Effective from: 23 June 2026
Data Processing Agreement
This document defines how Customer personal data is entrusted to the Provider for the purpose of providing Salio Rooms as a SaaS service.
1. Nature of this document
This Data Processing Agreement is an appendix to the Terms and applies where the Customer uses Salio Rooms in a way that entrusts the Provider with personal data for which the Customer is controller.
By accepting the Terms or using the Application on behalf of the Customer, the person acting for the Customer represents that they are authorized to enter into this Data Processing Agreement.
2. Roles, subject matter and duration
| Controller | The Customer, deciding the purposes and means of processing personal data of its users, employees, collaborators, guests and booking participants. |
|---|---|
| Processor | MACH Studio Mariusz Chmiest, processing data on behalf of the Customer to provide Salio Rooms. |
| Subject matter | Processing personal data within Salio Rooms as a SaaS service for rooms, bookings, invitations, check-in, calendar integrations, reports, support and security. |
| Duration | For the period of Service use and afterwards for deletion, return, backups, settlements, security or legal obligations. |
3. Categories of data and data subjects
| Data subjects | Account owners, administrators, users, employees, collaborators, guests, meeting participants and persons invited to bookings. |
|---|---|
| Data | Name, email, role, user status, company identifier, booking data, meeting participation, attendance status, calendar preferences, activity logs, integration identifiers and technical data. |
| Excluded data | The Customer should not enter special categories of data, children's data, health data, payment card data or other high-risk data without separate safeguards and agreement. |
4. Processor obligations
- The Provider processes data only on documented Customer instructions, including the Terms, account settings, user actions, support requests and this DPA.
- The Provider ensures that authorized persons are bound by confidentiality obligations and applies technical and organizational measures appropriate to risk.
- The Provider assists the Customer reasonably with data subject rights, breaches, DPIAs and supervisory authority consultations, considering the nature of processing.
- After the Service ends, the Provider deletes or returns personal data according to the Customer's decision unless law requires further storage.
5. Subprocessors and transfers
The Customer gives general authorization for the Provider to use subprocessors necessary for hosting, VPS infrastructure, email, backups, payments, calendar integrations, monitoring, IT support, accounting and legal services.
The Provider imposes data protection obligations on subprocessors appropriate to their processing. If a subprocessor change materially affects Customer Data, the Provider will reasonably inform the Customer.
Transfers outside the EEA, if any, are protected by lawful GDPR transfer mechanisms such as adequacy decisions, standard contractual clauses or other required safeguards.
6. Breaches, audits and Customer duties
- The Provider informs the Customer of a confirmed personal data breach without undue delay after becoming aware of it, to the extent needed for the Customer to assess notification duties.
- The Customer may request information necessary to demonstrate compliance. Audits involving the Provider must be reasonable, announced in advance, performed during business hours and not compromise security or other customers' confidentiality.
- The Customer is responsible for lawful data and instructions, legal bases, privacy notices, user permissions, data minimization and avoiding high-risk processing without prior assessment and separate arrangements.
7. Liability and priority
Liability related to processing is governed by the Terms and mandatory law. This DPA does not extend the Provider's liability beyond the Terms and legally required scope.
If the Terms and this DPA conflict on personal data processing, this DPA prevails.