01 Parties & scope
This Data Processing Agreement ("DPA") forms part of the
Terms of Service and any signed agreement between
Innovate Solution Global FZ-LLC (trading as Reservationhub; "Processor", "we") and the
customer entity that subscribes to or uses our services ("Controller", "you"), collectively the "Parties".
This DPA applies whenever we Process Personal Data on your behalf in connection with the Services, and
where applicable laws — including the EU General Data Protection Regulation (GDPR) 2016/679, the UK GDPR,
the Swiss Federal Act on Data Protection (FADP), and comparable laws of other jurisdictions — require a
data processing contract.
If a separate, signed DPA is in place between us, that signed DPA controls. Otherwise, by using the Services you accept this DPA.
02 Definitions
Capitalised terms not defined here have the meaning given in the GDPR. In addition:
- Personal Data: Any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the Services.
- Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, erasure or destruction.
- Data Subject: The identified or identifiable natural person to whom Personal Data relates (e.g. your end-travellers, employees or customers).
- Sub-processor: A third party engaged by us to Process Personal Data on your behalf.
- Standard Contractual Clauses (SCCs): The European Commission's standard contractual clauses for the transfer of personal data to third countries, set out in Commission Implementing Decision (EU) 2021/914.
- UK Addendum: The Information Commissioner's Office "International Data Transfer Addendum to the EU SCCs", version B1.0, in force from 21 March 2022.
03 Roles & responsibilities
The Parties acknowledge that, for the purposes of this DPA:
- You are the Controller of Personal Data you submit to the Services (including booking data, traveller data, account-holder data of your end-users).
- We are the Processor acting on your documented instructions.
- Where multiple controllers are involved (e.g. a Reservationhub customer who is itself a service provider to its own corporate customers), you warrant that you have obtained all necessary authorisations and instructions from upstream controllers.
Each Party is responsible for its own compliance with applicable data-protection laws.
04 Processing instructions
We will Process Personal Data only on your documented instructions, as set out in
Schedule I, the Terms, any Order Form and reasonable instructions you give in
writing from time to time. Use of the Services constitutes such instructions.
We will inform you if we believe an instruction infringes data-protection law, in which case we may refuse
to act on it until clarified. We will not Process Personal Data for our own purposes except where
permitted or required by law (in which case we will inform you unless prohibited).
05 Confidentiality of personnel
We ensure that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations or are under a statutory duty of confidentiality, and that they Process Personal Data only as needed to provide the Services.
06 Security measures
We implement and maintain appropriate technical and organisational measures to protect Personal Data
against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The
current set of measures is set out in Schedule II. We may update Schedule II
from time to time provided the security level is not reduced.
07 Sub-processors
You give us a general authorisation to engage Sub-processors, provided that we:
- Maintain a current list of Sub-processors at Schedule III.
- Impose written contractual data-protection obligations on each Sub-processor that are no less protective than this DPA.
- Remain liable to you for the acts and omissions of Sub-processors.
- Notify you at least 30 days in advance of any intended addition or replacement of a Sub-processor (by email to your administrator address or via in-product notification). You may object on reasonable data-protection grounds within that period. If we cannot accommodate a reasonable objection, you may terminate the affected service with a pro-rata refund of pre-paid, unused fees.
08 Data subject rights
We will provide reasonable assistance, taking into account the nature of the Processing and the
information available to us, to enable you to respond to requests from Data Subjects exercising their
rights under data-protection law (access, rectification, erasure, restriction, portability, objection).
Where a Data Subject contacts us directly, we will instruct them to address the request to you.
For self-service tooling (export, deletion, redaction) provided in the Services, we will charge no fee. For exceptional manual assistance we may charge our reasonable costs at our then-current professional-services rates.
09 Personal data breach
We will notify you without undue delay — and in any event within 48 hours — after becoming aware of a
Personal Data Breach affecting Personal Data Processed on your behalf. The notification will, to the
extent then known, describe:
- The nature of the breach including the categories and approximate number of Data Subjects and records concerned.
