Last Updated: August 3, 2023
This Data Processing Addendum (“DPA”) forms part of, and is subject to, the Terms of Use, or other written or electronic terms of service or subscription agreement between Softrip LLC or the applicable Affiliate that is a party to such agreement (“Softrip”) and the legal entity defined as ‘Customer’ thereunder together with all Customer Affiliates who are signatories to an Order (collectively, for purposes of this DPA, “Customer,” and together with Softrip, the “Parties” and each a “Party” (such agreement, the “Agreement”)). All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
- Definitions.
“Affiliate” has the meaning given in the Agreement.
“Application” has the meaning given in the Agreement.
“Authorized Affiliate” will mean a Customer Affiliate who has not signed an Order pursuant to the Agreement but is either a Data Controller or Data Processor for the Customer Personal Data processed by Softrip pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.
“Customer Data” has the meaning given in the Agreement.
“Customer Personal Data” means any Customer Data that is Personal Data.
“Data Controller” means an entity that determines the purposes and means of Processing Personal Data.
“Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
“Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and USASP Laws.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“EU & UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018.
“Personal Data” means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the USASP Laws.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination; and “Process”, “Processes” and “Processed” will be interpreted accordingly.
“Purposes” means (i) Softrip’s provision of the Softrip Offerings as described in the Agreement, including Processing initiated by Users in their use of the Softrip Offerings; and (ii) further documented, reasonable instructions from Customer agreed upon by the Parties.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
“Softrip Offering(s)” has the meaning given in the Agreement.
“SCCs” means, collectively, (i) “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and (ii) “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK Addendum”).
“Sub-Processor” means any other Data Processors engaged by Softrip to Process Customer Personal Data.
“USASP Laws” means, collectively and individually, the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, any other United States state privacy legislation of similar scope to the aforementioned statutes that becomes enforceable after execution of this Addendum, and any implementing regulations adopted thereunder, as may be amended from time to time.
- Scope and Applicability of this DPA. This DPA applies where and only to the extent that Softrip Processes Customer Personal Data on behalf of Customer as Data Processor in the course of providing the Softrip Offerings.
- Roles and Scope of Processing.
- Role of the Parties. As between Softrip and Customer, Softrip will Process Customer Personal Data only as a Data Processor (or sub-processor) acting on behalf of Customer and, with respect to USASP Laws, as a “service provider” as defined therein, in each case regardless of whether Customer acts as a Data Controller or as a Data Processor on behalf of a third-party Data Controller (such third-party, the “Third-Party Controller”) with respect to Customer Personal Data. To the extent any Usage Data (as defined in the Agreement) is considered Personal Data under applicable Data Protection Laws, Softrip is the Data Controller of such data and will Process such data in accordance with the Agreement and applicable Data Protection Laws.
- Customer Instructions. Softrip will Process Customer Personal Data only for the Purposes. Customer will ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The Parties agree that the Agreement (including this DPA) sets out the exclusive and final instructions to Softrip for all Processing of Customer Personal Data, and (if applicable) include and are consistent with all instructions from Third-Party Controllers. Any additional requested instructions require the prior written agreement of Softrip. Softrip will promptly notify Customer if, in Softrip’s opinion, such an instruction violates EU & UK Data Protection Law. Where applicable, Customer will be responsible for any communications, notifications, assistance and/or authorizations that may be required in connection with a Third-Party Controller.
- Customer Affiliates. Softrip’s obligations stated in this DPA will also extend to Authorized Affiliates, subject to the following conditions:
(a) Customer must exclusively communicate any additional Processing instructions requested pursuant to 3.2 directly to Softrip, including instructions from its Authorized Affiliates;
(b) Customer will be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations in this DPA will be considered the acts and/or omissions of Customer; and
(c) Authorized Affiliates will not bring a claim directly against Softrip. If an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against Softrip (“Authorized Affiliate Claim”): (i) Customer must bring such Authorized Affiliate Claim directly against Softrip on behalf of such Authorized Affiliate, unless Data Protection Laws require the Authorized Affiliate be a party to such claim; and (ii) all Authorized Affiliate Claims will be considered claims made by Customer and will be subject to any liability restrictions in the Agreement, including any aggregate limitation of liability.
