Data Processing Agreement (DPA)
Last updated: April 10, 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between: (a) the entity that has agreed to the Filoxenos.gr Terms of Service ("Data Controller" or "Customer"), and (b) Filoxenos.gr ("Data Processor" or "Filoxenos").
2. Purpose and Duration
This DPA applies for the duration of our commercial relationship and governs the processing of personal data by the Processor on behalf of the Controller. It terminates automatically upon expiration or termination of the main agreement.
3. Processing Details
- Data types: Guest names, email addresses, check-in/check-out dates, booking amounts, commissions, tax identifiers.
- Categories of data subjects: Guests of short-term rental properties.
- Purpose: Generation of reports for tax compliance with AADE and automated delivery to accountants.
- Storage duration: 10 years as required by Greek tax law.
4. Processor Obligations
The Processor undertakes to:
(a) Process data only in accordance with the documented instructions of the Controller.
(b) Ensure that personnel with access to data are bound by confidentiality obligations.
(c) Implement all required technical and organizational security measures.
(d) Not subject the data to further processing beyond the scope of this agreement.
(e) Assist the Controller in complying with their obligations under the GDPR.
5. Data Security
The Processor implements appropriate technical and organizational measures to protect data, including: AES-256-GCM encryption at rest, TLS 1.2+ in transit, role-based access controls, monitoring and logging, backup procedures, and security testing.
6. Sub-processors
The Processor may engage sub-processors only with the prior approval of the Controller. The current list of sub-processors is available on the Sub-processors page. The Processor informs the Controller of any addition or replacement of a sub-processor.
7. Data Transfers Outside the EEA
The Processor does not transfer data outside the European Economic Area (EEA) without adequate safeguards in accordance with Chapter V of the GDPR.
8. Data Subject Rights
The Processor assists the Controller in fulfilling data subject requests (access, rectification, erasure, portability, objection, restriction).
9. Data Breach Notification
The Processor notifies the Controller without undue delay and within 48 hours of discovering a data breach that is likely to result in a risk to the rights of data subjects.
10. Audits and Certifications
The Processor makes available to the Controller all information necessary to demonstrate compliance and allows for audits conducted by the Controller or a mandated third party.
11. Data Deletion
Upon termination of the agreement, the Processor deletes or returns all data to the Controller, unless storage is required by applicable law.
12. Governing Law
This DPA is governed by German Law. The courts of Berlin have jurisdiction.
Annex 1 — Technical and Organizational Measures
- Encryption: AES-256-GCM for data at rest, TLS 1.2+ for data in transit.
- Access controls: Role-based (RBAC), least privilege, multi-factor authentication.
- Key management: Encryption keys stored separately, regular rotation.
- Monitoring: Security event logging and analysis.
- Backups: Daily encrypted backups, restoration testing.
- Countermeasures: Continuous updates, penetration testing, incident response plan.
- Personnel training: Regular data protection training.
- Physical security: Data centers with ISO 27001 certification.
