
Data Processing Agreement

Effective: 1 June 2026 · Version 1.0 · Escapra OY · Espoo, Finland · GDPR-compliant

GDPR: This DPA establishes Escapra OY as Processor and the Hotel Partner as Controller for guest personal data transmitted through the platform. It supplements the Hotel Connectivity Agreement and Terms of Service.

1. Introduction

This Data Processing Agreement ("DPA") supplements and is incorporated into the Escapra Terms of Service and the Hotel Connectivity Agreement (together, the "Principal Agreements"). It governs Escapra OY's processing of personal data on behalf of the Hotel Partner in connection with the Escapra platform. This DPA reflects the requirements of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and applicable Finnish data protection law. In the event of a conflict between this DPA and the Principal Agreements, this DPA prevails in respect of data protection matters.

2. Definitions

For the purposes of this DPA:

• "Controller" means the Hotel Partner — the entity that determines the purposes and means of processing personal data in connection with guest bookings.
• "Processor" means Escapra OY — the entity that processes personal data on behalf of the Controller.
• "Personal Data" means, in the context of this DPA: guest full name, email address, and phone number transmitted in connection with booking confirmations.
• "Processing" has the meaning given in GDPR Article 4(2): any operation or set of operations performed on personal data, including collection, recording, organisation, storage, retrieval, use, disclosure, or erasure.
• "Sub-processor" means any third party engaged by Escapra to process personal data in connection with the services.

3. Scope of Processing

Purpose of processing: transmission of guest booking details from the Escapra platform to the Hotel Partner's PMS for the purpose of booking confirmation and fulfilment.

Categories of data subjects: hotel guests making bookings through Escapra's B2B distribution channel.

Categories of personal data: full name, email address, phone number.

Duration: for the term of the Hotel Connectivity Agreement. Upon termination, Escapra will retain personal data only as long as required by applicable law (see Section 5 of this DPA), after which it will be deleted or anonymised.

4. Processor Obligations

Escapra (as Processor) shall:

(a) Process personal data only on documented instructions from the Controller (Hotel Partner), unless required to do so by applicable EU or Finnish law, in which case Escapra will inform the Controller before processing unless prohibited by law.

(b) Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.

(c) Implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as set out in Section 7 of this DPA.

(d) Assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR, taking into account the nature of the processing.

(e) Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

(f) Delete or return all personal data to the Controller at the end of the provision of services, and delete existing copies unless retention is required by applicable law.

(g) Make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and allow for audits conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

5. Sub-processors

The Controller provides general authorisation for Escapra to engage sub-processors. The following sub-processors are currently authorised:

• Amazon Web Services EMEA SARL — cloud hosting and infrastructure (EU-West region, Frankfurt, Germany)
• Stripe Technology Europe Limited — payment processing (Dublin, Ireland)

Escapra will notify the Controller of any intended changes to the list of sub-processors (additions or replacements) at least 30 days in advance. The Controller may object to such changes on reasonable grounds by written notice to Escapra within that period. Escapra shall ensure that sub-processors are bound by data protection obligations equivalent to those in this DPA by way of a written contract.

6. Data Transfers

All personal data covered by this DPA is processed within the European Economic Area (EEA). Escapra does not transfer personal data to third countries (outside the EEA) in connection with the services described in this DPA. Should a transfer outside the EEA become necessary (for example, due to a change in infrastructure), Escapra will ensure that appropriate safeguards are in place as required by GDPR Chapter V before any such transfer occurs, and will notify the Controller in advance.

7. Security Measures

Escapra implements and maintains the following technical and organisational security measures:

• Encryption in transit: TLS 1.3 for all data transmission; HTTPS enforced on all API endpoints.
• Encryption at rest: AES-256 encryption for all personal data stored in Escapra's databases.
• Access controls: Role-based access control; principle of least privilege enforced; multi-factor authentication (MFA) required for staff access to production systems; no shared credentials.
• Incident notification: In the event of a personal data breach, Escapra will notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware, providing sufficient information to enable the Controller to meet its own notification obligations to the relevant supervisory authority.
• Security assessments: Regular internal and third-party security assessments of infrastructure and application security.

8. Data Subject Rights

Where Escapra receives a request directly from a data subject exercising their rights under GDPR (including rights of access, rectification, erasure, restriction, portability, and objection), Escapra will forward the request to the Controller without undue delay. Escapra will provide the Controller with reasonable assistance to enable the Controller to fulfil its obligations to respond to data subject requests within the timeframes required by applicable law (generally 30 days under GDPR Article 12).

9. Governing Law

This DPA is governed by the laws of Finland and the GDPR. Any disputes arising out of or in connection with this DPA that cannot be resolved by good-faith negotiation shall be referred to the District Court of Espoo (Espoon käräjäoikeus), Finland, without prejudice to either party's right to lodge a complaint with a supervisory authority.

10. Contact

For questions regarding this DPA or data protection matters:

dpa@escapra.com
Escapra OY, Rummunlyöjänkatu 11 E 034, 02600 Espoo, Finland