- Customer Processing of Personal Data. Customer agrees that it: (i) will comply with its obligations under Data Protection Laws with respect to its Processing of Customer Personal Data; (ii) will make appropriate use of the Application to ensure a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing and backing-up Customer Personal Data; and (iii) has obtained all consents, permissions and rights necessary under Data Protection Laws for Softrip to lawfully Process Customer Personal Data for the Purposes, including, without limitation, Customer’s sharing and/or receiving of Customer Personal Data with third-parties via the Application.
- Details of Data Processing.
(a) Subject Matter: The subject matter of the Processing under this DPA is the Customer Personal Data.
(b) Frequency and duration: Notwithstanding expiry or termination of the Agreement, Softrip will Process the Customer Personal Data continuously and until deletion of all Customer Personal Data as described in this DPA.
(c) Purpose: Softrip will Process the Customer Personal Data for the Purposes, as described in this DPA.
(d) Nature of the Processing: Softrip will perform Processing as needed for the Purposes, and to comply with Customer’s Processing instructions as provided in accordance with the Agreement and this DPA.
(e) Retention Period. The period for which Customer Personal Data will be retained and the criteria used to determine that period will be determined by Customer during the term of the Agreement via its use and configuration of the Application. Upon termination or expiration of the Agreement, Customer may retrieve or delete all Customer Personal Data as stated in the Agreement. Any Customer Personal Data not deleted by Customer will be deleted by Softrip promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “Retrieval Right” in the Agreement.
(f) Categories of Data Subjects: The categories of Data Subjects to which Customer Personal Data relate are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
(i) Prospects, customers, Users, Tour Operators, Travel Agents and Travelers, business partners, and vendors of Customer (who are natural persons);
(ii) Employees or contact persons of Customer’s prospects, customers, business partners, and vendors; and/or
(iii) Employees, agents, advisors, freelancers of Customer (who are natural persons).
(g) Categories of Personal Data: The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
(i) Identification and contact data (name, address, title, contact details);
(ii) Financial information (credit card details, account details, payment information);
(iii) Employment details (employer, job title, geographic location, area of responsibility); and/or
(iv) IT information (IP addresses, cookies data, location data).
(h) Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the Agreement or Documentation, Customer may also include “special categories of personal data” or similarly sensitive Personal Data (as described or defined in Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation.
- Sub-Processing.
- Authorized Sub-Processors. Customer provides Softrip with a general authorization to engage Sub-processors, subject to Section 4.3 (Changes to Sub-processors), as well as Softrip’s current Sub-processors listed here (“Sub-processor Site”) as of the effective date of this DPA and members of Softrip.
- Sub-Processor Obligations. Softrip will: (i) enter into written or electronic agreements with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than Softrip’s obligations under this DPA to the extent applicable to the nature of the services or products provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, Softrip will provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.
- Changes to Sub-Processors. Softrip will make available on its Sub-processor Site a mechanism to subscribe to notifications of new Sub-processors. Softrip will provide such notification to those emails that have subscribed at least fourteen (14) days in advance of allowing the new Sub-processor to Process Customer Personal Data (the “Objection Period”). During the Objection Period, objections (if any) to Softrip’s appointment of the new Sub-processor must be provided to Softrip in writing and based on reasonable grounds relating to data protection. In such event, the Parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to Softrip that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Softrip cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may provide written notice to Softrip terminating the Order Form(s) with respect only to those aspects which cannot be provided by Softrip without the use of the new Sub-processor. Softrip will refund Customer any prepaid unused fees of such Order(s) following the effective date of such termination.
