Last updated: May 7, 2026
This Data Processing Addendum ("DPA") is entered into between Goodstay, Inc. ("Goodstay", "we", "us") and the Facility Customer identified in the underlying subscription agreement ("Customer", "you"). It supplements and is incorporated into the Terms of Service and Privacy Policy (together, the "Agreement"). This DPA applies to the extent that Goodstay processes personal information on behalf of Customer in the course of providing the Service.
By using the Service, Customer accepts this DPA on behalf of itself and any authorized affiliates that use the Service under Customer's account. Customer does not need to sign or countersign this DPA for it to take effect; if Customer requires a signed copy for procurement records, Goodstay will provide one upon written request to legal@goodstay.pet.
Capitalized terms not defined in this DPA have the meaning given in the Agreement. In addition:
For the purposes of this DPA and Customer Data:
Goodstay will process Customer Data for the duration of the Agreement (and any post-termination period during which Customer has exported, restored, or otherwise instructed Goodstay to retain Customer Data).
Goodstay will process Customer Data only for the purpose of providing, securing, and improving the Service for Customer, and for any other purpose Customer documents in writing or configures through the Service.
Customer's use of the features, functionality, and configurable settings within the Service constitutes its documented processing instructions to Goodstay. Goodstay will notify Customer if it believes a Customer instruction violates Data Protection Laws (unless prohibited from doing so by law). Goodstay will not process Customer Data for its own commercial purposes, will not sell Customer Data, and will not share Customer Data with any third party except as permitted by this DPA.
Customer authorizes Goodstay to engage Sub-processors to process Customer Data, provided that Goodstay (a) imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, and (b) remains responsible to Customer for the acts and omissions of each Sub-processor.
As of the date above, Goodstay engages the following Sub-processors:
| Sub-processor | Purpose | Data Categories | Location |
|---|---|---|---|
| DigitalOcean, LLC | Application hosting, managed PostgreSQL database, object storage | All Customer Data | United States |
| Postmark (ActiveCampaign, Inc.) | Transactional email delivery | Names, email addresses, message content of transactional emails | United States |
| Twilio Inc. | SMS message delivery (when SMS notifications are enabled by Customer) | Phone numbers, SMS message content, delivery metadata | United States |
| Stripe, Inc. | Subscription billing and payment processing for Customer's Goodstay subscription, and (where Customer enables it) for Customer's own invoices to pet owners | Names, email addresses, billing addresses, tokenized card data, transaction records | United States |
| Functional Software, Inc. (Sentry) | Application error and performance monitoring | Limited request metadata, IP address, user-agent, error stack traces (Customer Data is scrubbed where reasonably possible) | United States |
Goodstay will notify Customer at least 30 days before adding or replacing any Sub-processor. Notice will be sent to the primary email address on file for Customer's account and posted to this DPA. The notice will identify the new Sub-processor and the processing activities involved.
Customer may object to a new Sub-processor on reasonable data-protection grounds within 30 days of the notice by emailing legal@goodstay.pet. Goodstay will work in good faith with Customer to resolve the objection. If the parties cannot agree on a resolution within a reasonable period, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience and receive a pro-rata refund of prepaid, unused subscription fees.
Goodstay will maintain technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Without limiting the foregoing, these measures include:
Goodstay reviews and updates these measures as the Service evolves. Goodstay will not materially diminish the overall protection of Customer Data during the term of the Agreement.
Goodstay will ensure that personnel authorized to process Customer Data are subject to confidentiality obligations (whether by contract or by statutory duty) and have received appropriate training on the handling of personal information.
Goodstay will, taking into account the nature of the processing, provide reasonable assistance to Customer in responding to requests by data subjects (including requests for access, correction, deletion, portability, opt-out of sale or sharing, and similar rights under Data Protection Laws). Customer can use the in-product tools (such as data export, record edit and delete, and notification preference controls) to fulfill most data-subject requests directly. For requests that cannot be fulfilled through these tools, Customer may contact privacy@goodstay.pet.
If Goodstay receives a request directly from a data subject relating to Customer Data, Goodstay will, where permitted by law, refer the request to Customer rather than respond directly.
Goodstay will notify Customer without undue delay, and in any event within 72 hours, after confirming a Personal Data Breach affecting Customer Data. Notification will be sent to the primary email address on file for Customer and will include, to the extent then known: the nature of the breach, the categories and approximate volume of personal data and data subjects affected, the likely consequences, and the measures Goodstay is taking or proposes to take in response. Goodstay will provide reasonable cooperation in connection with any further notifications Customer is required to make under Data Protection Laws.
The Service is hosted in the United States and is offered to U.S. facilities. Goodstay does not currently make available the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or any other cross-border transfer mechanism, and Goodstay does not act as a "processor" under the EU or UK General Data Protection Regulations or similar non-U.S. data protection laws.
Customer agrees not to use the Service to process personal data of data subjects in the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions whose data protection laws would require such a transfer mechanism or processor commitment from Goodstay. If Customer has obligations to such data subjects, Customer is solely responsible for any required transfer mechanism.
On termination of the Agreement, Goodstay will, at Customer's option, return or delete Customer Data within the timeframes described in the Privacy Policy (currently: data export available for 30 days, deletion within 90 days), except to the extent retention is required by applicable law. Customer may export its data at any time during the subscription term using the data export tools in the Service.
On Customer's reasonable written request, no more than once per twelve-month period (and more frequently if required by a regulator or following a confirmed Personal Data Breach), Goodstay will provide Customer with the most recent copy of any third-party audit reports or certifications it maintains, summary documentation of its security and privacy controls, and reasonable written responses to a security questionnaire. Where these resources are not sufficient to demonstrate compliance with this DPA, the parties will discuss in good faith additional audit measures, which may include an on-site or remote audit conducted at Customer's expense by a mutually agreed independent auditor under reasonable confidentiality terms and at a mutually agreed time.
Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement. The Agreement, this DPA, and the Privacy Policy together state the entire liability of each party with respect to the subject matter of this DPA.
If there is any conflict between this DPA and the Agreement, this DPA controls solely with respect to the processing of Customer Data.
Goodstay may update this DPA from time to time to reflect changes in the Service, the Sub-processor list, or applicable Data Protection Laws. Material changes will be communicated to Customer by email or in-product notice and reflected by an updated "Last updated" date above. Continued use of the Service after the effective date of an updated DPA constitutes acceptance of the changes, except that Customer's right to object to new Sub-processors under Section 3.3 is preserved.
Questions about this DPA, requests for a signed copy, requests for security documentation, or objections to a new Sub-processor can be sent to: