Data Processing Agreement (DPA)

Version 1.0 · Effective 2026-04-30

This DPA forms an integral part of the Terms of Service. It complies with Article 28 of Regulation (EU) 2016/679 ("GDPR") and governs how we process personal data on your behalf.

1. Parties and roles

Controller: You (the customer organization that signed up — typically a housing association or its representative).

Processor: Filip Vnenčák, sole proprietor, Slovak Republic, operating as ResiApp Cloud.

2. Subject matter and duration

Subject matter: hosting and operating an isolated instance of OpenResiApp on your behalf, including database storage, application runtime, and automated backups.

Duration: until termination of the underlying service contract.

3. Nature and purpose of processing

We process personal data only to operate the service: storing it, backing it up, displaying it back to you, and ensuring security and availability. We do not analyze, profile, or use Customer Data for any other purpose.

4. Categories of data subjects

  • Members of your housing association
  • Owners and tenants of units in your building
  • Members of the board / committee
  • Guests / contractors mentioned in records

5. Categories of personal data

Whatever you upload — typically: names, addresses, unit numbers, contact details (email, phone), ownership share, voting records, meeting minutes, document attachments. You may also upload special-category data (e.g., health information for accessibility records); see Section 13 if so.

6. Our obligations as Processor

We will:

  • process your data only on your documented instructions, except as required by EU or Slovak law;
  • ensure persons authorized to access your data are bound by confidentiality;
  • implement appropriate technical and organizational security measures (Section 9);
  • only engage sub-processors as listed in Section 7, and notify you of changes;
  • assist you in responding to data-subject requests;
  • assist you in meeting your obligations under GDPR Articles 32-36 (security, breach notification, DPIA, prior consultation);
  • delete or return your data after termination (Section 10);
  • provide information necessary to demonstrate compliance and allow audits.

7. Sub-processors

You consent to the sub-processors listed at /legal/subprocessors. Adding or replacing a sub-processor will be notified by email at least 30 days in advance. You may object on reasonable grounds; if we cannot accommodate the objection, you may terminate.

8. International transfers

Application data is hosted in the EU (AWS eu-central-1, Germany). Stripe may transfer billing data to the US under EU Standard Contractual Clauses (2021/914). No other transfers outside the EEA occur for Customer Data.

9. Security measures

  • AES-256 encryption at rest for databases and backups
  • TLS 1.3 in transit
  • Isolated database per customer instance
  • Principle-of-least-privilege IAM (no human direct DB access in routine operations)
  • Daily encrypted backups, retained 30 days, in a separate S3 bucket per organization
  • Public access blocked on all backup storage
  • Audit logging of admin actions
  • MFA available for customer admin accounts
  • Regular dependency updates and security patches

10. Return and deletion of data

On termination of the service contract:

  • your data remains accessible for export for 30 days;
  • after 30 days, the production database is permanently deleted;
  • encrypted backups continue to exist for up to 30 additional days under our backup retention policy, then are automatically deleted;
  • this 30-day backup retention is documented as a security measure under GDPR Article 32 and is necessary to recover from incidents; we have determined that a 30-day window is the minimum that is operationally appropriate.

You may request earlier deletion by emailing privacy@resiapp.cloud. We will delete the production data within 7 days; backup retention will still apply (you accept this limitation by signing this DPA).

11. Personal-data breaches

We will notify you without undue delay, and in any event within 72 hours of becoming aware of a personal-data breach affecting your data, with all information required by GDPR Art. 33(3) to enable you to meet your own notification obligations to the supervisory authority.

12. Audit

You may audit our compliance with this DPA once per calendar year, with 30 days' written notice, during normal business hours, in a manner that does not unreasonably disrupt our operations. Audits may be conducted in writing (questionnaire) or by reviewing third-party certifications (e.g., AWS SOC 2 reports). On-site audits may be requested for cause.

13. Special categories of data

If you upload special categories of data (Article 9 GDPR — health, biometric, racial/ethnic origin, religious belief, etc.), you are responsible for ensuring you have a lawful basis under Article 9(2). We treat all data with the same security measures regardless of category.

14. Liability

Each party is liable for damages arising from its own breach of GDPR. Limitation of liability under the main Terms of Service applies to this DPA, except where prohibited by GDPR Article 82.

15. Changes to this DPA

Material changes (new sub-processor categories, retention changes, material security changes) will be notified 30 days in advance and may require your re-acceptance. Your continued use of the service after the effective date constitutes acceptance of non-material changes.

16. Acceptance

By accepting these terms during signup, you agree to this DPA. Your acceptance is recorded with timestamp and DPA version on your organization record. You may request a signed PDF copy at any time by emailing privacy@resiapp.cloud.

Provider: Filip Vnenčák, Slovak Republic.

Contact: privacy@resiapp.cloud