Data Processing Addendum (DPA)
01 Definitions and Interpretation
In this DPA, the following terms have the following meanings:
- “Data Protection Legislation” means all legislation in force from time to time in the United Kingdom relating to data protection and privacy, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (as amended).
- “UK GDPR” means the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of the United Kingdom.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing” have the meanings given in the UK GDPR.
- “Sub-Processor” means any third party engaged by Cloudfox to process Personal Data on the Customer’s behalf, as listed in Appendix A.
- “Technical and Organisational Measures” means the security measures described in Appendix B.
The Appendices form part of this DPA.
02 Roles of the Parties
| Party | Role |
|---|---|
| Customer | Data Controller |
| Cloudfox | Data Processor |
Cloudfox processes Personal Data only on behalf of, and for, the Customer. The Customer remains responsible at all times for ensuring it has a valid lawful basis for collecting the Personal Data and for transferring it to Cloudfox for processing.
03 Scope and Order of Precedence
This DPA is incorporated by reference into the Terms of Service and is accepted by the Customer when it accepts the Terms of Service at registration. No separate signature is required for the DPA to take effect; a counter-signable copy is available on request to enterprise customers who require one for their own records. In the event of any conflict between this DPA and the Terms of Service in relation to the processing of Personal Data, this DPA prevails.
04 Subject Matter, Duration, Nature and Purpose of Processing
- Subject matter and purpose: provision of the StaySynced service, namely a one-way integration that extracts booking and tenancy data from the Customer’s Concurrent property management system and loads it into the Customer’s HubSpot CRM.
- Nature of processing: extraction, cleaning, formatting, field-mapping, transmission and operational logging of Personal Data to perform the synchronisation.
- Duration: for the duration of the Customer’s use of StaySynced and until deletion or return of Personal Data under Section 15.
05 Types of Personal Data and Data Subjects
| Category | Detail |
|---|---|
| Data Subjects | End-users, tenants, leads, applicants and staff whose data is held in the Customer’s Concurrent and HubSpot systems |
| Data Types | Names, contact details (email, telephone, address), booking and tenancy details, CRM activity, and other fields determined by the Customer’s configuration. The Customer must not configure StaySynced to process special category data unless separately agreed in writing. |
06 Processing on Documented Instructions
Cloudfox processes Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Cloudfox will inform the Customer of that legal requirement before processing, unless the law prohibits it). The Customer’s instructions are set out in this DPA, the Terms of Service, and the configuration the Customer establishes within the StaySynced platform. Cloudfox will inform the Customer if, in its opinion, an instruction infringes the Data Protection Legislation.
07 Confidentiality
Cloudfox ensures that all personnel authorised to process the Personal Data are bound by an appropriate obligation of confidentiality and are made aware of the confidential nature of the data. Cloudfox limits access to the Personal Data to those personnel who require it to deliver the service.
08 Security Measures
Cloudfox implements and maintains the Technical and Organisational Measures set out in Appendix B to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.
09 Personal Data Breach
Cloudfox will notify the Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting the Customer’s Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Cloudfox will provide reasonable assistance to the Customer in meeting the Customer’s own breach-notification obligations to the ICO and to affected data subjects. The Customer (as Controller) is solely responsible for determining whether and how to notify the ICO or data subjects.
10 Sub-Processors
The Customer provides general written authorisation for Cloudfox to engage the Sub-Processors listed in Appendix A. Cloudfox:
- imposes on each Sub-Processor, by written contract, data-protection obligations substantially equivalent to those in this DPA;
- remains fully liable to the Customer for the performance of each Sub-Processor’s obligations; and
- will give the Customer reasonable prior notice of any intended addition or replacement of a Sub-Processor, giving the Customer the opportunity to object on reasonable data-protection grounds.
11 Data Subject Rights and Assistance
Taking into account the nature of the processing, Cloudfox will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights under the Data Protection Legislation (access, rectification, erasure, restriction, portability and objection). If Cloudfox receives a request directly from a data subject, it will not respond itself (except to confirm onward referral) but will notify the Customer without undue delay.