- Security.
- Security Measures. Softrip will implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with Softrip’s Security Addendum (“Security Addendum”). Softrip may review and update its Security Addendum from time to time, provided that any such updates will not materially diminish the overall security of the Application or Customer Personal Data.
- Confidentiality of Processing. Softrip will ensure that any person who is authorized by Softrip to Process Customer Personal Data (including its staff, agents, and subcontractors) will be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- No Assessment of Customer Personal Data by Softrip. Softrip will have no obligation to assess the contents or accuracy of Customer Personal Data, including to identify information subject to any specific legal, regulatory, or other requirement. Customer is responsible for reviewing the information made available by Softrip relating to data security and making an independent determination as to whether the Application meets Customer’s requirements and legal obligations under Data Protection Laws.
- Data Transfers.
- Hosting and Processing Locations. Softrip will only host Customer Personal Data in the region(s) offered by Softrip (the “Hosting Region”). Softrip will not Process Customer Personal Data from outside the Hosting Region except as reasonably necessary to provide the Softrip Offerings procured by Customer, or as necessary to comply with a governmental body’s law or binding order.
- Transfer Mechanisms.
- For any transfers by Customer of Customer Personal Data from the European Economic Area and its member states, United Kingdom and/or Switzerland (collectively, “Restricted Countries”) to Softrip in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the applicable Data Protection Laws of the Restricted Countries) (collectively, “Third Country”), such transfers will be governed by a valid mechanism for the lawful transfer of Customer Personal Data recognized under applicable Data Protection Laws. For clarity, for transfers from the United Kingdom and Switzerland, references in the SCCs will be interpreted to include applicable terminology for those jurisdictions (e.g., “Member State” will be interpreted to mean “United Kingdom” for transfers from the United Kingdom).
(a) SCCs: Each Party agrees to abide by and transfer Customer Personal Data from the Restricted Countries in accordance with the EU SCCs and UK Addendum respectively and where applicable, which are incorporated into this DPA by reference. Each Party is deemed to have executed the SCCs as of the Effective Date by entering into this DPA and such details will apply for the purposes of Table 1 of the UK Addendum.
(i) The below will apply to the SCCs, including the election of specific terms and/or optional clauses as described in more detail in (A)-(K) below, and any optional clauses not expressly selected are not incorporated (including with respect to Table 2 of the UK Addendum):
(A) the Module 2 terms apply to the extent Customer is a Data Controller and the Module 3 terms apply to the extent Customer is a Data Processor of the Customer Personal Data. The foregoing will apply with respect to Table 2 of the UK Addendum;
(B) the optional Clause 7 in Section I of the SCCs is incorporated, and Authorized Affiliates may accede to this DPA and the SCCs under the same terms and conditions as Customer, subject to Section 3.3 of this DPA via mutual agreement of the Parties. The foregoing will apply with respect to Table 2 of the UK Addendum;
(C) for purposes of Clause 9 of the SCCs, Option 2 (‘General written authorization’) is selected, and the process and time period for the addition or replacement of Sub-processors will be as described in Section 4 (Sub-processing) of this DPA. The foregoing will apply with respect to Table 2 of the UK Addendum;
(D) for purposes of Clause 13 and Annex 1.C of the EU SCCs, Customer will maintain accurate records of the applicable Member State(s) and competent supervisory authority, which will be made available to Softrip on request;
(E) for purposes of Clause 14(c) of the SCCs, Customer may subscribe to the Sub-processor Site to receive notifications regarding updates to Softrip’s overview of relevant laws and practices of Third Countries;
(F) for purposes of Clause 17 and Clause 18 of the EU SCCs, the Member State for purposes of governing law and jurisdiction will be the Netherlands. Part 2, Section 15(m) and Part 2, Section 15(n) of the UK Addendum regarding Clause 17 and Clause 18 of the EU SCCs will apply;
(G) for purposes of Annex 1.A, the ‘data importer’ will be Softrip and the ‘data exporter’ will be Customer and any Authorized Affiliates that have acceded to the SCCs pursuant to this DPA. The foregoing will apply with respect to Table 3 of the UK Addendum;
