Data Processing Agreement.
Last updated · April 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Tadmit Interactive Ltd. (“HotelX”, “Processor”) and you (“Hotel”, “Controller”).
Definitions
- Controller — the hotel entity that determines the purposes and means of processing personal data.
- Processor — HotelX (Tadmit Interactive Ltd.), which processes personal data on behalf of the Controller.
- Sub-processor — a third party engaged by HotelX to assist in processing personal data.
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data, including collection, storage, retrieval, use, and erasure.
Scope
This DPA applies to all personal data that HotelX processes on behalf of the hotel through the HotelX platform. HotelX processes guest data solely to provide the concierge service as instructed by the hotel.
Processing Details
Categories of Data
Guest names, room numbers, service requests, feedback ratings, language preferences, and interaction timestamps.
Purpose of Processing
To provide the QR-based digital concierge service, process service requests, and collect guest feedback.
Duration
For the duration of the service agreement between HotelX and the hotel. Data is deleted within 30 days of agreement termination.
Obligations of the Processor
HotelX shall:
- Process personal data only on documented instructions from the hotel
- Ensure that all personnel authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the hotel in responding to data subject access requests
- Delete or return all personal data upon termination of the agreement, at the hotel's choice
- Make available all information necessary to demonstrate compliance with this DPA
Sub-processors
HotelX uses the following sub-processors to deliver the service. We will notify you at least 30 days before adding a new sub-processor:
Security Measures
HotelX implements the following security measures to protect personal data:
- AES-256 encryption at rest, TLS 1.3 in transit
- VPC network isolation with private subnets and security groups
- Automated backups every 6 hours with point-in-time recovery
- Role-based access control and audit logging
- Regular penetration testing by independent third parties
- SOC 2 Type II-aligned practices
Data Breach Notification
In the event of a personal data breach, HotelX will notify the hotel without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, approximate number of data subjects, and measures taken to address the breach.
Data Subject Rights
HotelX will assist the hotel in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, and objection) within the timeframes required by applicable law.
International Transfers
Personal data is stored and processed within the EU. Where transfers outside the European Economic Area are necessary, HotelX ensures appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs).
Audit Rights
The hotel may audit HotelX's compliance with this DPA once per calendar year, with at least 30 days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with HotelX's operations.
Term & Termination
This DPA is effective for the duration of the service agreement. Upon termination, HotelX will delete all personal data within 30 days unless legally required to retain it. The hotel may request a data export in a machine-readable format before deletion.
Contact
Tadmit Interactive Ltd., Israel.
For DPA inquiries, reach us at dpa@hotelx.app.