Staymulate · Legal

Data Processing Agreement

Une traduction française juridiquement vérifiée est en cours de préparation par notre avocat. Cette version anglaise reste la langue contraignante jusqu'à la signature de l'avocat. Pour les marchés francophones (Québec — Loi 25), envoyez un e-mail à legal@staymulate.com pour la langue spécifique au marché avant l'inscription.
Market:GlobalIndiaSingaporeCanada / QuebecThailandIndonesiaAustralia
This is a working draft pending external legal review. Final language will appear here once our lawyer signs off; until then, treat this as our good-faith intent — not a binding contract.

Staymulate — Data Processing Agreement (DPA)

Version 1.0 first draft. Status: AWAITING LAWYER REVIEW.

The most important and complex document in this stack. Per s42 panel finding 8/11, Staymulate's role for AI flows is JOINT CONTROLLER, not just processor. This DPA reflects that honestly.

Parties

This Data Processing Agreement ("DPA") is between:

- the Processor (for raw data storage, message routing, billing, account management)

- a Joint Controller (for AI-derived inferences specifically — see §4)

§1 — Scope and purpose

This DPA governs the processing of personal data and other sensitive data that flows through Staymulate's software in connection with the Customer's property operations. It is incorporated by reference into the Terms of Service and forms part of the binding contract between the parties.

§2 — Data categories processed

CategoryDescriptionSourceStorage location
Owner account dataOwner's name, email, phone, payment detailsOwner self-providesStaymulate database
Property recordsProperty name, type, location, configuration, ground truthOwner self-provides + AI pre-fillStaymulate database
Staff recordsStaff name, chat ID, role, salary, hours, sick days, leaveOwner self-providesStaymulate database
Guest recordsGuest name, contact, stay dates, dietary, paymentOwner / OTA / DirectStaymulate database
Bills and financialsBill photos, OCR extractions, vendor names, paymentsStaff submissionStaymulate database
Voice recordingsAudio files (raw, transcribed, then deleted within 24h)Staff/owner/guestWhisper local processing, raw deleted
Communication logsInbound and outbound messages, timestamps, routing decisionsStaff/owner/guestStaymulate database
AI-derived inferencesProperty DNA, content captions, OCR results, classification labelsGemini API / Whisper / Phi-3Staymulate database
Audit trailsMode flip records, consent records, escalation records, build session logsAutomatedStaymulate database, append-only

§3 — Roles, in detail

Customer (Controller)

The Customer is the Controller for:

Staymulate (Processor)

Staymulate acts as a Processor for:

Staymulate (Joint Controller — the panel-flagged scope)

Per s42 panel finding 8/11, Staymulate is a Joint Controller (not merely a Processor) for the following AI-derived activities, because Staymulate is making material decisions about the data on behalf of itself (the AI vendor relationships, the model choices, the prompt engineering) and not solely on the Customer's instructions:

For each of these, Staymulate accepts joint controller responsibility under DPDP, PDPA, PIPEDA, GDPR, and equivalent laws.

§4 — Joint controller activities — what this means in practice

For the activities listed in §3 (Joint Controller), both parties:

  1. Share legal responsibility for ensuring the processing has a lawful basis under applicable law.
  2. Share legal responsibility for ensuring data subjects (guests, staff) have been informed of the AI processing per ai_disclosure.md.
  3. Share responsibility for honouring data subject rights requests (access, rectification, erasure) — Staymulate handles the technical implementation, the Customer is the first point of contact for the data subject.
  4. Each bear their own statutory penalties if a regulator finds a violation. Neither party indemnifies the other for statutory penalties imposed directly by a regulator.

The Customer remains the sole Controller for the underlying property data, staff records, guest records, and financials. Joint controllership applies only to the AI-derived layer.

§5 — Sub-processors

Staymulate uses the following sub-processors. The Customer is informed of any change to this list 30 days in advance and may object in writing:

Sub-processorWhat they processHostingCross-border?
Google (Vertex AI — Gemini models)Photos, text snippets, structured data for AI inferenceasia-south1 (Mumbai). Region-pinned via Vertex AI per s132 b04 migration. For India market: in-country. For other markets: in-India transfer.Region-pinned. India: no cross-border. Other markets: in-India transfer, subject to per-market law (addressed in addenda + SCCs where applicable)
Anthropic (Claude API)Used for build sessions ONLY — never live customer data per Foundation Brief D-31USNot for customer data
Telegram (Bot API)Inbound and outbound message deliveryMulti-regionYes — addressed in per-market addenda
Google Cloud Platform (asia-south1 / equivalent per market)All Staymulate database storage + computeIndia primary (asia-south1); other markets per data-residency requirementsSubject to per-market law; Standard Contractual Clauses where applicable
Razorpay (India primary; per-market processor where Razorpay is unavailable, subject to lawyer review)Customer billing + guest payment collectionLocal per marketYes (PCI-DSS + per-market financial-services compliance)

The Customer's consent to this DPA is consent to the use of these sub-processors for the listed purposes. Adding a new sub-processor requires 30-day notice.

