Data Processing Agreement

Last updated: 27 April 2026

This DPA forms part of the agreement between HOLM AI (as processor) and operators (as controllers) using HOLM to process personal data on their behalf. It sets out the obligations, safeguards and rights that apply under UK and EU GDPR.

1. Parties and scope

This DPA is entered into between the customer (the “Controller”) and HOLM AI, operated by AI STUDIO 10, LLC, a Florida limited liability company with its principal place of business at 830 Brickell Plaza, Miami, FL 33131 (the “Processor”).

It applies whenever HOLM processes personal data on behalf of the Controller in connection with the HOLM platform.

2. Details of the processing

Subject matter: provision of the HOLM platform to the Controller.

Duration: the term of the Controller’s subscription, plus any additional period described in the Terms of Service for export and deletion.

Nature and purpose: hosting, processing and transmitting personal data to deliver guest communication, field operations, finance, guest experience, growth and AI supervision features.

Categories of data: account, operator, guest, usage and payment data as described in the Privacy Policy.

Categories of data subjects: Controller personnel, operator team members, property owners, guests and their authorised representatives.

3. Controller instructions

HOLM processes personal data only on the Controller’s documented instructions — principally the Terms of Service, configuration of the platform and written instructions from authorised admins. If HOLM believes an instruction infringes data protection law, it will notify the Controller promptly.

4. Confidentiality

Personnel with access to personal data are bound by written confidentiality obligations and receive regular data protection training. Access is limited to what is necessary to perform their role.

5. Security of processing

HOLM maintains technical and organisational measures appropriate to the risk, including:

  • SOC 2 Type II controls across the platform.
  • Strict per-tenant isolation at the database level — no shared schemas across operators.
  • AES-256 encryption at rest, TLS 1.3 in transit, per-tenant KMS keys.
  • SSO/SAML, role-based access and least-privilege internal access controls.
  • Full audit logging of AI actions and administrative operations, with reversal mechanisms.
  • Annual third-party penetration testing and regular internal reviews.

6. Sub-processors

The Controller authorises HOLM to engage sub-processors to provide the platform (including cloud hosting, observability, email delivery, AI model providers and payment processors). A current list is published on our trust page and available from privacy@useholm.com.

We’ll notify the Controller of intended changes to sub-processors at least 30 days in advance. The Controller may object on reasonable data protection grounds.

7. International transfers

Customer data is hosted in the EU by default. Where personal data is transferred outside the EEA or UK, HOLM relies on appropriate safeguards — primarily the EU Standard Contractual Clauses and the UK International Data Transfer Addendum.

8. Assistance with data subject rights

HOLM assists the Controller in responding to data subject requests by providing in-product access, export and deletion tools, and by supporting the Controller with reasonable additional measures when needed.

9. Personal data breaches

HOLM notifies the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach, providing the information the Controller needs to meet its own notification obligations.

10. Audits

HOLM makes available the information necessary to demonstrate compliance with this DPA, including the latest SOC 2 report and penetration test summary. Additional audits may be agreed on reasonable notice, at the Controller’s cost, subject to confidentiality and operational constraints.

11. Return and deletion

On termination or expiry of the subscription, HOLM returns or deletes personal data in line with the Terms of Service, except where retention is required by law. Backups are deleted according to our retention schedule.

12. Liability

The liability provisions in the Terms of Service apply to this DPA. Nothing in this DPA reduces or excludes any rights of data subjects under applicable data protection law.

13. Changes

HOLM may update this DPA to reflect changes in law, operational practice or sub-processing. Material changes are communicated to account admins at least 30 days in advance.