Data Processing Agreement

Version 1.1, effective 19/06/2026.

This Data Processing Agreement (DPA) forms part of the agreement between:

RoomPriceGenie AG, Sumpfstrasse 18, 6312 Steinhausen, Switzerland (“RoomPriceGenie”, “Provider”, “Processor”), and

the entity identified as customer in the applicable order form, subscription, or terms (“Customer”, “Controller”).

This DPA applies where and to the extent RoomPriceGenie processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

1.1 Capitalised terms not defined in this DPA have the meaning given in the Agreement.

1.2 Applicable Data Protection Laws means all data protection and privacy laws applicable to the Processing under this DPA, including (as applicable):

  • the Swiss Federal Act on Data Protection (as revised) (“Swiss FADP”) and its ordinances;
  • Regulation (EU) 2016/679 (“GDPR”);
  • the UK GDPR and Data Protection Act 2018; and
  • any binding guidance, codes, or implementing legislation.

1.3 Customer Personal Data means Personal Data processed by RoomPriceGenie on behalf of Customer under this DPA.

1.4 Data Subject, Personal Data, Processing, Controller, Processor, Supervisory Authority, and Personal Data Breach have the meanings given in Applicable Data Protection Laws.

1.5 Standard Contractual Clauses or SCCs means the standard contractual clauses adopted by the European Commission for the transfer of personal data to third countries pursuant to GDPR, as updated or replaced from time to time.

1.6 Sub-processor means any Processor engaged by RoomPriceGenie to process Customer Personal Data.

2. Scope and Roles

2.1 Processor role. Customer appoints RoomPriceGenie as Processor to process Customer Personal Data on Customer’s behalf to provide the Services.

2.2 Controller role. Customer is the Controller of Customer Personal Data.

2.3 RoomPriceGenie as independent controller. Nothing in this DPA restricts RoomPriceGenie’s processing of Personal Data as an independent controller for its own legitimate business purposes, including billing, account management, security, and service improvement.

3. Swiss Data Residency

3.1 Primary hosting. RoomPriceGenie is a Swiss company and the Services are designed so that Customer Personal Data is hosted primarily in Switzerland and/or the European Economic Area (EEA).

3.2 Operational access. Customer acknowledges that, as part of operating and supporting the Services, Customer Personal Data may be accessed from other jurisdictions (for example, by authorised personnel or Sub-processors located outside Switzerland or the EEA).

3.3 RoomPriceGenie will not transfer Customer Personal Data to countries outside Switzerland or the EEA except where necessary to provide the Services and in accordance with Applicable Data Protection Laws.

4. Details of Processing

The subject matter, duration, nature and purpose of Processing, the types of Customer Personal Data and categories of Data Subjects are described in Annex 1.

5. Customer Obligations

5.1 Customer shall:

a) ensure it has a lawful basis to provide Customer Personal Data to RoomPriceGenie;

b) ensure it provides all required notices to Data Subjects;

c) ensure its instructions comply with Applicable Data Protection Laws; and

d) be responsible for the legality, accuracy and quality of Customer Personal Data.

5.2 Customer shall not provide RoomPriceGenie with special categories of Personal Data (sensitive Personal Data) unless expressly agreed in writing and supported by appropriate safeguards.

6. RoomPriceGenie Obligations

6.1 RoomPriceGenie shall:

a) process Customer Personal Data only on documented instructions from Customer (including with regard to transfers), unless required to do otherwise by applicable law; where RoomPriceGenie is required by applicable law to process Customer Personal Data other than in accordance with Customer’s instructions, RoomPriceGenie shall inform Customer of that legal requirement before processing, unless such law prohibits this on important grounds of public interest;

b) inform Customer if, in RoomPriceGenie’s reasonable opinion, an instruction infringes Applicable Data Protection Laws;

c) ensure persons authorised to process Customer Personal Data are subject to confidentiality obligations; and

d) implement and maintain appropriate technical and organisational measures as described in Annex 2.

6.2 RoomPriceGenie may process Customer Personal Data as necessary to:

a) provide the Services;

b) maintain the security, availability and integrity of the Services;

c) provide support and troubleshooting; and

d) fulfil its contractual obligations under the Agreement.

