Important notice. This Data Processing Agreement (DPA) is a draft pending legal review. It governs the processing of personal data carried out by Nitro Cloud LTD ("ARPCLEAN") on behalf of its business customers as required by Article 28 of the EU General Data Protection Regulation (GDPR). It is an integral part of our Terms of Service and applies automatically to every customer using the ARPCLEAN platform.
1. Parties
This DPA is entered into between:
Processor: Nitro Cloud LTD, a company incorporated under the laws of the Republic of Bulgaria, registered with the Bulgarian Commercial Register under UIC 207555451, having its registered office at Akad. Mihail Arnaudov 3, Et. 3, 7005 Ruse, Bulgaria, represented by its Managing Director Bekir Özalp ("Processor", "ARPCLEAN", "we").
Controller: the business customer that has entered into a subscription for the ARPCLEAN service under our Terms of Service (the "Customer", "Controller", "you").
2. Definitions
Unless otherwise defined in this DPA, capitalised terms have the meaning assigned to them in the GDPR. In particular, "personal data", "processing", "controller", "processor", "data subject", "supervisory authority" and "personal data breach" shall have the meaning set out in Art. 4 GDPR.
3. Subject Matter, Duration, Nature and Purpose of Processing
Subject matter. The Processor processes personal data on behalf of the Controller for the sole purpose of providing the ARPCLEAN platform and the related services described in the Terms of Service.
Duration. The processing takes place for the duration of the Customer's subscription and for any statutory retention period thereafter. Data export and deletion after termination are governed by Section 12 below.
Nature of processing. The processing consists of collection, recording, organisation, structuring, storage, retrieval, use, disclosure to sub-processors listed in Annex B, erasure and destruction of personal data, as well as technical operations such as back-up, restoration, encryption and format conversion, in each case as necessary to provide the service.
Purpose. The purpose of the processing is to enable the Controller to manage hotel cleaning and housekeeping operations, including task assignment, team coordination, inspection workflows, multilingual communication, billing support and integration with hotel property management systems.
4. Types of Personal Data and Categories of Data Subjects
Types of personal data (Annex A):
- identity and contact data (name, email address, phone, job title);
- employment data (team membership, shift information, language skills);
- authentication data (hashed passwords, OAuth identifiers, session tokens);
- operational data (task assignments, timestamps, status updates, notes);
- image and document data (room photos, lost-and-found items, onboarding documents);
- communication metadata (messages exchanged inside the platform);
- limited device data (IP address, user agent, language preference, push notification tokens).
Categories of data subjects:
- Controller's employees and contractors using the platform;
- hotel guests referenced in tasks or incidents (e.g. lost-and-found items);
- hotel staff members referenced by the Controller in tasks, communications or reports.
The Processor does not intentionally process special categories of personal data within the meaning of Art. 9 GDPR and the Customer undertakes not to upload such data without a separate written agreement.
5. Obligations of the Processor
The Processor shall:
(a) Documented instructions. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. The Terms of Service, the configuration of the platform and any additional written instructions issued by the Controller through the platform shall constitute the Controller's documented instructions.
(b) Confidentiality. Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Security. Implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk, as further described in Section 8 (Technical and Organisational Measures).
(d) Sub-processors. Respect the conditions referred to in Art. 28(2) and (4) GDPR for engaging sub-processors. The current list of sub-processors is published at /subprocessors and the Controller is notified of changes as set out in Section 7 below.
(e) Data subject rights. Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR.
(f) Assistance with Art. 32-36 GDPR. Assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
(g) Deletion and return. At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data. Section 12 sets out the default deletion timeline.
(h) Audit information. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to Section 11 below.
6. Obligations of the Controller
The Controller shall:
- remain responsible for the lawfulness of the processing, including the existence of a legal basis for any processing of personal data that the Controller initiates through the platform;
- issue instructions to the Processor only in accordance with applicable data protection law;
- ensure that users of the platform are authorised to act on behalf of the Controller and that their access rights are appropriate;
- inform the Processor without undue delay of any errors or irregularities concerning the processing of personal data;
- respond to requests from data subjects received directly from the Processor;
- comply with applicable notification and transparency obligations towards data subjects, including the provision of information pursuant to Art. 13 and 14 GDPR.
7. Sub-Processors
The Controller gives the Processor a general written authorisation to engage sub-processors for the performance of the service, in accordance with Art. 28(2) GDPR. The current list of sub-processors is available at /subprocessors.
The Processor shall impose on any sub-processor, by contract, the same data protection obligations as those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
The Processor shall notify the Controller at least 30 days in advance of any intended changes to the list of sub-processors, giving the Controller the opportunity to object on reasonable data-protection-related grounds within 14 days of the notification. Where such an objection cannot be resolved in good faith, the Controller is entitled to terminate the affected part of the service for good cause.
Where the sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor's obligations.
