Data Processing Agreement

This Data Processing Agreement (“DPA”) governs how Lodgestory processes personal data on behalf of its customers.

Last updated: March 1, 2026 | Effective: March 1, 2026

1. Definitions

For the purposes of this Data Processing Agreement, the following terms shall have the meanings set out below:

  • “Controller” means the customer (you) who determines the purposes and means of processing personal data using the Lodgestory platform.
  • “Processor” means MARRG GLOBAL TECH PVT LTD, operating as Lodgestory, which processes personal data on behalf of the Controller.
  • “Data Subject” means an identified or identifiable natural person whose personal data is processed through the Lodgestory platform.
  • “Personal Data” means any information relating to a Data Subject, including names, email addresses, phone numbers, conversation data, and any other data processed through the platform.
  • “Sub-processor” means any third-party entity engaged by the Processor to assist in processing Personal Data on behalf of the Controller.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • “Applicable Data Protection Law” means GDPR (EU) 2016/679, UK GDPR, and any other applicable data protection legislation.

2. Scope of Processing

This DPA applies to all processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the Lodgestory platform and services. The scope includes:

  • Subject Matter: Provision of the Lodgestory omnichannel customer communication platform, including unified inbox, chatbot workflows, broadcast messaging, analytics, and related services.
  • Duration: Processing shall continue for the duration of the service agreement between the Controller and Processor, and for such additional period as required by applicable law.
  • Nature and Purpose: The Processor processes Personal Data to enable the Controller to manage customer communications across WhatsApp, Instagram, Email, SMS, Voice, and other supported channels.
  • Types of Data: Contact information, message content, conversation metadata, analytics data, and any other data uploaded or transmitted through the platform by the Controller.
  • Categories of Data Subjects: End users, customers, prospects, and any other individuals whose data is processed by the Controller through the platform.

The Processor shall process Personal Data only in accordance with the Controller's documented instructions, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 4 of this DPA.
  • Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general authorization, the Processor shall inform the Controller of any intended changes and provide an opportunity to object.
  • Assist the Controller in fulfilling its obligations to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
  • Assist the Controller in ensuring compliance with data protection impact assessments and prior consultation with supervisory authorities, where required.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires retention.
  • Make available to the Controller all information necessary to demonstrate compliance with these obligations and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

4. Security Measures

The Processor shall implement and maintain the following technical and organizational security measures:

  • Encryption: AES-256 encryption for data at rest; TLS 1.2 or higher for data in transit.
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege for all systems.
  • Monitoring: Continuous security monitoring, intrusion detection, and logging of all access to systems containing Personal Data.
  • Backups: Regular encrypted backups stored in geographically redundant locations with tested restoration procedures.
  • Vulnerability Management: Regular vulnerability assessments, penetration testing by qualified third parties, and prompt remediation of identified vulnerabilities.
  • Personnel Security: Background checks for personnel with access to Personal Data, mandatory security awareness training, and ongoing education.
  • Physical Security: Data center physical access controls including biometric authentication, surveillance, and environmental controls.
  • Business Continuity: Documented disaster recovery and business continuity plans with regular testing.

5. Data Breach Notification

In the event of a Data Breach, the Processor shall:

  • Notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Data Breach.
  • Provide the Controller with sufficient information to enable the Controller to meet its obligations under Article 33 of the GDPR, including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
  • Cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
  • Document the Data Breach, including the facts, its effects, and the remedial action taken, and make this documentation available to the Controller and supervisory authorities upon request.
  • Not inform any third party of the Data Breach without first obtaining the Controller's written consent, unless notification is required by applicable law.

The Processor shall maintain an incident response plan and conduct regular testing to ensure preparedness for Data Breach scenarios.

6. Contact Information

For questions about this Data Processing Agreement, to request a signed copy, or to report a data protection concern, please contact:

Data Protection Officer

Email: [email protected]

Legal: [email protected]

Company: MARRG GLOBAL TECH PVT LTD

Address: Gurgaon, Haryana, India

This DPA is incorporated into and forms part of the Lodgestory Terms of Service. In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to the processing of Personal Data.
