boringhost
Use cases
GuestOwnerRevenueOperations
CustomersIntegrationsBlog
Resources
GuidesNewsletterEvents
Pricing
Sign inBook a demo
  • Customers
  • Integrations
  • Blog
  • Pricing
Book a demoSign in
  • Guest
  • Owner
  • Revenue
  • Operations
  • Guides
  • Newsletter
  • Events

Legal

Data Processing Agreement

Last updated: 11 July 2026

Terms & ConditionsPrivacy PolicyCookie PolicyData DeletionDPAAPI Terms

Boring Host AI Ltd, 128 City Road, London, United Kingdom, EC1V 2NX. Questions about anything on this page: contact@boringhost.ai.

This Data Processing Agreement ("DPA") forms part of the agreement between the customer (the "Controller") and Boring Host AI Ltd (the "Processor") for the boring host platform, and applies whenever we process personal data on the customer's behalf.

1. Definitions

"Data Protection Laws" means the UK GDPR and Data Protection Act 2018, the EU GDPR, and any other applicable data protection laws (including, where relevant, the Swiss FADP and the CCPA/CPRA). "Personal Data", "processing", "controller", "processor", and "data subject" have the meanings given in those laws. "AI Processing" means processing using machine learning or large language model technologies.

2. Roles and scope

The Controller determines the purposes and means of processing; the Processor processes Personal Data only to provide the platform. Annex 1 describes the subject matter, duration, nature, and purposes of processing and the categories of data subjects and data.

3. Processor obligations

  • Process Personal Data only on the Controller's documented instructions, including these terms and the platform's configuration, unless required otherwise by law (in which case we inform the Controller unless prohibited).
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement the technical and organisational measures in Annex 2.
  • Assist the Controller, by appropriate measures, with data subject rights requests and with the Controller's obligations on security, breach notification, and data protection impact assessments.
  • Make available information reasonably necessary to demonstrate compliance.

4. Data subject requests

If a data subject contacts the Processor directly about data processed for the Controller, the Processor will forward the request to the Controller without undue delay and will not respond substantively except on the Controller's instruction or where the law requires.

5. Sub-processors

The Controller gives general authorisation for the sub-processors listed in Annex 3. The Processor will give at least 30 days' notice of intended additions or replacements, during which the Controller may object on reasonable data-protection grounds. The Processor imposes on each sub-processor data protection obligations no less protective than this DPA and remains liable for their performance.

5A. AI sub-processors

AI sub-processors are contractually prohibited from using Personal Data received through the platform to train, retrain, fine-tune, or otherwise improve any general machine learning or AI model.

6. International transfers

Where processing involves transfers outside the UK or EEA to countries without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: controller to processor), supplemented by the UK International Data Transfer Addendum for UK transfers, and equivalent recognised mechanisms elsewhere.

7. Personal data breach

The Processor notifies the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Controller's data, with the nature of the breach, categories and approximate numbers affected, likely consequences, and measures taken or proposed.

8. Audits

Up to once per year, on at least 30 days' notice, the Controller may audit the Processor's compliance with this DPA, or may accept the Processor's then-current security documentation and independent assessments in lieu. The Controller bears the costs of audits it initiates unless the audit reveals a material breach of this DPA.

9. Return and deletion

On termination of the services, at the Controller's election, the Processor returns or securely deletes all Personal Data within 90 days and certifies deletion in writing, except where the law requires continued storage.

10. Liability

Liability under this DPA is subject to the limitations and exclusions in the main agreement, except that nothing limits or excludes either party's liability where such limitation is prohibited by Data Protection Laws.

Annex 1, Processing details

  • Subject matter and nature: operating AI agents that handle guest, owner, and operational communications and tasks for the Controller, receiving and sending messages, answering and placing calls, syncing reservation data, creating work orders, and producing reports.
  • Duration: the term of the agreement plus the deletion period in section 9.
  • Data subjects: the Controller's guests, property owners, staff, and vendors.
  • Categories of data: contact details; booking and reservation data; check-in and check-out information; message content across connected channels; call recordings and transcripts; task and work-order records; payment references (not full card numbers).

Annex 2, Security measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control, least privilege, and MFA for administrative access.
  • Logical tenant isolation between customer workspaces.
  • Logging, monitoring, and alerting on production systems.
  • Regular backups with tested restoration, and vendor security management.
  • Periodic security reviews and testing; staff confidentiality and training.

Annex 3, Sub-processors

Current categories and providers (the live list is available on request at contact@boringhost.ai):

  • Cloud hosting and infrastructure providers, platform hosting, storage, and backups.
  • Anthropic, OpenAI, Google, large language model processing for drafting, understanding, and voice.
  • Telephony and messaging carriers (including Twilio), voice calls and SMS delivery.
  • Meta Platforms, WhatsApp Business Platform message delivery.
  • Stripe, subscription billing.
Ask AI about Boring HostChatGPTClaudeGeminiPerplexity

Use cases

  • Guest
  • Owner
  • Revenue
  • Operations

Templates

  • All templates
  • The MVP eight
  • Owner retention pack
  • Revenue optimizer pack

Integrations

  • Guesty
  • Hostaway
  • Smoobu
  • OwnerRez
  • All integrations

Resources

  • Blog
  • Guides
  • Newsletter
  • Events

Company

  • Customers
  • Pricing
  • Book a demo
  • Contact
© 2026 Boring Host AITermsPrivacyCookiesData deletionDPAAPI terms