Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ExperienceLocal, Inc. ("Processor") and the organization using our Services ("Controller"). This DPA sets out the terms under which Processor will process personal data on behalf of Controller.

This DPA applies where and only to the extent that the General Data Protection Regulation (GDPR) applies to the processing of personal data.

Definitions

For the purposes of this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Sub-processor" means any third party appointed by Processor to process Personal Data on behalf of Controller.
"Security Incident" means any unauthorized access, disclosure, or breach affecting Personal Data.

Scope and Purpose

Categories of Data Subjects

Hotel/property guests
Experience providers and their staff
Controller's employees and team members

Types of Personal Data

Contact information (name, email, phone number)
Booking details and preferences
Payment information (processed via Stripe)
Account credentials and authentication data
Usage and analytics data

Purpose of Processing

Personal Data will be processed solely for:

Providing and maintaining the Services
Processing bookings and payments
Communicating with Data Subjects about their bookings
Generating analytics and reports for Controller
Complying with legal obligations

Processor Obligations

Processor agrees to:

Process Personal Data only on documented instructions from Controller
Ensure that persons authorized to process Personal Data have committed to confidentiality
Implement appropriate technical and organizational security measures
Assist Controller in responding to Data Subject requests
Delete or return all Personal Data upon termination of the Services
Make available all information necessary to demonstrate compliance
Allow for and contribute to audits conducted by Controller

Security Measures

Processor implements the following security measures:

Encryption of Personal Data in transit and at rest
Regular security assessments and penetration testing
Access controls and authentication mechanisms
Monitoring and logging of system activity
Incident response procedures
Employee security training
Physical security controls at data centers

Sub-processors

Controller generally authorizes Processor to engage Sub-processors. Current Sub-processors include:

Sub-processor	Purpose	Location
Neon	Database hosting	United States
Vercel	Application hosting	United States/Global
Clerk	Authentication	United States
Stripe	Payment processing	United States
Resend	Email delivery	United States
Sentry	Error monitoring	United States

Processor will notify Controller of any intended changes to Sub-processors, giving Controller the opportunity to object to such changes.

International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). For such transfers, Processor will ensure appropriate safeguards are in place, such as:

Standard Contractual Clauses approved by the European Commission
Binding Corporate Rules (where applicable)
Adequacy decisions by the European Commission
Other legally recognized transfer mechanisms

Data Subject Rights

Processor will assist Controller in fulfilling its obligation to respond to Data Subject requests, including requests for:

Access to Personal Data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Data portability
Objection to processing

Breach Notification

Processor will notify Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Security Incident. The notification will include:

Description of the nature of the incident
Categories and approximate number of Data Subjects affected
Categories and approximate number of records concerned
Likely consequences of the incident
Measures taken or proposed to address the incident

Term and Termination

This DPA will remain in effect for the duration of the Services agreement. Upon termination:

Processor will cease processing Personal Data
Controller may request return or deletion of Personal Data
Processor will delete all Personal Data within 90 days unless required by law to retain it
Processor will provide certification of deletion upon request

Contact Information

For questions about this DPA or to exercise rights under GDPR, contact:

Email: dpo@experiencelocal.io
Address: ExperienceLocal, Inc., [Address to be added]

Note: This Data Processing Agreement is a template and should be reviewed by a qualified attorney before use.

This DPA applies where and only to the extent that the General Data Protection Regulation (GDPR) applies to the processing of personal data.

Definitions

For the purposes of this DPA:

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Sub-processor" means any third party appointed by Processor to process Personal Data on behalf of Controller.
"Security Incident" means any unauthorized access, disclosure, or breach affecting Personal Data.

Scope and Purpose

Categories of Data Subjects

Hotel/property guests
Experience providers and their staff
Controller's employees and team members

Types of Personal Data

Contact information (name, email, phone number)
Booking details and preferences
Payment information (processed via Stripe)
Account credentials and authentication data
Usage and analytics data

Purpose of Processing

Personal Data will be processed solely for:

Providing and maintaining the Services
Processing bookings and payments
Communicating with Data Subjects about their bookings
Generating analytics and reports for Controller
Complying with legal obligations

Processor Obligations

Processor agrees to:

Process Personal Data only on documented instructions from Controller
Ensure that persons authorized to process Personal Data have committed to confidentiality
Implement appropriate technical and organizational security measures
Assist Controller in responding to Data Subject requests
Delete or return all Personal Data upon termination of the Services
Make available all information necessary to demonstrate compliance
Allow for and contribute to audits conducted by Controller

Security Measures

Processor implements the following security measures:

Encryption of Personal Data in transit and at rest
Regular security assessments and penetration testing
Access controls and authentication mechanisms
Monitoring and logging of system activity
Incident response procedures
Employee security training
Physical security controls at data centers

Sub-processors

Controller generally authorizes Processor to engage Sub-processors. Current Sub-processors include:

Sub-processor	Purpose	Location
Neon	Database hosting	United States
Vercel	Application hosting	United States/Global
Clerk	Authentication	United States
Stripe	Payment processing	United States
Resend	Email delivery	United States
Sentry	Error monitoring	United States

Processor will notify Controller of any intended changes to Sub-processors, giving Controller the opportunity to object to such changes.

International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). For such transfers, Processor will ensure appropriate safeguards are in place, such as:

Standard Contractual Clauses approved by the European Commission
Binding Corporate Rules (where applicable)
Adequacy decisions by the European Commission
Other legally recognized transfer mechanisms

Data Subject Rights

Processor will assist Controller in fulfilling its obligation to respond to Data Subject requests, including requests for:

Access to Personal Data
Rectification of inaccurate data
Erasure ("right to be forgotten")
Restriction of processing
Data portability
Objection to processing

Breach Notification

Processor will notify Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Security Incident. The notification will include:

Description of the nature of the incident
Categories and approximate number of Data Subjects affected
Categories and approximate number of records concerned
Likely consequences of the incident
Measures taken or proposed to address the incident

Term and Termination

This DPA will remain in effect for the duration of the Services agreement. Upon termination:

Processor will cease processing Personal Data
Controller may request return or deletion of Personal Data
Processor will delete all Personal Data within 90 days unless required by law to retain it
Processor will provide certification of deletion upon request

Contact Information

For questions about this DPA or to exercise rights under GDPR, contact:

Email: dpo@experiencelocal.io
Address: ExperienceLocal, Inc., [Address to be added]

Note: This Data Processing Agreement is a template and should be reviewed by a qualified attorney before use.

Definitions

Scope and Purpose

Categories of Data Subjects

Types of Personal Data

Purpose of Processing

Processor Obligations

Security Measures

Sub-processors

International Data Transfers

Data Subject Rights

Breach Notification

Term and Termination

Contact Information

Quick Navigation

Data Processing Agreement

Definitions

Scope and Purpose

Categories of Data Subjects

Types of Personal Data

Purpose of Processing

Processor Obligations

Security Measures

Sub-processors

International Data Transfers

Data Subject Rights

Breach Notification

Term and Termination

Contact Information

Quick Navigation