- The likely consequences.
- The measures taken or proposed to mitigate possible adverse effects.
- The contact point at Reservationhub.
We will cooperate with you and provide reasonable assistance with your notification obligations to supervisory authorities and affected Data Subjects.
10 Assistance with DPIA & prior consultation
We will provide you with reasonable assistance with data-protection impact assessments (Art. 35 GDPR)
and prior consultations with supervisory authorities (Art. 36 GDPR), taking into account the nature of
Processing and the information available to us.
11 Audits & inspections
We will make available all information necessary to demonstrate compliance with Article 28 GDPR and
allow for audits, including inspections, conducted by you or an auditor mandated by you, in accordance
with the following:
- Audits will use independent, recognised audit reports (SOC 2 Type II, ISO 27001) made available to you upon request and under NDA, which the Parties agree will normally satisfy this obligation.
- Where, after review of those reports, you still reasonably require an on-site audit, the audit will be at your cost, with no more than one audit per year (save where a regulator requires more), conducted during normal business hours, after at least 30 days' written notice, and subject to confidentiality.
- Audits may not unreasonably interfere with our operations and may not access other customers' data.
12 International transfers & SCCs
To the extent we transfer Personal Data from the European Economic Area, the United Kingdom or
Switzerland to a country outside the EEA, UK or Switzerland that is not the subject of an adequacy
decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914),
Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable, are
incorporated by reference and apply with the following selections:
- Clause 7 (Docking) — applies.
- Clause 9(a) (Sub-processors) — Option 2 (general written authorisation), with 30 days' notice.
- Clause 11 (Independent dispute resolution) — optional language not selected.
- Clause 17 (Governing law) — the law of Ireland.
- Clause 18 (Choice of forum) — the courts of Ireland.
- Annex I.A — the Parties are as identified in this DPA; the contact persons are the email addresses on file plus [email protected].
- Annex I.B — set out in Schedule I.
- Annex II — set out in Schedule II.
- Annex III — set out in Schedule III.
For UK transfers, the UK Addendum applies and is incorporated by reference with the EU SCCs as the "Approved EU SCCs" referenced in the Addendum. For Swiss transfers, references to GDPR are read as references to the FADP and references to EU member-state supervisory authorities are read as references to the Swiss FDPIC.
Where required by law, we conduct transfer impact assessments and apply supplementary measures (encryption, access controls, data minimisation, challenge of unlawful access requests).
13 Return or deletion of data
On termination or expiry of the Services we will, at your choice, return or delete Personal Data
Processed on your behalf, unless storage is required by applicable law. Self-service export is
available for 30 days after termination. After that period (or sooner if you instruct us in writing),
we will delete or anonymise the data, save for back-up copies which are deleted in accordance with our
standard back-up rotation (typically 30–90 days).
14 Liability
The Parties' liability under this DPA is subject to the limitations of liability in the Terms of Service. Where the SCCs apply, Clause 12 of the SCCs is not affected.
15 Term & termination
This DPA takes effect on the effective date of the Terms of Service or signed agreement and continues for as long as we Process Personal Data on your behalf. Sections that by their nature survive termination — confidentiality, deletion, liability, transfer mechanisms — will survive.
