Travyxo — Data Processing Agreement
Effective date: {{EFFECTIVE_DATE}}
Last updated: {{LAST_UPDATED_DATE}}
Version: 1.0-draft
Plain-English summary. This Agreement governs how Travyxo handles personal data about your end travelers when you use the Travyxo service. You (the Customer) are the controller of that data; Travyxo is the processor. This document includes our security commitments, our sub-processor list, EU Standard Contractual Clauses, and the UK International Data Transfer Addendum.
Status. This is a draft pending legal review. It is not yet in force.
1. Parties and background
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Travyxo Terms of Service (the "Agreement") between {{COMPANY_LEGAL_NAME}} of {{COMPANY_ADDRESS}} ("Travyxo", "we", "us") and the Customer identified in the Agreement ("Customer", "you").
This DPA applies whenever Travyxo processes Personal Data on Customer's behalf in the course of providing the Service.
2. Definitions
Capitalised terms not defined here have the meaning given in the Agreement or in the GDPR.
- "Applicable Data Protection Law" means the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended ("CCPA/CPRA"), and any other data-protection law applicable to a Party's processing of Personal Data.
- "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach" have the meanings given in GDPR Article 4.
- "Sub-processor" means a third party engaged by Travyxo to process Customer Personal Data in Travyxo's capacity as Processor within the meaning of Article 28(2) of the GDPR.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office, version B1.0 in force on 21 March 2022.
- "Service" has the meaning given in the Agreement.
- "Customer Personal Data" means Personal Data Travyxo processes on Customer's behalf, including End Traveler personal data as described in Annex I.B.
3. Roles, scope and duration
For the purposes of Applicable Data Protection Law, Customer is the Controller and Travyxo is the Processor in respect of Customer Personal Data. Travyxo processes Customer Personal Data solely on Customer's behalf and in connection with providing the Service as described in the Agreement. Travyxo does not determine the purposes or means of processing Customer Personal Data; those determinations are made by Customer in its capacity as Controller.
The scope of Travyxo's processing is limited to the activities described in Annex I.B of this DPA. Travyxo shall not process Customer Personal Data for any other purpose, including for Travyxo's own commercial purposes, without Customer's prior written consent.
This DPA remains in force for the duration of Customer's Subscription under the Agreement. It terminates automatically upon expiry or termination of the Agreement, subject to the deletion and return obligations set out in §13.
4. Customer instructions
Customer's documented instructions to Travyxo consist of: (a) the Agreement; (b) this DPA; and (c) any further written instructions Customer provides during the term of the Agreement, whether via the Service's configuration features or through direct written communication with Travyxo. These documents together constitute the complete and final set of Customer's processing instructions.
Travyxo shall process Customer Personal Data only in accordance with those instructions, except where Applicable Data Protection Law requires otherwise. If Applicable Data Protection Law requires Travyxo to process Customer Personal Data for reasons other than Customer's instructions, Travyxo will notify Customer of that requirement before undertaking the processing unless the relevant law prohibits such notification.
If Travyxo reasonably believes that a Customer instruction would, if followed, infringe Applicable Data Protection Law, Travyxo will notify Customer of that concern in writing without undue delay. Travyxo is not obligated to carry out legal analysis on Customer's behalf and such notification does not constitute legal advice. Customer retains responsibility for determining the lawfulness of its own instructions.
5. Confidentiality of personnel
Travyxo ensures that all personnel authorised to process Customer Personal Data are subject to appropriate confidentiality obligations — whether contractual (such as obligations in their employment or contractor agreements) or statutory — that require them to keep Customer Personal Data confidential and to process it only as permitted under this DPA and the Agreement.
Travyxo provides data-protection training, proportionate to their responsibilities, to personnel who process Customer Personal Data on a regular basis. Such training covers at a minimum the applicable requirements of Applicable Data Protection Law, the handling obligations under this DPA, and the consequences of unauthorised disclosure or misuse of personal data.
Access to Customer Personal Data by Travyxo personnel is limited on a need-to-know basis. Personnel are granted access only where necessary to carry out their function in connection with providing the Service.
6. Security
Travyxo implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, as further described in Annex II. Travyxo may update Annex II from time to time provided that the overall level of protection is not reduced.
7. Sub-processing
Customer grants Travyxo a general written authorisation to engage Sub-processors. The current list of authorised Sub-processors is set out in Annex III.
Travyxo will give Customer at least 30 days' prior notice of any intended changes to the Sub-processor list by updating Annex III of this DPA and by email to the contact address on file for the Customer account. Customer may object to a change on reasonable data-protection grounds within that notice period; if the objection cannot be resolved, Customer may terminate the affected portion of the Service on reasonable notice.
Travyxo will impose on each Sub-processor data-protection obligations no less protective than those in this DPA and will remain liable for each Sub-processor's performance.
8. Data subject rights — assistance
Travyxo provides reasonable assistance to enable Customer to fulfil its obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, taking into account the nature of Travyxo's processing. Where the Service provides in-app self-service features — such as the ability to export or delete Client records and associated personal data — Customer should use those features as the primary means of responding to Data Subject requests. Where the in-app features are insufficient to address a particular request, Travyxo will provide additional assistance on a case-by-case basis, on Customer's reasonable written request.
If Travyxo receives a request directly from a Data Subject that relates to Customer Personal Data, Travyxo will acknowledge receipt of the request to the Data Subject and forward the request to Customer without undue delay. Travyxo will not otherwise respond to the Data Subject's request unless it is legally required to do so. Customer is solely responsible for determining the appropriate response to such a request in Customer's capacity as Controller.
9. Personal Data Breach notification
Travyxo will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours after becoming aware of it, via email to the contact address on file. The notification will include, to the extent then known: the nature of the breach; the categories and approximate number of Data Subjects and records concerned; the likely consequences; and the measures taken or proposed.
10. DPIA and prior consultation assistance
Where Customer is required under Applicable Data Protection Law to carry out a Data Protection Impact Assessment ("DPIA") pursuant to Article 35 of the GDPR, or to engage in prior consultation with a supervisory authority pursuant to Article 36 of the GDPR, and where such assessment or consultation relates to Travyxo's processing under this DPA, Travyxo will provide Customer with reasonable assistance with that assessment or consultation, taking into account the information available to Travyxo and the nature of Travyxo's processing activities.
Such assistance may include: providing information about the processing activities described in Annex I.B; describing the technical and organizational measures set out in Annex II; and responding to reasonable information requests from Customer or from a supervisory authority. Travyxo is not obligated to undertake a DPIA on Customer's behalf or to make legal determinations regarding the necessity of a DPIA.
11. Audits and inspections
Travyxo will make available to Customer such information as is reasonably necessary to demonstrate Travyxo's compliance with this DPA. Where available, Travyxo will provide relevant third-party audit reports — such as SOC 2 Type II or ISO 27001 certification reports — on Customer's written request, under a non-disclosure agreement, without charge. Where such reports adequately address Customer's stated compliance concern, they shall be deemed to satisfy Customer's audit right for that period.
In addition, Travyxo will allow for and contribute to audits, including on-site inspections, conducted by Customer or an independent auditor mandated by Customer, subject to the following conditions: (a) Customer provides at least 30 days' prior written notice; (b) audits are conducted no more than once per calendar year; (c) audits take place during normal business hours, at Customer's cost, and are limited in scope to Travyxo's facilities and systems directly relevant to Travyxo's processing under this DPA; (d) Customer and its auditor shall have no access to any other customer's data or to Travyxo's confidential, commercially sensitive, or legally privileged information; and (e) Customer and its auditor shall comply with Travyxo's reasonable security and confidentiality requirements during the audit.
12. International transfers
Where Travyxo's processing of Customer Personal Data involves a transfer outside the EEA or the UK to a country not subject to an adequacy decision, the parties incorporate by reference:
- the EU Standard Contractual Clauses (Module 2, Controller → Processor; and Module 3, Processor → Sub-processor, where applicable), as set out in Annex IV; and
- the UK International Data Transfer Addendum to the EU SCCs, as set out in Annex V.
Where there is any conflict between this DPA and the SCCs or the UK Addendum in respect of an in-scope transfer, the SCCs or the UK Addendum (as applicable) prevail.
13. Deletion or return on termination
At Customer's choice, Travyxo will either return or delete Customer Personal Data at the end of the Agreement. Customer may exercise the return option by exporting Customer Personal Data using the Service's export features during the 30-day window following termination or expiry of the Agreement. Where Customer requires a complete data return that the export features cannot fully satisfy, Customer may request reasonable cooperation from Travyxo in writing within that window and Travyxo will provide it.
Thereafter, Travyxo will delete Customer Personal Data from active production systems within 30 days, and from backups in line with Travyxo's documented backup-rotation period. Travyxo will certify deletion on Customer's reasonable written request unless retention is required by law.
14. Liability, precedence, governing law, miscellaneous
(a) Liability. Each party's liability under or in connection with this DPA is subject to the limitation-of-liability provisions set out in the Agreement. Nothing in this DPA extends or supplements the liability cap or exclusions stated in the Agreement, except to the extent that liability cannot be limited under Applicable Data Protection Law (for example, with respect to obligations that the SCCs impose directly on the parties as data importer or data exporter).
(b) Order of precedence. Where there is any conflict or inconsistency between this DPA and the Agreement on a matter relating to data protection or the processing of Customer Personal Data, this DPA prevails. In all other respects, the Agreement prevails over this DPA.
(c) Governing law. This DPA is governed by the law of {{GOVERNING_LAW}}, without regard to conflict-of-laws principles, and the parties submit to the exclusive jurisdiction of {{GOVERNING_COURT}}, except as otherwise required by the SCCs or the UK Addendum in respect of an in-scope transfer.
(d) Severability. If any provision of this DPA is held invalid or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid and enforceable, and the remaining provisions shall continue in full force and effect.
(e) No third-party beneficiaries. This DPA does not create any rights in favour of third parties except as expressly required by the SCCs or the UK Addendum in respect of Data Subjects.
Annex I — Description of the processing
I.A — List of Parties
Data exporter / Controller: Customer, as identified in the Agreement. Contact details and DPO (if any) are as Customer has provided in its Travyxo account profile. Activities relevant to the data transferred: operating a tour-operator business that uses the Travyxo Service to manage tour packages, client information, and itineraries.
Data importer / Processor: {{COMPANY_LEGAL_NAME}}, of {{COMPANY_ADDRESS}}. Contact: {{PRIVACY_EMAIL}} (and {{DPO_EMAIL}} if appointed). Activities relevant to the data transferred: providing the Travyxo Service as described in the Agreement.
I.B — Description of the processing
Categories of Data Subjects
The Customer Personal Data processed under this DPA relates to four categories of Data Subjects:
- End Travelers — individuals whose personal data Customer has entered into the Travyxo Service in connection with managing tour packages, bookings, and itineraries. These are typically the Customer's clients or prospective clients.
- Client Portal users — End Travelers who have been invited to create a Client Portal account under the Customer's Travyxo workspace, enabling them to log in to view itineraries, communicate with the tour company, and manage their own profile.
- Intake-form submitters — individuals who complete a Customer-configured intake form published via the Travyxo Service, providing their personal data directly.
- Customer staff users — individuals employed or engaged by Customer who are granted access to the Travyxo Service by Customer (as Company Admin or Company Staff). Personal data processed includes: name, email address, Clerk user ID, and role assignment within the Service.
Categories of Personal Data
The categories of personal data processed include: full name; email address; telephone number; nationality; arrival and departure dates; tour interest description and preferences; free-form notes and chat messages exchanged with Customer's staff via the Client Portal; Client Portal account credentials (passwords are stored in hashed form only; plaintext passwords are never stored); Client Portal profile information as completed by the Data Subject.
Sensitive Data
Travyxo does not intentionally collect special categories of personal data (within the meaning of Article 9 GDPR) under this DPA. If Customer or a Data Subject includes sensitive personal data in free-text fields (such as notes, chat messages, or intake form responses), that data will be stored and processed to the same standard as other Customer Personal Data under Annex II, but no additional safeguards beyond those in Annex II are guaranteed for such incidental inclusion. Customer is responsible for ensuring that any special-category data it causes to be processed through the Service is processed on a valid legal basis.
Frequency of processing
Processing is continuous throughout the Subscription term, occurring whenever Customer staff or Data Subjects interact with the Service.
Nature and purpose of processing
Travyxo processes Customer Personal Data to provide the Service as described in the Agreement. The specific processing activities include: hosting and storing Customer Personal Data in Travyxo's managed database environment; retrieving and displaying Customer Personal Data to authorised Customer staff within the Service; generating PDF itinerary documents incorporating End Traveler details as configured by Customer; presenting Customer Personal Data via shareable public itinerary links as configured and shared by Customer; operating the Client Portal, including authenticating Client Portal users and enabling secure communication between End Travelers and Customer's staff; delivering transactional email notifications via Resend (such as Client Portal invitations, password-reset messages, and staff welcome emails) where Customer has configured such notifications.
Duration of processing
Travyxo retains Customer Personal Data for the duration of the Customer's Subscription, plus a post-termination period of up to 60 days (a 30-day export window during which Customer may retrieve data, followed by deletion from active production systems within 30 days after the export window closes). Thereafter, Customer Personal Data is deleted from backup systems in line with Travyxo's documented backup-rotation period (see Annex II — Backups and recovery). These retention periods are subject to any legal obligation requiring Travyxo to retain specific data for a longer period.
I.C — Competent supervisory authority
The competent supervisory authority for the purposes of the SCCs is determined by Customer's place of establishment. Where Customer is established in the EEA, the competent supervisory authority is the lead supervisory authority for Customer's main establishment or, where Customer has no main establishment in the EEA, the supervisory authority in the EU Member State in which Customer is established. Where Customer has no establishment in the EEA or the UK, the competent supervisory authority is the lead authority for Customer's EU representative.
Annex II — Technical and organizational security measures
The following technical and organizational measures ("TOMs") are implemented by Travyxo to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Encryption
In transit: All data transmitted between end users and Travyxo's application is encrypted using TLS (Transport Layer Security) 1.2 or higher. API communication between application components and third-party services is also conducted over TLS.
At rest: Customer Personal Data stored in Travyxo's managed database (Neon PostgreSQL) is encrypted at rest using AES-256 encryption, as provided by default by Neon's managed service. Files and assets stored in Cloudflare R2 object storage are encrypted at rest using AES-256 encryption, as provided by default by Cloudflare's managed service.
Identity and access controls
Authentication: All Customer staff access to the Travyxo Service is mediated by Clerk, Travyxo's identity and authentication provider. Clerk provides secure session management, credential hashing, and supports multi-factor authentication (MFA).
Internal access: Travyxo personnel are granted access to Customer Personal Data only on a need-to-know basis. The principle of least privilege is applied: personnel are given the minimum level of access required to carry out their role. Access to production database environments requires multi-factor authentication.
Role-based access: Within the Service, access is controlled by role — Company Admin and Company Staff — enforced at the application layer. Customer can manage user roles and revoke access via the Service's user management features.
Client Portal authentication: Client Portal user accounts are authenticated separately via a dedicated session mechanism (cps cookie), with passwords stored in hashed form using a recognised cryptographic algorithm.
Tenant isolation
Application layer: All Customer Personal Data is scoped to the Customer's companyId at the application layer. Travyxo's code enforces that every data access operation filters by companyId, derived from the authenticated session rather than from client-supplied request parameters.
Database layer: Travyxo's PostgreSQL database is protected by Row-Level Security (RLS) policies that enforce tenant isolation at the database level. RLS policies are implemented with FORCE ROW LEVEL SECURITY to ensure that even queries that bypass application-layer scoping cannot access another tenant's data. The design and implementation of these policies are documented in the internal specification docs/superpowers/specs/2026-04-09-tenant-isolation-rls-design.md.
These two controls together provide defence-in-depth tenant isolation: a defect at the application layer is backstopped by the database-level policy.
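For illustration only, the database-layer control described above can be expressed in PostgreSQL as follows. This is an added example, not Travyxo's own schema or policy definitions; the table `clients`, the column `company_id`, the setting `app.company_id`, the role `app_user` and the tenant identifiers are assumptions.

```sql
-- Added illustration. All object names and sample rows are constructed.
CREATE TABLE clients (
    company_id text NOT NULL,   -- tenant key, set from the authenticated session
    full_name  text NOT NULL
);

-- ENABLE turns policies on for ordinary roles.
-- FORCE also subjects the table owner to them; without FORCE the owner is exempt.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted.
-- WITH CHECK rejects rows written for any tenant other than the current one.
-- current_setting(..., true) yields NULL (or '') when the setting is absent,
-- so a connection without tenant context matches no rows (fails closed).
CREATE POLICY tenant_isolation ON clients
    USING      (company_id = current_setting('app.company_id', true))
    WITH CHECK (company_id = current_setting('app.company_id', true));

-- Application role: not a superuser and without BYPASSRLS, since both skip RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON clients TO app_user;
SET ROLE app_user;

-- Seed one constructed row per tenant, each inside its own tenant context.
BEGIN;
SELECT set_config('app.company_id', 'co_A', true);   -- true = transaction-local
INSERT INTO clients VALUES ('co_A', 'Traveler One');
COMMIT;

BEGIN;
SELECT set_config('app.company_id', 'co_B', true);
INSERT INTO clients VALUES ('co_B', 'Traveler Two');
COMMIT;

-- Request handled for tenant co_A: a query with no WHERE clause at all
-- (an application-layer scoping defect) still sees only co_A rows.
BEGIN;
SELECT set_config('app.company_id', 'co_A', true);
SELECT company_id, full_name FROM clients;
-- A cross-tenant write is rejected by WITH CHECK and aborts the transaction.
INSERT INTO clients VALUES ('co_B', 'Misfiled Traveler');
ROLLBACK;

-- No tenant context set: the policy predicate is not true for any row.
SELECT count(*) FROM clients;

-- Checks an auditor can run: RLS flags on the table, bypass flags on the role.
RESET ROLE;
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'clients';
SELECT rolname, rolsuper, rolbypassrls
  FROM pg_roles WHERE rolname = 'app_user';
```

The two catalog queries at the end are the ones to rerun after schema migrations: a table created without `relforcerowsecurity`, or an application role with `rolsuper` or `rolbypassrls` set, is outside the backstop.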
Audit logging
Application logs: Travyxo's application generates logs of significant events, including authentication events, data access, and administrative actions. These logs are retained for security monitoring and incident response purposes.
Provider-level logs: Travyxo's hosting providers (Vercel, Neon, Cloudflare) generate and retain their own infrastructure and access logs in accordance with their respective security practices and data-retention policies.
Logs are reviewed as part of routine security monitoring and are available for incident response investigations.
Backups and recovery
Production data is backed up via Neon's managed point-in-time recovery (PITR), with a default recovery window of seven (7) days on production plans. Backups are encrypted at rest. Customer Personal Data deleted from production systems is removed from backup snapshots within this rotation window. Travyxo will notify Customer if the rotation window changes materially.
Vulnerability management
Dependency monitoring: Travyxo monitors application dependencies for known security vulnerabilities using automated dependency scanning tools. Critical vulnerabilities are prioritised for remediation.
Security review: Changes to the Service that touch authentication mechanisms, session management, data access controls, or tenant isolation logic are subject to security review before deployment to production.
Security patches: Operating system and infrastructure patches are applied by Travyxo's managed service providers (Vercel, Neon, Cloudflare) in accordance with their own patching schedules. Application-level security patches are applied by Travyxo on a risk-based timeline.
Incident response
Travyxo maintains a documented incident response playbook covering the identification, containment, investigation, remediation, and communication of security incidents, including Personal Data Breaches. The playbook includes the 72-hour breach-notification commitment described in §9 of this DPA. Personnel responsible for incident response are trained on the playbook and review it periodically.
Sub-processor due diligence
Before engaging a Sub-processor that will process Customer Personal Data, Travyxo conducts due diligence on the Sub-processor's data-protection practices and contractual commitments. Travyxo imposes data-protection obligations on each Sub-processor by contract, requiring at minimum that the Sub-processor implements appropriate technical and organizational security measures and processes Customer Personal Data only on Travyxo's instructions. The Sub-processors currently engaged are listed in Annex III.
Annex III — Sub-processors
The list below is current as of {{LAST_UPDATED_DATE}}. Travyxo may update this list under §7 above with 30 days' prior notice.
| Name | Purpose | Location | Transfer mechanism (if non-EEA/UK) |
|---|---|---|---|
| Clerk, Inc. | Authentication & identity (Customer staff and Client Portal accounts) | USA | EU SCCs + UK IDTA |
| Stripe, Inc. | Payment processing (Customer subscriptions) | USA / Ireland | EU SCCs + UK IDTA |
| Neon, Inc. | Managed PostgreSQL hosting (application database) | Region per deployment — confirm at publication | EU SCCs + UK IDTA where applicable |
| Cloudflare, Inc. (R2) | Object storage for images and assets | Global / region per deployment | EU SCCs + UK IDTA where applicable |
| Vercel, Inc. | Application hosting and serverless functions | USA / global | EU SCCs + UK IDTA |
| Resend, Inc. | Transactional email delivery (portal invites, staff welcome, password reset) | USA | EU SCCs + UK IDTA |
| Upstash, Inc. | Redis caching and rate-limit storage (Vercel KV) | Region per deployment — confirm at publication | EU SCCs + UK IDTA where applicable |
| Google LLC (Maps Platform) | Geocoding, static map image generation for PDFs, and interactive map rendering for tour locations | USA / global | EU SCCs + UK IDTA |
| Svix, Inc. | Webhook delivery infrastructure (used by Clerk to deliver identity events) | USA | EU SCCs + UK IDTA |
Annex IV — EU Standard Contractual Clauses
The parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), incorporated here by reference, govern transfers of Customer Personal Data from the EEA to Travyxo or its Sub-processors in countries not subject to an adequacy decision.
The following modules apply:
- Module 2 (Controller to Processor) — for direct transfers from Customer (as data exporter) to Travyxo (as data importer).
- Module 3 (Processor to Sub-processor) — where applicable to onward transfers from Travyxo to Sub-processors listed in Annex III.
The following docking, optional and selection clauses are confirmed:
- Docking clause (Clause 7): enabled.
- General authorisation (Clause 9, Option 2): selected, with the 30-day notice period in §7 of this DPA.
- Clause 11 (Redress) optional language: not adopted in this template. Customer may request that the optional Clause 11 paragraph be included by writing to {{LEGAL_EMAIL}} before signing; otherwise, Data Subjects retain their statutory rights to redress directly without the additional independent dispute-resolution path.
- Clause 17 (Governing law): the law of the EU Member State of Customer's establishment, or, if Customer has no EEA establishment, the law of Ireland.
- Clause 18 (Choice of forum and jurisdiction): the courts of the EU Member State referenced in Clause 17.
Annexes I, II and III of the SCCs are populated as follows:
- SCC Annex I.A (List of Parties) — as set out in Annex I.A above.
- SCC Annex I.B (Description of the transfer) — as set out in Annex I.B above.
- SCC Annex I.C (Competent supervisory authority) — as set out in Annex I.C above.
- SCC Annex II (Technical and organizational measures) — as set out in Annex II above.
- SCC Annex III (List of sub-processors) — as set out in Annex III above.
Annex V — UK International Data Transfer Addendum
The parties agree that the UK International Data Transfer Addendum to the EU SCCs (UK ICO version B1.0, in force 21 March 2022) is incorporated here by reference and applies to transfers of Customer Personal Data from the United Kingdom to Travyxo or its Sub-processors in countries not subject to UK adequacy regulations.
Part 1 Tables of the UK Addendum are completed as follows:
- Table 1 (Parties) — as set out in Annex I.A above.
- Table 2 (Selected SCCs, Modules and Selected Clauses) — the EU SCCs as set out in Annex IV.
- Table 3 (Appendix Information) — Annexes I.A, I.B, I.C, II and III above.
- Table 4 (Ending the Addendum when the Approved Addendum Changes) — either Party may end the Addendum in accordance with Section 19 of the UK Addendum.
