Data Processing Agreement (DPA)
Between:
Binary Chronicles N° 302220120, with registered office at Chitaia Street, No. 38, Apartment 1, Chugureti District, Tbilisi, Georgia (hereinafter the “Provider” or “Processor”);
and
Customer, the individual or legal entity subscribing to the Lestis SaaS software (hereinafter the “Customer” or “Controller”).
1. Purpose
This Agreement governs the processing of personal data carried out by the Provider on behalf of the Customer under Article 28 GDPR, exclusively in relation to:
- Personal data of end guests and other individuals whose data are entered into or generated within the Lestis Platform by the Customer in the context of its own business.
- Technical and operational data processed for the Customer’s account.
For the avoidance of doubt, this DPA does not govern the processing of personal data of the Customer’s own administrators/users of the SaaS (billing contact, login account, etc.), for which the Provider acts as an independent Controller, as described in the Provider’s Privacy Policy.
The Provider acts solely under documented instructions from the Customer and does not determine the purposes or means of the processing of the Customer’s end‑guest data.
2. Roles
- Customer: Controller of the personal data of its end guests and any other individuals whose data it enters into the Lestis Platform.
- Provider: Processor in relation to such data, processing them only on behalf of the Customer and according to this DPA and the main SaaS Agreement.
For personal data of the Customer’s own SaaS account users (e.g., admin account, billing contact, login credentials), the Provider acts as an independent Controller, and such processing is regulated by the Provider’s Privacy Policy, not by this DPA.
3. Categories of Data Processed (as Processor)
A. End Guests and Other Individuals (Controller = Customer)
- Identification data: name, surname, contact details (email, phone).
- Booking and stay information: reservation details, dates, room/structure, services, preferences.
- Financial/transactional data: payment-related information via Stripe Connect (tokens/metadata only; no full card numbers are stored by the Provider).
- Any additional notes or information entered by the Customer in free-text fields.
B. Technical and Operational Data (Controller = Customer)
- System and security logs related to the Customer’s use of the platform.
- Backups and storage of the Customer’s data.
- Technical cookies or session identifiers strictly necessary for the functioning of the platform.
Note: Data concerning the Customer’s own SaaS account (e.g., admin username, email, billing contact) are processed by the Provider as Controller and are regulated by the Provider’s Privacy Policy, not by this DPA.
4. Purpose of Processing (as Processor)
- Provision, maintenance, and technical operation of the Lestis Platform for the Customer’s business.
- Hosting, backup, and security of the Customer’s data.
- Technical integrations needed to provide the service (e.g., Stripe Connect for payments, transactional email delivery).
- Technical support and troubleshooting upon documented request of the Customer.
- Compliance with legal obligations of the Provider as Processor in relation to the services rendered to the Customer.
The Provider is not authorized to:
- Use the Customer’s end‑guest data for its own purposes or for marketing.
- Combine or cross-use end‑guest data between different Customers.
- Profile end guests or monitor their behavior beyond what is strictly necessary to provide the service requested by the Customer.
5. Obligations of the Provider
- Process personal data only under documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in line with Article 32 GDPR (e.g., TLS encryption in transit, authenticated access, logging, backups, access control).
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Ensure that any sub-processors are bound by the same data protection obligations as set out in this DPA.
- Assist the Customer in fulfilling its obligations to respond to requests for exercising the data subject’s rights (access, rectification, deletion, restriction, portability, objection).
- Assist the Customer in ensuring compliance with obligations regarding security, personal data breaches, DPIA, and prior consultation with supervisory authorities.
- Notify the Customer without undue delay and within 48 hours after becoming aware of a personal data breach concerning data processed on behalf of the Customer.
- At the Customer’s choice, delete or return all personal data at the end of the provision of services, unless applicable law requires storage.
- Maintain records of DPA acceptance, including timestamp, IP address, and version of the Agreement accepted, and allow audits by the Customer within reasonable limits.
6. Sub‑processors
The Customer authorizes the Provider to use the following sub‑processors for the processing activities described:
| Sub‑processor | Purpose | Location / Note |
|---|---|---|
| Google Cloud Platform | Platform hosting and database | EU – Belgium |
| Stripe Payments Europe | Payment processing (tokens/metadata only) | EU |
| Spaceship / Spacemail | Transactional email delivery | See Spaceship DPA |
Spaceship Clause:
Where the Provider uses “Spaceship” for transactional email delivery or other technical functions, the Customer acknowledges that Spaceship acts as a Processor under its own Data Processing Addendum (DPA). The Provider ensures that, regarding the use of Spaceship as a sub-processor, the same data protection obligations as set out in this Agreement and GDPR are applied, and that any transfers outside the EU/EEA are covered by appropriate safeguards, including, where applicable, Standard Contractual Clauses.
The Provider will keep the list of sub-processors updated and notify the Customer of any intended additions or replacements, thereby giving the Customer the opportunity to object, where reasonably justified, in accordance with Article 28(2)–(4) GDPR.
7. Data Transfers Outside the EU
- The Provider hosts the platform and databases within the EU (e.g., Google Cloud Platform, Belgium).
- There are no systematic transfers of the Customer’s data outside the EU/EEA.
- The Provider may occasionally access the Customer’s data from locations outside the EU/EEA for the purposes of support, maintenance, or business operations. Such access is covered by appropriate safeguards in accordance with GDPR, including Standard Contractual Clauses where applicable.
- If the Provider engages any non-EU/EEA sub-processor in the future, appropriate safeguards will be implemented and the Customer informed accordingly.
8. Duration
This DPA takes effect upon electronic acceptance by the Customer at the time of SaaS registration and remains valid for the entire duration of the SaaS subscription and any period during which the Provider processes personal data on behalf of the Customer. Upon termination of the SaaS Agreement, the Provider shall return or delete all personal data processed on behalf of the Customer, according to the main Contract and Section 5 of this DPA.
9. Changes
Any amendments to this DPA shall be communicated to the Customer at least 30 days in advance. Continued use of the platform after the effective date of the changes constitutes acceptance of such amendments.
10. Governing Law
This DPA is governed by the law of the Republic of Georgia, without prejudice to mandatory provisions of EU data protection law applicable to the Customer, and any dispute shall be resolved according to the terms of the main SaaS Agreement between the Parties.
Electronic Acceptance
The Customer confirms having read and accepted this Data Processing Agreement (DPA) by registering for the Lestis Platform SaaS and ticking the relevant acceptance box.