Data Processing Addendum (DPA)

Last Updated: January 16, 2026
Effective Date: January 16, 2026

This Data Processing Addendum ("DPA") forms part of the Master Service Agreement or Terms of Service (the "Agreement") between Orvia Technologies, Inc. ("HAS", "we", "us", or "Processor") and the entity subscribing to the Services ("Customer", "you", or "Controller").

This DPA is automatically incorporated by reference into our Terms of Service for all customers who act as "Data Controllers" under GDPR (EU/UK), CCPA (California), or similar privacy regulations. By using our Services, you agree to the terms of this DPA.

This DPA governs the processing of Service Data (as defined in our Privacy Policy) that you upload or create within the Hotel Audit System.


1. Definitions

For the purposes of this DPA, the following terms have the meanings set forth below:

  • "Controller" means the Customer (hotel, resort, restaurant chain, or hospitality organization) who determines the purposes and means of processing personal data.
  • "Processor" means Orvia Technologies, Inc., which processes personal data on behalf of the Controller.
  • "Service Data" means any personal data uploaded, entered, or created by the Customer or its authorized users within the Hotel Audit System, including but not limited to:
    • Employee names, roles, and contact information
    • Audit findings, inspection reports, and compliance records
    • Photos and videos captured during inspections
    • Corrective action plans and remediation records
    • Notes, comments, and annotations
    • Any other data input by the Customer
  • "Sub-processor" means any third-party service provider engaged by HAS to process Service Data on behalf of the Customer.
  • "Personal Data", "Data Subject", "Processing", and "Data Breach" have the meanings given in applicable data protection laws (GDPR, CCPA, etc.).

2. Scope of Processing

2.1 Processing Activities

HAS shall process Service Data only for the following purposes:

  • Providing the Hotel Audit System as described in the Terms of Service
  • Performing audits, generating reports, and providing analytics
  • Enabling offline-online data synchronization
  • Providing technical support and troubleshooting
  • Maintaining and improving the Service (using anonymized, aggregated data)
  • Complying with legal obligations

2.2 Processing Details

Nature of Processing: Cloud-based SaaS platform for hotel audit management
Purpose: Quality assurance, compliance management, audit execution
Duration: For the term of the Agreement plus 90 days post-termination
Data Subjects: Hotel employees, contractors, auditors, and any individuals mentioned in audit reports
Categories of Data: See Annex A below

3. Obligations of Processor (HAS)

3.1 Compliance with Instructions

HAS shall process Service Data only on documented instructions from the Customer, unless required by law to process otherwise (in which case HAS will inform the Customer of such legal requirement before processing, unless prohibited by law).

3.2 Confidentiality

HAS shall ensure that all personnel authorized to process Service Data are under a duty of confidentiality, whether by contract or statutory obligation.

3.3 Security Measures

HAS implements appropriate technical and organizational measures to protect Service Data, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access, multi-factor authentication support
  • Infrastructure: SOC 2 compliant cloud providers
  • Monitoring: Real-time threat detection and audit logging
  • Backups: Regular automated backups with disaster recovery procedures

3.4 Sub-processors

HAS may engage sub-processors to assist in providing the Services, provided such sub-processors meet equivalent data protection standards. Our sub-processors include providers for:

Sub-processor Categories:

  • Database Hosting & Authentication - Cloud infrastructure provider (USA)
  • Application Hosting & CDN - Edge computing provider (USA)
  • Payment Processing - Merchant of record (UK/USA)
  • Transactional Email - Email delivery provider (USA)

View Complete List: Authenticated customers can view the full sub-processor list including specific company names in their account settings.

HAS will notify the Customer of any intended changes to sub-processors by updating this list and providing 30 days' notice via email. The Customer may object to a new sub-processor within 30 days, in which case the parties will work in good faith to find an alternative solution or terminate the Agreement.

3.5 Data Breach Notification

In the event of a personal data breach affecting Service Data, HAS shall:

  • Notify the Customer without undue delay and in any case within 48 hours of becoming aware of the breach
  • Provide the Customer with sufficient information to enable the Customer to meet any obligations to report or inform Data Subjects of the breach
  • Take reasonable steps to mitigate the breach and prevent further unauthorized access

3.6 Data Subject Requests

HAS shall, to the extent legally permitted, promptly notify the Customer if HAS receives a request from a Data Subject to exercise their rights under applicable data protection laws (e.g., access, rectification, erasure). HAS will assist the Customer in responding to such requests to the extent reasonably possible.

3.7 Deletion or Return of Data

Upon termination of the Agreement, HAS shall:

  • Provide the Customer with the ability to export Service Data for 30 days after termination
  • Delete or anonymize all Service Data within 90 days of termination, unless legally required to retain it
  • Upon request, certify in writing that all Service Data has been deleted

3.8 Audits and Inspections

HAS shall make available to the Customer information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Customer or an auditor mandated by the Customer. Such audits shall be:

  • Conducted upon reasonable notice (at least 30 days)
  • Performed during normal business hours
  • Limited to once per year unless there is a suspected breach
  • Conducted under confidentiality obligations

4. Obligations of Controller (Customer)

⚠ Customer Responsibilities

The Customer acknowledges and agrees that it is solely responsible for:

  • Legal Basis: Ensuring it has a valid legal basis (e.g., consent, legitimate interest, legal obligation) to collect and process personal data uploaded into the HAS platform
  • Compliance: Complying with all applicable data protection laws (GDPR, CCPA, etc.) in its jurisdiction
  • Data Accuracy: Ensuring the accuracy, quality, and legality of Service Data
  • Privacy Notices: Providing appropriate privacy notices to Data Subjects whose data is processed through the Service
  • Data Subject Rights: Responding to Data Subject requests (HAS will assist but the Customer is ultimately responsible)
  • Third-Party Data: If the Customer uploads data about hotel guests, employees, or third parties, the Customer must have proper authorization and consent
  • Instructions: Ensuring that any instructions given to HAS comply with applicable data protection laws

HAS is NOT responsible for the Customer's failure to comply with applicable data protection laws or obtain necessary consents before uploading data into the Service.


5. International Data Transfers

Service Data may be transferred to and processed in the United States and other countries where HAS or its sub-processors operate. For data transfers from the EEA/UK to countries without an adequacy decision, HAS relies on:

  • Standard Contractual Clauses (SCCs): HAS has implemented the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor)
  • Supplementary Measures: Technical and organizational measures (encryption, access controls, etc.) to ensure adequate protection

A copy of the SCCs is available upon request at legal@orviahq.com.


6. Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.

The Customer agrees to indemnify and hold HAS harmless from any claims arising from:

  • The Customer's failure to comply with its obligations as a Data Controller
  • The Customer's instructions to HAS that violate applicable data protection laws
  • Unauthorized data uploaded by the Customer or its users

7. Term and Termination

This DPA shall remain in effect for as long as the Agreement is in effect or until all Service Data has been deleted or returned, whichever is later.


8. Governing Law

This DPA shall be governed by the same governing law and dispute resolution provisions as set forth in the Terms of Service (State of Texas, United States).


Annex A: Categories of Data and Data Subjects

Categories of Data Subjects:

  • Hotel employees and contractors
  • Quality assurance auditors and inspectors
  • Property managers and administrators
  • Any individuals mentioned in audit reports or findings
  • Hotel guests (if included in audit reports)

Categories of Personal Data:

| Data Type | Examples |
|---|---|
| Identity Data | Names, employee IDs, job titles, roles |
| Contact Data | Email addresses, phone numbers |
| Audit Records | Inspection findings, compliance scores, pass/fail results |
| Visual Data | Photos/videos of facilities, equipment, or issues identified during audits |
| Location Data | Property addresses, GPS coordinates of audit locations |
| Operational Data | Timestamps, device IDs, sync logs |
| Notes & Comments | Free-text observations, corrective actions, recommendations |

Sensitive Personal Data:

The Service is not intended to collect sensitive personal data (e.g., health data, biometric data, racial/ethnic origin). If the Customer uploads such data, the Customer is solely responsible for ensuring it has the appropriate legal basis and has implemented additional safeguards as required by law.


Contact Information

For questions about this DPA or to request a signed copy, please contact us:

Orvia Technologies, Inc.

Legal Inquiries: legal@orviahq.com

General Support: support@orviahq.com

Address: 1234 Hospitality Drive, Suite 500, Austin, TX 78701, USA

This DPA is incorporated by reference into our Terms of Service and should be read in conjunction with our Privacy Policy.