Data Processing Agreement
Effective date: 2026-06-04 · Last updated: 2026-06-04
Data Processing Agreement
Tourbox Systems Limited Company number: 15613075 Registered address: 125 Freshfield Road, Brighton, England, BN2 0BR Contact: privacy@tourbox.com
This Data Processing Agreement ("DPA") is entered into between the entity agreeing to the Tourbox SaaS Terms of Service (the "Controller" or "Operator") and Tourbox Systems Limited (the "Processor" or "Tourbox").
1. Definitions and Interpretation
1.1. In this DPA, the following terms shall have the meanings set out below:
- "Approved Transfer Mechanism" means the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office, and/or the European Union Standard Contractual Clauses (SCCs) adopted by the European Commission, as applicable to the relevant transfer of Personal Data.
- "Controller" has the meaning given to it in the UK GDPR, being the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR) as retained in domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018, together with all subordinate legislation and guidance issued thereunder, in each case as amended, superseded, or replaced from time to time.
- "Data Subject" has the meaning given to it in the UK GDPR, being an identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" has the meaning given to it in the UK GDPR, being any information relating to a Data Subject.
- "Processing" has the meaning given to it in the UK GDPR (and "Process" and "Processed" shall be construed accordingly), meaning any operation or set of operations performed on Personal Data.
- "Processor" has the meaning given to it in the UK GDPR, being a natural or legal person which Processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party appointed by Tourbox to Process Personal Data on behalf of the Controller in connection with this DPA.
- "UK GDPR" means the United Kingdom General Data Protection Regulation, as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
1.2. Terms not otherwise defined in this DPA shall have the meaning given to them in the UK GDPR or, where applicable, the SaaS Terms of Service.
1.3. In this DPA, unless the context otherwise requires: (a) references to sections are to sections of this DPA; (b) headings are for convenience only and shall not affect interpretation; and (c) words in the singular include the plural and vice versa.
2. Scope and Purpose
2.1. This DPA applies to the Processing of Personal Data by Tourbox on behalf of the Operator for the purpose of delivering the Tourbox platform service as described in the SaaS Terms of Service (the "Services").
2.2. This DPA supplements and forms part of the SaaS Terms of Service. In the event of any conflict between this DPA and the SaaS Terms of Service, this DPA shall prevail with respect to data protection matters.
2.3. The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects are as set out in sections 3 and 4 of this DPA.
2.4. The duration of the Processing shall be for the term of the SaaS Terms of Service, unless otherwise agreed in writing.
3. Types of Personal Data Processed
3.1. Tourbox Processes the following types of Personal Data on behalf of the Operator in connection with the Services:
- Identity data: first name, last name, preferred name, middle name, title;
- Date of birth;
- Contact data: postal addresses (full), email addresses, phone numbers;
- Booking data: booking dates, booking references, booking status, financial summaries;
- Travel documents: copies of passports, visas, and other travel documentation (stored in OVHcloud object storage, EU);
- Communications content: email subject lines, email body content, and recipient information;
- Financial information: payment amounts, currencies, and exchange rates;
- Enquiry data: enquiry source, marketing source, and associated contact details.
3.2. The Operator shall ensure that it does not provide to Tourbox any special categories of Personal Data (as defined in Article 9 of the UK GDPR), except to the extent that such data is contained within travel documents uploaded by the Operator.
4. Categories of Data Subjects
4.1. The categories of Data Subjects whose Personal Data may be Processed under this DPA are:
- (a) the Operator's customers and prospective customers (including travellers and passengers); and
- (b) the Operator's staff and team members.
5. Processor Obligations
5.1. Tourbox shall Process Personal Data only on documented instructions from the Controller (including as set out in this DPA and the SaaS Terms of Service), unless Processing is required by applicable law to which Tourbox is subject, in which case Tourbox shall, to the extent permitted by law, inform the Controller of that legal requirement before the relevant Processing.
5.2. Tourbox shall ensure that all persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. Tourbox shall implement and maintain appropriate technical and organisational security measures as set out in section 8 (Schedule 1) of this DPA, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects.
5.4. Tourbox shall comply with the requirements relating to Sub-processors as set out in section 6 of this DPA.
5.5. Tourbox shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under Data Protection Laws. Such assistance shall be provided within reasonable timeframes.
5.6. Tourbox shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of Processing and the information available to Tourbox. This includes assistance with data protection impact assessments and prior consultations with supervisory authorities where required.
