Data Protection and Privacy Addendum

Data Protection and Privacy Addendum

This Data Protection and Privacy Addendum (the “DPA”) forms part of the Agreement to which it is attached. The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them elsewhere in the Agreement.

1. Definitions

The following terms shall have the meanings set out below:

“Customer Personal Data” means any Personal Data processed by DerbySoft on behalf of Customer under the Agreement.

“Data Protection Laws” means data protection and privacy laws and regulations in any relevant jurisdiction that are applicable to DerbySoft’s Processing of Personal Data, including, to the extent directly applicable, General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Regulation and the Data Protection Act of 2018 (“UK Data Protection Law), China’s Personal Information Protection Act, and the California Consumer Privacy Act, California Civil Code § 1798.100 et seq as amended by the California Privacy Rights Act of 2020 and its implementing regulations (“CCPA”).

“Services” means the services performed by DerbySoft under the Agreement.

“Sell” and “Share” are defined as set out in the CCPA.

“Standard Contractual Clauses” means the European Commission Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj completed as set out in Section 11.

“Subprocessor” means any person (excluding an employee of DerbySoft or any of its allowed sub-contractors) appointed by or on behalf of DerbySoft to Process Personal Data on behalf of the Customer under the Agreement.

The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data Breach”, and “Supervisory Authority” shall have the same meaning as in the GDPR.

2. Processing of Customer Personal Data

2.1 Customer represents and warrants that Customer Personal Data sent or otherwise disclosed to Derbysoft for Processing has been collected in compliance with Data Protection Laws.

2.2 Customer represents and warrants that Customer Personal Data sent to DerbySoft for Processing was collected in accordance with one or more legal bases as required by Data Protection Laws.

2.3 DerbySoft covenants and agrees (a) to comply with Data Protection Laws in Processing Customer Personal Data, and (b) not to Process Customer Personal Data other than on and according to Customer’s documented instructions and as reasonably necessary for the performance of the Agreement, unless Processing is required by Data Protection Laws, in which case DerbySoft shall to the extent permitted by Data Protection Laws inform Customer of such legal requirement before the relevant Processing of Customer Personal Data.

2.4 Customer instructs DerbySoft (and authorizes DerbySoft to instruct each Subprocessor) to Process Customer Personal Data and to transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Agreement.

2.5 DerbySoft shall not: (i) Sell or Share Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services; (iii) retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Services; or (iv) retain, use, or disclose Customer Personal Data outside of the direct business relationship between DerbySoft and Customer. DerbySoft certifies that it understands the restrictions in Section 2.3 and will comply with them.

3. DerbySoft Personnel

DerbySoft shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of DerbySoft who may have access to Customer Personal Data, ensuring in each case that (a) access is strictly limited to those individuals who need to know/access the relevant Customer Personal Data as strictly necessary for the purposes of the Agreement or to comply with Data Protection Laws, and (b) such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DerbySoft shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, DerbySoft shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach.

4.3 The minimum technical and organizational measures to be implemented by DerbySoft are set forth in Attachment 2.

5. Subprocessing

5.1 Customer authorizes DerbySoft to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the Agreement.

5.2 DerbySoft may continue to use those Subprocessors already engaged by DerbySoft or any DerbySoft Affiliate as of the date of this Agreement, subject to DerbySoft meeting the obligations set out in section 5.4. A list of DerbySoft’s current Subprocessors as of the Effective Date is attached as Attachment 3 to this DPA.

5.3 DerbySoft shall give the Customer 30 days prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 10 days of receipt of that notice, Customer notifies DerbySoft in writing of a reasonable objection to the proposed appointment, DerbySoft will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid the Processing of Customer Personal Data by the objected-to Subprocessor.

5.4 With respect to each Subprocessor, DerbySoft shall:

(a) Review the Subprocessor’s practices and procedures to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Agreement.

