Back to Legal Resources

Data Processing Agreement

How we process data on behalf of our clients in compliance with global data protection regulations.

Last updated: May 9, 2025

Contents

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tourmoo ("Processor," "we," "us," or "our") and clients using our travel booking SaaS platform ("Controller," "you," "your," or "Client") (collectively, the "Parties").

This DPA reflects the Parties' agreement with respect to the processing of Personal Data by Tourmoo on behalf of the Client in connection with the SaaS platform provided by Tourmoo. This DPA is designed to ensure compliance with applicable Data Protection Laws, including but not limited to the GDPR, CCPA, and other similar regulations worldwide.

Definitions

In this DPA, the following terms shall have the meanings set out below:

"Data Protection Laws"

All laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the GDPR, CCPA, and other applicable data protection laws.

"GDPR"

The General Data Protection Regulation (EU) 2016/679.

"CCPA"

The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.

"Personal Data"

Any information relating to an identified or identifiable natural person ('Data Subject').

"Processing"

Any operation performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, etc.

"Data Subject"

The identified or identifiable person to whom the Personal Data relates.

"Controller"

The entity that determines the purposes and means of the Processing of Personal Data (the Client).

"Processor"

The entity that Processes Personal Data on behalf of the Controller (Tourmoo).

"Sub-processor"

Any Processor engaged by Tourmoo to process Personal Data on behalf of the Client.

"End Users"

The customers of the Client who use the travel booking website created using the Tourmoo platform.

Scope and Roles

This DPA applies to the Processing of Personal Data by Tourmoo on behalf of the Client in the course of providing the SaaS platform for travel booking websites.

For the purposes of this DPA:

Client

is the Controller of Personal Data collected through the travel booking website created using the Tourmoo platform

Tourmoo

is the Processor of Personal Data, processing data on behalf of the Client

Processing of Personal Data

Subject Matter and Duration

The subject matter of the Processing is the provision of the SaaS platform for travel booking websites. The Processing will continue for the duration of the Client's subscription to Tourmoo's services.

Nature and Purpose

Tourmoo will Process Personal Data as necessary to provide the SaaS platform and related services as set out in the Terms of Service and as further instructed by the Client in its use of the services.

Types of Personal Data

The types of Personal Data Processed may include:

  • End User contact information (name, email, phone number, address)
  • Travel document information (passport details, visa information)
  • Travel preferences and itinerary details
  • Payment information
  • Special categories of data (e.g., dietary requirements, accessibility needs)
  • Client account information (business contact details, user credentials)
  • Any other Personal Data submitted by or for the Client through the platform

Categories of Data Subjects

The categories of Data Subjects may include:

  • End Users of the Client's travel booking website
  • Client's employees and authorized users of the Tourmoo platform
  • Client's business partners and suppliers
  • Other individuals whose Personal Data is submitted to the platform

Client Obligations

As the Controller, the Client shall:

  • Ensure that all Processing of Personal Data complies with applicable Data Protection Laws.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Obtain all necessary consents from End Users for the Processing of their Personal Data.
  • Provide clear and sufficient privacy notices to End Users regarding the Processing of their Personal Data.
  • Respond to Data Subject requests in a timely manner, with Tourmoo's assistance where necessary.
  • Notify Tourmoo promptly of any instructions that may infringe Data Protection Laws.
  • Ensure that Personal Data is accurate and kept up to date.
  • Ensure that only authorized personnel have access to the Tourmoo platform and the Personal Data processed therein.

Tourmoo Obligations

As the Processor, Tourmoo shall:

  • Process Personal Data only on documented instructions from the Client, including with regard to transfers to third countries.
  • Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
  • Assist the Client in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
  • At the choice of the Client, delete or return all Personal Data to the Client after the end of the provision of services.
  • Make available to the Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
  • Allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
  • Notify the Client without undue delay after becoming aware of a Personal Data breach.

Sub-processors

The Client acknowledges and agrees that Tourmoo may engage third-party Sub-processors in connection with the provision of the SaaS platform. Tourmoo shall ensure that its contract with each Sub-processor contains data protection obligations no less protective than those in this DPA.