7. Security

7.1 RoomPriceGenie shall implement appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

7.2 RoomPriceGenie may update the Security Measures from time to time, provided that such updates do not materially reduce the overall security of the Services.

8. Sub-processors

8.1 General authorisation. Customer provides a general authorisation for RoomPriceGenie to appoint Sub-processors.

8.2 Sub-processor list. RoomPriceGenie will maintain a list of Sub-processors which will be made available to Customer upon written request.

8.3 Notification. RoomPriceGenie will notify Customer of any intended addition or replacement of Sub-processors and give the Customer the opportunity to object.

8.4 Objection. Customer may object to a new Sub-processor within ten (10) Business Days of the update, on reasonable grounds relating to data protection. If Customer objects, the parties will work in good faith to resolve the objection.

8.5 Flow-down. RoomPriceGenie shall impose data protection obligations on Sub-processors no less protective than those in this DPA.

8.6 RoomPriceGenie remains responsible for the performance of its Sub-processors’ obligations.

9. Assistance with Data Subject Requests

9.1 Taking into account the nature of the Processing, RoomPriceGenie shall provide reasonable assistance to Customer to respond to Data Subject requests under Applicable Data Protection Laws.

9.2 Where RoomPriceGenie provides such assistance, it shall do so at Customer’s cost, calculated at RoomPriceGenie’s then-current professional services rates (or as otherwise agreed in writing).

9.3 If RoomPriceGenie receives a request directly from a Data Subject relating to Customer Personal Data, RoomPriceGenie shall (unless legally prohibited):

a) notify Customer without undue delay; and

b) not respond to the request except on Customer’s documented instructions.

10. DPIAs and Supervisory Authority Consultation

10.1 RoomPriceGenie shall provide reasonable assistance to Customer with data protection impact assessments and consultation with supervisory authorities, to the extent required under Applicable Data Protection Laws and taking into account the nature of the Processing and information available to RoomPriceGenie.

10.2 Any such assistance shall be provided at Customer’s cost, calculated at RoomPriceGenie’s then-current professional services rates (or as otherwise agreed in writing).

11. Personal Data Breach

11.1 RoomPriceGenie shall notify Customer without undue delay of a Personal Data Breach affecting Customer Personal Data after becoming aware.

11.2 The notification shall include, to the extent available:

a) a description of the breach;

b) the categories and approximate number of Data Subjects and records concerned;

c) likely consequences; and

d) measures taken or proposed to address the breach.

11.3 RoomPriceGenie shall cooperate with Customer in good faith to investigate, mitigate and remediate the Personal Data Breach, and reasonably support Customer in fulfilling its notification obligations relating to the Personal Data Breach.

12. International Transfers

12.1 Transfers subject to GDPR. Where Customer Personal Data is subject to the GDPR and is transferred to a country not recognised by the European Commission as providing an adequate level of protection, the parties agree that the EU SCCs are incorporated by reference. Where Customer acts as a Controller, Module Two (Controller to Processor) applies. Where Customer acts as a Processor, Module Three (Processor to Processor) applies.

12.2 Transfers subject to Swiss FADP. Where the Swiss FADP applies and Customer Personal Data is transferred from Switzerland to a country not recognised by the Swiss Federal Council as providing an adequate level of protection, the parties agree that the EU SCCs (as amended by the Swiss FDPIC addendum) are incorporated by reference.

12.3 Transfers subject to UK GDPR. Where UK GDPR applies and Customer Personal Data is transferred to a country not recognised as adequate, the parties agree that the EU SCCs are incorporated by reference together with the UK Addendum issued by the ICO.

12.4 Supplementary measures. Where required, the parties will cooperate in good faith to implement supplementary measures.

12.5 Conflict. If there is a conflict between the SCCs and this DPA, the SCCs shall prevail.

13. Return and Deletion

13.1 Upon termination or expiry of the Services, RoomPriceGenie shall, at Customer’s choice and to the extent supported by the Services:

a) make Customer Personal Data available for export; and/or

b) delete Customer Personal Data.

