Data Processing Addendum
How Dimora AI processes data on behalf of property management clients
Definitions
The following terms have specific meanings throughout this Data Processing Addendum:
Agreement
The Dimora AI Service Agreement between Dimora AI and the Client, which this DPA supplements.
Controller
The entity that determines the purposes and means of processing personal data. Under this DPA, the Client is the Controller.
Data Subject
An identified or identifiable natural person whose personal data is processed. This includes property guests, property owners, and property managers.
DPA
This Data Processing Addendum, which forms part of the Agreement.
Personal Data
Any information relating to an identified or identifiable natural person, including names, contact details, reservation information, call recordings, and message content.
Processing
Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Processor
The entity that processes personal data on behalf of the Controller. Under this DPA, Dimora AI is the Processor.
Sub-processor
A third party engaged by Dimora AI to process personal data on behalf of the Client.
Scope & Roles
Data Processing Roles
Client (Controller / Business)
Determines the purposes and means of processing guest and property data through the Dimora AI platform.
Dimora AI (Processor / Service Provider)
Processes personal data solely on documented instructions from the Client to deliver AI-powered property management operations.
Processing Details
Subject Matter: AI-powered property management operations
Duration: Term of the service agreement
Nature of Processing: Automated call handling, inbox draft generation, revenue optimization analytics, guest communication management
Data Subjects: Property guests, property owners, property managers
Categories of Personal Data
Created by Dimora
- Call recordings & transcripts
- AI draft responses
- Upsell offers & analytics
- Feedback scores
- Availability sessions
Read from PMS (not stored)
- Guest names & emails
- Phone numbers
- Reservation details
- Property information
- Guest messages
Not Accessed
- Payment card data
- Financial transactions
- Booking financials
- Credit card numbers
Processor Obligations
Dimora AI commits to the following obligations as required by GDPR Article 28:
GDPR Article 28 Compliance: All eight mandatory processor clauses are addressed below.
Documented Instructions
Dimora AI processes personal data only on documented instructions from the Controller (Client). If EU or member state law requires processing beyond these instructions, Dimora AI will inform the Client before proceeding, unless prohibited by law.
Confidentiality
All persons authorized to process personal data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
Security Measures (Article 32)
Dimora AI implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. See the Security Measures section below for details.
Sub-processor Engagement
Dimora AI engages sub-processors only with prior written authorization from the Controller. The same data protection obligations are imposed on each sub-processor by way of contract. See the Sub-Processors section below.
Data Subject Rights Assistance
Dimora AI assists the Controller in fulfilling its obligations to respond to data subject rights requests, including access, rectification, erasure, restriction, portability, and objection.
DPIA & Prior Consultation
Dimora AI assists the Controller with data protection impact assessments (DPIAs) and prior consultation with supervisory authorities where required, taking into account the nature of processing and information available.
Data Deletion or Return
At the end of the service relationship, Dimora AI deletes or returns all personal data to the Controller (at the Controller's choice) and deletes existing copies, unless EU or member state law requires storage.
Audit & Compliance
Dimora AI makes available all information necessary to demonstrate compliance with Article 28 obligations and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Security Measures
In accordance with GDPR Article 32, Dimora AI implements the following technical and organizational measures:
Encryption in Transit
TLS 1.2+ for all data transmission between systems, APIs, and end users
Encryption at Rest
AES-256 encryption for all stored data across databases and backup systems
Access Controls
Role-based permissions with least-privilege access to personal data
Employee Confidentiality
All personnel with data access are bound by written confidentiality obligations
Security Assessments
Regular security reviews of infrastructure, dependencies, and access patterns
Incident Response
Documented procedures for identifying, containing, and remediating security incidents
Certification Status
Dimora AI does not currently hold SOC 2 or ISO 27001 certifications. SOC 2 Type II certification is planned. We implement security practices aligned with these frameworks and will update this page when certifications are achieved.
