
Last updated · 2026-05-04 · Pre-launch alpha (Rev. 1.0)

Data Processing Agreement.

This Data Processing Agreement (“DPA”) forms part of the Conforme terms of service between you (the operator — the “Controller”) and Conforme (the “Processor”) and governs every activity in which Conforme processes personal data on your behalf under Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

Where this DPA conflicts with the terms of service, the DPA prevails for matters concerning the processing of personal data. Capitalised terms not defined here have the meanings given in the privacy notice and the terms of service.

Sections
  1. Roles and scope
  2. Subject-matter and processing details
  3. Sub-processors
  4. International transfers
  5. Security measures
  6. Personal data breach notification
  7. Data subject rights
  8. Deletion and return of data
  9. Audit rights
  10. Liability and indemnity
  11. Term and termination
  12. Governing law

1. Roles and scope

For the purposes of GDPR Article 4(7) and 4(8):

  • The operator (the customer named in the Conforme account) is the data controller for all personal data uploaded to, generated by, or transmitted via the Conforme service in connection with the operator’s short-term rental business — including but not limited to guest names, identification documents, dates of stay, and contact details.
  • Conforme is the data processor acting on documented instructions from the operator. The operator’s instructions are constituted by the terms of service, this DPA, the operator’s in-product configuration (e.g. the authorities you direct us to file with), and any further written instructions you give us.

Conforme will process personal data only as necessary to provide the service. We will not process personal data for our own purposes, sell or share personal data with third parties for their own purposes, or combine personal data across operators for any purpose other than aggregated, non-identifiable benchmark statistics.

2. Subject-matter and processing details

Subject-matter
The provision of the Conforme regulatory and operator-intelligence service to the operator, including authority submissions, registration lifecycle management, and (Pro tier) listing-health monitoring and market intelligence.
Duration
For the term of the contract between the operator and Conforme, plus any post-termination period required by law (see section 8).
Nature and purpose
Receipt, storage, transformation, and onward transmission of guest and operator data to authorities the operator has directed us to file with; ancillary support and security operations; and audit-trail generation.
Categories of data subjects
The operator’s authorised users; the operator’s guests; and (where the operator has authorised it) public information about competitor listings.
Categories of personal data
Operator account data (name, email, role); guest identification data (full name, document type and number, document scan, date of birth, nationality, address, dates of stay, payment method); and limited public listing metadata (titles, descriptions, prices — not guest data).
Special categories
None systematically. Identification document scans may incidentally contain biometric reference templates encoded in the document. We minimise exposure by encrypting at rest, restricting access to the duration of an authority submission, and applying the retention rule in section 8.

3. Sub-processors

The operator authorises Conforme to engage the sub-processors listed below. Each sub-processor is bound by a written contract imposing data-protection obligations equivalent in substance to those imposed on Conforme by this DPA.

Stripe Payments Europe Ltd.
Subscription billing and card processing. Region: IE (some processing US). Documents: Privacy · DPA
Resend (and AWS SES, eu-west-1)
Transactional and product email delivery. AWS SES is Resend’s sub-processor configured in eu-west-1. Region: US (control plane) / EU (delivery). Documents: Privacy · DPA
Cloudflare, Inc.
DNS, CDN, WAF, DDoS mitigation. Edge nodes serving European traffic are in the EU. Region: US (EU edge). Documents: Privacy · DPA
Hetzner Online GmbH
Primary application hosting, database, and snapshots. Region: DE (Falkenstein). Documents: Privacy · DPA
Sentry (Functional Software, Inc.)
Error monitoring with PII scrubbing. Hosted on Sentry’s EU region. Region: DE (Frankfurt). Documents: Privacy · DPA
ScrapingBee
Public OTA listing pages for Pro-tier listing-health and market-intel features. Region: FR (Paris). Documents: Privacy
Apify Technologies s.r.o.
Public OTA listing pages and host-profile pages for Pro-tier comp-set sourcing. Region: CZ (Prague). Documents: Privacy · DPA
Migadu
Email mailbox hosting for staff inboxes (e.g. [email protected]). Region: CH (Switzerland — EU adequacy). Documents: Privacy
Inside Airbnb
Public quarterly snapshot dataset for market benchmarks. No operator or guest PII is sent to Inside Airbnb — we ingest their public dataset. Region: US (public dataset). Documents: About

3.1 Adding or replacing a sub-processor

Conforme will give the operator at least 30 days’ prior written notice (by email to the billing address on file, or via in-product banner) before adding a new sub-processor or replacing an existing one. If the operator objects on reasonable data-protection grounds within the notice period, the operator may terminate the affected service without penalty.

4. International transfers

Conforme’s primary infrastructure is in the European Union. Where a sub-processor causes a transfer of personal data outside the European Economic Area, Conforme relies on one of the following safeguards:

  • The European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor) of 4 June 2021 between Conforme and the sub-processor; and / or
  • An applicable European Commission adequacy decision — specifically the EU–US Data Privacy Framework adequacy decision of 10 July 2023 for certified US recipients (Stripe, Cloudflare); and the adequacy decision for Switzerland for the Migadu mailbox host.

Where required, Conforme will perform and document a transfer impact assessment for each non-EEA recipient and apply supplementary measures (encryption in transit and at rest, pseudonymisation in error-monitoring streams) to address identified risks.

5. Security measures

Conforme implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk (GDPR Art. 32). The current measures include:

  • Encryption in transit (TLS 1.2+) on every customer-facing endpoint and every sub-processor link.
  • Encryption at rest of guest identification data using a per-tenant key, decrypted only for the duration of an authority submission.
  • Role-based access control to the production estate, with least-privilege defaults; named-user access only; SSH access via ed25519 key.
  • Daily VM snapshots and hourly database dumps; tested restore procedure.
  • Centralised structured logging with PII scrubbing at the Sentry boundary.
  • Automated vulnerability scanning of dependencies via pip-audit on every CI run; published patch SLA in section 5.2 below.
  • Cryptographic per-organisation audit chain (SHA-256 hash chain over every authority submission attempt) so any post-hoc tampering with the submission record is detectable.
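The audit-chain measure above, as an added example that is not Conforme’s own code: a minimal per-organisation SHA-256 hash chain over submission attempts, with the verification that locates the first tampered or re-linked entry. The record fields, the organisation id and the authority name are constructed placeholders.

```python
import hashlib
import json

# Constructed example: each entry's hash covers the previous entry's hash
# plus a canonical serialisation of the attempt record, so editing any
# recorded attempt (or splicing one out) breaks every later link.

GENESIS = "0" * 64  # chain anchor for the first entry of each organisation


def canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def append_attempt(chain: list, record: dict) -> dict:
    """Append a submission attempt, linking it to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev_hash": prev, "record": record, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> int:
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != expected_prev:
            return i  # link to the previous entry does not match
        if entry_hash(entry["prev_hash"], entry["record"]) != entry["hash"]:
            return i  # record content was changed after hashing
        expected_prev = entry["hash"]
    return -1


def demo() -> tuple:
    # Constructed sample attempts for one organisation (placeholder ids).
    chain: list = []
    for attempt, status in ((1, "accepted"), (2, "rejected"), (3, "accepted")):
        append_attempt(chain, {"org": "org_placeholder", "attempt": attempt,
                               "authority": "authority_placeholder", "status": status})
    before = verify_chain(chain)              # -1: intact
    chain[1]["record"]["status"] = "accepted"  # simulated post-hoc edit
    return before, verify_chain(chain)        # (-1, 1)
```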

5.1 Personnel

Conforme personnel with access to personal data are bound by contractual confidentiality obligations and have received documented training on the GDPR and on Conforme’s information-security policies.

5.2 Vulnerability patching

Conforme commits to apply security patches to all in-scope software within the following SLA from disclosure:

  • Critical (CVSS ≥ 9.0) — 72 hours.
  • High (CVSS 7.0–8.9) — 7 days.
  • Medium / low — next regular release cycle.

6. Personal data breach notification

Conforme will notify the operator without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting the operator’s data. The notification will include, to the extent then known:

  • The nature of the breach, including (where possible) the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach, including (where appropriate) measures to mitigate possible adverse effects.
  • A point of contact for further information.

Where the full information is not available within 72 hours, Conforme will provide an initial notification within that window and follow up with further information as soon as it becomes available.

7. Data subject rights

Conforme will, taking into account the nature of the processing, assist the operator by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the operator’s obligation to respond to requests from data subjects to exercise their rights under Chapter III of the GDPR (Articles 15–22).

The dashboard provides operator-side tools for the most common requests — data export (Art. 20), erasure (Art. 17), and rectification (Art. 16). For any request not satisfiable directly through the dashboard, Conforme will respond to the operator’s onward request within 30 days of receipt.

8. Deletion and return of data

On termination of the contract, the operator may instruct Conforme — via the in-dashboard “Cancel + Delete” flow or by emailing [email protected] — either:

  • To return all personal data to the operator (structured JSON / CSV export); and / or
  • To delete all personal data, except where Conforme is required by EU or member-state law to retain particular records (e.g. tax and statutory record-keeping under Portuguese and Spanish law, which can require up to 7 years).

In the absence of an explicit instruction, Conforme will delete all personal data within 60 days of contract end, retaining only the records that are subject to the statutory retention obligations referenced above.

9. Audit rights

The operator may audit Conforme’s compliance with this DPA once per calendar year on at least 30 days’ prior written notice (more frequently in the event of a personal data breach materially affecting the operator).

  • The audit may be conducted by the operator or by an independent third-party auditor bound by appropriate confidentiality obligations.
  • The audit will be conducted during normal business hours, with reasonable advance scheduling, and in a manner that does not interfere unreasonably with Conforme’s operations.
  • Where a recognised security certification (ISO 27001, SOC 2 Type II) covers the relevant control area, Conforme may satisfy the audit obligation by providing the most recent certification report under NDA.
  • Each party bears its own costs unless the audit reveals material non-compliance, in which case Conforme will reimburse the operator’s reasonable audit costs.

10. Liability and indemnity

Each party’s liability under or in connection with this DPA is governed by the limitation-of-liability clause in the Conforme terms of service, save that nothing in this DPA limits a party’s liability for its own infringement of the GDPR in respect of personal data subject to this DPA where such liability cannot be limited under applicable law.

11. Term and termination

This DPA takes effect on the earlier of (i) the operator’s acceptance of the Conforme terms of service or (ii) Conforme’s first processing of personal data on behalf of the operator, and continues in force until the contract between the operator and Conforme terminates and Conforme has fulfilled its deletion / return obligations under section 8.

12. Governing law

This DPA is governed by the law of the Portuguese Republic, without prejudice to the data subject’s right to bring proceedings before the courts of the EU member state in which the data subject habitually resides, or to lodge a complaint with the data subject’s local supervisory authority.

Questions about this DPA, or to request a counter-signed paper copy on the operator’s letterhead: [email protected].
