Data Processing Agreement

This Data Processing Agreement (DPA) defines how personal data is processed between the data controller and the processor in compliance with GDPR.

Version: 2.0
Last Updated: 23/02/2026

 

1. Parties

This Data Processing Agreement (“DPA”) forms part of the Service Agreement between:

Controller: The hospitality customer using PassportScan Cloud

Processor:
GlobeID Limited
The Black Church, St. Mary’s Place
Dublin 7, D07P4AX
Ireland
VAT: IE 3342103WH

The Processor provides PassportScan Cloud services to the Controller.

 

2. Purpose

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in accordance with:

  • Regulation (EU) 2016/679 (GDPR)
  • Applicable local data protection laws

The Processor shall process Personal Data only on documented instructions of the Controller.

 

3. Nature and Purpose of Processing

PassportScan Cloud enables:

  • Digital guest registration
  • Identity document scanning and OCR extraction
  • Consent capture
  • Regulatory export
  • PMS integration
  • Credit purchase and account activation

Payment processing is handled exclusively by Stripe.

The Processor does not determine the purposes of processing.

 

4. Categories of Data Subjects

  • Hotel guests
  • Minor guests (where legally required)
  • Reservation holders
  • Hotel staff users
  • Billing contacts

 

5. Categories of Personal Data

Identity Data

  • First name, last name
  • Date and place of birth
  • Nationality
  • Identity document number
  • Document type
  • Expiry date
  • Document images (if enabled)
  • Signature images
  • Consent metadata

Technical Data

  • IP address
  • Authentication metadata
  • Device metadata
  • Logs

Payment Metadata

  • Transaction ID
  • Payment status
  • Amount
  • Currency
  • Billing email (if applicable)

The Processor does not store or process:

  • Full payment card numbers
  • CVV codes
  • Card expiration dates

Payment card data is processed exclusively by Stripe.

 

6. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions
  • Ensure confidentiality
  • Implement appropriate technical and organisational measures
  • Assist with data subject rights
  • Notify personal data breaches without undue delay
  • Delete or return Personal Data upon termination

 

7. Technical and Organisational Measures

The Processor implements:

  • AWS-hosted infrastructure
  • Multi-AZ deployment
  • Application-level / field-level encryption (Model B)
  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Role-based access control
  • MFA support
  • Logging and monitoring
  • Independent penetration testing

 

8. Sub-Processors

The Controller authorises the Processor to engage sub-processors as listed in the public Sub-processor Register.

Current categories include:

  • Amazon Web Services (AWS) – Cloud Infrastructure
  • Clerk – Authentication
  • Datadog – Monitoring
  • Google Workspace – Internal operations
  • Stripe – Payment processing

The Processor ensures that sub-processors are bound by GDPR-equivalent obligations.

 

9. Security of Processing (Article 32 GDPR)

The Processor ensures appropriate security measures considering:

  • State of the art
  • Implementation costs
  • Nature, scope, context and purposes of processing
  • Risk to rights and freedoms of natural persons

Security measures include encryption, access control, resilience, and incident response capability.

 

10. Data Residency and International Transfers

10.1 Core Infrastructure

Core platform infrastructure, including application services and primary databases, is hosted exclusively in:

Amazon Web Services (AWS) – eu-west-1 (Ireland, European Union).

No cross-region replication of core databases is configured.

10.2 Regional Document Image Storage

Where document image storage functionality is enabled by the Controller, object storage (Amazon S3) may be provisioned in the AWS region corresponding to the hotel’s operational jurisdiction.

Such regions may include locations outside the European Economic Area (EEA), including but not limited to:

  • Asia-Pacific
  • Africa
  • North America
  • South America
  • Australia

Regionalisation supports:

  • Data localisation requirements
  • Latency optimisation
  • Jurisdictional alignment

10.3 International Transfer Safeguards

Where personal data is processed outside the EEA, transfers are governed by:

  • AWS Data Processing Addendum
  • Standard Contractual Clauses (SCCs), where applicable
  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.2+)

The Processor ensures appropriate safeguards under Chapter V GDPR.

 

11. Audit and Inspection

The Processor shall make available information necessary to demonstrate compliance and may provide:

  • Security documentation
  • Penetration testing summary
  • Certifications (where applicable)

Audits may be conducted subject to reasonable notice.

 

12. Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.

Notification shall include:

  • Nature of the breach
  • Categories of data affected
  • Mitigation measures taken

 

13. Termination

Upon termination of services:

  • Personal Data shall be deleted within 30 days unless otherwise required by law
  • Access shall be revoked
  • Backup deletion policies apply

 

14. Governing Law and Jurisdiction

This Data Processing Agreement and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of Spain. The courts of Spain shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, unless otherwise required by applicable mandatory data protection law.
