Data Processing Agreement

(Hotel – Atithi Cloud)

This DPA forms an integral part of the Terms of Service / Master Service Agreement.

Data Processor

Sudha Software Solutions Private Limited

Owner and operator of Atithi Cloud

CIN: U62099JH2025PTC023777

(“Processor”, “Atithi Cloud”, “Company”)

Data Fiduciary / Controller

The Hotel

Resort, homestay, or hospitality business entity subscribing to Atithi Cloud

(“Hotel”, “Customer”, “Data Fiduciary”, “Controller”)

1

PURPOSE OF THIS DPA

This DPA governs the processing of Personal Data and Sensitive Personal Data by the Processor on behalf of the Hotel, in accordance with:

  • Digital Personal Data Protection Act, 2023 (India)
  • Information Technology Act, 2000 & SPDI Rules, 2011
  • GDPR (for EU/EEA guests, where applicable)

This DPA applies only to data processed through Atithi Cloud.

2

DEFINITIONS

Unless otherwise defined here, capitalised terms shall have the same meaning as under the DPDP Act, GDPR, or the primary service agreement.

2.1 Personal Data

Any data relating to an identified or identifiable natural person (including guests, staff, or representatives).

2.2 Sensitive Personal Data

Includes passwords, financial data, biometric data, health data, government IDs, or similar protected information.

2.3 Guest Data

Any data relating to hotel guests entered, uploaded, stored, or processed by the Hotel using Atithi Cloud.

3

ROLES OF THE PARTIES

3.1 Hotel (Fiduciary)

  • Determines purpose and means of processing Guest Data
  • Is solely responsible for lawful collection, consent, and notices
  • Bears full legal responsibility toward guests

3.2 Atithi Cloud (Processor)

  • Processes data only on documented instructions of the Hotel
  • Acts purely as a technology service provider
  • Does not independently verify guest consent or legality

4

SCOPE OF DATA PROCESSING

4.1 Data Subjects

  • Hotel guests
  • Hotel staff and administrators
  • Business representatives

4.2 Data Categories

  • Guest names, contact, bookings
  • Check-in/out details
  • Invoice & payment metadata
  • Preferences & uploaded docs
  • System logs

4.3 Processing Nature

  • Storage & Retrieval
  • Transmission
  • Analytics and reporting
  • AI-assisted insights

5

HOTEL OBLIGATIONS (STRICT)

The Hotel explicitly agrees and warrants that it shall:

  • Collect Guest Data lawfully and fairly
  • Obtain valid consent or rely on lawful grounds
  • Provide privacy notices to guests
  • Comply with all applicable data protection laws
  • Ensure accuracy of uploaded data
  • Respond to guest data requests (access, deletion)
  • Maintain internal access controls
  • Use Atithi Cloud only for lawful hospitality operations

The Company shall not be responsible for any failure by the Hotel to comply with law.

    6

    PROCESSOR OBLIGATIONS

    Atithi Cloud shall:

    • Process data only as per Hotel instructions
    • Implement reasonable technical and organisational safeguards
    • Ensure staff confidentiality
    • Assist the Hotel (where legally required) with data access requests, breach notifications, and compliance documents.

    7

    SUB-PROCESSORS

    The Hotel authorises Atithi Cloud to engage sub-processors including:

    • Cloud hosting providers
    • Payment gateways
    • Email/SMS service providers
    • Analytics tools

    All sub-processors are contractually bound to confidentiality, security, and data protection requirements.

    8. DATA SECURITY MEASURES

    Atithi Cloud implements industry-standard safeguards including:

    • AES-256 encryption (data at rest)
    • TLS encryption (data in transit)
    • Role-based access controls
    • Audit logging
    • Secure development practices
    • Periodic security assessments

    ⚠️ No system is completely secure. Absolute security is not guaranteed.

    9. DATA BREACH MANAGEMENT

    9.1 Processor Obligations

    Investigate, contain, and notify the Hotel without undue delay.

    9.2 Hotel Responsibility

    Solely responsible for guest notifications and regulatory reporting.

    10. CROSS-BORDER TRANSFERS

    Data may be processed/stored in:

    • India
    • USA
    • Europe
    • Singapore

    Safeguarded using contractual protections and industry-accepted mechanisms.

    11. AI & AUTOMATION DISCLAIMER

    AI features provide assistive insights only. Outputs are non-binding/probabilistic. Business decisions are at Hotel’s sole risk.

    12. DATA RETENTION & DELETION

    Retained while account active. Upon termination, deleted/anonymised within reasonable time. Backups persist temporarily.

    13. AUDITS

    Hotel waives routine audit rights. May request reasonable compliance documentation.

    14. INDEMNITY (CRITICAL)

    Hotel shall fully indemnify Company from claims arising from unlawful collection, lack of consent, regulatory violations, or misuse.

    15. LIMITATION OF LIABILITY

    No liability for indirect damages. Capped at last 3 months' fees or ₹5,000. No liability for Hotel’s compliance failures.

    16. TERM & TERMINATION

    Effective while data is processed. Terminates with service. Liability/Indemnity survive.

    17. GOVERNING LAW & JURISDICTION

    This DPA is governed by laws of India. All disputes are subject to exclusive jurisdiction of courts in Ranchi, Jharkhand.

    18. PRECEDENCE

    In case of conflict, this DPA shall prevail over any conflicting data-related provisions in other agreements.

    19. CONTACT

    Data Protection Contact

    contact@sudhasoftwaresolutions.com

    Registered Office

    Sudha Software Solutions Private Limited
    Ranchi, Jharkhand, India