This Data Processing Agreement ("DPA") forms an integral part of the T&Cs entered into between the Customer ("Controller") and Heroes PMS SAS ("Heroes PMS", "Processor"). It governs, within the meaning of Article 28 GDPR, the processing by Heroes PMS of personal data on behalf of the Customer.
1. Roles & duration
The Customer remains the controller of the data it processes through the Service (notably its guests' data). Heroes PMS acts as a processor and processes such data only on the Customer's documented instructions. This DPA applies throughout the term of the contract and for as long as Heroes PMS processes data on the Customer's behalf.
2. Description of the processing
- Nature & purpose: hosting, storage, organisation and retrieval of data solely to provide the PMS Service (planning, reservations, operations, messaging, billing, distribution).
- Categories of data subjects: the Customer's guests/clients, prospects, and the Customer's staff (Users).
- Categories of data: identity and contact details, reservation and stay data, exchanges and messages, billing data. The Service is not designed to receive sensitive data (special categories within the meaning of Article 9 GDPR); the Customer undertakes not to enter such data outside the fields designated for that purpose.
3. Documented instructions
Heroes PMS processes data only on the Customer's documented instructions (including for transfers), as set out in the T&Cs, the Service configuration and any subsequent written request. If Heroes PMS considers that an instruction infringes the GDPR, it informs the Customer.
4. Staff confidentiality
Heroes PMS ensures that persons authorised to process the data are bound by confidentiality and trained in data protection. Access is limited on a need-to-know basis.
5. Security measures (art. 32 GDPR)
- Encryption in transit (TLS) and at rest.
- Strong authentication and a robust password policy; passwords are stored only as hashes, never in clear text.
- Logging (audit log) of access and changes.
- Logical segregation of data per property.
- Regular encrypted backups with a defined retention period.
- Continuity and restoration procedures, access control, and periodic security reviews.
6. Sub-processors
The Customer authorises Heroes PMS to use the following sub-processors, each bound by equivalent protection obligations:
- OVHcloud — infrastructure hosting (European Union)
- Stripe — payment processing (EU)
- Amazon Web Services (SES) — transactional emails (EU)
- Aiosell — channel manager sync (India; transfer governed by Standard Contractual Clauses)
Any addition or replacement of a sub-processor is notified to the Customer at least 30 days in advance, allowing the Customer to object on legitimate grounds; failing a reasonable alternative, the Customer may terminate the affected part of the Service.
7. Assistance to the Controller
Heroes PMS assists the Customer, insofar as possible and taking into account the nature of the processing, in: (a) responding to data-subject rights requests (access, rectification, erasure, restriction, portability, objection); (b) ensuring security, notifying breaches and, where applicable, carrying out a data protection impact assessment (DPIA) and prior consultation of the supervisory authority.
8. Breach notification
Heroes PMS notifies the Customer of any personal data breach without undue delay after becoming aware of it, with the relevant information (nature, categories and approximate volume of data and data subjects, likely consequences, measures taken or proposed), to enable the Customer to meet its own notification obligations (art. 33 and 34 GDPR).
9. International transfers
Any transfer of personal data outside the European Union by Heroes PMS or its sub-processors takes place only under appropriate safeguards (an adequacy decision or Standard Contractual Clauses), supplemented where necessary by additional measures.
10. Audit
Heroes PMS makes available to the Customer the information necessary to demonstrate compliance with Article 28 obligations and allows for audits, including inspections, by the Customer or a mandated auditor, subject to reasonable notice, a confidentiality undertaking, and respect for the security of other customers.
11. Fate of data at contract end
Upon termination of the contract, and at the Customer's choice, Heroes PMS returns the data to the Customer in a structured, commonly used and machine-readable format and then deletes it, together with all existing copies, within 30 days, unless a legal obligation requires its retention.
12. Contact
For any question regarding this DPA: hello@heroespms.com.