Data Processing Addendum
Between GT1 Partners LLC, a California limited liability company, doing business as Dimora AI (“Dimora AI”, “Processor”) and its property management Clients (“Controller”)
Definitions
The following terms have specific meanings throughout this Data Processing Addendum:
Agreement
The Dimora AI Service Agreement between GT1 Partners LLC, dba Dimora AI and the Client, which this DPA supplements.
Controller
The entity that determines the purposes and means of processing personal data. Under this DPA, the Client is the Controller.
Data Subject
An identified or identifiable natural person whose personal data is processed. This includes property guests, property owners, and property managers.
DPA
This Data Processing Addendum, which forms part of the Agreement.
Personal Data
Any information relating to an identified or identifiable natural person, including names, contact details, reservation information, call recordings, and message content.
Processing
Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
Processor
The entity that processes personal data on behalf of the Controller. Under this DPA, GT1 Partners LLC, dba Dimora AI is the Processor.
SCCs
Standard Contractual Clauses — the European Commission's model clauses for cross-border data transfers, as adopted on June 4, 2021. This DPA incorporates Module 2 (controller-to-processor) SCCs as the lawful transfer mechanism for EU-to-US personal data flows.
Sub-processor
A third party engaged by Dimora AI to process personal data on behalf of the Client. The current sub-processor list is maintained at dimora.ai/sub-processors.
Scope & Roles
Data Processing Roles
Client (Controller / Business)
Determines the purposes and means of processing guest and property data through the Dimora AI platform.
GT1 Partners LLC, dba Dimora AI (Processor / Service Provider)
Processes personal data solely on documented instructions from the Client to deliver AI-powered property management operations.
Processing Details
Subject Matter: AI-powered property management operations
Duration: Term of the service agreement
Nature of Processing: Automated call handling, inbox reply generation, revenue optimization analytics, guest communication management
Data Subjects: Property guests, property owners, property managers
Categories of Personal Data
Created by Dimora AI
- Call recordings & transcripts
- AI reply drafts
- Upsell offers & analytics
- Feedback scores
- Availability sessions
Read from PMS (not stored)
- Guest names & emails
- Phone numbers
- Reservation details
- Property information
- Guest messages
Not Accessed
- Payment card data
- Financial transactions
- Booking financials
- Credit card numbers
Inadvertent Receipt — GDPR Article 9
Dimora AI does not intentionally collect special-category personal data (Article 9 GDPR), which includes health data, racial or ethnic origin, religious beliefs, or similar sensitive categories. If such data is inadvertently received — for example, if a guest volunteers health information during a call — Dimora AI will promptly delete it upon discovery and notify the Client. The Client, as Controller, is responsible for ensuring guests do not transmit special-category data through Dimora AI's channels.
Processor Obligations
GT1 Partners LLC, dba Dimora AI commits to the following obligations as required by GDPR Article 28:
GDPR Article 28 Compliance: All eight mandatory processor clauses are addressed below.
Documented Instructions
Dimora AI processes personal data only on documented instructions from the Controller (Client). If EU or member state law requires processing beyond these instructions, Dimora AI will inform the Client before proceeding, unless prohibited by law.
Confidentiality
All persons authorized to process personal data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
Security Measures (Article 32)
Dimora AI implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk. See the Security Measures section below for details.
Sub-processor Engagement
Dimora AI engages sub-processors only with prior general written authorization from the Controller. The Client provides that authorization by entering into the Agreement. The same data protection obligations are imposed on each sub-processor by way of contract. Dimora AI remains fully liable for each sub-processor's acts and omissions.
Data Subject Rights Assistance
Dimora AI assists the Controller in fulfilling its obligations to respond to data subject rights requests, including access, rectification, erasure, restriction, portability, and objection. Dimora AI will provide this assistance within 5 business days of the Client's written request.
DPIA & Prior Consultation
Dimora AI assists the Controller with data protection impact assessments (DPIAs) and prior consultation with supervisory authorities where required, taking into account the nature of processing and information available.
Data Deletion or Return
At the end of the service relationship, Dimora AI deletes or returns all personal data to the Controller (at the Controller's choice) and deletes existing copies, unless EU or member state law requires storage.