5.7. At the choice of the Controller, Tourbox shall delete or return all Personal Data to the Controller within thirty (30) days after the end of the provision of the Services, and shall delete existing copies unless applicable law requires storage of the Personal Data.
5.8. Tourbox shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to section 10 of this DPA.
6. Sub-processors
6.1. The Controller grants Tourbox a general written authorisation to engage Sub-processors for the Processing of Personal Data in connection with the Services.
6.2. A current list of Sub-processors engaged by Tourbox is maintained at /legal/sub-processors.
6.3. Tourbox shall notify the Controller at least fourteen (14) days before engaging a new Sub-processor or making a material change to an existing Sub-processor arrangement. Notification shall be provided by reasonable means, which may include email or notice within the Tourbox platform.
6.4. The Controller may object to the appointment of a new Sub-processor within fourteen (14) days of receiving notification. Any objection must be made in writing and shall set out reasonable grounds for the objection.
6.5. Where the Controller raises a reasonable objection and the parties are unable to resolve the matter, either party may terminate the affected Services by providing written notice. Tourbox shall, where reasonably possible, offer an alternative solution that avoids the use of the objected-to Sub-processor.
6.6. Tourbox shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. Tourbox shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.
7. International Transfers
7.1. Personal Data Processed under this DPA is primarily hosted within the European Union on infrastructure provided by Northflank.
7.2. Where a transfer of Personal Data to a country outside the United Kingdom or the European Economic Area is necessary (for example, in connection with US-based Sub-processors), Tourbox shall ensure that such transfer is made subject to an Approved Transfer Mechanism, namely:
- (a) the UK International Data Transfer Agreement (IDTA); and/or
- (b) the European Union Standard Contractual Clauses (SCCs),
as applicable to the relevant transfer.
7.3. Tourbox shall carry out and document a transfer risk assessment where required by Data Protection Laws.
7.4. AI processing kept in the EU: All AI processing of Operator Personal Data is performed by EU-based Sub-processors (Mistral AI in France for text generation, document OCR, and classification; Jina AI / Elastic in the EU for embeddings). Tourbox does not transfer Operator Personal Data to AI providers outside the UK and EU. Transfers to the United States are limited to optional, business-tier media features (video encoding, AI image editing, and GPU vision), which process uploaded media only and are subject to an Approved Transfer Mechanism (UK IDTA / EU SCCs) and supplementary measures as appropriate.
8. Security Measures (Schedule 1)
8.1. Tourbox implements and maintains the following technical and organisational measures to ensure a level of security appropriate to the risk of Processing:
Multi-tenant Isolation
8.2. Tourbox employs PostgreSQL Row-Level Security (RLS) to ensure that each organisation's data is logically isolated at the database level. Queries are automatically scoped to the authenticated organisation, preventing cross-tenant data access.
Encryption at Rest
8.3. Integration credentials and other sensitive configuration data are encrypted at rest using AES-256-CBC encryption.
Encryption in Transit
8.4. All communications between clients and Tourbox services are encrypted using HTTPS/TLS. Internal service communications, including Redis connections, are secured with TLS.
Authentication
8.5. User authentication is provided by Hanko, a passwordless, JWT-based authentication service, reducing the risk of credential-based attacks.
Access Control
8.6. Role-based access control is enforced at the organisation level, with the following roles: owner, admin, and editor. Permissions are scoped according to role.
File Storage
8.7. Files (including travel documents) are stored in private OVHcloud object storage buckets hosted in the EU (France). Access to files is controlled via time-limited signed URLs. Content hashing is applied to verify file integrity. Encrypted off-site backups are held with Scaleway (EU, France).
Infrastructure
8.8. Application infrastructure is managed by Northflank, with automated deployments and environment isolation between production and development environments.
Monitoring
8.9. Error tracking is provided by a self-hosted, EU-based error tracker running on Tourbox's own infrastructure (not a third-party Sub-processor), and is configured to minimise the collection and exposure of Personal Data in error reports (Personal Data in error reports is disabled by default).
Backup and Recovery
8.10. Automated database backups are performed with point-in-time recovery capability, ensuring data can be restored in the event of loss or corruption.
9. Personal Data Breach Notification
9.1. Tourbox shall notify the Controller without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data breach affecting Personal Data Processed on behalf of the Controller.