8. Technical and Organisational Measures (Art. 32 GDPR)
The Processor implements and maintains appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration or disclosure. These measures currently include, in particular:
- Access control: role-based access control, hashed credentials using industry-standard algorithms, mandatory strong passwords, multi-factor authentication for administrative access.
- Encryption in transit: TLS 1.2+ with industry-standard cipher suites for all external traffic and internal service-to-service communication where applicable.
- Encryption at rest: database-level encryption for sensitive columns; object storage configured with at-rest encryption.
- Network segmentation: databases, cache servers and mail server are not directly exposed to the public internet and communicate only within a private network.
- Logging and monitoring: audit logs for administrative actions, authentication events and changes to sensitive records; log retention consistent with security needs and legal requirements.
- Backup and recovery: regular automated backups of databases and object storage; restoration procedures tested periodically.
- Change management: version control for all source code; release procedures with code review.
- Secure development: dependency scanning, security updates applied in a timely manner, separation of development, staging and production environments.
- Personnel security: confidentiality commitments for personnel with access to personal data; principle of least privilege; offboarding procedures.
- Incident response: documented incident response procedure, including notification of affected Controllers within 72 hours of becoming aware of a personal data breach.
The Processor may update these measures over time provided that the overall level of security is not reduced. A current summary is available to the Controller on request.
9. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Such notification shall at least:
- describe the nature of the breach;
- where possible, indicate the categories and approximate number of data subjects and records concerned;
- communicate the name and contact details of a contact point where more information can be obtained;
- describe the likely consequences of the breach;
- describe the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Where and insofar as it is not possible to provide this information at the same time, the information may be provided in phases without undue further delay.
10. Data Protection Impact Assessments (DPIA)
Taking into account the nature of the processing and the information available to the Processor, the Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments pursuant to Art. 35 GDPR and in consultations with the supervisory authority pursuant to Art. 36 GDPR, where such assessments or consultations relate to the processing carried out under this DPA.
11. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA once per year. Audits may be carried out by the Controller or by an independent third-party auditor bound by confidentiality. Audits shall be conducted during normal business hours, with reasonable prior written notice (at least 30 days), and in a manner that does not unduly disrupt the Processor's business operations. The Processor may satisfy the audit right by providing third-party audit reports (e.g. ISO 27001, SOC 2) or completed industry standard questionnaires (e.g. CAIQ), where available and applicable.
If the Controller requests additional on-site audits beyond the first annual audit, or requires specific engagements, the Processor may charge its reasonable costs.
12. Deletion and Return of Personal Data
Upon termination of the Customer's subscription, the Processor shall provide a data export in a common, machine-readable format (e.g. CSV, JSON) for a period of 30 calendar days. After expiry of this export period, the Processor shall irreversibly delete all personal data processed on behalf of the Controller within a further 60 calendar days, unless statutory retention obligations require a longer period. Anonymised and aggregated data used for statistical purposes shall remain unaffected.
Upon written request, the Processor shall confirm such deletion to the Controller.
13. International Transfers
Personal data is primarily processed on servers located within the European Union. Where the provision of the service requires transfers of personal data to third countries (in particular to service providers in the United States listed in the Subprocessors annex), such transfers take place on the basis of:
- an adequacy decision of the European Commission (for example, the EU-US Data Privacy Framework, where applicable); or
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 or Module 3 as applicable), supplemented by appropriate supplementary measures where necessary; or
- any other lawful transfer mechanism permitted by Chapter V GDPR.
14. Liability
The liability of the Parties under this DPA is governed by the Terms of Service. The liability provisions therein apply mutatis mutandis to any claims arising out of or in connection with this DPA, without prejudice to any rights of data subjects under the GDPR.
15. Final Provisions
Language precedence. This DPA is published in English and German. In the event of any discrepancy or conflict between the two versions, the English version prevails.
Relationship with Terms of Service. This DPA forms an integral part of the Terms of Service. In case of conflict between the Terms of Service and this DPA with regard to processing of personal data, this DPA prevails.
Severability. Should any provision of this DPA be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected.
Updates. The Processor may update this DPA from time to time to reflect changes in applicable law, regulatory guidance or the service. Material changes shall be notified to the Controller at least 30 days in advance as set out in the Terms of Service.
16. Governing Law and Jurisdiction
This DPA is governed by the substantive law of the Republic of Bulgaria, without prejudice to mandatory provisions of EU data protection law. The exclusive place of jurisdiction for disputes arising out of or in connection with this DPA is Ruse, Bulgaria, subject to mandatory protective provisions of the Customer's country of habitual residence under Regulation (EC) No 593/2008 (Rome I) and Regulation (EU) No 1215/2012 (Brussels Ibis).
17. Contact
Questions regarding this DPA or our data processing practices can be addressed to:
Nitro Cloud LTD
Akad. Mihail Arnaudov 3, Et. 3
7005 Ruse, Bulgaria
Email: [email protected]