This Data Processing Agreement ("DPA") supplements the T&Cs and formalises Heroes PMS's obligations as a data processor under the GDPR.
1. Subject matter
Heroes PMS processes your guests' personal data (reservations, guest profiles, messages) for the sole purpose of providing the PMS service.
2. Sub-processors
- OVHcloud — infrastructure hosting (France)
- Stripe — payment processing (Ireland, EU)
- Amazon Web Services (SES) — transactional emails (Ireland, EU)
- Aiosell — channel manager sync (India, Standard Contractual Clauses)
You will be notified by email of any change to this list.
3. Security measures
- TLS 1.3 encryption in transit, AES-256 at rest
- Mandatory two-factor authentication for admin accounts
- Full audit log of every change
- Daily encrypted backups, kept for 30 days
- Annual penetration tests
- Strong password policy (bcrypt 12 rounds)
4. Breach notification
In the event of a data breach, Heroes PMS notifies you within 48 hours with: nature of the breach, categories of affected data, remediation measures taken.
5. Data subject rights
Heroes PMS assists you in responding to rights requests from your own guests (access, rectification, erasure, portability).
6. Contract end
Upon contract termination, your data is returned in a structured format (CSV/Excel) then erased from our systems within 30 days, except where required by law.