S1 Schedule I — Description of processing
| Item | Summary | Details |
|---|---|---|
| Subject matter | The Reservationhub Services | SaaS booking platform, hosted Source Code Edition, Travel APIs and supporting services as described in the Terms and Order Form. |
| Duration | For the term of the agreement | Plus the deletion period in Section 13 above. |
| Nature and purpose | Travel-distribution Processing | Storing, retrieving, transmitting, displaying and otherwise Processing Personal Data necessary to: enable Customer's authorised users to access the platform; route searches and bookings to airlines, hotels, GDS and other travel suppliers; process payments through PCI-DSS certified gateways; provide support, security and reporting. |
| Categories of Data Subjects | Customer's personnel and end-travellers | Customer's employees, contractors and authorised users; Customer's corporate customers' employees; end-travellers and accompanying passengers; payment-card holders; emergency contacts. |
| Categories of Personal Data | Booking and account data | Name, contact details, account credentials, IP and device data, transaction data, booking details, passport and visa information, date of birth, nationality, frequent-flyer numbers, dietary/accessibility preferences, billing/payment data (tokenised), itineraries, and any other data Customer chooses to upload. |
| Special-category data | Only as instructed | We do not solicit special-category data. Where Customer Data necessarily implies special categories (dietary preferences implying religion, accessibility data implying health), we Process it only on Customer's documented instructions. |
| Frequency of transfer | Continuous | On a continuous basis during the term, in line with use of the Services. |
S2 Schedule II — Technical & organisational measures
We implement appropriate technical and organisational measures, including the following, to protect the security of Personal Data:
Access control
- Role-based access control with least-privilege defaults.
- Mandatory multi-factor authentication for all production-system access.
- Quarterly access reviews; immediate revocation on personnel changes.
- Separate environments for development, staging and production.
Encryption
- TLS 1.2+ (preferably TLS 1.3) for all data in transit.
- AES-256 for primary data at rest; key rotation managed by KMS.
- Tokenisation of payment data through PCI-DSS Level 1 processors.
Network and platform security
- Web application firewall (WAF), DDoS protection, bot management.
- Network segmentation; private subnets for databases.
- Continuous vulnerability scanning; quarterly external penetration tests.
- Hardened, patched operating system images; immutable infrastructure.
Application security
- Secure SDLC: peer review, static analysis (SAST), dynamic testing (DAST), dependency scanning.
- Bug-bounty programme open to responsible researchers.
- OWASP Top 10 controls; regular security training for engineers.
Operational resilience
- Geographically distributed back-ups; documented recovery-time and recovery-point objectives.
- Tested business-continuity and disaster-recovery plans.
- Service-level monitoring with on-call rotation.
Personnel
- Background checks where lawful for personnel with production-data access.
- Contractual confidentiality obligations covering all personnel.
- Mandatory annual privacy and security training.
- Immediate de-provisioning on separation.
Vendor management
- Risk-based vendor due-diligence for Sub-processors handling Personal Data.
- Contractual data-protection terms equivalent to this DPA.
- Annual review of critical Sub-processors.
Incident management
- Documented incident-response runbooks and post-incident reviews.
- 72-hour breach-notification target (48-hour notice to Customer per Section 9).
- Forensic-evidence preservation procedures.
Governance and assurance
- SOC 2 Type II programme; ISO 27001 alignment.
- Annual independent audits made available to Customer under NDA.
- Documented data-retention and deletion procedures.
S3 Schedule III — Sub-processors
The current list of Sub-processors is below. We may update this list in accordance with Section 7; the current version is always available at this URL.
| Sub-processor | Service provided | Processing location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting (EU, US, Asia regions per contract) | EU / US / SG | EU SCCs (2021/914) + UK Addendum where relevant |
| Microsoft Azure | Cloud hosting and managed services | EU / US | EU SCCs |
| Google Cloud Platform | Cloud hosting and managed services | EU / US | EU SCCs |
| Cloudflare, Inc. | CDN, WAF, DDoS protection | Global | EU SCCs + UK Addendum |
| Stripe Payments Europe Ltd. | Payment processing | EU / US | EU SCCs (Stripe-Customer DPA) |
| SendGrid (Twilio) | Transactional email delivery | EU / US | EU SCCs |
| Zendesk, Inc. | Customer support helpdesk | EU / US | EU SCCs |
| Sentry / Datadog | Error monitoring & observability | EU / US | EU SCCs |
| Slack Technologies LLC | Internal collaboration (no customer data uploaded) | EU / US | EU SCCs |
This list is a current sample. To receive prior notice of changes, write to [email protected] with the subject "Sub-processor notifications" and the email address you wish to use.