Vai al contenuto principale
Italiano

Data Processing Agreement (DPA)

Last updated: 2026-05-03

This DPA is an integral part of the Terms of Service and governs the processing of personal data under GDPR Art. 28 between Cortinovis Brian ("Processor") and the Tenant ("Controller").

1. Roles

  • Data Controller: the Tenant, for data of its own customers/guests.
  • Data Processor: Cortinovis Brian, processing data on behalf of the Controller.
  • Sub-processors: listed at /legal/sub-processors.

2. Subject and purpose

The Processor processes personal data for SaaS service delivery purposes: booking management, invoicing, communications, storage, backup.

3. Categories of data

  • Guest contact data (name, email, phone)
  • Booking data (dates, amounts)
  • ID documents when uploaded by the Controller
  • Tokenised payment data

4. Duration

The DPA duration coincides with the service contract duration.

5. Processor obligations

The Processor undertakes to:

  1. Process data only on documented instructions from the Controller.
  2. Ensure confidentiality of authorised personnel (internal NDAs).
  3. Adopt security measures under GDPR Art. 32 (AES-256-GCM encryption, TLS 1.3, RLS, audit log).
  4. Notify breaches within 72h of discovery.
  5. Assist the Controller with DPIA, DSAR, supervisory authority relations.
  6. At contract end: return or delete data (Controller's choice) within 30 days.

6. Sub-processors

The Processor uses the sub-processors listed at /legal/sub-processors. Changes to the list are notified 30 days in advance via email. The Controller may object with effect of termination if the objection is motivated.

7. Non-EU transfers

Transfers only to countries with adequacy decision or based on Standard Contractual Clauses (SCC EU Decision 2021/914).

8. Audit

The Controller may request an annual audit of the Processor with 30 days' notice, at the Controller's expense. SOC 2 or ISO 27001 reports, if available, satisfy the audit obligation.

9. Security

Technical and organisational measures: at-rest/in-transit encryption, RBAC+RLS access control, admin MFA, daily encrypted backups, annual penetration test, DPIA on new processing.

10. Contacts

Processor: Cortinovis Brian — info@touracore.com Processor DPO: info@touracore.com

Template version: 7bb220bf8aaa16a1