12 Assistance with Compliance Obligations
Taking into account the nature of the processing and the information available to Cloudfox, Cloudfox will provide reasonable assistance to the Customer with: the security of processing; the notification of Personal Data Breaches; the carrying out of data protection impact assessments (DPIAs); and prior consultation with the ICO where required.
13 International Transfers
The arrangements for any transfer of Personal Data outside the United Kingdom are set out in Appendix C. Where any Sub-Processor processes Personal Data outside the UK, Cloudfox ensures that an appropriate transfer mechanism under the Data Protection Legislation is in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or reliance on UK adequacy regulations.
14 Audit and Compliance
Cloudfox will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, on reasonable prior notice and subject to reasonable confidentiality and security conditions.
15 Deletion or Return of Data
On termination of the service, and at the Customer’s choice, Cloudfox will delete or return all Personal Data to the Customer and delete existing copies, unless the law requires continued storage. Cloudfox will certify completion of deletion in writing on request. The integration is one-way and does not retain Personal Data beyond the operational logging needed to run and troubleshoot the service.
16 Liability
Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party’s liability where it cannot lawfully be limited.
17 Governing Law
This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.
18 Contact
For data-protection enquiries, contact dataprotection@cloudfox.it.
Appendix A — Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Vercel | Application hosting (website, dashboard and API) | UK (London, eu-west-2 / lhr1) — function execution; deployment builds run in the US on source code only (no customer personal data) |
| Supabase | Hosting, database, authentication, storage | EU (Ireland, eu-west-1) — within the EEA |
| Microsoft Azure | Compute hosting for the data-transformation (ETL) workload | UK (UK South, London) |
| Stripe | Payment processing | Stripe Payments Europe Ltd (Ireland); data transferred to the US and India — safeguarded under the UK IDTA, EU SCCs and the EU-US Data Privacy Framework (UK Extension) |
| HubSpot | CRM — destination of the one-way sync | EU / US — US processing safeguarded under the IDTA / SCCs |
Cloudfox will notify Customers of intended changes to this list and provide an opportunity to object on reasonable data-protection grounds.
Appendix B — Technical and Organisational Measures
Cloudfox maintains the following measures, appropriate to the nature of the Personal Data and the risk:
- Encryption of credentials at rest: third-party integration credentials and secrets are encrypted using an application-managed key before storage.
- Encryption in transit: all connections to the platform and to third-party APIs use TLS.
- Access segregation: database access is governed by Postgres Row-Level Security; the application separates limited, user-scoped access from privileged service-role access used only for system operations.
- Authentication: user access is managed through session-based, token-refreshed authentication.
- Audit logging: significant organisation and system events are recorded to an audit log to support security monitoring and troubleshooting.
- Backups: the database platform maintains regular automated backups.
- Access control and least privilege: access to production systems and Personal Data is limited to personnel who require it.
- Resilience and recovery: the hosting platform provides the ability to restore availability of and access to data following an incident.
These measures are reviewed periodically and may be updated provided the level of security is not materially reduced.
Appendix C — International Transfers
StaySynced’s primary database hosting is located within the EEA at Supabase in Ireland (eu-west-1). Transfers of Personal Data from the United Kingdom to the EEA are permitted under UK adequacy regulations without additional safeguards. Where a Sub-Processor — being a US-headquartered provider such as Stripe or HubSpot — processes or accesses Personal Data outside the UK and the EEA, for example in the United States or India, Cloudfox relies on an appropriate transfer mechanism: the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, the EU-US Data Privacy Framework (and its UK Extension), or UK adequacy regulations. Where a counter-signed transfer agreement is required by a Sub-Processor or by the Customer, the IDTA is used as the executable transfer annex. The application hosting (Vercel) executes its functions in the UK (London, eu-west-2 / lhr1) — its deployment builds run in the US but operate on source code, not customer Personal Data — and the data-transformation (ETL) compute layer runs on Microsoft Azure virtual machines in the UK (UK South), so no transfer of Personal Data outside the UK arises for that processing.