Skip to main content

Data Processing Agreement

Last updated: June 2026

This Data Processing Agreement (“DPA”) forms part of the contract between Szalai Kevin EV (“Provider”, acting as data processor) and the Customer (the hotel or hospitality business, acting as data controller) for the use of Hydra Suite. It governs the processing of personal data carried out by the Provider on behalf of the Customer under Article 28 GDPR. This is a template: the parties complete the Annex with the concrete details of their processing, and it should be reviewed by a qualified lawyer before signing.

1. Roles of the parties

The Customer is the data controller and determines the purposes and means of processing the personal data handled in Hydra Suite (e.g. guest and reservation data). The Provider is the data processor and processes that personal data only on behalf of, and on the documented instructions of, the Customer. Where Hydra Suite runs on-premises on the Customer's own infrastructure, the Provider only accesses personal data to the extent needed to deliver support, maintenance or the AI chatbot service the Customer has enabled.

2. Subject matter, nature and purpose

The subject matter of the processing is the operation, support and maintenance of the Hydra Suite software and any optional services (such as the AI guest chatbot) the Customer enables. The nature of the processing includes storage, organisation, retrieval, transmission and — where instructed — deletion of personal data. The purpose is limited to providing the contracted services to the Customer; the Provider does not process the personal data for its own purposes.

3. Categories of personal data and data subjects

The personal data processed may include: guest identification and contact data (name, email, phone, address), reservation and stay data, invoicing and payment data, and — where the AI chatbot is enabled — the content of guest conversations. The categories of data subjects are the Customer's guests, prospective guests and staff users. The concrete list is set out in the Annex.

4. Duration

The Provider processes personal data for the duration of the service contract. On termination, the Provider returns or deletes the personal data in accordance with the 'Return and deletion' section, unless storage is required by law.

5. Processing on instructions and confidentiality

The Provider processes personal data only on the documented instructions of the Customer, including this DPA and the service contract, unless required to act by law (in which case it informs the Customer beforehand, where legally permitted). The Provider ensures that persons authorised to process the personal data are bound by an appropriate duty of confidentiality.

6. Security measures (Article 32)

Taking into account the state of the art and the risks, the Provider implements appropriate technical and organisational measures, including: access control and authentication, encryption of data in transit, regular backups, the principle of least privilege, logging of administrative access, and the ability to restore availability after an incident. Because Hydra Suite is designed to run on-premises, a substantial part of the security measures (physical security, network, local backups) is also the Customer's responsibility. Detailed measures are described in the Annex.

7. Sub-processors

The Customer authorises the Provider to engage sub-processors (for example hosting or email-delivery providers) for clearly defined parts of the processing. The Provider imposes data-protection obligations on each sub-processor equivalent to those in this DPA and remains responsible for their performance. The Provider informs the Customer of any intended change of sub-processor, giving the Customer the opportunity to object.

8. International transfers

The Provider does not transfer personal data outside the European Economic Area unless instructed to do so or it is necessary for a sub-processor's service, and then only with appropriate safeguards under Chapter V GDPR (such as an adequacy decision or the Standard Contractual Clauses).

9. Assistance and data subject rights

Taking into account the nature of the processing, the Provider assists the Customer with appropriate technical and organisational measures in fulfilling the Customer's obligation to respond to data subject requests (access, rectification, erasure, portability, objection), and in ensuring compliance with the obligations under Articles 32–36 GDPR (security, breach notification, impact assessments and prior consultation).

10. Personal data breaches

The Provider notifies the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, and provides the information the Customer reasonably needs to meet its own notification obligations under Articles 33–34 GDPR.

11. Return and deletion

On termination of the services, the Provider, at the Customer's choice, returns the personal data in a machine-readable format or deletes it, and deletes existing copies, unless Union or Hungarian law requires continued storage.

12. Audits

The Provider makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice and confidentiality.

13. Liability

Liability under this DPA follows the liability and limitation-of-liability provisions of the Terms of Use and the service contract, to the extent permitted by the GDPR and Hungarian law. The allocation of liability between controller and processor follows Article 82 GDPR.

14. Governing law and annex

This DPA is governed by Hungarian law and the GDPR. The Annex (categories of data, data subjects, processing operations, sub-processors and security measures) forms an integral part of this DPA and is completed by the parties for their specific engagement.