(b) Enter into a written agreement with the Subprocessor which includes provisions that are at least as protective of Customer Personal Data as those set out in the Agreement and meet the requirements of Article 28(3) of the GDPR.

(c) If processing by the Subprocessor requires an onward transfer of Customer Personal Data which would be prohibited by Data Protection Laws without the Subprocessor’s agreement to the Standard Contractual Clauses, DerbySoft shall require the Subprocessor to agree to such terms as part of the written agreement referenced under Paragraph 5.4(b); and

(d) Provide Customer with copies of the Subprocessor agreement(s) required under Paragraph 5.4(b), as Customer may request from time to time, which may be redacted to remove Confidential Information not relevant to the requirements of this DPA.

5.5 DerbySoft shall ensure that each Subprocessor performs the obligations under Sections 2, 3, 6.2, 7, and 9.1, as they apply to the Processing of Customer Personal Data carried out by that Subprocessor as if it were a party to this DPA in place of DerbySoft.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, DerbySoft shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 DerbySoft shall:

(a) Promptly notify Customer if any of its Subprocessors receives a request from a Data Subject under Data Protection Laws in respect of Customer Personal Data; and

(b) Not respond to any such request except as instructed by Customer in writing or as required by Data Protection Laws, in which case DerbySoft shall inform Customer prior to responding to the request as permitted by Data Protection Laws.

7. Personal Data Breach

7.1 DerbySoft shall notify Customer without undue delay upon DerbySoft becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet its obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.

7.2 DerbySoft shall cooperate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of a Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

DerbySoft and each DerbySoft Affiliate shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, DerbySoft.

9. Deletion or Return of Customer Personal Data

9.1 Subject to Sections 9.2 and 9.3, DerbySoft shall promptly and in any event within twenty-five (25) days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of Customer Personal Data.

9.2 Subject to Section 9.3, Customer may by written notice to DerbySoft within five (5) days of the Cessation Date require DerbySoft and each DerbySoft Affiliate to (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably requested by Customer to DerbySoft; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by anySubprocessor.

9.3 DerbySoft may retain Customer Personal Data to the extent required by applicable law.

9.4 DerbySoft shall provide written certification to Customer that it and each DerbySoft Affiliate has fully complied with this Section 9 within thirty (30) days of the Cessation Date.

10. Certifications and Audits

10.1 DerbySoft Certifications. Upon the Customer’s request, and provided that the parties have an applicable NDA in place, DerbySoft will make available the following information:

• Payment Card Industry Data Security Standard (“PCI DSS”) Attestation of Compliance (“AOC”).

• System and Organization Controls (“SOC”) 2 report.

• Other applicable policies, standards, procedures, and frameworks describe the controls implemented by DerbySoft.

10.2 Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Processing and the information available to DerbySoft, DerbySoft will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information DerbySoft makes available under this Section 10.

10.3 Customer Audits. If Customer chooses to conduct any audit, including any inspection, it has the right to request one on its own behalf, and on behalf of its controller(s) (with its controller(s)’ prior written consent) when Customer is acting as a processor, under Data Protection Laws or the Standard Contractual Clauses, by providing at least thirty (30) days prior written notice instructing DerbySoft to carry out the audit described in this Section 10. Audits must be performed during regular business hours so as not to disrupt DerbySoft’s business. Audits will be performed no more than once annually or following notice by DerbySoft to Customer of a Personal Data Breach, upon Customer’s reasonable belief that DerbySoft is in breach of its obligations in respect of the protection of Customer Personal Data under this DPA, or if such audit is required by Customer’s supervisory authority.

11. Restricted Transfers

11.1 European Economic Area. To the extent, Customer Personal Data is transferred from the European Economic Area (“EEA”) and such transfer would otherwise be prohibited by Data Protection Law, Customer (as “data exporter”) and DerbySoft (as “data importer”) hereby enter into and are deemed to have signed the Standard Contractual Clauses which form part of this DPA and are completed as follows:

(a) Module 2 of the Standard Contractual Clauses applies to transfers of Customer Personal Data from Customer (as a controller) to DerbySoft (as a processor) and Module 3 of the Standard Contractual Clauses applies to transfers of Customer Personal Data from Customer (as a processor) to DerbySoft (as a processor).

