Data Processing Agreement
Last updated: April 11, 2026
GDPR / UK GDPR / CCPA / Swiss FADP
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms of Service ("Agreement") between:
Controller: The entity identified as "Client" in the Agreement ("Controller")
Processor: Trellis Tech, Inc., a Delaware corporation ("Processor" or "Trellis")
Each a "Party" and together the "Parties." Capitalised terms not defined herein have the meanings given in the Agreement.
1. Definitions
"Data Protection Laws" means, as applicable: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act as amended by the CPRA ("CCPA"); and (e) any other applicable data protection or privacy legislation.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller under the Agreement.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"AI Processing" means the processing of Personal Data by the Processor using artificial intelligence, machine learning, or large language model ("LLM") technologies, including but not limited to natural language processing, automated text generation, conversational AI agents, and automated decision-support systems, in each case as part of the services provided under the Agreement.
"AI Sub-processor" means any Sub-processor that provides artificial intelligence, machine learning, or large language model services to the Processor, including but not limited to inference API providers, and through which Personal Data is transmitted for AI Processing.
2. Scope and Purpose of Processing
The Processor processes Personal Data solely to provide the Trellis property-operations platform and related services as described in the Agreement. The details of the processing are set out in Annex 1.
The Processor shall not process Personal Data for any purpose other than as documented in the Agreement and this DPA, or as otherwise instructed in writing by the Controller.
3. Processor Obligations
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law—in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational security measures as described in Annex 2, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
- Respect the conditions for engaging Sub-processors set out in Section 5 below.
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures for the fulfilment of Data Subject rights requests.
- Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits and inspections as set out in Section 8.
4. Controller Obligations
The Controller warrants that: (a) it has a lawful basis for processing Personal Data and for instructing the Processor accordingly; (b) it has provided adequate notice to Data Subjects regarding the processing; and (c) its instructions to the Processor comply with all applicable Data Protection Laws.
5. Sub-processors
The Controller provides general written authorisation for the Processor to engage Sub-processors. The Processor shall maintain an up-to-date list of Sub-processors, made available to the Controller at a publicly accessible URL maintained by the Processor (currently available at the Processor's trust or legal page). The Processor shall also provide the list to the Controller upon written request.
The Processor shall notify the Controller in writing at least 30 days before adding or replacing a Sub-processor, giving the Controller the opportunity to object. If the Controller raises a reasonable objection within 14 days, the Parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty.
The Processor shall impose on each Sub-processor, by way of contract, data protection obligations no less protective than those set out in this DPA, and shall remain liable for the acts and omissions of its Sub-processors to the same extent the Processor would be liable if performing the services of each Sub-processor directly, subject to the limitations of liability set out in the Agreement.
5A. AI Sub-processors and AI Processing
5A.1 The Processor uses AI Sub-processors to provide AI Processing as part of the services. As of the effective date of this DPA, the Processor's AI Sub-processors include providers of large language model inference services (currently: Anthropic, LLC; Google LLC; and OpenAI, LLC). The current list of AI Sub-processors, including the categories of Personal Data transmitted and the purposes of processing, is set out in Annex 3.
5A.2 The Processor shall ensure that each AI Sub-processor is contractually prohibited from: (a) using Personal Data received from the Processor to train, retrain, fine-tune, or otherwise improve any machine learning or AI model; (b) retaining Personal Data beyond the duration necessary to process the specific inference request (and in no event longer than 30 days); and (c) using Personal Data for any purpose other than providing the inference services requested by the Processor.
5A.3 The Processor shall implement appropriate technical measures to minimise the Personal Data transmitted to AI Sub-processors, including pseudonymisation, data masking, or prompt-level filtering where technically feasible and consistent with the provision of the services.
5A.4 Where AI Processing involves automated decision-making that produces legal effects or similarly significant effects on Data Subjects (within the meaning of GDPR Article 22), the Processor shall: (a) inform the Controller of such processing; (b) implement suitable safeguards, including the ability for the Controller to request human review of automated decisions; and (c) provide the Controller with meaningful information about the logic involved, the significance, and the envisaged consequences of such processing, to the extent such information is available to the Processor.
5A.5 The Processor shall promptly notify the Controller of any material change to an AI Sub-processor's data processing practices.