Audit & Compliance
Dimora AI makes available all information necessary to demonstrate compliance with Article 28 obligations and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
Security Measures (Article 32)
In accordance with GDPR Article 32(1), Dimora AI implements technical and organizational measures across four categories, taking into account the state of the art, implementation costs, and the nature and risks of processing:
(a) Pseudonymisation and Encryption
- TLS 1.2+ for all data transmission between systems, APIs, and end users
- AES-256 encryption at rest across Supabase (AWS us-east-1) database and backup systems
- Supabase Row-Level Security (RLS) — data access scoped per organization, enforced at database level
- Call recordings stored with per-tenant access controls in VAPI (GCP)
(b) Confidentiality, Integrity, Availability, and Resilience
- Role-based permissions with least-privilege access to personal data
- Access to production systems limited to a minimal authorized set of personnel; access events logged via Supabase audit logs and reviewed quarterly
- Supabase daily automated backups with point-in-time recovery; hosted on AWS us-east-1
- Railway (workflow infrastructure) isolates tenant execution environments
- All personnel with data access bound by written confidentiality obligations
(c) Timely Restoration of Availability and Access
- Supabase point-in-time recovery enables rapid data restoration after incidents
- Multi-region failover capability via AWS infrastructure
- Documented incident response procedures for identifying, containing, and remediating security incidents
- Service disruptions communicated to Clients per the SLA at dimora.ai/sla
(d) Regular Testing, Assessment, and Evaluation
- Regular security reviews of infrastructure, dependencies, and access patterns
- Supabase Security Advisor and automated dependency vulnerability scanning
- Internal review of access logs on a quarterly basis
- Third-party penetration testing planned on an annual basis when operationally warranted
Certification Status
Dimora AI does not currently hold SOC 2 or ISO 27001 certifications. These certifications are not currently being actively pursued. We implement security practices aligned with these frameworks and will update this DPA if certification status changes. See the Security page at dimora.ai/security for current status.
Standard Contractual Clauses & International Transfers
SCCs Incorporated: The Standard Contractual Clauses adopted by the European Commission on June 4, 2021 (Commission Implementing Decision 2021/914), Module 2 (controller-to-processor), are incorporated into this DPA by reference and govern all transfers of EU personal data from the Client (Controller, established in the EU/EEA) to Dimora AI (Processor, established in the United States). Where the SCCs conflict with any other provision of this DPA, the SCCs shall prevail.
Primary Processing Location
United States — AWS us-east-1 (N. Virginia, USA) (primary database). VAPI infrastructure on GCP (United States). Workflow execution on Railway (United States).
Transfer Mechanism for EU Personal Data
Module 2 SCCs (controller-to-processor, 2021). The SCCs are executed upon Client signature of the Service Agreement. A signed PDF copy is available upon request via legal@dimora.ai and can be executed electronically via DocuSign.
No Transfers Outside the US
Dimora AI does not transfer personal data outside the United States (beyond what the SCCs already govern) without prior written notification to the Client and appropriate supplementary safeguards.
EU Representative
Dimora AI does not currently have a designated EU representative under GDPR Article 27. This designation is under evaluation. Pending appointment, EU data subjects may direct inquiries to privacy@dimora.ai.
Sub-Processors
Dimora AI uses the following sub-processors to deliver its services. By entering into the Agreement, the Client provides general written authorization for the sub-processors listed below. The current list is also maintained at dimora.ai/sub-processors.
Guest Data Processors
| Sub-Processor | Purpose | Data Accessed | Location |
|---|---|---|---|
| VAPI (DPA) | Voice AI platform for guest calls | Call audio, transcripts, phone numbers, duration | United States (GCP) |
| OpenAI (DPF, DPA) | LLM inference for Voice AI (Maggie) | Live call transcript content | United States |
| OpenRouter (DPA) | LLM routing for Inbox AI sub-workflows | Guest message content for AI drafting | United States |
| Deepgram (DPF, DPA) | Real-time speech-to-text transcription | Voice audio stream | United States |
| ElevenLabs (DPA) | Voice synthesis for AI responses (via VAPI) | AI-generated response text | United States |
| Google (Gemini + Workspace) (DPF, DPA) | Inbox AI classification + call summary emails + VAPI post-call analysis | Guest messages, call transcripts, call summaries | United States |
| Guesty (DPA) | Property management system (PMS) integration | Guest names, reservations, messages, lock codes — read-only via API on Customer's Guesty tenant | United States / European Union (depending on Customer's tenant region) |
| Supabase (DPF, DPA) | Database for operational data storage | Guest names, phone, email, call metadata, AI drafts, transcripts | United States (AWS us-east-1) |
Customer (Client) Data Processors
Infrastructure Processors
| Sub-Processor | Purpose | Data Accessed | Location |
|---|---|---|---|
| Railway (DPA) | Infrastructure hosting for workflow platform (n8n) | Infrastructure logs, workflow execution data (transient) | United States |
DPA Execution with Sub-Processors
Dimora AI has entered into, or will enter into, written data processing agreements with each sub-processor imposing data protection obligations no less protective than those in this DPA. Where a sub-processor's DPA link is listed above, Clients may review the applicable terms directly.
Objection Period
Dimora AI will notify the Client at least 30 days before engaging a new sub-processor. The Client may object in writing within that period. If the Client objects and a reasonable resolution cannot be reached, either party may terminate the affected services without penalty.