(b) Clause 7 of Modules 2 and 3 (the optional docking clause) is not included.

(c) Under Clause 9 of Modules 2 and 3, Customer and DerbySoft select Option 2 (General Written Authorization). The initial list of sub-processors is set forth in Attachment 3 of this DPA, and DerbySoft will propose updates to that list at least 30 days prior to making any additions or replacements of subprocessors in accordance with Section 5.3 of this DPA.

(d) Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be included.

(e) Under Clause 17 of Modules 2 and 3 (Governing Law) and Clause 18 of Modules 2 and 3 (Jurisdiction), Customer and DerbySoft choose Spain.

(f) Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Attachment 1 of this DPA.

(g) Under Annex I(C) of Modules 2 and 3 (Competent Supervisory Authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Spanish Data Protection Authority.

(h) Annex II of Modules 2 and 3 (Technical and Organizational Measures) is completed with Attachment 2 of this DPA.

11.2 United Kingdom. To the extent Customer Personal Data is transferred from the UK and such transfer would otherwise be prohibited by Data Protection Law, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf) (“IDTA”) forms part of this DPA. The IDTA shall be completed as follows:

(a) Table 1 of the IDTA:

(i) The parties’ details shall be the parties and their affiliates to the extent any of them are involved in such transfer, including those set forth in the Agreement.

(ii) The Key Contacts shall be the contacts set forth in the Agreement.

(b) Table 2 of the IDTA: The Approved Standard Contractual Clauses referenced in Table 2 shall be the Standard Contractual Clauses as executed by the parties.

(c) Table 3 of the IDTA: Annex 1A, 1B, II, and III shall be set forth in Attachment 1 of this DPA.

(d) Table 4 of the IDTA: Both parties may end the IDTA as set out in Section 19 of the IDTA.

(e) By entering into this DPA, the parties are deemed to have signed the IDTA, the Mandatory Clauses in Part 2, and its applicable Tables and Appendix Information.

11.3 China. To the extent that Customer Personal Data is transferred from China and such transfer would be otherwise prohibited by Data Protection Law, the PRC Standard Contractual Clauses (available at https:www.cac.gov.cn/2023-02/24/c_1678884830036813.htm) (“PRC SCCs”) form part of this DPA and the parties agree as follows:

(a) With respect to any data acquired and processed by the Parties for the purpose of completing the cooperation hereunder and the information concerning relevant personal information subject (if any), the Parties will use and process such information in accordance with the requirements under relevant applicable laws, administrative regulations, and national standards and within the purpose of this Agreement. In the event DerbySoft or its agents process any Personal Data on behalf of Customer, the Parties agree that the terms and conditions of the PRC Data Protection and Privacy Addendum attached hereto, which is incorporated herein by this reference, shall apply. Except where expressly agreed by the parties in writing, where DerbySoft is acting as an intermediary between Customer and a third party, DerbySoft shall only be deemed to process information on behalf of Customer to the extent such information is received by DerbySoft from Customer and not received from such third party.

(b) In the event that Customer Data involves cross-border transfer as per Customer’s request, both Parties agree to comply with applicable PRC SCCs provided and updated (if applicable) by the supervisory authorities in PRC and incorporated into this DPA. Subject to PRC SCCs, both Parties may amend certain terms under the PRC SCCs based on the business relationship, as long as it does not contradict what is provided under the PRC SCCs.