13.2 RoomPriceGenie may retain Customer Personal Data where required by law or for legitimate purposes such as establishing, exercising or defending legal claims, provided that retained data remains protected in accordance with this DPA.

13.3 Deletion will occur within a reasonable period following termination, taking into account backup and disaster recovery retention cycles.

14. Audits and Compliance

14.1 RoomPriceGenie shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

14.2 RoomPriceGenie may satisfy audit obligations by providing:

a) a SOC 2, ISO 27001 or equivalent third-party report (if available); and/or

b) a written summary of the Security Measures.

14.3 Customer audit. Customer may conduct an audit only:

a) where required by a Supervisory Authority or Applicable Data Protection Laws; or

b) where Customer reasonably believes RoomPriceGenie is in material breach of this DPA,

and in both cases subject to:

i) at least 30 days’ prior written notice;

ii) audits limited to once per 12-month period;

iii) audits conducted during normal business hours;

iv) scope limited to controls relevant to Customer Personal Data;

v) confidentiality obligations; and

vi) Customer paying RoomPriceGenie’s reasonable costs and expenses, including internal time, third-party costs, and legal or security review costs, calculated at RoomPriceGenie’s then-current professional services rates.

14.4 RoomPriceGenie may object to an audit request that would compromise security, confidentiality, or other customers’ data.

15. Confidentiality

RoomPriceGenie shall ensure that persons authorised to process Customer Personal Data are subject to confidentiality obligations.

16. Liability

16.1 The liability provisions and limitations in the Agreement apply to this DPA.

16.2 Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Laws.

17. Order of Precedence

In the event of conflict:

a) the SCCs prevail;

b) this DPA prevails over the Agreement in respect of Processing of Customer Personal Data; and

c) the Agreement prevails for all other matters.

18. Term

This DPA remains in force for as long as RoomPriceGenie processes Customer Personal Data on behalf of Customer.


Annex 1 – Details of Processing

Subject matter: Provision of the Services.

Duration: For the duration of the Agreement and for any additional period required to return or delete Customer Personal Data in accordance with the Agreement and this DPA.

Nature and purpose: Hosting, storing, transmitting, analysing, and otherwise processing Customer Personal Data as necessary to provide the Services, maintain the security and integrity of the Services, and fulfil RoomPriceGenie’s obligations under the Agreement.

Categories of Data Subjects:

  • Customer personnel (including employees, agents, and authorised users of the Services)
  • Employees or representatives of hotels or organisations using the Services

Types of Customer Personal Data:

  • Contact information (such as name, email address, and phone number)
  • Professional information (such as job title, organisation, and role)
  • Account and authentication data
  • Usage data relating to use of the Services
  • Technical data (such as IP address, device identifiers, and log data)

Special categories: Processing of special categories of Personal Data is not intended and should not be included in the data submitted to the Services. Customer agrees not to submit special categories of Personal Data without prior written agreement and appropriate safeguards.


Annex 2 – Security Measures

RoomPriceGenie implements technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the nature, scope, context and purposes of processing, including as appropriate:

Access Control

  • Role-based access controls and least-privilege principles for internal systems
  • Multi-factor authentication (MFA) for privileged or administrative access

Encryption

  • Encryption of data in transit using industry-standard protocols (e.g. TLS)
  • Encryption at rest where supported by the underlying infrastructure provider

Infrastructure Security

  • Hosting on secure cloud infrastructure providers with industry-standard security controls
  • Logical access restrictions to production systems

Monitoring and Logging

  • Logging of relevant system and access events
  • Monitoring mechanisms to detect potential security incidents or service disruptions

Vulnerability Management

  • Use of automated tools and development practices to identify and remediate security vulnerabilities where appropriate
  • Application of security patches and updates as part of regular maintenance

Backup and Availability

  • Backup processes designed to support data recovery in the event of system failure
  • Measures intended to maintain availability and resilience of the Services

Personnel Security

  • Confidentiality obligations for personnel with access to Customer Personal Data
  • Internal security awareness and data protection practices

Sub-processor Management

  • Evaluation of Sub-processors prior to engagement
  • Contractual obligations requiring Sub-processors to implement appropriate security measures

Updated June 2026