Sub-processor Management

  • Tourmoo shall maintain a list of current Sub-processors for the services, including their names and locations.
  • Tourmoo shall provide prior notice to the Client of any changes to its Sub-processors.
  • The Client may object to Tourmoo's use of a new Sub-processor by notifying Tourmoo promptly in writing within 10 business days after receipt of Tourmoo's notice.
  • If the Client objects to a new Sub-processor, Tourmoo will use reasonable efforts to make available to the Client a change in the services or recommend a commercially reasonable change to the Client's configuration or use of the services to avoid Processing of Personal Data by the objected-to new Sub-processor.
  • If Tourmoo is unable to make available such change within a reasonable period of time, the Client may terminate the applicable services which cannot be provided by Tourmoo without the use of the objected-to new Sub-processor by providing written notice to Tourmoo.

Tourmoo shall be liable for the acts and omissions of its Sub-processors to the same extent Tourmoo would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

International Transfers

Tourmoo may transfer and Process Personal Data to and in other locations around the world where Tourmoo or its Sub-processors maintain data processing operations.

Transfer Mechanisms

Tourmoo shall ensure that such transfers are made in compliance with the requirements of Data Protection Laws. Depending on the destination country, this may include:

  • Transfers to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission or other relevant authorities.
  • Transfers subject to appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission or other relevant authorities.
  • Transfers based on Binding Corporate Rules.
  • Transfers based on derogations for specific situations as set out in Data Protection Laws, where applicable.

Upon the Client's request, Tourmoo shall provide details of the transfer mechanisms used for any specific transfers of Personal Data.

Data Subject Rights

Tourmoo shall, to the extent legally permitted, promptly notify the Client if it receives a request from a Data Subject to exercise their rights under Data Protection Laws.

Assistance with Data Subject Requests

Taking into account the nature of the Processing, Tourmoo shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client's obligation to respond to requests for exercising the Data Subject's rights, which may include:

  • Right of access
  • Right to rectification
  • Right to erasure ('right to be forgotten')
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision making and profiling

The Client shall be responsible for responding to such requests. Tourmoo shall not respond to Data Subject requests without the Client's prior written consent except to confirm that the request relates to the Client.

Data Breach Notification

Tourmoo shall notify the Client without undue delay after becoming aware of a Personal Data breach affecting the Client's Personal Data.

Breach Notification Details

Such notification shall at least:

  • !
    Describe the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
  • !
    Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
  • !
    Describe the likely consequences of the Personal Data breach
  • !
    Describe the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects

Tourmoo shall cooperate with the Client and take such reasonable commercial steps as are directed by the Client to assist in the investigation, mitigation, and remediation of each such Personal Data breach.

Audit Rights

Tourmoo shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.

Audit Procedures

  • The Client shall give Tourmoo reasonable notice of any audit or inspection to be conducted and shall make reasonable endeavors to avoid causing damage, injury or disruption to Tourmoo's premises, equipment, personnel and business.
  • The frequency of audits shall be limited to once per year, except in the event of a Personal Data breach or if required by a supervisory authority.
  • The Client may be asked to execute a non-disclosure agreement before conducting an audit.
  • Tourmoo may object to an auditor appointed by the Client if the auditor is, in Tourmoo's reasonable opinion, not suitably qualified or independent, a competitor of Tourmoo, or otherwise manifestly unsuitable.
  • Any such objection by Tourmoo will require the Client to appoint another auditor or conduct the audit itself.

The Client shall bear any costs arising from audits or inspections, unless such audit or inspection reveals material non-compliance with this DPA, in which case Tourmoo shall bear its own costs of the audit.

Termination and Data Deletion

Upon termination of the Client's subscription to the Tourmoo platform, or upon the Client's written request, Tourmoo shall, at the choice of the Client, delete or return all Personal Data to the Client and delete existing copies.

Data Retention and Deletion

  • The Client must provide written instructions regarding the deletion or return of data within 30 days of termination.
  • If no instructions are received within this timeframe, Tourmoo will delete all Personal Data after a grace period of 90 days following termination.
  • Tourmoo may retain Personal Data to the extent required by applicable laws, provided that Tourmoo ensures the confidentiality of such data and ensures that the data is only processed as necessary for the purpose(s) specified in the applicable laws.
  • Tourmoo shall provide certification of deletion of Personal Data upon the Client's request.

The Client is responsible for exporting any data it wishes to retain before the end of the grace period. Tourmoo provides export tools within the platform to facilitate this process.

Contact Information

For questions about this DPA, please contact:

Legal Department: [email protected]
Address: Pokhara 20, Bhalam, 33700, Kaski, Nepal