Sub-Processors
Dimora AI uses the following sub-processors to deliver its services. The Client has provided general written authorization for these sub-processors.
| Sub-Processor | Purpose | Data Accessed | Location |
|---|---|---|---|
| VAPI | Voice AI call handling | Call audio, transcripts, caller phone numbers | US (GCP) |
| Guesty | PMS integration (read-only API) | Guest PII, reservations, property data | US/EU |
| Supabase | Operational data storage | AI drafts, offers, sessions, feedback | US (AWS us-east-1) |
| Railway | Workflow hosting | Transient processing (no persistent storage) | US |
| xAI (Grok) | LLM inference for Inbox AI | Message text for draft generation (no retention by xAI) | US |
Objection Period
Dimora AI will notify the Client at least 30 days before engaging a new sub-processor. The Client may object in writing within that period. If the Client objects and a reasonable resolution cannot be reached, either party may terminate the affected services.
Sub-Processor Liability
Dimora AI remains fully liable for the acts and omissions of its sub-processors. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.
Notification Method
Sub-processor change notifications are sent via email to the Client's designated contact on record.
Data Retention
Dimora AI retains personal data only as long as necessary to fulfill the purposes of processing:
| Data | Retention Period | Notes |
|---|---|---|
| Call recordings | 30 days post-call | Automatically deleted after retention period |
| AI drafts, offers, sessions | 90 days post-termination | Operational data retained during service, deleted after termination |
| Feedback scores & golden examples | 90 days post-termination | AI learning data retained during service for quality improvement |
Upon Termination
1. Data Export Window: Client may request a complete data export within 30 days of termination. Data provided in JSON or CSV format.
2. Deletion: Dimora AI deletes all personal data within 90 days of termination, unless retention is required by applicable law.
3. Backup Purge: Backups containing personal data are purged within 30 days of the primary deletion.
Data Breach Notification
In the event of a personal data breach, Dimora AI will notify the Client without undue delay:
| Data Subjects | Notification Timeline | Basis |
|---|---|---|
| EU Data Subjects | 72 hours | Per GDPR Article 33 |
| US Data Subjects | 5 business days | Per applicable state laws |
Breach Notification Contents
- Nature of the personal data breach, including categories of data affected
- Approximate number of data subjects and records concerned
- Likely consequences of the breach
- Measures taken or proposed to address and mitigate the breach
Notification Channels
Email to the Client's designated contact on record. For high-severity breaches affecting a large number of data subjects, Dimora AI will also contact the Client by phone.
CCPA/CPRA Service Provider Certification
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), Dimora AI certifies the following as a Service Provider:
Dimora AI will NOT retain, use, or disclose personal information for any purpose other than performing the services specified in the Agreement.
Dimora AI will NOT sell or share personal information received from or on behalf of the Client.
Dimora AI will NOT combine personal information received from the Client with personal information from other sources, except as permitted by CCPA/CPRA.
Dimora AI grants the Client the right to take reasonable and appropriate steps to ensure Dimora AI uses personal information in a manner consistent with the Client's obligations under CCPA/CPRA.
Dimora AI will notify the Client if it determines it can no longer meet its obligations under CCPA/CPRA.
No Sale of Data: Dimora AI does not sell, share, or use personal information for cross-context behavioral advertising. Data is processed exclusively to deliver contracted services.
International Transfers
- Primary Processing Location: United States
- EU Data Subjects: Standard Contractual Clauses (SCCs) are available upon request for transfers of EU personal data
- No Transfers Outside the US: Dimora AI does not transfer personal data outside the United States without prior written notification to the Client
Data Subject Rights
Dimora AI assists the Client in fulfilling data subject rights requests:
Access
Provide copies of personal data held
Rectification
Correct inaccurate or incomplete data
Erasure
Delete personal data upon request
Restriction
Limit processing activities
Portability
Export data in machine-readable format
Objection
Cease processing where applicable
Response Timeline
Dimora AI will respond to Client-forwarded data subject requests within 10 business days.
Direct Requests
If a data subject contacts Dimora AI directly, Dimora AI will redirect them to the Client (Controller) and notify the Client of the request.
Audit Rights
The Client may verify Dimora AI's compliance with this DPA through audits:
Frequency
One audit per calendar year
Notice
30 days written notice required before audit
Scope
Limited to DPA obligations; conducted during normal business hours
Costs
Client bears audit costs, unless the audit reveals material non-compliance by Dimora AI
Questions About How We Handle Your Data?
Contact us for a copy of this DPA for signature or to discuss data processing details.
admin@dimora.ai