Staymulate — Data Processing Agreement (DPA)
Version 1.0 first draft. Status: AWAITING LAWYER REVIEW.
The most important and complex document in this stack. Per s42 panel finding 8/11, Staymulate's role for AI flows is JOINT CONTROLLER, not just processor. This DPA reflects that honestly.
Parties
This Data Processing Agreement ("DPA") is between:
- Staymulate ("we", "us", "our") — the software provider — referred to herein as either:
- the Processor (for raw data storage, message routing, billing, account management)
- a Joint Controller (for AI-derived inferences specifically — see §4)
- The Customer ("you", "your") — the property owner using Staymulate — the Controller for all property data (your property records, your staff records, your guest records, your financial records).
§1 — Scope and purpose
This DPA governs the processing of personal data and other sensitive data that flows through Staymulate's software in connection with the Customer's property operations. It is incorporated by reference into the Terms of Service and forms part of the binding contract between the parties.
§2 — Data categories processed
| Category | Description | Source | Storage location |
|---|---|---|---|
| Owner account data | Owner's name, email, phone, payment details | Owner self-provides | Staymulate database |
| Property records | Property name, type, location, configuration, ground truth | Owner self-provides + AI pre-fill | Staymulate database |
| Staff records | Staff name, chat ID, role, salary, hours, sick days, leave | Owner self-provides | Staymulate database |
| Guest records | Guest name, contact, stay dates, dietary, payment | Owner / OTA / Direct | Staymulate database |
| Bills and financials | Bill photos, OCR extractions, vendor names, payments | Staff submission | Staymulate database |
| Voice recordings | Audio files (raw, transcribed, then deleted within 24h) | Staff/owner/guest | Whisper local processing, raw deleted |
| Communication logs | Inbound and outbound messages, timestamps, routing decisions | Staff/owner/guest | Staymulate database |
| AI-derived inferences | Property DNA, content captions, OCR results, classification labels | Gemini API / Whisper / Phi-3 | Staymulate database |
| Audit trails | Mode flip records, consent records, escalation records, build session logs | Automated | Staymulate database, append-only |
§3 — Roles, in detail
Customer (Controller)
The Customer is the Controller for:
- All property records and configurations
- All staff records (the Customer remains the legal employer — see
disclaimer.md) - All guest records (the Customer's contractual relationship with each guest is the source of consent)
- All financial records and bills
- The decision to onboard the property to Staymulate
- The decision to enable any AI-driven feature
- The decision to grant or revoke staff and guest access
Staymulate (Processor)
Staymulate acts as a Processor for:
- Storing raw data (database persistence)
- Routing messages (passing inbound messages to the correct topic handler)
- Billing the Customer for the Staymulate service
- Account management (Customer's own login, password, MFA)
- Backups and disaster recovery
- Audit logging
- Customer support interactions where the Customer requests help
Staymulate (Joint Controller — the panel-flagged scope)
Per s42 panel finding 8/11, Staymulate is a Joint Controller (not merely a Processor) for the following AI-derived activities, because Staymulate is making material decisions about the data on behalf of itself (the AI vendor relationships, the model choices, the prompt engineering) and not solely on the Customer's instructions:
- Voice transcription via Whisper — Staymulate chooses the model, controls hosting, makes deletion decisions about raw audio
- Bill photo OCR + classification via Gemini — Staymulate engineers the prompt, chooses the model version, decides what fields to extract
- Property DNA extraction via Gemini — Staymulate's prompt engineering determines what is "the property's voice"
- Content generation (captions, suggested review responses) via Gemini — Staymulate's templates determine the tone
- Damage assessment via Gemini Vision — Staymulate's classification rules determine severity
- Maintenance trade detection via Phi-3 — Staymulate's training prompts determine the trade categories
- Panel reviews via Gemini — Staymulate's panel member personas determine the analysis frame
For each of these, Staymulate accepts joint controller responsibility under DPDP, PDPA, PIPEDA, GDPR, and equivalent laws.
§4 — Joint controller activities — what this means in practice
For the activities listed in §3 (Joint Controller), both parties:
- Share legal responsibility for ensuring the processing has a lawful basis under applicable law.
- Share legal responsibility for ensuring data subjects (guests, staff) have been informed of the AI processing per
ai_disclosure.md. - Share responsibility for honouring data subject rights requests (access, rectification, erasure) — Staymulate handles the technical implementation, the Customer is the first point of contact for the data subject.
- Each bear their own statutory penalties if a regulator finds a violation. Neither party indemnifies the other for statutory penalties imposed directly by a regulator.
The Customer remains the sole Controller for the underlying property data, staff records, guest records, and financials. Joint controllership applies only to the AI-derived layer.
§5 — Sub-processors
Staymulate uses the following sub-processors. The Customer is informed of any change to this list 30 days in advance and may object in writing:
| Sub-processor | What they process | Hosting | Cross-border? |
|---|---|---|---|
| Google (Vertex AI — Gemini models) | Photos, text snippets, structured data for AI inference | asia-south1 (Mumbai). Region-pinned via Vertex AI per s132 b04 migration. For India market: in-country. For other markets: in-India transfer. | Region-pinned. India: no cross-border. Other markets: in-India transfer, subject to per-market law (addressed in addenda + SCCs where applicable) |
| Anthropic (Claude API) | Used for build sessions ONLY — never live customer data per Foundation Brief D-31 | US | Not for customer data |
| Telegram (Bot API) | Inbound and outbound message delivery | Multi-region | Yes — addressed in per-market addenda |
| Google Cloud Platform (asia-south1 / equivalent per market) | All Staymulate database storage + compute | India primary (asia-south1); other markets per data-residency requirements | Subject to per-market law; Standard Contractual Clauses where applicable |
| Razorpay (India primary; per-market processor where Razorpay is unavailable, subject to lawyer review) | Customer billing + guest payment collection | Local per market | Yes (PCI-DSS + per-market financial-services compliance) |
The Customer's consent to this DPA is consent to the use of these sub-processors for the listed purposes. Adding a new sub-processor requires 30-day notice.
