Data Processing Agreement

Last updated: February 8, 2026

DATA PROCESSING AGREEMENT (DPA)

TripProf

Last updated: February 7, 2026

This Data Processing Agreement ("Agreement" or "DPA") forms an integral part of the Terms of Service and governs the processing of Personal Data by TripProf in connection with the provision of the Services.

This DPA is entered into between:

  • TripProf ("Processor" or "Service Provider"), and

  • The entity or individual using the Services ("Controller" or "Customer").

1. Definitions

Capitalized terms not defined herein shall have the meanings given in:

  • Regulation (EU) 2016/679 (GDPR),

  • UK GDPR,

  • TripProf Terms of Service.

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person.

  • "Processing" means any operation performed on Personal Data.

  • "Sub-processor" means any third party engaged by TripProf to process Personal Data.

2. Roles of the Parties

  • The Customer acts as the Data Controller.

  • TripProf acts as the Data Processor when processing Personal Data on behalf of the Customer.

  • For certain limited processing activities (e.g. account administration, security, analytics), TripProf may act as an independent Data Controller, as described in the Privacy Policy.

3. Scope and Purpose of Processing

TripProf shall process Personal Data solely for the purpose of providing, maintaining, and improving the Services, including:

  • User account management,

  • Trip planning and report generation,

  • Storage of user-provided travel data and content,

  • Analytics, monitoring, and security,

  • Customer support.

TripProf shall not process Personal Data for purposes other than those specified in this Agreement, unless required by law.

4. Categories of Data Subjects and Personal Data

4.1 Data Subjects

  • End users of the TripProf Services,

  • Trip participants added by users.

4.2 Categories of Personal Data

May include, depending on usage:

  • Identification and contact data,

  • Travel preferences and itineraries,

  • Optional dietary, accessibility, or religious preferences,

  • Uploaded content (photos, notes, documents),

  • Technical and usage data.

TripProf does not intentionally process special categories of data, except where voluntarily provided by users for personalization purposes.

5. Customer Obligations

The Customer represents and warrants that:

  • it has a valid legal basis for processing Personal Data,

  • it has provided all necessary notices and obtained required consents,

  • its instructions comply with applicable data protection laws.

The Customer remains solely responsible for the legality of Personal Data processed through the Services.

6. Processor Obligations

TripProf shall:

  • Process Personal Data only on documented instructions from the Customer,

  • Ensure that personnel authorized to process Personal Data are bound by confidentiality,

  • Implement appropriate technical and organizational security measures,

  • Assist the Customer in responding to data subject requests,

  • Assist with DPIAs and regulatory inquiries where required.

7. Security Measures

TripProf implements measures appropriate to the risk, including but not limited to:

  • Access controls and authentication mechanisms,

  • Encryption in transit and at rest where appropriate,

  • Logging and monitoring,

  • Incident response procedures.

TripProf does not guarantee absolute security, but commits to industry-standard protections.

8. Sub-processing

The Customer provides a general authorization for TripProf to engage Sub-processors for the performance of the Services.

TripProf may engage Sub-processors to provide infrastructure, payment-related services, analytics, monitoring, authentication, messaging, application delivery, and AI-enabled functionalities.

Such Sub-processors may be located within the European Union or in third countries, including the United States.

Where Sub-processors are located outside the European Economic Area and the relevant jurisdiction does not provide an adequate level of data protection, TripProf shall ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms in accordance with applicable data protection laws.

TripProf shall:

  • impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA;

  • remain fully responsible for the performance of Sub-processors with respect to their data protection obligations;

  • maintain an up-to-date list of Sub-processors and make such list available to the Customer upon request or via a publicly accessible location;

  • inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, where required by applicable law.

Certain service providers involved in payment processing act as independent data controllers with respect to payment card data processed through their platforms. In such cases, TripProf acts solely as a conduit for limited transaction-related metadata, and the relevant provider’s own privacy policy and data controller obligations shall apply.

9. International Data Transfers

Where Personal Data is transferred outside the European Union or the United Kingdom to a country that does not provide an adequate level of data protection under applicable law, TripProf shall ensure that such transfers are carried out subject to appropriate safeguards.

Such safeguards may include, as applicable:

  • the Standard Contractual Clauses approved by the European Commission;

  • the UK International Data Transfer Addendum or other UK-approved transfer mechanisms;

  • any other lawful transfer mechanisms recognized under applicable data protection laws.

TripProf shall assess the circumstances of the transfer and, where required, implement supplementary technical and organizational measures to ensure a level of protection essentially equivalent to that guaranteed within the EU and the UK.

Details regarding the locations of Sub-processors and the applicable transfer mechanisms shall be documented and made available to the Customer upon request or via a separate annex or publicly accessible sub-processor list.

10. Data Subject Rights

Taking into account the nature of the processing, TripProf shall assist the Customer by:

  • implementing technical and organizational measures,

  • responding to requests for access, rectification, erasure, restriction, portability, or objection.

11. Personal Data Breach

In the event of a Personal Data Breach, TripProf shall:

  • notify the Customer without undue delay and in any event within 48 hours of becoming aware of the breach, to enable the Controller to comply with the 72-hour supervisory authority notification requirement under GDPR Article 33,

  • provide information reasonably required for compliance with legal obligations.

12. Data Retention and Deletion

Upon termination of the Services:

  • Personal Data shall be deleted from active systems within 24 hours of account deletion,

  • automated encrypted backups are purged in accordance with standard infrastructure retention cycles (up to 7 days),

  • unless retention is required by law.

Deletion may be canceled by the user within the 24-hour grace period.

13. Audits

TripProf shall make available information reasonably necessary to demonstrate compliance with this DPA.

Audits:

  • must be reasonable,

  • limited in scope,

  • subject to confidentiality and security obligations.

14. Liability

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.

Nothing in this DPA increases TripProf's liability beyond what is required by applicable law.

15. CCPA / CPRA Compliance

For purposes of CCPA/CPRA:

  • TripProf acts as a Service Provider,

  • does not sell or share Personal Data,

  • processes data solely for business purposes.

16. Governing Law

This DPA shall be governed by the same law and jurisdiction as the Terms of Service, unless otherwise required by mandatory data protection law.

17. Order of Precedence

In the event of conflict, the general order of precedence across the TripProf legal framework is:

  1. Terms of Service

  2. EULA

  3. Privacy Policy

  4. DPA

  5. Other policies

For matters specifically relating to personal data protection, this DPA takes precedence over the Terms of Service, EULA, and other non-data-protection policies.

18. Contact

For data protection matters:
privacy@tripprof.com

Version 18 · EN