Data Processing Agreement
Last Updated: 16 June 2026 · Version 1.2
Data Processing Agreement
Last Updated: 16 June 2026 · Version 1.2
Scope and Incorporation
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Hostli Ltd., an Israeli company ("Processor", "Hostli") and the subscribing hotel customer ("Controller", "Client"). By accepting the Terms and Conditions, the Client enters into this DPA. This DPA governs all processing of Personal Data that Hostli performs on behalf of the Client in connection with the Hostli hotel CRM and marketing platform ("Service"). In the event of conflict between this DPA and the Terms and Conditions, this DPA prevails with respect to data protection matters.
1. Definitions
In this DPA: "Personal Data" means any information relating to an identified or identifiable natural person, as defined in the Israeli Protection of Privacy Law 5741-1981 and in the GDPR where applicable. "Processing" has the meaning given in the applicable data protection law. "Controller" is the party that determines the purposes and means of processing — the Client hotel. "Processor" is the party that processes Personal Data on behalf of the Controller — Hostli. "Data Subject" means the individual to whom Personal Data relates (hotel guests, marketing leads, hotel staff). "GDPR" means Regulation (EU) 2016/679. "Israeli PPL" means the Israeli Protection of Privacy Law 5741-1981 and its amendments (including Amendment 13, in force from 2025). "Reg. 15" means Regulation 15 of the Israeli Privacy Protection Regulations (Data Security) 5777-2017. "Sub-Processor" means any third party engaged by Hostli to carry out processing activities on Personal Data on behalf of the Controller. "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles of the Parties
The Client acts as Controller of hotel guest data, marketing lead data, and hotel staff data uploaded to or generated within the Service. Hostli acts as Processor of that data, processing it solely on documented instructions from the Controller. Hostli acts as an independent Controller only of data it collects about hotel staff for the purpose of providing and securing the Service (authentication logs, audit trails, security events) — such processing is governed by Hostli's Privacy Policy, not this DPA. Where Hostli processes data for its own analytics, product development, or legal compliance, it acts as Controller and such processing is not covered by this DPA.
3. Documented Instructions
Hostli shall process Personal Data only on documented instructions from the Controller. The Controller's instructions are: (a) those set out in this DPA and the Terms and Conditions; (b) those given through the Service interface (uploading contacts, triggering campaigns, initiating audience syncs); and (c) any subsequent written instructions agreed by the parties. If Hostli believes any instruction infringes applicable data protection law, Hostli shall promptly notify the Controller. Hostli shall not process Personal Data for any purpose beyond the documented instructions unless required to do so by applicable law, in which case Hostli shall notify the Controller of that legal requirement before processing, unless prohibited by law.
4. Confidentiality of Processing
Hostli shall ensure that persons authorised to process Personal Data are subject to appropriate obligations of confidentiality, whether under a contractual or statutory duty. Access to Personal Data is restricted to Hostli personnel and authorised Sub-Processors who require access to perform their obligations under the Terms and Conditions.
5. Sub-Processors
The Controller grants Hostli general authorisation to engage the Sub-Processors disclosed to the Controller in the service agreement (the current list is also available on request). Hostli shall: (a) provide the Controller with at least 30 days' prior written notice before adding or replacing a Sub-Processor (email to the Controller's registered account address suffices); (b) impose on each Sub-Processor data protection obligations materially equivalent to those in this DPA by written contract; and (c) remain fully liable to the Controller for the acts and omissions of its Sub-Processors as if they were Hostli's own. The Controller may object to any new Sub-Processor within the notice period by notifying [email protected] with reasons. Where the Controller objects and Hostli cannot provide the Service without the proposed Sub-Processor, either party may terminate the affected Service on 30 days' written notice.
6. Security Measures
Hostli shall implement and maintain the technical and organisational measures described in Annex 2. Hostli may update or modify these measures over time, provided that any modification does not materially reduce the level of protection. Hostli shall ensure that its Sub-Processors maintain equivalent or greater security standards.
