
This is the standard Data Processing Agreement that applies whenever DMCE.ai processes personal data on your behalf as a processor. It runs alongside the Terms of Service and forms part of your contract with us.

For custom terms, write to max@dmce.ai. We negotiate cleanly with serious procurement teams.

01

Definitions

Capitalized terms used but not defined here have the meaning set out in the Terms of Service or the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

“Customer Data” means data that the Customer or its authorized users submit to the Service, including supplier records, itineraries, pricing rules, and personal data of the Customer's employees and end users.

02

Subject matter and duration

DMCE.ai (“Processor”) processes Customer Data on behalf of the Customer (“Controller”) for the sole purpose of providing the Service under the Terms of Service.

Processing continues for the term of the Customer's subscription, plus the export-and-deletion period set out in the Terms of Service.

03

Categories of data and data subjects

The Customer remains the controller of personal data submitted to the Service. Categories include:

  • Identification and contact data of Customer's employees (names, work emails, roles).
  • Identification and contact data of Customer's suppliers and travel agents (names, work emails, phone numbers).
  • End-traveller data submitted as part of itineraries (names, ages, travel dates).
  • Operational data: itineraries, supplier rates, pricing rules, archive content.

04

Obligations of the Processor

  • Process Customer Data only on the Controller's documented instructions.
  • Ensure that personnel with access to Customer Data are bound by appropriate confidentiality undertakings.
  • Implement and maintain the security measures set out in the Annex.
  • Assist the Controller in responding to data-subject requests and to data-protection authority inquiries.
  • Notify the Controller without undue delay of any personal-data breach affecting Customer Data.
  • Delete or return Customer Data upon termination, subject to applicable legal retention requirements.

05

Sub-processors

The Controller authorizes the Processor to engage sub-processors. A current list is available on request at max@dmce.ai. The Processor will give at least 30 days' notice of any new sub-processor.

Each sub-processor is bound by data-protection obligations no less protective than those in this DPA.

06

International transfers

Customer Data is hosted in the European Union. Where data must be transferred outside the EEA (for example to a sub-processor with global operations), the Processor relies on the European Commission's Standard Contractual Clauses (Module 2 - controller to processor) or another adequate transfer mechanism.

A list of countries to which data may be transferred is maintained alongside the sub-processor list.

07

Security measures

The Processor implements the following technical and organizational measures:

  • Encryption of Customer Data at rest (AES-256) and in transit (TLS 1.3).
  • Tenant isolation; per-tenant encryption keys; least-privilege access controls.
  • MFA-enforced administrative access; role-based access for end users.
  • Audit logging of data access and changes; 12-month retention.
  • Daily encrypted backups with monthly tested restores.
  • Annual penetration testing and quarterly vulnerability scanning.
  • Incident response plan with defined RTO/RPO targets.

For security questions or to request our current security posture summary, email max@dmce.ai.

08

Data-subject rights

The Processor will provide reasonable assistance, by appropriate technical and organizational measures, to enable the Controller to fulfil its obligations to respond to data-subject access, correction, deletion, restriction, portability, and objection requests.

09

Audits

The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including the most recent SOC 2 Type II report (when available), penetration test summary, and security-policy summaries.

Where these documents are insufficient, the Controller may request an audit on 30 days' written notice, no more than once every 12 months, at the Controller's expense.

10

Liability

The liability of each party arising out of or related to this DPA is governed by the limitations set out in the Terms of Service.

11

Termination

This DPA terminates automatically upon termination of the Terms of Service. Upon termination, the Processor will, at the Controller's option, return or delete Customer Data within 90 days, subject to applicable legal retention obligations and backup-rotation schedules.

Download

For your procurement team.

Download the standard DPA as a PDF, or email max@dmce.ai for a redlined version.