Non-binding translation
This is an informational English translation. The legally binding version is the German original.
Note: This document is intended for all users/operators of a bessa software system: service providers, retail businesses, hospitality businesses, accommodation and hotel businesses.
DATA PROCESSING AGREEMENT (DPA)
pursuant to Art. 28 GDPR
between
[Operator Name]
[Address]
[Postal Code City]
[Country]
(hereinafter referred to as the "Controller")
and
meisterwork GmbH
Rosentaler Straße 1
9020 Klagenfurt am Wörthersee
Austria
(hereinafter referred to as the "Processor")
1. Subject and Duration of Processing
1.1 Subject
The Processor provides Software-as-a-Service (bessa) services to the Controller pursuant to the underlying main agreement (software licence agreement / SaaS agreement). In the course of providing these services, the Processor processes personal data on behalf of the Controller.
1.2 Duration
The duration of this Data Processing Agreement is governed by the term of the underlying main agreement.
2. Nature and Purpose of Processing
2.1 Nature of Processing
Processing comprises the following activities:
- Storage and hosting of customer data in cloud infrastructure
- Processing of order, invoice and payment data
- Management of customer loyalty programmes (digital stamp passes, points systems)
- Performance of revenue analyses and provision of key performance indicators
- Processing of online orders and kiosk transactions
- Management of canteen systems and subsidy administration
- Sending of marketing messages and push notifications on behalf of the Controller
- Hospitality/Accommodation: Billing of hotel services (restaurant, bar, spa, minibar)
- Hospitality/Accommodation: Room number assignment for internal billing
2.2 Purpose of Processing
The purpose of processing is to provide and operate a comprehensive software system with modules for point-of-sale functions, customer loyalty, online orders and other services for the hospitality, retail, service, accommodation and hotel sectors.
3. Types of Personal Data and Categories of Data Subjects
3.1 Data Categories
- Master data (last name, first name, title, salutation)
- Contact data (e-mail address, telephone number, address)
- Transaction data (orders, invoices, merchant and customer receipts)
- Customer loyalty data (point balances, stamp cards, purchase history)
- Usage data (login data, access logs)
- Communication data (support requests, feedback)
- Hospitality-specific data: Room number (for internal billing), consumption (restaurant, bar, spa, minibar), additional services and their billing
Important note:
- Payment data (credit card information, etc.) is not stored in the bessa system. It is processed exclusively via the PCI-DSS-certified payment service provider Stripe.
- ID or passport data is NOT processed in the bessa system. Guest registration and reporting obligations are handled via separate systems.
3.2 Categories of Data Subjects
- End customers of the Controller
- Hotel guests (only for additional services, not for accommodation itself)
- Employees of the Controller
- Suppliers and business partners of the Controller
- Prospects and potential customers
4. Obligations of the Processor
4.1 Bound by Instructions
The Processor processes personal data exclusively within the scope of the agreements concluded and on the basis of documented instructions from the Controller. The Processor shall inform the Controller without undue delay if it is of the opinion that an instruction violates data protection regulations.
4.2 Confidentiality
The Processor ensures that persons authorised to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
4.3 Data Security
The Processor takes all technical and organisational measures required pursuant to Art. 32 GDPR (see Annex 1).
4.4 Engagement of Subprocessors
The Processor is entitled to engage the subprocessors listed in Annex 2. The engagement of further subprocessors must be notified to the Controller in good time in advance. The Controller may object to the engagement within 14 days of notification.
4.5 Duty to Provide Support
The Processor supports the Controller in:
- Responding to requests from data subjects
- Carrying out data protection impact assessments
- Reporting personal data breaches
- Fulfilling accountability obligations
4.6 Deletion and Return
After termination of the data processing services, the Processor shall delete all personal data or return it to the Controller, unless there is a statutory retention obligation.
5. Obligations of the Controller
5.1 Lawfulness
The Controller is responsible for ensuring that the collection, processing and use of personal data is carried out lawfully.
5.2 Instructions
The Controller issues all instructions in writing or in electronic form. Verbal instructions must be confirmed in writing without undue delay.
6. Audit Rights
The Controller has the right to audit the Processor's compliance with data protection regulations. Audits must be announced in good time and carried out during normal business hours.
7. Notification Obligations
The Processor shall inform the Controller without undue delay about:
- Audits by supervisory authorities
- Violations of data protection regulations
- Breaches of the protection of personal data
- Requests from data subjects
8. Liability
Liability is governed by the statutory provisions of the GDPR and the provisions of the main agreement.
9. Miscellaneous
9.1 Remuneration
Remuneration for data processing is regulated in the main agreement.
9.2 Final Provisions
Amendments and supplements to this agreement must be made in writing. Austrian law applies, excluding the conflict-of-laws provisions.
Annex 1: Technical and Organisational Measures
1. Physical Access Control
- Server location in secured data centres (AWS Frankfurt)
- Access only for authorised persons
- Monitoring of the data centres
2. System Access Control
- Individual user accounts with strong passwords
- Two-factor authentication available
- Automatic session termination on inactivity
- Regular review of access rights
3. Data Access Control
- Role-based rights management
- Tenant isolation
- Principle of least privilege
- Separation of production and test systems
- No storage of sensitive payment data (processing via PCI-DSS-compliant partner Stripe)
4. Transfer Control
- Encrypted data transmission (SSL/TLS)
- Secure API interfaces
- Logging of data exports
5. Input Control
- Logging of data changes (in implementation)
- Versioning
- Audit trail for critical operations (in implementation)
6. Order Control
- Clear contractual arrangements with subprocessors
- Documented instructions
- Regular review of subprocessors
7. Availability Control
- Daily data backup
- Disaster recovery plan
- Redundant systems
- Monitoring and alerting
8. Separation Control
- Multi-tenant architecture
- Logical data separation
- Separate databases for different services
Annex 2: Approved Subprocessors
| Subprocessor | Service | Place of Processing |
|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting, infrastructure | Frankfurt, Germany (EU) |
| Google Ireland Limited | Analytics, Cloud Messaging, Crashlytics | EU |
| Atlassian Pty Ltd | Support ticket system (Jira) | EU |
| Stripe Payments Europe Ltd | Payment processing | EU (Ireland) |
Annex 3: Persons Authorised to Issue Instructions
Persons authorised to issue instructions on behalf of the Controller:
- Management
- Head of IT
- Data protection officer (if appointed)
Recipients of instructions on behalf of the Processor:
- DI Daniel Lichtenegger (Managing Director)
- Georg Kitz (Managing Director)
- Richard Marktl (Managing Director)
- E-mail: support@bessa.app
- Tel: +43 720 317 836
Place, date: _______________________
For the Controller:
Name, position
Signature
For the Processor:
Name, position
Signature