7. Security Incident Notification
Upon becoming aware of a Security Incident, Hostli shall: (a) notify the Controller without undue delay, and in any event within 72 hours of confirmed discovery of the incident; (b) provide, in the initial or subsequent notifications, at minimum: a description of the nature of the Security Incident, the categories and approximate number of Data Subjects affected, the categories and approximate number of Personal Data records affected, the likely consequences, and the measures taken or proposed to address the incident; and (c) cooperate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each Security Incident. The Controller is responsible for notifying the applicable supervisory authority (Israeli Privacy Protection Authority and/or EEA lead supervisory authority) and Data Subjects in accordance with applicable law, based on the information provided by Hostli. For the avoidance of doubt, the 72-hour clock runs from Hostli's confirmed discovery, not from the incident itself.
8. Data Subject Rights
Taking into account the nature of the processing, Hostli shall assist the Controller by appropriate technical and organisational measures to fulfil the Controller's obligations to respond to requests from Data Subjects exercising their rights under applicable data protection law (including the right to access, rectify, erase, restrict processing, data portability, and to object). Hostli shall promptly forward to the Controller any Data Subject request received by Hostli that relates to Personal Data processed under this DPA, without responding to the Data Subject directly (unless the Controller instructs otherwise). The Controller is responsible for responding to Data Subject requests within the applicable statutory period.
9. Data Protection Impact Assessment
Hostli shall provide reasonable assistance to the Controller in carrying out any data protection impact assessment or prior consultation required under applicable data protection law, to the extent such assessment relates to processing carried out by Hostli under this DPA and Hostli has access to relevant information.
10. Audit Rights
Hostli shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Hostli shall, upon the Controller's reasonable request and at the Controller's cost: (a) provide a copy of any relevant third-party audit report or security certification; and (b) permit and contribute to an audit or inspection conducted by the Controller or an auditor mandated by the Controller, subject to: (i) at least 30 days' prior written notice; (ii) reasonable advance agreement on scope, timing, and duration; (iii) the auditor being bound by written confidentiality obligations; and (iv) the audit not occurring more than once per calendar year except following a confirmed Security Incident. Any audit shall be conducted during normal business hours in a manner that causes minimal disruption to Hostli's operations.
11. International Transfers of Personal Data
Personal Data processed under this DPA may be transferred to and processed in countries outside the European Economic Area (EEA) and Israel, including the United States, by Hostli and its Sub-Processors. All such transfers are made subject to an appropriate safeguard within the meaning of Chapter V of the GDPR. Where EEA Personal Data is transferred to Hostli in Israel, Israel benefits from a European Commission adequacy decision; accordingly, no additional transfer mechanism is required for the transfer to Hostli in Israel. Where Hostli or its Sub-Processors transfer EEA Personal Data to the United States or other third countries, such transfers are made under the applicable module of the EU Standard Contractual Clauses (Commission Decision 2021/914) and/or, where the recipient is certified, the EU-U.S. Data Privacy Framework, supplemented by additional technical and organisational measures where required. Hostli shall not transfer Personal Data to a Sub-Processor in a third country without an appropriate transfer mechanism in place. The transfer mechanism applicable to each Sub-Processor is provided to the Controller as part of the service agreement.
12. Return and Deletion of Personal Data
Upon termination or expiry of the Terms and Conditions, or upon the Controller's written request, Hostli shall: (a) make available to the Controller an export of all Personal Data processed under this DPA, in a machine-readable format, for a period of 30 days following termination; and (b) after that 30-day period, securely delete all copies of Personal Data processed under this DPA, including copies held by Sub-Processors. Deletion does not apply to: (i) anonymised or aggregated data that does not identify any Data Subject; (ii) data that Hostli is required to retain under applicable law; or (iii) backup copies, which will be deleted in the ordinary course of Hostli's backup rotation cycle (not to exceed 90 days). Hostli shall, upon the Controller's written request, provide a written certification of deletion.
13. Liability
Each party's liability arising out of or in connection with this DPA (whether in contract, tort, or otherwise) is subject to the limitations and exclusions set out in the Terms and Conditions. In particular, Hostli's aggregate liability under this DPA is subject to, and counts toward, the aggregate limitation of liability set out in the Agreement; this DPA does not create a separate or additional liability cap. Nothing in this DPA limits either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited under applicable law. For the avoidance of doubt, this contractual allocation between the parties does not affect the rights of Data Subjects or the powers of a supervisory authority under applicable data protection law.