12. Order of Precedence

Nothing in this DPA reduces DerbySoft’s obligations under the other terms and conditions of the Agreement in relation to the protection of Personal Data or permits DerbySoft to Process (or permit the processing of) Personal Data in a manner that is otherwise prohibited by the Agreement. Subject to the foregoing, if there is any inconsistency or conflict between the provisions of this DPA and any other agreements between the parties, including the other terms and conditions of this Agreement, the provisions of this DPA shall prevail.In the event of any conflict or inconsistency between the Agreement (including this DPA) and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Attachment 1

DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA

Attachment 1 includes certain details of the Processing of Customer Personal Data as required by

• Article 28(3) GDPR,

• Annexes I and III to the Standard Contractual Clauses, and

• Appendices I and II to the UK SCCs.

A. LIST OF PARTIES

Data Exporter: Customer

Name: Please See the Agreement

Address: Please See the Agreement

Contact Person’s Name, Position, and Contact Details: Please See the Agreement

Activities Relevant to the Data Transferred Under these Clauses: The data exporter is a user of the data importer’s services pursuant to their underlying commercial agreement. The data exporter acts as a controller with respect to its own Customer Personal Data. To the extent permitted by the Agreement, the exporter is also permitted to use the Services as a processor.

Data Importer:

Name: DerbySoft, Inc.

Address: 14800 Landmark Blvd., Suite 640, Dallas, TX 75254

Contact Person’s Name, Position, and Contact Details:

General Counsel Office

Privacy@derbysoft.net

Activities relevant to the data transferred under these Clauses: The data importer is the provider of services to the data exporter pursuant to their underlying commercial agreement. The data importer acts as the data exporter’s processor.

B. DESCRIPTION OF TRANSFER

Data Transfer Commencement Date: Effective Date of the Agreement

Categories of data subjects whose personal data is transferred.

The data exporter may transfer Customer Personal Data to DerbySoft in connection with the data exporter’s use of the Services pursuant to the Agreement. Depending on the data exporter’s use of the Services, the data subjects whose personal data is transferred may include, without limitation data exporter’s customers, employees, consultants, contractors, agents, and end users who are residing in the European Economic Area or the United Kingdom.

Categories of Personal Data Transferred:

The data exporter may transfer Customer Personal Data to DerbySoft in connection with the data exporter’s use of the Services pursuant to the Agreement. Depending on the data exporter’s use of the Services, such Customer Personal Data may include, without limitation, the following categories of personal data:

• Hotel Guest Booking Information: Name, contact information (address, email, telephone number), gender, birthdate, payment information (e.g., credit card number), loyalty program number, and other information associated with the reservation, such as amenities or meals.

• Digital/Advertising/Consent: Advertiser data ID from mobile device; browsing time; cookie information; geolocation; IP address; location as identified via mobile device; logs; MAC address; online surfing; social media account; social media contact; social media history; website history. 

• General Contact Data: Business email; business phone number; business street address; company/entity; emergency contacts; first initial; first name; last name; personal email; personal phone number; personal street address; state/province/country.

• Travel and Stay Data: Confirmation number; expense details; family members, and companions; incidents; member status; reservation history; rewards number; rewards points; stay history; transaction history/purchased goods/services; travel agent profile; travel booking details; travel history; travel itinerary; travel partner affiliations.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the Processing

DerbySoft’s Processing activities shall be limited to those described in the Agreement and the DPA between the parties.

Purpose(s) of the data transfer and further processing.

The purpose of the transfer and further processing of personal data is the access to and use of the DerbySoft Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

Personal Data will be retained for the period of time necessary to provide the Services to Customer under the Agreement and/or in accordance with applicable legal requirements.

For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing.

Same as above to the extent such information is provided to subprocessors for purposes of providing the Services.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13.

Spain

Attachment 2

MINIMUM TECHNICAL AND ORGANIZATIONAL MEASURES

ANNEX III

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The applicable Technical and Organizational Measures for the applicable Services in Attachment 2, which may be obtained at [CT1], describe the technical and organizational measures that DerbySoft implements for those Services.

Attachment 3

List of Approved Subprocessors as of the Effective Date.

A list of Subprocessors for the Services is located here.