6. International Data Transfers
The Processor shall not transfer Personal Data to a country outside the EEA, UK, or Switzerland unless adequate safeguards are in place in accordance with Data Protection Laws. Such safeguards may include:
- An adequacy decision by the European Commission, UK Secretary of State, or Swiss Federal Council.
- The EU Standard Contractual Clauses (Module 2: Controller-to-Processor), as supplemented by a transfer impact assessment where required.
- The UK International Data Transfer Addendum to the EU SCCs.
- Binding Corporate Rules approved by a competent supervisory authority.
- Certification under the EU-U.S. Data Privacy Framework.
- Any other transfer mechanism permitted under applicable Data Protection Laws.
The Parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor), are incorporated by reference into this DPA and shall apply to transfers of Personal Data from the Controller to the Processor where required. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum shall supplement the EU SCCs. For transfers subject to the Swiss FADP, the EU SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.
Where the CCPA applies, the Processor certifies that it understands and will comply with the CCPA restrictions on the sale or sharing of Personal Data and will process Personal Data only for the business purposes specified in the Agreement.
7. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach. The notification shall include, to the extent available:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- The name and contact details of the Processor's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
The Processor shall also notify the Controller if it becomes aware of a Personal Data Breach affecting an AI Sub-processor that involves Personal Data processed on behalf of the Controller.
8. Audit Rights
The Controller (or its appointed independent third-party auditor) may conduct audits and inspections of the Processor's processing activities no more than once per year, with at least 30 days' prior written notice, during normal business hours, and in a manner that minimises disruption.
The Processor shall provide reasonable cooperation and access to relevant facilities, systems, and records. The Controller shall bear the costs of any audit it initiates, unless the audit reveals a material breach of this DPA by the Processor.
The Processor may satisfy the Controller's audit rights by providing: (a) a current SOC 2 Type II report (or equivalent independent third-party certification); and (b) written responses to reasonable written questions from the Controller regarding the Processor's data protection practices.
9. Data Subject Rights
The Processor shall notify the Controller without undue delay (and in any event within five (5) business days) if it receives a request from a Data Subject to exercise rights under applicable Data Protection Laws. The Processor shall not respond directly to any such request without the Controller's prior written authorisation, unless required by applicable law.
The Processor shall provide the Controller with reasonable assistance in responding to Data Subject requests, taking into account the nature of the processing.
10. Liability
Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either Party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.
11. Term and Termination
This DPA shall remain in effect for the duration of the Agreement and for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination, the Processor shall, at the Controller's election, return or securely delete all Personal Data within 90 days, except where applicable law requires retention.
The Processor shall provide the Controller with written certification of deletion upon request. The Processor shall ensure that all Sub-processors (including AI Sub-processors) delete or return Personal Data processed on behalf of the Controller within the same timeframe.
12. Governing Law and Jurisdiction
This DPA shall be governed by the laws specified in the Agreement. Where required by Data Protection Laws, the mandatory provisions of the applicable jurisdiction shall prevail. Disputes shall be resolved in accordance with the dispute resolution mechanism set out in the Agreement.
13. Miscellaneous
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. This DPA may be amended only in writing signed by both Parties.
