Data Processing Agreement
1. Parties
This Data Processing Agreement ("DPA") is entered into between the Customer (the "Controller") and Weareplonet Retail d.o.o. (the "Processor") upon acceptance of the Weareplonet Terms of Service. The DPA governs personal data processed by the Processor on behalf of the Controller in the delivery of the subscribed modules.
2. Subject matter and duration
The Processor processes personal data on the Controller's behalf for the sole purpose of operating the subscribed Weareplonet modules. Processing continues for the duration of the Controller's subscription and ceases on termination.
3. Nature and purpose of processing
The Processor performs the technical operations required by each subscribed module: reading and writing data via the Protel API using the Controller's Protel Login, generating and delivering reports, sending notifications, and executing the module-specific workflows described in the module's documentation.
4. Categories of data subjects and personal data
Data subjects: the Controller's guests, the Controller's employees using the Weareplonet dashboard, and — for some modules — the Controller's negotiated corporate contacts. Personal data: names, contact details, reservation identifiers, room assignments, folio notes and folio balances, employment role. No special categories of personal data (Article 9 GDPR) are processed.
5. Processor obligations
- Process personal data only on documented instructions from the Controller, and inform the Controller if the Processor believes an instruction infringes applicable data protection law.
- Ensure that persons authorised to process personal data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures as detailed in Annex 2 (Security).
- Engage sub-processors only under a written agreement imposing equivalent obligations, and notify the Controller of any intended changes to sub-processors with reasonable prior notice.
- Assist the Controller in responding to data subject requests, and in fulfilling obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
- On termination, delete or return all personal data at the Controller's choice, and delete existing copies unless retention is required by applicable law.
- Make available to the Controller information necessary to demonstrate compliance and permit audits, either directly or via an independent auditor, at reasonable intervals.
6. Sub-processors
The current sub-processors are: our EU hosting provider (Frankfurt and Amsterdam data centres), our transactional email provider (EU), and our payment acquirer (EU, PCI DSS certified). A current list with entity names and location is available on request from dpo@weareplonet.org.
7. Cross-border transfers
Personal data is processed and stored in the European Economic Area. No cross-border transfer to a third country takes place under this DPA without appropriate safeguards (Standard Contractual Clauses or an adequacy decision).
8. Security
TLS 1.3 in transit, AES-256 at rest, per-property scoped API tokens, IP-restricted egress from Weareplonet infrastructure, role-based access control on internal systems, logged access to customer data, quarterly independent penetration testing, incident response process documented and rehearsed.
9. Data breach notification
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and in any event within 48 hours, providing sufficient information for the Controller to meet its own obligations under Article 33 GDPR.
10. Liability
Liability is capped as per Clause 9 of the Terms of Service; nothing in this DPA limits liability that cannot be excluded under applicable law.
Postal: Weareplonet Retail d.o.o., ul. Vaka Đurovića 14, 81000 Podgorica, Crna Gora
Regulator: Agencija za zaštitu ličnih podataka (AZLP), Podgorica, reg. no. 05-030/26-3427