9.2. Such notification shall include, to the extent reasonably available at the time of notification:
- (a) a description of the nature of the Personal Data breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- (b) the name and contact details of the data protection officer or other contact point where more information can be obtained;
- (c) a description of the likely consequences of the Personal Data breach; and
- (d) a description of the measures taken or proposed to be taken by Tourbox to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3. Where it is not possible to provide all information at the same time, Tourbox shall provide the information in phases without further undue delay.
9.4. Tourbox shall co-operate with and assist the Controller in complying with the Controller's obligations under Articles 33 and 34 of the UK GDPR.
10. Audit Rights
10.1. The Controller may audit Tourbox's compliance with this DPA upon reasonable written notice of not less than thirty (30) days.
10.2. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Tourbox's business operations. The Controller shall ensure that its auditors are bound by appropriate confidentiality obligations.
10.3. Tourbox may charge the Controller reasonable costs for assisting with audits conducted more than once in any twelve (12) month period, unless such audit is necessitated by a Personal Data breach or a requirement of a supervisory authority.
10.4. Tourbox may satisfy audit requests by providing the Controller with relevant certifications, audit reports (including SOC 2 reports), or summaries prepared by independent third-party auditors, where such documentation reasonably addresses the Controller's audit requirements.
11. Consumer App Data Sync
11.1. Where the Operator enables the consumer app sync feature within the Tourbox platform, the following special provisions shall apply:
11.2. Tourbox as Controller: Tourbox becomes a Controller in its own right for the processing of consumer app user account data, including authentication data managed by Hanko. Such processing is governed by the Consumer Privacy Policy published at www.tourbox.app/privacy.
11.3. Operator as Controller: The Operator remains the Controller for all synced booking, trip, and passenger data that is displayed to consumers via the consumer app. Tourbox Processes such data on the Operator's behalf in accordance with this DPA.
11.4. Consent to sync: By enabling the consumer app sync feature, the Operator consents to the synchronisation of their customer data to the Tourbox consumer platform for the purpose of providing the consumer app service.
11.5. Consumer access: Consumer users access synced data via the Tourbox portal at portal.tourbox.app and via the Tourbox mobile applications.
11.6. Consumer terms: Consumer users' access to and use of the consumer platform is governed by the separate Consumer Terms of Use published at www.tourbox.app/terms and the Consumer Privacy Policy published at www.tourbox.app/privacy.
12. AI Data Processing
12.1. Where the Operator uses AI-powered features within the Tourbox platform, the following provisions shall apply:
12.2. Data sent to AI providers: Document content and text may be transmitted to AI Sub-processors for the purpose of processing, including but not limited to document extraction, content generation, and analysis.
12.3. AI providers: AI features are provided by EU-based Sub-processors: Mistral AI (France) for text generation, document OCR, and classification, and Jina AI / Elastic (EU) for embeddings. Operator Personal Data is not processed by AI providers outside the UK and EU. The current AI Sub-processors are listed in the Sub-processor List.
12.4. No model training: No AI provider engaged by Tourbox trains their models on the Operator's Personal Data Processed through the Tourbox platform.
12.5. Usage tracking: AI usage is tracked per organisation, including token consumption and associated cost, and is logged for billing and audit purposes.
12.6. The Operator acknowledges that the selection of an AI provider may affect the jurisdictions in which Personal Data is Processed, and the provisions of section 7 (International Transfers) shall apply accordingly.
13. General Provisions
13.1. Governing law. This DPA shall be governed by and construed in accordance with the laws of England and Wales, consistent with the governing law provisions of the SaaS Terms of Service.
13.2. Jurisdiction. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA.
13.3. Term and termination. This DPA shall come into effect on the date on which the Operator agrees to the SaaS Terms of Service and shall terminate automatically upon termination of the SaaS Terms of Service, without prejudice to any obligations which by their nature survive termination (including, without limitation, the obligations in section 5.7 regarding deletion or return of Personal Data).
13.4. Precedence. In the event of any conflict or inconsistency between this DPA and the SaaS Terms of Service, this DPA shall prevail with respect to data protection matters.
13.5. Amendments. Tourbox may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or Tourbox's data processing practices. Material changes shall be notified to the Controller in advance.
13.6. Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
13.7. Entire agreement. This DPA, together with the SaaS Terms of Service and any documents referred to herein, constitutes the entire agreement between the parties with respect to the Processing of Personal Data in connection with the Services.
Related documents: