Data Processing Agreement (DPA)
Public standard version compliant with GDPR Article 28. Accepted by reference when signing the Pilot Enrollment Form or SaaS Subscription Agreement.
Processor: HITECH GROUP — SASU with share capital of €5,000, registered office 2323 Chemin de Saint-Bernard, 06220 Vallauris, RCS Antibes 101 382 752
Brand: NEXO Hotel AI Solutions
Last updated: May 2026
1. Purpose and role of the parties
- The Client (the hotel establishment) acts as data controller within the meaning of Article 4(7) GDPR.
- HITECH GROUP acts as processor within the meaning of Article 4(8) GDPR.
This Data Processing Agreement ("DPA") governs the processing of personal data carried out by HITECH GROUP on behalf of the Client in connection with the provision of the NEXO solution.
This DPA is entered into in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act of 6 January 1978 as amended.
2. Description of processing
| Element | Description |
|---|---|
| Nature | Hosting, collection, structuring, automated analysis (AI), translation, transmission and storage of conversational data |
| Purpose | Provision of an AI concierge service to hotel guests: assistance, information, recommendations, request handling, real-time translation |
| Categories of data | Identification data (name if provided), contact (email, phone if provided), conversation content, session metadata, language, timestamps |
| Data subjects | Hotel guests (end users); hotel staff using the interface |
| Sensitive data | No processing of special categories (Art. 9 GDPR) is planned |
| Duration | Term of the contract, extended by retention periods set out in Section 9 |
| Location | European Union only (Germany) |
3. Documented instructions
HITECH GROUP processes data only on documented instructions from the Client. Instructions include: the contract and annexes, this DPA, settings made via the dashboard, and written instructions sent to contact@nexo-hotel.com.
HITECH GROUP will inform the Client if an instruction appears to constitute a breach of the GDPR.
4. Confidentiality
HITECH GROUP ensures that persons authorized to process data are bound by an appropriate duty of confidentiality that survives the end of the relationship.
5. Security (Article 32 GDPR)
HITECH GROUP implements appropriate technical and organizational measures:
- Encryption in transit (TLS 1.2 or higher) and at rest.
- Hosting on cloud infrastructure located in the European Union (Germany).
- Access control with individual authentication, role-based rights management, logging.
- Regular backups with restoration procedures.
- Security incident management and notification procedures.
- Staff awareness and confidentiality commitments.
6. Sub-processors
The Client grants HITECH GROUP general authorization to engage sub-processors to deliver the solution. Current categories are:
| Category | Purpose / location |
|---|---|
| Cloud hosting provider | Hosting and storage of data — European Union (Germany) |
| AI model providers (OpenAI, Anthropic, Mistral depending on configuration) | Automated natural language processing — EU / compliant transfer mechanisms |
| Machine translation service | Real-time multilingual translation — EU |
| Speech synthesis and transcription services (Phone AI option) | Voice generation and recognition when Phone AI is enabled — EU |
HITECH GROUP imposes the same data protection obligations on each sub-processor. Any change is notified to the Client with fifteen (15) days’ notice; the Client may raise a reasoned objection within ten (10) days.
An up-to-date detailed nominative list is provided on written request within fifteen (15) business days.
7. Transfers outside the European Union
To date, no transfers of data outside the European Economic Area are carried out. Any future transfer would be subject to appropriate safeguards under GDPR Chapter V (adequacy decision or standard contractual clauses) and notified to the Client in advance.
8. Assistance and data subject rights
HITECH GROUP provides the Client with technical features to respond to data subject requests (access, rectification, erasure, restriction, portability, objection), and reasonable assistance within fifteen (15) business days.
Any request sent directly to HITECH GROUP by a data subject is forwarded to the Client without delay.
HITECH GROUP also assists the Client with data protection impact assessments (Art. 35) and prior consultations (Art. 36) where required.
9. Personal data breaches
HITECH GROUP notifies the Client of any personal data breach of which it becomes aware within a maximum of seventy-two (72) hours, with the information required under Article 33 GDPR, and cooperates on notifications to the CNIL and data subjects.
10. Audit
The Client may exercise an audit right once per year (unless a breach is established or an audit is requested by an authority), with thirty (30) days’ notice. HITECH GROUP may meet this obligation by providing audit reports or certifications.
11. Return or deletion of data
At the end of the service, HITECH GROUP, at the Client’s choice, either returns the data in a structured format or securely deletes it, within thirty (30) days, subject to legal retention obligations.
12. Liability
Each party remains responsible for its obligations under the GDPR. Liability limitations in the main contract do not apply to damages giving rise to compensation under Article 82 GDPR.
13. Records of processing
HITECH GROUP maintains a record of categories of processing activities (Art. 30(2) GDPR), available to the Client and the supervisory authority on request.
14. Governing law
This DPA is governed by French law, without prejudice to the direct application of the GDPR.
Data protection contact: contact@nexo-hotel.com
Supervisory authority: CNIL — 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07 — www.cnil.fr