Sub-Processor Liability
Dimora AI remains fully liable for the acts and omissions of its sub-processors to the extent the sub-processor fails to fulfill its data protection obligations.
Data Retention
Dimora AI retains personal data only as long as necessary to fulfill the purposes of processing:
Call recordings & transcripts
90 days post-call: Automatically deleted after retention period; Clients may request earlier deletion
AI reply drafts, offers, sessions
90 days post-termination: Operational data retained during service period, deleted after termination
Feedback scores & golden examples
90 days post-termination: AI learning data retained during service for quality improvement
Billing and financial records
7 years: Retained for tax compliance and financial audit obligations
Support logs and correspondence
2 years post-termination: Retained for legal and dispute resolution purposes
Upon Termination
1. Data Export Window: Client may request a complete data export within 30 days of termination. Data provided in JSON or CSV format.
2. Deletion: Dimora AI deletes all personal data within 90 days of termination, unless retention is required by applicable law.
3. Backup Purge: Backups containing personal data are purged within 30 days of the primary deletion.
Data Breach Notification
In the event of a confirmed personal data breach, Dimora AI will notify the Client without undue delay and within the following timeframes:
All Clients
24 hours of confirmed breach — so the Client can fulfill its own GDPR Art. 33 72-hour supervisory authority notification obligation
Initial Notice
Preliminary
A preliminary notice is sent within 24 hours; a full incident report follows within 72 hours as information becomes available
Breach Notification Contents
- Nature of the personal data breach, including categories and approximate number of records affected
- Approximate number of data subjects concerned
- Likely consequences of the breach
- Measures taken or proposed to address and mitigate the breach
- Contact details of the person handling the incident at Dimora AI
Notification Channel
Email to the Client's designated contact on record. For high-severity breaches affecting a large number of data subjects, Dimora AI will also contact the Client by phone. Initial notices are sent from security@dimora.ai.
CCPA/CPRA Service Provider Certification
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), GT1 Partners LLC, dba Dimora AI certifies the following as a Service Provider:
Dimora AI will NOT retain, use, or disclose personal information for any purpose other than performing the services specified in the Agreement.
Dimora AI will NOT sell or share personal information received from or on behalf of the Client.
Dimora AI will NOT combine personal information received from the Client with personal information from other sources, except as permitted by CCPA/CPRA.
Dimora AI grants the Client the right to take reasonable and appropriate steps to ensure Dimora AI uses personal information in a manner consistent with the Client's obligations under CCPA/CPRA.
Dimora AI will notify the Client if it determines it can no longer meet its obligations under CCPA/CPRA.
No Sale of Data: Dimora AI does not sell, share, or use personal information for cross-context behavioral advertising. Data is processed exclusively to deliver contracted services.
Data Subject Rights
Dimora AI assists the Client in fulfilling data subject rights requests under GDPR, CCPA, and applicable law:
Access
Provide copies of personal data held
Rectification
Correct inaccurate or incomplete data
Erasure
Delete personal data upon valid request
Restriction
Limit processing activities
Portability
Export data in machine-readable format
Objection
Cease processing where applicable
Response Timeline
Dimora AI will provide the Client with the information or actions needed to respond to a data subject request within 5 business days of the Client's written request.
Direct Requests
If a data subject contacts Dimora AI directly, Dimora AI will redirect them to the Client (Controller) and notify the Client of the request within 2 business days.
Audit Rights
The Client may verify Dimora AI's compliance with this DPA through audits:
Frequency
One audit per calendar year, unless a confirmed security incident warrants additional audit rights
Notice
30 days written notice required before audit commences
Scope
Limited to DPA obligations; conducted during normal business hours; Dimora AI may require the auditor to sign a confidentiality agreement
Costs
Client bears audit costs, unless the audit reveals material non-compliance by Dimora AI
Governing Law & Dispute Resolution
General Governing Law
This DPA is governed by the laws of the State of New York, USA, consistent with the main Service Agreement, except as provided below for EU data protection matters. Disputes are resolved by binding arbitration administered by the International Centre for Dispute Resolution (ICDR) under the ICDR International Arbitration Rules, seated in New York, NY, USA, conducted in English.
EU Data Protection Disputes
For any dispute arising solely out of the EU data protection provisions of this DPA (including the SCCs), the parties submit to the non-exclusive jurisdiction of the courts of Ireland. This does not affect any data subject's right to bring a claim before their local supervisory authority or courts.
Supervisory Authority
Clients established in Spain may also lodge complaints with the Information Commissioner's Office (ICO) / Spanish Data Protection Agency (AEPD). EU data subjects retain the right to lodge complaints with their local data protection authority.
Questions About How We Handle Your Data?
Contact us to request a signed copy of this DPA (available via DocuSign) or to discuss data processing details.
A signed PDF version of this DPA can be executed electronically via DocuSign upon request.
legal@dimora.ai