14. Duration
This DPA is effective from the date the Controller accepts the Terms and Conditions and continues for the duration of those Terms and Conditions. Obligations under Sections 7 (Security Incident Notification), 12 (Return and Deletion), and 13 (Liability) survive termination.
15. Governing Law
This DPA is governed by the laws of the State of Israel. Disputes shall be resolved by the competent courts of Tel Aviv-Yafo, Israel, subject to any mandatory local law that cannot be contractually displaced. This DPA is provided in English and Hebrew; the language-precedence rule in the Agreement (or accepted Terms) applies equally to this DPA.
16. Entire Agreement; Order of Precedence
This DPA, together with its Annexes, constitutes the complete data processing agreement between the parties and supersedes all prior agreements on the subject matter. In case of conflict: this DPA prevails over the Terms and Conditions on data protection matters; Annex 1 (Processing Particulars) describes the authorised scope; Annex 2 (TOMs) governs the minimum security standard; Annex 3 (Sub-Processors) governs Sub-Processor authorisation; Annex 4 (Israeli Reg. 15) governs Israeli-law-specific obligations.
Annex 1 — Processing Particulars
Mandatory description under GDPR Art. 28(3) and Israeli Data Security Reg. 15
Subject-Matter of Processing
Hostli processes Personal Data to deliver hotel CRM and marketing automation services, including:
- Campaign creation and delivery: generating AI-powered creative campaigns (copy, images) and publishing them via the Meta Ads API and, for outbound campaign and transactional messages, the WhatsApp Business API.
- Hotelier control channel: enabling hotel staff to operate the platform via the WhatsApp Business API (issuing commands and receiving reports) alongside the web application.
- Audience management: creating and syncing Meta Custom Audiences using hashed guest contact data (SHA-256 email hashing; phone numbers transmitted via Meta's secure API).
- Review aggregation: scraping and storing public guest reviews from third-party platforms to ground campaign copy and analytics.
- Embedding and semantic search: generating vector embeddings of reviews, copy fragments, and media assets to power intelligent campaign recommendations.
- Analytics: aggregating campaign performance metrics and audience insights.
Nature of Processing
- Collection and storage of Personal Data uploaded by the Controller.
- Automated analysis and AI-assisted generation (copy, images, reply suggestions).
- Transmission to third-party platforms (Meta, Google) as instructed by the Controller.
- Deletion per retention schedules set out in this DPA.
Purpose of Processing
- Primary: providing the Hostli hotel CRM and marketing platform as described in the Terms and Conditions.
- Secondary (within primary): improving relevance of AI recommendations using the Controller's own data (not shared across hotel accounts; not used for cross-customer training).
- No purpose beyond delivering the agreed Service without further written instruction from the Controller.
Categories of Personal Data and Data Subjects
| Data Subject Category | Personal Data Processed |
|---|---|
| Hotel Guests | Name, email address, phone number, reservation metadata (check-in/out dates, room type, booking value), public review text, IP address (where transmitted by Meta). |
| Marketing Leads | Name, email address, source (website form, social ad lead form), opt-in timestamp, hotel association. |
| Hotel Staff | Name, work email, phone number (for authentication), role, login events, audit actions within the Service. |
Duration of Processing
Hostli processes Personal Data for the duration of the Controller's active subscription, plus the 30-day export window following termination (Section 12). Marketing leads are retained for the duration of the commercial relationship plus a reasonable archival period not exceeding 2 years. Backup copies are deleted within 90 days of termination.
Annex 2 — Technical and Organisational Measures (TOMs)
Minimum security standard maintained by Hostli as Processor
Encryption
- Data at rest: AES-256 encryption applied at the database layer (Neon Postgres managed encryption) and object storage layer (Cloudflare R2 server-side encryption).
- Data in transit: TLS 1.2 minimum (TLS 1.3 preferred) enforced on all connections between clients, the Hostli application, the database, and Sub-Processors.
- Authentication credentials: bcrypt (minimum cost factor 10) for password storage. OAuth tokens stored encrypted at rest.
- Session management: httpOnly, Secure, SameSite=Strict session cookies. Session tokens are invalidated on logout and on detected anomalies.
Access Control
- Least-privilege model: Hostli staff access to Personal Data is restricted to what is necessary for their job function.
- Hotel data isolation: each hotel's data is logically isolated by hotel_id partitioning; cross-hotel access is not possible through the application interface.