§6 — Joint controller responsibilities during founder unavailability
When Staymulate's Autonomous Mode is active for the Customer's property:
- Staymulate continues to process data per this DPA — joint controller status does not pause.
- The Customer's escalation contact (typically the founder's spouse) may receive notifications about urgent matters affecting the Customer's property. The escalation contact has previously consented to this role.
- The escalation contact has read-only access to the Customer's alerts and may approve or dismiss urgent escalations. The escalation contact does NOT have access to the Customer's financial records, raw guest data, or system administration.
- The Customer may request the system_mode audit trail at any time to see exactly when Autonomous Mode was active for their property.
§7 — Data retention
| Category | Default retention | Controlled by |
|---|---|---|
| Voice recordings (raw) | 24 hours | Staymulate (technical) |
| Voice transcriptions | Same as messages | Customer (operational) |
| Messages and logs | 7 years (financial records compliance) | Customer (Indian Income Tax Act + equivalents) |
| Photos (bills, food, damage) | 3 years | Customer |
| Photos (people / faces) | Until consent revoked OR 1 year after stay | Customer + per-individual consent |
| Audit trails (system_mode, consent, emergency) | Permanent (never deleted) | Staymulate |
| Marketing communications opt-ins | Until revoked | Customer + per-guest opt-in |
| Account data | Duration of contract + 1 year | Customer |
The Customer may request shorter retention periods in writing. Some categories (audit trails) cannot be shortened because they are compliance evidence.
§8 — Data subject rights
When a guest, staff member, or other data subject exercises a right (access, rectification, erasure, portability, restriction of processing, objection to automated decision-making):
- The data subject contacts the Customer first (the Customer is the point of contact named in the privacy notice).
- The Customer forwards the request to Staymulate within 5 business days.
- Staymulate processes the technical fulfilment within 15 business days.
- The Customer responds to the data subject within the legally required window (30 days under GDPR / DPDP / PDPA).
For erasure requests, Staymulate will delete the personal data from active storage within 15 business days. Audit trails are retained as compliance evidence and may include references to deleted data subjects (UUIDs only, no PII).
§9 — Security measures
Staymulate maintains:
- Encryption at rest for all database storage (TBD — confirm with hosting provider)
- Encryption in transit (TLS 1.2+) for all API endpoints
- API key authentication for all storage server endpoints (X-API-Key header)
- Audit logging for all data access
- Role-based access control (RBAC) at the staff registration level
- Rate limiting on inbound endpoints
- Content moderation (NSFW, abusive language, prompt injection) on all inbound text
- Crash-safe queue and replay for critical message paths
- Daily automated backups (TBD — confirm with hosting provider)
The Customer is responsible for the security of their own account credentials and for the physical security of any device used to access Staymulate.
§10 — Breach notification
Staymulate will notify the Customer of any personal data breach affecting the Customer's data without undue delay, and in any case within 72 hours of becoming aware of the breach (per DPDP / GDPR / PDPA standards).
The notification will include:
- The nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences
- The measures taken or proposed to address the breach
- The contact point for further information
The Customer is responsible for any further notification to data subjects or regulators required by their local law. Staymulate provides technical assistance with such notifications on request.
§11 — Liability allocation
The liability cap in liability_cap.md applies to all claims under this DPA except where local law prohibits a cap. For joint controller activities, each party bears its own statutory penalties imposed directly by a regulator. Mutual indemnification is governed by liability_cap.md §"Mutual indemnification".
§12 — Term and termination
This DPA is in force for the duration of the Customer's contract with Staymulate plus the data retention periods in §7. On termination, the Customer's data is deleted per §7 unless the Customer requests an export (CSV / JSON) within 30 days of termination.
§13 — Governing law
The governing law is the law of the Customer's home market, as detailed in the per-market addendum (addenda/<market>.md). For any matter not covered in the addendum, the law of India applies.
§14 — Per-market addenda
The following addenda are incorporated into this DPA per the Customer's home market:
- India:
addenda/in.md(DPDP Act 2023, IT Act, Shops & Establishments) - Singapore:
addenda/sg.md(PDPA 2012) - Canada:
addenda/ca.md(PIPEDA + provincial — especially Quebec Law 25) - Thailand:
addenda/th.md(PDPA 2019) - Indonesia:
addenda/id.md(UU PDP Law 27 of 2022)
Where the addendum conflicts with this main DPA, the addendum prevails for that market only.
---
What this DPA does NOT do
This DPA does not:
- Replace the Customer's privacy notice to their guests and staff (the Customer is the controller and must publish their own).
- Replace any contract the Customer has with their staff, guests, OTAs, vendors, or banks.
- Cover Staymulate's own marketing data about its prospects (covered by
privacy_policy.md). - Apply retroactively to data the Customer collected before signing this DPA.
---
Where this document is linked from
terms_of_service.md(incorporated by reference)privacy_policy.md(linked when the user is a property owner)liability_cap.md(referenced in interaction section)ai_disclosure.md(which this references)founder_unavailability.md§6- The per-market addenda
---
Source: s42 panel CRIT (8/11) on processor/controller framing + Foundation Brief D-31, D-32. Version 1.0, awaiting lawyer review. THIS IS THE MOST CRITICAL DOCUMENT IN THE STACK — please prioritize the joint controller framing review.