Data Processing Agreement (DPA)

Stellar Tourism Innovations GmbH

Translation Notice

This is a translation of the German Data Processing Agreement. In case of any discrepancies, the German version is legally binding and takes precedence.

between

[Controller]
– hereinafter referred to as "Data Controller" –

and
Stellar Tourism Innovations GmbH
Immanuelkirchstraße 37
10405 Berlin
– hereinafter referred to as "Data Processor" or "Stellar Trust" –


§1 Subject Matter and Duration of Processing

(1) The subject matter of this agreement is the processing of personal data on behalf of the Data Controller by Stellar Trust in the context of software solutions and services for digital guest communication and automation of administrative processes in vacation rental management.

(2) The duration of processing is governed by the term of the main contract between the parties.


§2 Nature and Purpose of Processing

Processing includes in particular:

  • Collection, storage, organization, provision, transmission and deletion of personal data of guests (e.g. check-in data),
  • technical provision of applications (e.g. hosting),
  • email dispatch (e.g. confirmations),
  • customer communication (e.g. support, chat),
  • analysis and optimization of user interactions.

§3 Categories of Data Subjects

  • Guests of vacation rentals
  • Customers and employees of the Data Controller
  • Service providers of the Data Controller (if applicable)

§4 Categories of Personal Data

  • First and last name
  • Contact data (email, phone number)
  • Travel data, identification data, date of birth
  • Address, nationality
  • Payment information (e.g. Stripe ID)
  • Communication content

§5 Obligations of the Data Processor

(1) Stellar Trust processes personal data exclusively based on documented instructions from the Data Controller.

(2) Employees authorized to process data are bound to confidentiality.

(3) The Data Processor must ensure the security of processing through appropriate technical and organizational measures (TOMs) (see Annex 2).

(4) The Data Processor supports the Data Controller in upholding the rights of data subjects and in conducting data protection impact assessments.


§6 Sub-processing Relationships

(1) The use of sub-processors is only permitted in compliance with the requirements of this agreement and the GDPR.

(2) The Data Processor uses the sub-processors listed in Annex 3.

(3) International data transfers are carried out exclusively on the basis of Standard Contractual Clauses (SCC) or within the framework of the EU-U.S. Data Privacy Framework (DPF).


§7 Rights and Obligations of the Data Controller

The Data Controller is responsible for the lawfulness of data processing and for upholding the rights of data subjects. The Data Controller has the right to regularly review compliance with this agreement.


§8 Technical and Organizational Measures

The Data Processor must implement the TOMs listed in Annex 2 and regularly adapt them to the state of the art.


§9 Deletion and Return of Data

After termination of processing, the Data Processor deletes all personal data or returns it to the Data Controller, unless there is a legal obligation to retain the data.


§10 Liability

(1) The liability of the Data Processor towards the Data Controller for damages arising from processing is limited to five times the remuneration paid in the last 12 months, but no more than EUR 50,000.

(2) This limitation does not apply in cases of intent or gross negligence.

(3) Liability under data protection law towards data subjects remains unaffected.


§11 Final Provisions

(1) Amendments and supplements require written form.

(2) Should individual provisions of this agreement be wholly or partially invalid, the validity of the remainder shall remain unaffected.

(3) Place of jurisdiction is, where legally permissible, Berlin. German law applies.


Place, Date

Berlin, 01.06.2025


Signatures

For the Data Controller:

Name / Position

For the Data Processor (Stellar Tourism Innovations GmbH)

Philipp Reuter, Managing Director


Annex 1 – Description of Processing Activities

(see §§ 2–4, already covered)


Annex 2 – Technical and Organizational Measures (TOMs)

  • SSL/TLS encryption of all data transmissions
  • Password hashing according to current standards (e.g. bcrypt)
  • Access restriction through role and rights management
  • Logging of all security-relevant activities
  • Encryption of personal data on servers
  • 2-factor authentication for employees with admin access
  • Regular penetration testing by external providers
  • Hosting in certified data centers (ISO 27001)

Annex 3 – List of Sub-processors

Name of Sub-processor     | Type of Service                 | Location / Country
Amazon Web Services (AWS) | Cloud Infrastructure & Hosting  | USA / EU
Microsoft Azure           | Cloud Infrastructure & Services | USA / EU
Google Cloud Platform     | Data Analysis & Storage         | USA / EU
SendGrid (Twilio)         | Email Delivery                  | USA
Stripe                    | Payment Processing              | USA
Intercom                  | Customer Communication          | USA
HubSpot                   | CRM & Marketing Automation      | USA