- Multi-factor authentication: enforced for Hostli engineering access to production database and infrastructure.
- Audit logging: all privileged access to production data is logged (admin_audit_log table) with actor, action, timestamp, and affected resource.
- Role-based access control within the Service: hotel staff access is scoped by role (owner, manager, staff) as configured by the Controller.
Privacy-by-Design Controls
- Meta Audience sync: guest emails are SHA-256 hashed before transmission to Meta. The hash is not reversible.
- AI processing: guest Personal Data is sent to AI Sub-Processors only to the extent necessary to generate the requested output (e.g., campaign copy). Hostli does not use Controller Personal Data to train or fine-tune AI models. All AI processing of guest Personal Data is performed by Google Gemini on Google Cloud Vertex AI, under terms that prohibit using Controller Personal Data to train or fine-tune any AI/ML models; any retention of prompt data is limited to short-term abuse monitoring.
- Human-in-the-loop: AI-generated outputs are presented to hotel staff as suggestions for review and approval. AI does not publish campaigns or send messages autonomously.
Infrastructure Security
- Hosting: Vercel (serverless compute with automatic scaling; no persistent application servers with standing access to Personal Data).
- Database: Neon Postgres (managed Postgres with point-in-time recovery, automatic backups, and database-level encryption).
- CDN and DDoS protection: Cloudflare (traffic routed through Cloudflare network with TLS termination and DDoS mitigation).
- Secret management: environment secrets stored in Vercel encrypted environment variables; not committed to source control.
- Dependency management: automated dependency scanning via Dependabot; critical security patches applied within 7 days of disclosure.
Incident Response
- Security Incident detection: monitoring of application and infrastructure logs and provider-level alerting for error-rate and authentication anomalies.
- Incident response: a defined escalation path — detect, contain, assess, notify the Controller (within 72 hours of confirmed discovery), remediate, and review.
- Breach notification: as described in Section 7 of this DPA.
AI and No-Training Commitment
- Hostli does not use Controller Personal Data to train or fine-tune any AI model that is made available to other customers or to the general public.
- AI processing is performed by Google Gemini on Google Cloud Vertex AI, under terms that prohibit using Controller Personal Data to train or fine-tune any AI/ML models; any retention of prompt data is limited to short-term abuse monitoring. Hostli does not route Controller Personal Data to any other AI model provider.
- AI-generated outputs (campaign copy, images) are not attributed to or shared with other hotel accounts.
Annex 3 — Approved Sub-Processors
Hostli provides 30 days' advance notice of changes. The full list is provided to customers in their service agreement.
Approved Sub-Processor List
The current list of approved Sub-Processors — including each Sub-Processor name, role, processing location, and applicable transfer mechanism — is published at hostli.ai/subprocessors and is also provided to the Controller as part of the service agreement. Sub-Processors fall within the following categories: advertising and messaging platforms; cloud hosting and serverless compute; managed database and object storage; AI model providers (under terms that prohibit using Controller Personal Data to train generalised models, with any retention of prompt data limited to short-term abuse monitoring); and transactional communication providers. Hostli remains fully liable to the Controller for the acts and omissions of its Sub-Processors.
Sub-Processor Change Procedure
Before engaging a new Sub-Processor or materially changing an existing Sub-Processor's role, Hostli will notify the Controller's registered account email address at least 30 days in advance. The notification will include the Sub-Processor's name, role, processing location, and transfer mechanism. The Controller may object within the notice period by emailing [email protected] with reasons. If no objection is received within 30 days, the Controller is deemed to have approved the change. The current Sub-Processor list is published at hostli.ai/subprocessors and provided to the Controller with each change notification. For the customer-match (hashed-email) audience feature, Meta acts as a Sub-Processor (processor) on the Controller's instructions under Meta's Customer List Custom Audiences Terms and Data Processing Terms; Meta's separate delivery of advertising using the resulting audience is governed by Meta's own advertising terms, under which Meta acts as an independent controller.
