Data Processing Agreement

Effective Date: 25 March 2026

Last Updated: 25 March 2026


This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms of Service or other written agreement between:

1. TripZILLA B.V., a company incorporated under the laws of the Netherlands, with its principal place of business at Van der Boechorststraat 120, 1081 BX Amsterdam, The Netherlands (“Processor”);

and

2. The Customer using TripZILLA services under a separate agreement (“Controller”).


For DPA-related questions or to exercise your data protection rights, you can contact us at [email protected]

We may update the DPA to reflect changes in our services or legal obligations. We may also notify users via email or through the platform if material changes are made. Continued use of the platform after such updates constitutes your acceptance of the revised DPA.

1.

Definitions

“Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, and “Supervisory Authority” have the meanings set out in the GDPR.

“Data Protection Laws” means all laws and regulations relating to data protection and privacy applicable to the Processing, including the GDPR, UK GDPR, Swiss FADP, and where applicable, the CCPA/CPRA.

“CCPA/CPRA” means the California Consumer Privacy Act and California Privacy Rights Act.

“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2.

Scope and Roles

  • The Controller determines the purposes and means of the Processing of Personal Data.

  • The Processor processes Personal Data on behalf of the Controller in accordance with the Agreement and this DPA.

  • The Processor shall act only on documented instructions from the Controller.

  • The parties acknowledge that the Processor may act as an independent controller for certain Personal Data relating to its own business operations (e.g. account management, billing, analytics, and support). Such processing is outside the scope of this DPA and governed by the Processor’s Privacy Policy.

3.

Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required by applicable law.

  • Inform the Controller without undue delay if, in its opinion, an instruction infringes applicable Data Protection Laws.

  • Ensure that persons authorised to process Personal Data are subject to confidentiality obligations

  • Implement appropriate technical and organisational measures as set out in Annex 3.

  • Assist the Controller, taking into account the nature of processing, in responding to Data Subject requests under applicable Data Protection Laws;

  • Assist the Controller in ensuring compliance with Articles 32–36 GDPR.

  • At the choice of the Controller, delete or return all Personal Data upon termination of the Services within a reasonable period (not exceeding 60 days), unless retention is required by law.

  • Make available to the Controller all information necessary to demonstrate compliance with this DPA.

4.

Sub-processing

  • The Controller provides general authorisation for the Processor to engage Sub-processors.

  • The Processor maintains an up-to-date list of Sub-processors, which will be made available to the Controller upon request by contacting [email protected].

  • The Processor shall:

    • Impose data protection obligations on Sub-processors that are equivalent to those set out in this DPA;

    • Remain responsible for ensuring that its Sub-processors process Personal Data in accordance with applicable Data Protection Laws.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors prior to such changes taking effect, thereby giving the Controller the opportunity to object on reasonable data protection grounds.

5.

Data Location & International Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, the Processor shall ensure appropriate safeguards are in place, including:

  • The European Commission’s Standard Contractual Clauses (Module 2: Controller-to-Processor), including the UK Addendum where applicable;

  • Participation in the EU–U.S. Data Privacy Framework where applicable;

  • Implementation of supplementary measures where required.

6.

CCPA/CPRA Compliance

Where applicable, the Processor acts as a “service provider” and shall not:

  • Sell or share Personal Data.

  • Retain, use, or disclose Personal Data for any purpose other than performing the Services.

  • Combine Personal Data with data obtained from other sources, except as permitted by law.

7.

Security Measures

The Processor shall implement and maintain appropriate technical and organisational measures as described in Annex 3. Such measures may be updated from time to time, provided that they do not materially reduce the level of security.

8.

Personal Data Breach Notification

The Processor shall notify the Controller without undue delay (and no later than 72 hours) after becoming aware of a Personal Data Breach. The notice shall contain all information reasonably available for the Controller’s compliance obligations.

9.

Auditing

The Controller may audit the Processor’s compliance no more than once per year, unless required by law or following a Personal Data Breach.

Audits shall:

  • Be conducted upon at least 30 days’ prior written notice.

  • Occur during normal business hours.

  • Not unreasonably interfere with the Processor’s operations.

The Processor may satisfy audit requirements by providing independent audit reports or certifications (e.g. ISO 27001), where appropriate.

The Controller shall bear its own audit costs.

10.

Liability

Liability arising from this DPA shall be subject to the limitations set out in the Terms & Conditions, except where such limitations are prohibited by applicable law.

11.

Term and Termination

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller and until such data is deleted or returned in accordance with this DPA.

Annex 1.

Details of Processing

The Processor implements and maintains appropriate technical and organisational measures designed to protect Personal Data, including:

1.

Subject Matter

Processing of Personal Data in connection with the provision of the TripZILLA platform, a software-as-a-service solution that enables travel professionals to plan, manage, collaborate on, and deliver travel itineraries and related services, including client communication and booking-related workflows.

2.

Duration of Processing

Personal Data is processed for the duration of the Services and retained thereafter only as necessary to comply with this DPA, the Controller’s instructions, or applicable law.

3.

Client Data

The Processor processes Personal Data solely for the purpose of providing the Services to the Controller, including:

  • Hosting and secure storage of travel itinerary and booking-related data.

  • Organisation, management, and display of travel information.

  • Facilitating collaboration and communications between the Controller and Data Subjects (e.g. itinerary sharing and updates).

  • Supporting booking-related workflows and integrations with third-party service providers, where applicable.

  • Providing customer support and technical assistance.

  • Maintaining, securing, and improving the performance, reliability, and functionality of the platform.

The Processor shall not process Personal Data for its own purposes.

4.

Types of Personal Data

Depending on the Controller’s use of the Services, Personal Data may include:

  • Identification data (e.g. full name)

  • Contact data (e.g. email address, phone number)

  • Travel-related data (e.g. itineraries, bookings, destinations, preferences)

  • Transaction data (e.g. booking or purchase details, where applicable)

  • Identification document data (e.g. passport or national ID details), only where provided by the Controller and strictly necessary for travel-related services

The Controller determines the categories and scope of Personal Data submitted to the platform.

5.

Categories of Data Subjects

  • Customers and clients of the Controller (travelers).

  • Prospective customers or travelers.

  • Employees, contractors, or representatives of the Controller.

  • Suppliers or service providers of the Controller (e.g. hotels, tour operators, or other travel partners).

Annex 2.

Sub-processors

The Processor maintains an up-to-date list of Sub-processors, which shall be made available to the Controller upon request by contacting [email protected].

Annex 3.

Security Measures

TripZILLA implements and maintains appropriate technical and organisational measures, including:

  • Role-based access control (RBAC) and multi-factor authentication (MFA) for administrative access.

  • Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).

  • Logging of system access and activity.

  • Regular security updates, patching, and vulnerability assessments.

  • Regular backups and disaster recovery procedures.

  • Incident detection and response processes.

  • Hosting in secure, industry-standard data centres (e.g. ISO 27001-certified).

These measures may be updated from time to time, provided that they do not materially reduce the level of security.