Data Processing Agreement (DPA)
TravelPerk’s platform provides business travel services by connecting the Customer to the best travel partners, such as hotels or airlines, to book accommodation, flights and other services, all while ensuring the highest level of privacy throughout the booking process. For this purpose, TravelPerk will process personal data. Some laws, such as the GDPR, require us to conclude a DPA.
We believe that contracts serve a greater purpose of building partnerships based on trust, and privacy is a big part of that. This is why we offer you these clear and fair terms - no tricks and no friction. Hopefully, we can quickly fly off to a great start to save time and money.
Details of processing
Purpose of processing
- Provision of business travel services, in particular to create, maintain and update customer accounts, manage travel bookings, provide customer service, send notices to users (e.g., when a flight is delayed) and store emergency contacts.
- TravelPerk will not use personal data for unrelated purposes (we will not sell personal data).
Processing roles
- Customer: controller (in relation to personal data of individuals using the customer account).
- TravelPerk: processor (connecting the Customer with travel partners to book their services).
Nature of processing
- Collection, recording, storage, use, structuring, transmission.
Affected data subjects
- Individuals invited to the TravelPerk platform by the Customer, such as employees, contractors, or job candidates, and their emergency contacts.
Affected personal data
- User information (e.g., name, contact details, job information, identification documents), travel history (e.g., hotel stays, flights, car rentals), customer service interactions, travel affiliation information (e.g., Miles & More number).
- Payments are processed directly by third-party processors (e.g., Stripe) that meet relevant standards, such as PCI DSS. TravelPerk stores the type (Visa/Mastercard), last four digits (not full numbers), expiration date of the credit card, and bank information to add this payment method to your user profile. TravelPerk complies with the PCI DSS SAQ-A (Self-Assessment Questionnaire A).
- TravelPerk does not require users to share special categories of personal data (sensitive information), and the Customer will inform users to do so only when necessary. TravelPerk will delete such information, unless required to follow user instructions (e.g., request for a special meal).
Duration of processing
- TravelPerk will process personal data for as long as it provides business travel services, and afterwards only for the applicable statutory retention periods (typically between 5 and 7 years).
- Deletion or anonymisation cannot be triggered prior to the termination of our relationship, except for individual data subject requests. Individual travellers can be archived or deleted from the platform at all times by admins.
- TravelPerk will issue a written confirmation of deletion or anonymisation upon request.
- This DPA will remain in force until TravelPerk deletes or anonymises personal data within 30 days after termination of our relationship or expiration of statutory periods, whichever is later.
Terms of processing
Applicable laws
- All relevant laws and rulings of authorities and courts, in particular the GDPR, UK GDPR, CCPA/CPRA, FADP (Switzerland).
Customer obligations
- As a controller, the Customer will be responsible for ensuring a lawful basis and meeting applicable transparency obligations.
Instructions for TravelPerk
- TravelPerk will process personal data only on Customer’s documented instructions.
- This DPA exhausts Customer’s instructions; new instructions require an amendment of this DPA.
- TravelPerk will notify the Customer immediately if any of the instructions infringe applicable laws.
Confidentiality
- TravelPerk staff are subject to contractual and/or statutory confidentiality obligations.
Security measures
- TravelPerk offers technical and organisational security measures appropriate to the level of risk, listed at https://trustcenter.travelperk.com/.
- These measures will be improved from time to time.
Personal data breaches
- TravelPerk will notify the Customer of any personal data breaches related to their data within 24 hours of becoming aware, free of charge. Further information will be provided on an ongoing basis.
- TravelPerk will assist the Customer with investigation, containment and remediation, free of charge.
- TravelPerk will not disclose any information to third parties without consent, unless legally obliged.
Assistance
- TravelPerk will forward requests from data subjects or authorities within 5 days, free of charge.
- In case of disclosure requests from authorities and to the extent allowed by applicable laws, TravelPerk will immediately notify the Customer, challenge the request, and only disclose the minimum amount of personal data.
- TravelPerk will reasonably assist the Customer with relevant assessments, free of charge.
Sub-processors
- The Customer accepts TravelPerk’s current sub-processors, listed at https://trustcenter.travelperk.com/subprocessors. Selecting specific sub-processors is not possible.
- TravelPerk will notify the Customer 30 days before engaging a new sub-processor. In that time the Customer has the right to object. If the Customer does object, parties will work together to find an amicable solution, and the sub-processor will not be engaged in the meantime. If that is not possible in the next 30 days, the Customer has the right to terminate the relationship with TravelPerk on the terms specified in the business travel service agreement (30 days notice).
- New sub-processors will be subject to equivalent terms of processing through a written contract.
- TravelPerk will be liable for any acts, errors or omissions of sub-processors.
International (restricted) transfers
- TravelPerk processes personal data:
— in Ireland, Germany, and Spain, for customers with domicile in the EU/EEA,
— additionally in the United States, for customers with domicile in the United States,
— additionally in the United Kingdom, for customers with domicile in the United Kingdom.
- TravelPerk’s sub-processors may process personal data in third countries. If that is the case, we will ensure the transfer is compliant with applicable laws (e.g., standard contractual clauses).
Audit rights
- TravelPerk will allow for audits at Customer’s reasonable request and free of charge, provided that audits are during business hours, except in case of a personal data breach.
- TravelPerk will bear the costs if the audit reasonably determines its responsibility for the breach.
- TravelPerk will provide information to demonstrate compliance with applicable laws, free of charge.
Liability and indemnity
At TravelPerk, we believe in risk allocation that reflects our growing partnership. As the Customer’s spend on TravelPerk increases, so does our ability to accept additional risk.
- Each party’s liability (together with all its affiliates) is capped at €250,000 (two hundred fifty thousand euros), or at the total value of services booked by the Customer through TravelPerk at the time of the event giving rise to the liability, if that value is higher than €250,000 (two hundred fifty thousand euros). Where the total value of services booked exceeds €1,000,000 (one million euros), liability becomes uncapped.
- For illustration: if you book services, such as hotel stays, for a total value of €10,000, the liability cap will be €250,000 (two hundred fifty thousand euros). However, if you keep using TravelPerk and book services for a total value of €450,000 (four hundred fifty thousand euros), the liability cap will be €450,000 (four hundred fifty thousand euros). And if you become an enthusiast of TravelPerk and book with us for over €1,000,000 (one million euros), the liability cap disappears entirely.
- This model is much more customer-friendly than the standard 12-month fees offered by SaaS companies.
- Liability includes claims (including by data subjects or third parties), penalties (including regulatory enforcement actions) and expenses (including reasonable legal fees) directly arising from a breach of applicable laws or this DPA.
- For customers with business domicile in Germany, Austria or Switzerland: liability for breaches of applicable laws or this DPA is uncapped during its term due to local law requirements.
Other
- Terms have the meaning associated with them in applicable laws (e.g., personal data) or in the business travel service agreement (e.g., Customer).
- In case of conflict, this DPA takes precedence over the business travel service agreement.
- Any amendments to this DPA must be agreed in writing.
- This DPA is the entire agreement in relation to processing of personal data for providing business travel services.