§6 — Joint controller responsibilities during founder unavailability

When Staymulate's Autonomous Mode is active for the Customer's property:

  1. Staymulate continues to process data per this DPA — joint controller status does not pause.
  2. The Customer's escalation contact (typically the founder's spouse) may receive notifications about urgent matters affecting the Customer's property. The escalation contact has previously consented to this role.
  3. The escalation contact has read-only access to the Customer's alerts and may approve or dismiss urgent escalations. The escalation contact does NOT have access to the Customer's financial records, raw guest data, or system administration.
  4. The Customer may request the system_mode audit trail at any time to see exactly when Autonomous Mode was active for their property.

§7 — Data retention

CategoryDefault retentionControlled by
Voice recordings (raw)24 hoursStaymulate (technical)
Voice transcriptionsSame as messagesCustomer (operational)
Messages and logs7 years (financial records compliance)Customer (Indian Income Tax Act + equivalents)
Photos (bills, food, damage)3 yearsCustomer
Photos (people / faces)Until consent revoked OR 1 year after stayCustomer + per-individual consent
Audit trails (system_mode, consent, emergency)Permanent (never deleted)Staymulate
Marketing communications opt-insUntil revokedCustomer + per-guest opt-in
Account dataDuration of contract + 1 yearCustomer

The Customer may request shorter retention periods in writing. Some categories (audit trails) cannot be shortened because they are compliance evidence.

§8 — Data subject rights

When a guest, staff member, or other data subject exercises a right (access, rectification, erasure, portability, restriction of processing, objection to automated decision-making):

  1. The data subject contacts the Customer first (the Customer is the point of contact named in the privacy notice).
  2. The Customer forwards the request to Staymulate within 5 business days.
  3. Staymulate processes the technical fulfilment within 15 business days.
  4. The Customer responds to the data subject within the legally required window (30 days under GDPR / DPDP / PDPA).

For erasure requests, Staymulate will delete the personal data from active storage within 15 business days. Audit trails are retained as compliance evidence and may include references to deleted data subjects (UUIDs only, no PII).

§9 — Security measures

Staymulate maintains:

The Customer is responsible for the security of their own account credentials and for the physical security of any device used to access Staymulate.

§10 — Breach notification

Staymulate will notify the Customer of any personal data breach affecting the Customer's data without undue delay, and in any case within 72 hours of becoming aware of the breach (per DPDP / GDPR / PDPA standards).

The notification will include:

The Customer is responsible for any further notification to data subjects or regulators required by their local law. Staymulate provides technical assistance with such notifications on request.

§11 — Liability allocation

The liability cap in liability_cap.md applies to all claims under this DPA except where local law prohibits a cap. For joint controller activities, each party bears its own statutory penalties imposed directly by a regulator. Mutual indemnification is governed by liability_cap.md §"Mutual indemnification".

§12 — Term and termination

This DPA is in force for the duration of the Customer's contract with Staymulate plus the data retention periods in §7. On termination, the Customer's data is deleted per §7 unless the Customer requests an export (CSV / JSON) within 30 days of termination.

§13 — Governing law

The governing law is the law of the Customer's home market, as detailed in the per-market addendum (addenda/<market>.md). For any matter not covered in the addendum, the law of India applies.

§14 — Per-market addenda

The following addenda are incorporated into this DPA per the Customer's home market:

Where the addendum conflicts with this main DPA, the addendum prevails for that market only.

---

What this DPA does NOT do

This DPA does not:

---

Where this document is linked from

---

Source: s42 panel CRIT (8/11) on processor/controller framing + Foundation Brief D-31, D-32. Version 1.0, awaiting lawyer review. THIS IS THE MOST CRITICAL DOCUMENT IN THE STACK — please prioritize the joint controller framing review.