Data Processing Agreement (DPA)

Standard Art. 28 GDPR DPA template between PrimeStay (Processor) and the SaaS Platform Client (Controller).

Version 3.1 · Last updated: 17.05.2026

What this is

This is the standard Data Processing Agreement (DPA) by which Filip Ivanović PR PrimeStay (as Processor) governs the processing of personal data on behalf of the Client (as Controller) in the context of the PrimeStay SaaS Platform.

It automatically takes effect upon acceptance of the PrimeStay Terms of Service for any Client who enters third-party data (most commonly guest data) into the Service.

The Client may request a signed (eIDAS-compatible) version by contacting support@primestay.rs.

Domain: SaaS scenario (Layers B and C in the Privacy Policy). For Managed Service joint controllership, see the Property Management Agreement.

1. Parties

Processor: Filip Ivanović PR PrimeStay, Katanićeva 18, 11000 Belgrade, VAT ID 115504426. Contact: support@primestay.rs.

Controller: The Client who has registered an account on the PrimeStay SaaS Platform and accepted the Terms of Service.

2. Subject matter, duration, nature

Roles: Client = Controller. PrimeStay = Processor.

Subject: Processing of personal data the Client enters into the PrimeStay SaaS Platform to perform the Main Agreement.

Duration: The Client's SaaS subscription duration + 30-day export grace period + statutory retention obligations (accounting).

Nature and purpose: Hosting, storage, display, backup, indexing, sending notifications (email, push, in-app), audit log, billing via Paddle.

Categories of data: Guest identifiers (name, phone), notes, booking metadata, Client employee (subuser) identifiers, property owners.

Special categories: Not processed. The Client undertakes not to enter special categories of data into PrimeStay (health, biometric, religious, political, trade union, sexual orientation, criminal records).

3. Controller instructions

PrimeStay processes personal data exclusively on the Client's documented instructions. The Client's acceptance of these terms and the Client's configuration in the SaaS constitute the Client's documented instructions.

PrimeStay will inform the Client if, in its opinion, an instruction infringes GDPR or other law.

4. Security measures (Art. 32 GDPR)

Technical measures: TLS 1.2+ (1.3 preferred); backups encrypted at rest; bcrypt password hashing with cost factor 12; short-lived JWT access tokens with refresh-token rotation and reuse detection; iOS Keychain (kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, NOT included in iCloud Keychain backup) and Android EncryptedSharedPreferences (AES256-GCM, master key in Keystore TEE/StrongBox); multi-tenant isolation enforced on every query; rate-limiting on authentication routes; local MaxMind GeoLite2-City lookup (the IP address never leaves our infrastructure).

Organisational measures: Need-to-know access; SSH key authentication only (no password log-in); AdminAuditLog (append-only, 5-year retention enforced by an automated cron job); SecurityAuditLog (per-user security events, append-only, 5-year retention); global rate-limiting on every API endpoint (60 req/min default, tighter overrides on auth/billing); internal privacy training; documented incident response procedure.

Hosting: Hetzner Online GmbH (Germany, EU) — DPA in place. Backups stored encrypted on the same EU VPS.

5. Sub-processors

The Client gives general written authorisation for the use of sub-processors listed in the Annex (live list at primestay.rs/legal/sub-processors).

PrimeStay notifies the Client at least 30 days before introducing a new sub-processor that processes personal data.

The Client may, within that period, raise a reasonable written objection. If the objection is not resolved by negotiation within 14 days, the Client has the right to terminate the Main Agreement without penalty.

PrimeStay concludes with each sub-processor an agreement with at least the same level of protection as in this DPA, and remains fully liable to the Client.

6. Data subject rights

PrimeStay will reasonably assist the Client (taking into account the nature of processing and information available to PrimeStay) to respond to requests from data subjects under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection).

If a data subject contacts PrimeStay directly, PrimeStay will confirm to the subject that it is a processor and refer them to the Client as Controller, notify the Client of the request without undue delay, and will not respond directly on the substance of the request except on the Client's express instruction.

7. Personal data breach

PrimeStay will notify the Client without undue delay, no later than 48 hours after becoming aware of a breach concerning personal data we process on the Client's behalf.

The notification includes: nature of the breach, categories and approximate number of affected subjects, likely consequences, measures taken or proposed, contact person at PrimeStay.

PrimeStay assists the Client in fulfilling its obligations under Articles 33–34 GDPR.

8. Audit and inspection

The Client has the right, once per year with 30 days' prior written notice, to conduct an audit by way of review of written documentation, written queries, or a third-party auditor under NDA.

PrimeStay currently does not hold SOC 2 Type II or ISO 27001 certification; certification is planned before the first Enterprise client. In the meantime, audit rights are exercised as set out above.

The Client bears its own audit costs; PrimeStay bears the cost of responding to reasonable audit requests.

9. International transfers

Certain sub-processors are located outside the EU/EEA. For such transfers PrimeStay relies on the European Commission Standard Contractual Clauses (SCC, Implementing Decision 2021/914) or on adequacy decisions (UK).

PrimeStay has conducted a Transfer Impact Assessment (TIA) for each US sub-processor in line with Schrems II requirements. TIA results are available to the Client on request under NDA.

10. Term and termination

The DPA takes effect upon acceptance of the Main Agreement and continues for as long as PrimeStay processes personal data on the Client's behalf.

Upon termination of the Main Agreement and expiry of the 30-day grace period, PrimeStay will return all personal data to the Client in JSON (on written request within 30 days) or permanently delete it (default if no export is requested), except to the extent GDPR or national law requires further retention.

Database backups rotate over 30 days. Until the backups containing the data have rotated out and full deletion is complete, PrimeStay guarantees that personal data held in backups will be used only for operational disaster recovery.

11. Liability

PrimeStay's aggregate liability under this DPA is capped at the limit set in the Main Agreement (12-month fee).

If both the Client and PrimeStay are liable for the same damage, they bear it proportionally.

12. General

Governing law: Law of the Republic of Serbia, together with the GDPR.

Jurisdiction: Competent court in Belgrade.

Conflict: In case of inconsistency between the DPA and the Main Agreement, the DPA prevails as regards the processing of personal data.

For a signed (eIDAS-compatible) version of the DPA, contact us at support@primestay.rs.