Annex 4 — Israeli Data Security Regulations (Reg. 15) Schedule
Regulation 15, Israeli Privacy Protection Regulations (Data Security) 5777-2017
Database Security Tier Classification
Pursuant to Regulation 15 of the Israeli Privacy Protection Regulations (Data Security) 5777-2017, the database maintained by Hostli on behalf of Controller hotel customers is classified as a "Basic" security-tier database (רמת אבטחה בסיסית). Basis for classification: the database does not contain "information of special sensitivity" within the meaning of the Regulations — Hostli does not store health data, special-category data, or per-individual financial data (booking revenue is aggregated at the hotel level and is not retained per guest), and payment-card / PAN data is not stored by design; the database holds Personal Data of fewer than 100,000 Data Subjects; and fewer than 100 persons have authorised access to it. Hostli is not a data broker. Notwithstanding the Basic classification, Hostli maintains the technical and organisational measures described in Annex 2 — which meet or exceed the Basic-tier requirements — including encryption at rest and in transit, access controls, audit logging, periodic security reviews, and a documented incident response procedure. Hostli monitors aggregate Data Subject volume and authorised-access headcount; should the database cross 100,000 Data Subjects or 100 authorised-access holders, or should information of special sensitivity be introduced, Hostli will re-classify to the Medium or High tier as required and implement the corresponding additional controls.
Security Officer
Hostli Ltd. designates its founder, Adam Ben Shmuel, as the responsible officer for data security matters ("ממונה אבטחת מידע" / Security Officer) for purposes of Reg. 15. Contact: [email protected]. The Security Officer is responsible for: (a) overseeing implementation of the TOMs in Annex 2; (b) receiving and investigating Security Incident reports; (c) coordinating breach notification to the Controller within 72 hours of confirmed discovery; and (d) conducting or commissioning periodic security reviews. Hostli will appoint a dedicated Security Officer should the organisation scale to a tier that requires one.
Security Audit Cadence
Hostli conducts security reviews on the following schedule:
- Dependency vulnerability scanning: automated and continuous (Dependabot). Critical findings remediated promptly following disclosure.
- Access control review: periodic review and recertification of Hostli engineering access to production systems.
- Security log review: periodic review of security alerts and anomaly events by the Security Officer.
- Penetration testing: conducted prior to general availability and periodically thereafter, and following any confirmed Security Incident affecting Personal Data. Results shared with Controllers on written request.
- Sub-Processor security review: on engagement of each new Sub-Processor and periodically thereafter (review of available security documentation, certifications, or equivalent).
Breach Notification to Controller (Israeli Law)
In the event of a Severe Security Incident (as defined in the Israeli Privacy Protection Regulations — an incident involving unauthorised access to or disclosure of Personal Data affecting the rights or dignity of Data Subjects), Hostli shall notify the Controller within 72 hours of confirmed discovery. The notification shall include: (a) the nature of the incident; (b) the type and approximate volume of Personal Data involved; (c) the likely consequences; and (d) the measures taken or proposed. The Controller, as owner of the database, bears the statutory obligation to notify the Israeli Privacy Protection Authority (Reshut HaGanah Al HaPrivatsiut) and affected Data Subjects in accordance with the applicable Israeli law timeline. Hostli will cooperate fully with the Controller's notification obligations.
Data Subject Rights — Israeli PPL
Under the Israeli Protection of Privacy Law 5741-1981 and its Amendment 13, Data Subjects have the following rights, which Hostli will assist the Controller in fulfilling:
- Right to inspect: Data Subjects may request to review Personal Data held about them.
- Right to correct: Data Subjects may request correction of inaccurate Personal Data.
- Right to delete ("Right to be Forgotten"): Data Subjects may request deletion of Personal Data where retention is no longer required.
- Right to object: Data Subjects may object to processing for direct marketing purposes.
- Response timeline: The Controller must respond to Data Subject requests within 30 days (Israeli PPL) or 1 month (GDPR Art. 12), extendable by a further 2 months for complex requests.
Contact and Complaints
For data protection inquiries, Data Subject requests, or to exercise rights under this DPA, contact: [email protected]. For security incidents or suspected vulnerabilities: [email protected]. Data Subjects who are not satisfied with Hostli's response may contact the Israeli Privacy Protection Authority (Reshut HaGanah Al HaPrivatsiut) at gov.il/en/departments/ministry-of-justice or, for EEA residents, their local data protection supervisory authority.
This DPA forms part of the Hostli Terms and Conditions. By accepting those Terms, you agree to this DPA. Questions: [email protected]