Annex 1 — Details of Processing
| Element | Description |
|---|---|
| Subject Matter | Provision of the Trellis AI-powered property operations platform (guest communications, task management, workforce scheduling, and related services). |
| Duration | For the term of the Agreement, plus any post-termination retention period as specified herein. |
| Nature and Purpose | Collection, storage, organisation, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure, and destruction of Personal Data as necessary to provide the services. |
| Categories of Data Subjects | Guests and travellers; property owners; workforce members (employees, contractors, cleaners, maintenance personnel); vendors and service providers; emergency contacts. |
| Types of Personal Data | Contact details (name, email, phone, address); booking and reservation data; check-in/check-out information; payment references; communication records; task assignments and work schedules; shift and absence records; property access codes (transient); device identifiers; IP addresses; location data (workforce only, where enabled). |
| Special Categories | None processed by default. If the Controller instructs the Processor to process special category data, the Controller is responsible for ensuring a valid legal basis. |
| Retention | Personal Data is retained for the duration of the Agreement. Post-termination: deleted or returned within 90 days at Controller's election. Aggregated, anonymised data may be retained indefinitely. |
Annex 2 — Technical and Organisational Measures
| Measure | Description |
|---|---|
| Encryption | TLS 1.2+ for data in transit. AES-256 encryption at rest for databases and backups. End-to-end encryption for sensitive credentials. |
| Access Control | Role-based access with least-privilege principle. Multi-factor authentication for all administrative access. Unique credentials per user; no shared accounts. |
| Multi-Tenancy Isolation | Strict workspace-level data segregation enforced at the application and database query layers. All queries scoped by workspace identifier. |
| Network Security | Firewalls, intrusion detection, DDoS protection. Private networking between application and database layers. Regular vulnerability scanning. |
| Logging & Monitoring | Centralised audit logging of access and changes. Real-time alerting via Sentry and monitoring dashboards. Log retention per applicable requirements. |
| Business Continuity | Automated daily database backups with point-in-time recovery. Multi-region hosting with failover capability. Documented incident response plan. |
| Personnel | Confidentiality agreements for all staff and contractors. Security awareness training. Background checks where legally permitted. |
| Vendor Management | Sub-processors assessed for security posture before engagement. Contractual data protection obligations imposed on all Sub-processors. |
| Data Minimisation | Collection limited to what is necessary for the specified purposes. Automated data retention and purging policies. |
| Testing | Regular penetration testing and security audits. Prompt remediation of identified vulnerabilities. |
Annex 3 — AI Sub-processors
| AI Sub-processor | Location | Purpose | Categories of Personal Data | Data Retention | Model Training |
|---|---|---|---|---|---|
| Anthropic, LLC | United States | LLM inference (Claude) for AI-powered guest communications, task management, and conversational AI agents | Guest names, contact details, booking information, communication content, property details | Per Anthropic API terms (currently 30 days for API inputs/outputs, with zero-retention option available) | Prohibited |
| Google LLC | United States | LLM inference (Gemini), text embeddings for semantic search, image generation (Imagen), and real-time voice AI for meeting agents (Gemini Live) | Guest names, contact details, booking information, communication content, property details, knowledge base documents, meeting audio and transcripts | Per Google Cloud AI / Gemini API terms | Prohibited |
| Microsoft Corporation (Azure OpenAI Service) | United States | LLM inference (GPT-4o) for AI-powered guest communications and task management; speech-to-text transcription (Whisper) | Guest names, contact details, booking information, communication content, property details, audio recordings of voice messages | Per Microsoft Azure OpenAI Service terms (currently 30 days for abuse monitoring, with zero-retention option available) | Prohibited |
| Retell, Inc. | United States | Real-time voice AI agents for inbound and outbound phone calls | Caller identity, voice recordings, call transcripts, booking information discussed during calls | Per Retell API terms | Prohibited |
| ElevenLabs, Inc. | United States | Real-time web-based voice conversations via WebRTC | Voice audio, conversation content, property and booking details discussed during voice sessions | Per ElevenLabs API terms | Prohibited |
| Recall.ai, Inc. | United States | Meeting bot for video call recording, live transcription, and in-call AI agent execution | Meeting recordings, live transcripts, attendee names, calendar event details, booking and property information | Per Recall.ai terms of service | Prohibited |
| OpenAI, LLC | United States | Text-to-speech synthesis for meeting bot voice responses | AI-generated response text (may reference guest names, booking details, or property information) | Per OpenAI API terms (currently 30 days) | Prohibited |
| Exa AI, Inc. | United States | AI-powered semantic web search used by AI agents for research and information retrieval | Search queries (may contain guest names, property names, or booking context) | Per Exa AI terms of service | To be confirmed |
| Browser Use GmbH | Europe | AI-powered browser automation for agent-executed web tasks | Website interactions, form inputs, property and booking details | Per Browser Use terms of service | To be confirmed |
| Keywords AI, Inc. | United States | LLM observability, tracing, and cost monitoring for AI agent executions | Agent input/output traces (may contain guest names, contact details, booking information) | Per Keywords AI terms of service | To be confirmed |
Annex 4 — Standard Contractual Clauses
The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor), are incorporated by reference into this DPA as set out in Section 6. The completed SCC annexes shall be populated with the information set out in Annexes 1, 2, and 3 of this DPA, respectively.
Contact
For questions about this DPA or our data processing practices, contact us at: