Data Processing Agreement
Last updated July 2, 2026
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the Staymaker Terms of Service (the “Principal Agreement”) between:
Emil Dellert, trading as Staymaker, Haarweg 11, 48485 Neuenkirchen, Germany (the “Processor”, “Staymaker”)
and
the Customer, being the host entity or individual that has created a Staymaker account and agreed to the Principal Agreement (the “Company”, “Customer”)
(together, the “Parties”).
This DPA takes effect automatically, for each Customer, on the date that Customer accepts the Principal Agreement (the “Effective Date”), without requiring any further signature.
WHEREAS
(A) The Company acts as a Data Controller with respect to the personal data of its team members (cleaners, maintenance staff) and its own account data.
(B) The Company uses the Staymaker Platform, which involves the Processor processing personal data on the Company’s behalf.
(C) The Parties seek to implement a data processing agreement that complies with Regulation (EU) 2016/679 (the “GDPR”) and, to the extent applicable, other Data Protection Laws.
(D) The Parties wish to lay down their rights and obligations accordingly.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Company Personal Data” means any Personal Data Processed by Processor or a Subprocessor on behalf of Company in connection with the Principal Agreement;
1.1.3 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country, including Germany’s Bundesdatenschutzgesetz (BDSG);
1.1.4 “EU Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “Data Transfer” means a transfer of Company Personal Data from the Company or Processor to a Subprocessor, or an onward transfer between a Subprocessor and its own sub-subprocessor, in each case where such transfer would otherwise be restricted by Data Protection Laws;
1.1.7 “Services” means the Staymaker software-as-a-service platform, being cloud-based software for vacation-rental hosts to manage property cleaning and maintenance operations, including automatic task generation from booking calendars, staff scheduling and assignment, in-app team chat, and push notifications (the “Staymaker Platform”);
1.1.8 “Subprocessor” means any third party appointed by Processor to process Company Personal Data in connection with the Services, as listed in Schedule 2.
1.2 The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” have the same meaning as in the GDPR.
2. Processing of Company Personal Data
2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 only Process Company Personal Data on the Company’s documented instructions, which the Parties agree are given by the Company’s use of the Services in accordance with the Principal Agreement and the processing details set out in Schedule 1, unless required to do otherwise by law.
2.2 The Company instructs Processor to process Company Personal Data as necessary to provide the Services described in Schedule 1.
3. Processor Personnel
Processor shall ensure that access to Company Personal Data is limited to personnel and contractors who need it to provide the Services, and that all such individuals are bound by confidentiality obligations.
4. Security
4.1 Taking into account the state of the art, cost of implementation, and the nature, scope, context and purpose of the Processing, Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, consistent with Article 32(1) GDPR.
4.2 These measures include, at minimum: encryption of data in transit and at rest, row-level access controls, authenticated API access to all backend functions, and rate-limiting on sensitive operations.
5. Subprocessing
5.1 The Company grants Processor a general written authorization to engage the Subprocessors listed in Schedule 2 to process Company Personal Data.
5.2 Processor shall give the Company at least 30 days’ advance notice before engaging any new Subprocessor or replacing an existing one, by posting an update to Schedule 2 (or an equivalent published subprocessor list) and notifying the Company by email or in-app notice.
5.3 The Company may object to a new Subprocessor on reasonable data protection grounds within 14 days of notice. If the Parties cannot resolve the objection, the Company may terminate the Services affected by that Subprocessor.
5.4 Processor remains fully liable to the Company for the acts and omissions of its Subprocessors as though they were Processor’s own.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Company, insofar as reasonably possible, in responding to requests to exercise Data Subject rights under Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify the Company if it receives a request from a Data Subject regarding Company Personal Data; and
6.2.2 not respond to that request itself, except on the Company’s documented instructions or as required by law, in which case Processor will inform the Company of that legal requirement first if permitted to do so.
7. Personal Data Breach
7.1 Processor shall notify the Company without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach affecting Company Personal Data, with sufficient information to allow the Company to meet its own notification obligations.
7.2 Processor shall cooperate with the Company and take reasonable steps to assist in investigating, mitigating, and remediating any such breach.
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Company with any data protection impact assessments and related consultations with Supervisory Authorities that the Company reasonably considers required under Articles 35 or 36 GDPR, to the extent these relate to Processor’s Processing of Company Personal Data.
9. Deletion or Return of Company Personal Data
9.1 Within 30 days of the Company’s account being closed or the Principal Agreement otherwise ending (the “Cessation Date”), Processor shall delete all Company Personal Data, except to the extent retention is required by law.
9.2 Processor shall confirm deletion to the Company in writing on request.
10. Audit Rights
10.1 Processor shall make available to the Company, on reasonable request, the information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits by the Company or its mandated auditor, subject to reasonable notice and confidentiality.
10.2 Given Processor’s size, audits under 10.1 may be satisfied by Processor providing written responses to a security questionnaire and evidence of its Subprocessors’ own certifications, rather than an on-site audit, unless the Company reasonably requires otherwise (e.g. following a Personal Data Breach).
11. Data Transfer
11.1 Company Personal Data may be transferred to and processed by the Subprocessors listed in Schedule 2, including in the United States, where such transfer is necessary to provide the Services.
11.2 Where a Subprocessor is located outside the EEA, Processor shall ensure the transfer is protected by an adequate safeguard recognized under GDPR Chapter V, such as the EU-US Data Privacy Framework, Standard Contractual Clauses, or an adequacy decision, as already provided in each Subprocessor’s own data processing terms (see Schedule 2).
12. General Terms
12.1 Confidentiality. Each Party shall keep confidential all information received about the other Party in connection with this Agreement, and shall not disclose it except as required by law or where it is already public.
12.2 Notices. Notices under this Agreement shall be sent to the contact details on file for the Company’s account, or to info@staymaker.app for notices to Processor.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of Germany.
13.2 Any dispute arising from this Agreement that the Parties cannot resolve amicably shall be submitted to the exclusive jurisdiction of the courts of Münster, Germany, subject to appeal to the Oberlandesgericht Hamm.
Schedule 1: Details of Processing
- Subject matter: Provision of the Staymaker Platform to the Company.
- Duration: For as long as the Company has an active Staymaker account, plus the deletion period in Section 9.
- Nature and purpose of processing: Hosting, storage, transmission, and display of data needed to run cleaning and maintenance task assignment, scheduling, team chat, and push notifications for the Company’s properties.
- Categories of data subjects: The Company (host) and its team members (cleaners, maintenance staff) invited to the Company’s Staymaker account.
- Categories of personal data: Name, email address, phone number (if provided), account credentials, task and schedule data, in-app chat messages, device push-notification tokens, and usage/log data.
- Special categories of personal data: None.
Schedule 2: Authorized Subprocessors
- Supabase, Inc. — Database, authentication, backend hosting, and file storage. Location: European Union (project configured for EU-region hosting). Safeguard: Supabase DPA (SCCs cover any incidental access from Supabase’s US-based staff).
- Vercel Inc. — Web application hosting. Location: United States. Safeguard: Vercel DPA (SCCs).
- Plus Five Five, Inc. (Resend) — Transactional email delivery. Location: United States. Safeguard: Resend DPA, EU-US Data Privacy Framework certified.
- Functional Software, Inc. (Sentry) — Error monitoring and crash reporting. Location: United States. Safeguard: Sentry DPA (SCCs).
Execution
Because this DPA applies on a click-through basis, it takes effect when the Customer accepts the Principal Agreement, and no separate signature is required. Where a Customer requires a separately countersigned copy, the block below may be completed.
For Staymaker: Name: Emil Dellert. Title: Owner.
For Customer: Name, title, and date as recorded on the Customer’s Staymaker account at the time the Principal Agreement is accepted.