and similar telecommunications laws:
- Customer responsibility: You are solely responsible for obtaining and maintaining all required consents from guests before sending messages through the Service, including prior express consent for transactional messages and prior express written consent for marketing messages.
- Customer responsibility: You are solely responsible for the content, timing, and recipient selection of all messages sent through the Service.
- Platform safeguards: We provide consent tracking tools, automatic opt-out keyword processing, and message blocking for opted-out guests as compliance aids, but these tools do not transfer your TCPA compliance obligations to us.
- Automated journeys: Guest journey automation is delivered via WhatsApp and email only. Automated SMS is not available for journey messages. This is a platform design decision to reduce TCPA risk, but does not eliminate your obligation to obtain appropriate consent for WhatsApp and email communications.
- Indemnification: As stated in the Terms of Service, you agree to indemnify us against any claims, fines, or penalties arising from your messaging practices, including TCPA violations.
13. Audit Rights
- You may request information about our data processing activities and security measures to verify compliance with this DPA.
- We will make available all information reasonably necessary to demonstrate compliance with our obligations.
- Upon reasonable request (no more than once per year), and subject to confidentiality obligations, you may audit our compliance with this DPA. Audits must be conducted with reasonable advance notice and during normal business hours.
- We may satisfy audit requests by providing relevant third-party audit reports or certifications.
14. Term and Termination
- This DPA remains in effect for the duration of the Terms of Service.
- Obligations regarding data deletion, retention, and confidentiality survive termination.
- This DPA automatically terminates when all Personal Data has been deleted or returned in accordance with Section 9.
15. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of confidentiality obligations, indemnification obligations, or violations of Applicable Data Protection Law.
16. Contact
For questions about this Data Processing Agreement or to exercise any rights under it, contact us at:
- Privacy: privacy@konuk.us
- Legal: legal@konuk.us