Advanced Data Processing Compliance Agreement

This Advanced Data Processing Agreement (“DPA”) reflects the agreement between Travel Moola Digital Marketing Agency ("Processor") with its CRM service provider, and its Customers ("Customer") regarding the processing of Personal Data in connection with the provision of services.

1. Definitions

- CCPA: California Consumer Privacy Act of 2018, as amended.

- Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing: As defined by applicable Data Protection Laws.

- Data Protection Laws: All applicable global data protection and privacy laws including but not limited to GDPR, POPIA, CCPA.

- European Data: Personal Data subject to European Data Protection Laws.

- Standard Contractual Clauses: The standard contractual clauses issued by the European Commission under Decision (EU) 2021/914.

- Subprocessors: Third parties authorized by Processor to process Personal Data on behalf of Customer.

2. Compliance

Both parties agree to comply with applicable Data Protection Laws. This DPA supplements but does not replace obligations under such laws.

3. Controller/Processor Relationship

Customer acts as Controller (or Processor where applicable) and Travel Moola Digital Marketing Agency acts as Processor.

4. Consents

Customer confirms they have all necessary consents and legal basis to transfer Personal Data to Processor and its authorized Subprocessors.

5. Scope of Processing

Processor shall only process Customer Personal Data to deliver contracted services and per Customer instructions, including through integrated mobile applications.

6. Processor Obligations

- Maintain adequate technical and organizational measures to protect Personal Data, including encryption, pseudonymization, secure backups, role-based access, and audit logs.

- Notify Customer promptly in the event of a Personal Data Breach.

- Provide reasonable assistance with data subject requests and legal compliance as required.

- Delete or return Personal Data upon contract termination, subject to legal obligations.

- Make available compliance documentation and submit to audits upon Customer request.

7. Subprocessors

Customer authorizes Processor to engage approved Subprocessors who must meet equivalent legal and security obligations. Processor remains liable for its Subprocessors.

8. Cross-Border Transfers

Processor uses Subprocessors and hosting providers located outside of the Customer’s jurisdiction, including but not limited to certified data centers in the United States. Transfers are conducted under Standard Contractual Clauses and other approved legal mechanisms.

9. Service Provider (CCPA)

Processor qualifies as a Service Provider under the CCPA and does not sell or share Personal Data except to fulfill service obligations.

10. Security Standards Summary

- Encryption at rest (AES-256 CBC) and in transit (TLS 1.2+)

- Managed cloud hosting with AWS and Google Cloud infrastructure

- Endpoint protection, multi-factor authentication, role-based access controls

- Ongoing monitoring, audit logs, vulnerability management, patching, disaster recovery protocols

11. Amendments

Processor may update this DPA as required by law provided protections are not materially reduced.

12. Contact

For inquiries, contact [email protected]

VERSION: JUNE 2025