Data Processing Agreement (DPA)

Effective Date: June 17, 2026

Company Information

moovit, s.r.o.

IČO: 45240639

IČ DPH: SK2022919415

Bobuľová 11/B, 900 28 Ivanka pri Dunaji, Slovakia

Emails:privacy@renvia.app, support@renvia.app

1. Introduction

This Data Processing Agreement ("DPA") forms part of the contractual relationship between moovit, s.r.o., trading as Renvia ("Renvia" or "Data Processor"), and the customer ("Customer" or "Data Controller"). This DPA governs the processing of Customer Data by Renvia on behalf of the Customer in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This DPA sets forth the terms and conditions under which Renvia processes personal data on behalf of the Customer and reflects the Parties' commitment to data protection and privacy.

2. Definitions

Capitalized terms used in this DPA shall have the meanings assigned to them in the GDPR or as defined herein:

3. Scope and Application

This DPA applies to all processing of Customer Data by Renvia in connection with the provision of services pursuant to the underlying service agreement between the Parties. Renvia shall process Customer Data solely in accordance with the documented instructions of the Customer, including those set forth in this DPA, the service agreement, and applicable law.

4. Roles of the Parties

The Customer is the Data Controller and Renvia is the Data Processor with respect to Customer Data. Renvia acts only on documented instructions from the Customer and does not determine the purposes or means of processing.

5. Processing Instructions

Renvia shall process Customer Data only on documented instructions from the Customer. Such instructions include this DPA, the service agreement, and any additional written instructions provided by the Customer. Renvia shall immediately inform the Customer if, in its opinion, any instruction infringes applicable data protection law.

Renvia shall process Customer Data only on documented instructions from the Customer, including with regard to transfers of Customer Data to a third country or an international organization, unless required to do so by applicable European Union or Member State law. In such a case, Renvia shall inform the Customer of that legal requirement before processing unless prohibited by law on important grounds of public interest.

Renvia shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in Article 28 GDPR and this DPA.

6. Confidentiality

Renvia ensures that all personnel authorized to process Customer Data are committed to confidentiality obligations, whether contractual or statutory. Access to Customer Data is strictly limited to those individuals who require access to fulfill Renvia's obligations under this DPA.

7. Security of Processing

Renvia shall implement and maintain appropriate technical and organizational measures to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures shall be appropriate to the risks involved and shall include, but are not limited to, the following:

8. Personnel Access Controls

Renvia ensures that all personnel authorized to access Customer Data are subject to appropriate background checks, confidentiality agreements, and receive ongoing data protection training. Access rights are reviewed regularly and revoked immediately upon termination or role change.

9. Subprocessors

The Customer authorizes Renvia to engage Subprocessors to process Customer Data in connection with the services. Renvia shall:

All Subprocessors are bound by written agreements imposing data protection obligations substantially equivalent to those contained in this DPA pursuant to Article 28(4) GDPR.

10. International Transfers

Customer Data may be transferred outside the European Economic Area ("EEA") only if appropriate safeguards are in place, such as:

Renvia commits to comply with all applicable data transfer laws and regulations and to cooperate with the Customer in relation to transfer compliance.

Where Customer Data is transferred outside the EEA and no adequacy decision applies, the European Commission Standard Contractual Clauses shall be deemed incorporated by reference into this DPA to the extent required by applicable law. Renvia shall implement the applicable SCC module and any supplementary safeguards reasonably required to achieve an essentially equivalent level of protection.

11. Assistance with Data Subject Requests

Renvia shall assist the Customer in responding to requests from data subjects exercising their rights under the GDPR, including access, rectification, erasure, restriction, portability, and objection. Such assistance shall be provided in a timely manner and in accordance with the Customer's instructions.

12. Assistance with GDPR Compliance

Renvia shall assist the Customer in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, including but not limited to:

Renvia's assistance shall be proportionate to the nature of processing and available information.

13. Personal Data Breach Notification

Renvia shall notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer Data. Such notification shall include:

Renvia shall cooperate fully with the Customer in investigating the breach, mitigating its effects, and complying with any notification obligations imposed by law.

14. Audit and Inspection Rights

The Customer shall have the right to audit and inspect Renvia's compliance with this DPA, subject to the following conditions:

Renvia shall make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Where appropriate, Renvia may satisfy audit requests through third-party audit reports, certifications, security documentation, questionnaires, or similar compliance materials.

15. Return and Deletion of Customer Data

Upon termination or expiration of the service agreement, Renvia shall, at the Customer's choice, return all Customer Data in a commonly used, machine-readable format or securely delete such data, except where retention is required by law.

Renvia shall provide the Customer with an opportunity to export Customer Data prior to deletion. Deletion shall be completed within thirty (30) days of the Customer's instruction, subject to backup lifecycle policies.

Backup copies containing Customer Data shall be deleted in accordance with Renvia's backup retention policies, which do not exceed ninety (90) days unless otherwise required by law.

16. Liability

Liability arising from the processing of Customer Data shall be governed by the terms of the underlying service agreement and applicable law, including the GDPR. Nothing in this DPA shall expand or limit the liability allocation set forth in the service agreement except as required by mandatory law.

17. Term and Termination

This DPA shall remain in effect for the duration of the service agreement and shall terminate upon the return or deletion of all Customer Data in accordance with Section 15 of this DPA.

18. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Slovakia, without regard to its conflict of law provisions. The Parties submit to the exclusive jurisdiction of the courts of Slovakia for any disputes arising out of or in connection with this DPA.

19. Contact Information

For all data protection matters relating to this DPA, the Customer may contact Renvia at:
privacy@renvia.app
support@renvia.app

ANNEX I – DETAILS OF PROCESSING

Subject MatterDurationNature of ProcessingPurpose of ProcessingCategories of Data SubjectsCategories of Personal Data
Customer Data processed by Renvia in connection with the provision of SaaS platform services.Duration of the service agreement plus any applicable retention period.Collection, storage, retrieval, use, disclosure, transmission, deletion, and other processing activities necessary to provide the services.To enable Customer to manage reservations, properties, tenants, billing, customer support, and related administrative functions.Guests, tenants, property owners, employees, team members, and other individuals whose personal data is processed via the platform.Identification data, contact details, financial data, contractual data, transactional data, user account data, and any other personal data provided by Customer.

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES

MeasureDescription
EncryptionUse of TLS 1.2+ for data in transit and AES-256 encryption for data at rest where applicable.
Access ControlRole-Based Access Control (RBAC) ensuring least privilege access to Customer Data.
AuthenticationMulti-Factor Authentication (MFA) implemented for privileged access to systems processing Customer Data.
LoggingComprehensive audit logs of access and processing activities maintained securely for forensic purposes.
MonitoringContinuous monitoring of systems and networks for security events and anomalies using SIEM tools.
BackupsRegular encrypted backups with secure storage and retention aligned with business and legal requirements.
Incident ResponseDocumented procedures for detection, containment, investigation, remediation, and reporting of security incidents.
Vendor ManagementDue diligence and contractual controls ensuring Subprocessors comply with equivalent data protection standards.
Secure DevelopmentAdherence to secure software development lifecycle practices including code reviews, testing, and vulnerability management.
Personnel SecurityConfidentiality commitments, onboarding controls, role-based authorization, and periodic security awareness training.
Business ContinuityBusiness continuity planning and recovery procedures designed to support availability of critical systems.
Disaster RecoveryBackup restoration testing and recovery procedures designed to restore operations following significant disruption.
Change ManagementControlled deployment processes, code review requirements, testing procedures, and approval workflows.
Asset ManagementInventory and management of systems, infrastructure components, and processing assets used to deliver services.
Access ReviewsPeriodic review and revocation of unnecessary privileges.

ANNEX III – AUTHORIZED SUBPROCESSORS

ProviderPurposeLocation
Stripe, Inc.Payment processing, subscription billing, fraud prevention, invoicing, payment authentication, and tax-related payment functions.European Union and United States.
Amazon Web Services (AWS)Cloud hosting, infrastructure, storage, networking, backups, platform operations, and transactional email delivery.European Union and other jurisdictions used by AWS.

The list above reflects the Subprocessors authorized by Renvia as of the Effective Date of this DPA. Renvia may update this list from time to time in accordance with Section 9 of this DPA. The current list of authorized Subprocessors may be made available through Renvia documentation, customer communications, or a dedicated Subprocessors page.