(H) for purposes of Annex 1.B, the description of the transfer is as described in Section 3.5 (Details of Data Processing) of this DPA. The foregoing will apply with respect to Table 3 of the UK Addendum;
(I) for purposes of Annex 2, the technical and organizational measures are as follows: (i) Those measures implemented by Softrip will be as described in Section 5.1 (Security Measures) of this DPA; and (ii) Those measures that can be selected or configured by Customer, including appropriate controls for ‘special categories of data’, will be as further described in Softrip’s Documentation. The foregoing will apply with respect to Table 3 of the UK Addendum;
(J) the Sub-processors for Annex III will be as described in Section 4.1 (Authorized Sub-processors) of this DPA. The foregoing will apply with respect to Table 3 of the UK Addendum; and
(K) with respect to Table 4 of the UK Addendum, Customer may suspend or terminate the Processing of the Customer Personal Data by Softrip that is subject to UK GDPR at any time by deleting all such Customer Personal Data in the Application. Additionally, either Party may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the Parties to amend this DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the Parties are unable to come to a mutual agreement.
(b) Binding Corporate Rules for Processors (“BCRs”): Notwithstanding the foregoing, if Softrip has adopted BCRs for Processors that cover the transfer of Customer Personal Data to a Third Country, then such BCRs will govern the transfer of Customer Personal Data.
- Security Incident Response. Please refer to Section 6 of the Security Addendum.
- Cooperation.
- Data Subject Requests. Softrip will promptly notify Customer if Softrip receives a request from a Data Subject that identifies Customer Personal Data or otherwise identifies Customer, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, “Data Subject Request”). The Application provides Customer with a number of controls that Customer may use to assist it in responding to Data Subject Requests and Customer will be responsible for responding to any such Data Subject Requests. To the extent Customer is unable to access the relevant Customer Personal Data within the Application using such controls or otherwise, Softrip will (upon Customer’s written request and taking into account the nature of the Processing) provide commercially reasonable cooperation to assist Customer in responding to Data Subject Requests.
- Data Protection Impact Assessments. Softrip will provide reasonably requested information regarding the Application to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.
- Government, Law Enforcement, and/or Third-Party Inquiries. If Softrip receives a demand to retain, disclose, or otherwise Process Customer Personal Data for any third party, including, but not limited to law enforcement or a government authority (“Third-Party Demand”), then Softrip will attempt to redirect the Third-Party Demand to Customer. Customer agrees that Softrip can provide information to such third-party as reasonably necessary to redirect the Third-Party Demand. If Softrip cannot redirect the Third-Party Demand to Customer, then Softrip will, to the extent legally permitted to do so, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy. This section does not diminish Softrip’s obligations under the SCCs with respect to access by public authorities.
- Relationship with the Agreement.
- The Parties agree that this DPA will replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Softrip and Customer may have previously entered into in connection with the Application. Softrip may update this DPA from time to time, with such updated version posted to legalnotices@Softrip.com or a successor website designated by Softrip; provided, however, that no such update will materially diminish the privacy or security of Customer Personal Data.
- Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.
- Notwithstanding anything to the contrary in the Agreement or this DPA, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the SCCs, and any other data protection agreements in connection with the Agreement (if any), will be subject to any aggregate limitations on liability set out in the Agreement. Without limiting the Parties’ obligations under the Agreement, each Party agrees that any regulatory penalties incurred by one Party (the “Incurring Party”) in relation to the Customer Personal Data that arise as a result of, or in connection with, the other Party’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws will count toward and reduce the Incurring Party’s liability under the Agreement as if it were liability to the other Party under the Agreement.
- In no event will this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the SCCs).
- This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.