Data Processing Addendum

Last Updated -
November 23, 2023

If you are a business customer and need to request an executable copy of this Data Processing Addendum or the Standard Contractual Clauses, please email compliance@acaitravel.com and include the name of your company, the name and title of the authorized representative who will execute this Addendum on your company’s behalf and his or her email address. We will then follow up directly with that individual, after confirming your account, with a copy of this Addendum or Standard Contractual Clauses in PDF format for execution.

THIS DATA PROCESSING ADDENDUM (“ADDENDUM”) APPLIES TO THE EXTENT ACAI TRAVEL INC. (“ACAI TRAVEL”) IS A “PROCESSOR” (DEFINED BELOW) OF PERSONAL DATA (DEFINED BELOW) THAT IS SUBJECT TO APPLICABLE DATA PROTECTION LAWS (DEFINED BELOW) IN CONNECTION WITH ITS PROVISION OF SERVICES TO THE ENTITY (“CLIENT”) EXECUTING THE MASTER SUBSCRIPTION AGREEMENT OR OTHER WRITTEN OR ELECTRONIC AGREEMENT BETWEEN ACAI TRAVEL AND CLIENT FOR THE PURCHASE OF ONLINE SERVICES (THE “AGREEMENT”) TO WHICH THIS ADDENDUM IS ATTACHED OR INCORPORATED BY REFERENCE. TO THE EXTENT THE AGREEMENT ENTERED INTO BY CLIENT INCORPORATED BY REFERENCE THE DATA PROCESSING ADDENDUM LOCATED AT www.acaitravel.com/privacy-security/data-processing-addendum, THEN THIS ADDENDUM SHALL SUPERSEDE SUCH DATA PROCESSING ADDENDUM AS OF THE LAST UPDATED DATE SET FORTH ABOVE. IF YOU ARE ACCESSING THE SERVICES ON BEHALF OF CLIENT, YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO AGREE TO THESE TERMS ON ITS BEHALF AND THE RIGHT TO BIND CLIENT THERETO. FOR THE AVOIDANCE OF DOUBT, THIS ADDENDUM IS NOT VALID OR LEGALLY BINDING IF THERE IS NO AGREEMENT IN PLACE BETWEEN CLIENT AND ACAI TRAVEL.

1. Definitions

1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2 “Anonymous Data” means data not deemed “personal data” or “personal information” (or analogous variations of those terms) under Applicable Data Protection Laws, including (i) for the purpose of EU & UK Data Protection Laws, Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person; or (ii) “Aggregate consumer information” or “Deidentified personal information” as those terms are defined under the applicable US Privacy Laws.

1.3 “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement. With respect to Personal Data relating to EEA, UK, and/or Switzerland Data Subjects, “Applicable Data Protections Laws” shall include, but not be limited to, EU & UK Data Protection Laws. With respect to Personal Data relating to California, Colorado, Connecticut, Utah, and/or Virginia Data Subjects, “Applicable Data Protection Laws” shall include, but not be limited to, US Privacy Laws.

1.4 “Authorized Employee” means an employee of Acai Travel who has a need to know or otherwise access Personal Data to enable Acai Travel to perform their obligations under this Addendum or the Agreement.

1.5 “Authorized Individual” means an Authorized Employee or Authorized Subprocessor.

1.6 “Authorized Subprocessor” means each of Acai Travel’s Affiliates and a third-party subcontractor, agent, reseller, or auditor who (i) has a need to know or otherwise access Personal Data to enable Acai Travel to perform its obligations under this Addendum or the Agreement and (ii) is either a Current Subprocessor under Section 4.1 hereof or added as an Authorized Subprocessor under Section 4.2 hereof after the Effective Date.

1.7 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. With respect to Personal Data relating to California, Colorado, Connecticut, Utah, and Virginia Data Subjects, Controller shall include, but is not limited to, the term “Business” or “Controller,” as applicable, under the relevant US Privacy Laws.

1.8 “Data Subject” means (i) an identified or identifiable natural person to whom Personal Data relates, and who is in the EEA, UK or Switzerland or whose rights are protected by EU & UK Data Protection Laws; or (ii) a “Consumer” or if applicable “Household” as the term is defined under the applicable US Privacy Law.

1.9 “EEA” means the European Economic Area.

1.10 “EU & UK Data Protection Laws” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the United Kingdom’s Data Protection Act 2018 (“UK DPA”); the UK General Data Protection Regulation as defined by the UK DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (together with the UK DPA, the “UK GDPR”); (iii) the Privacy and Electronic Communications Regulations 2003; and (iv) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the Processing of Personal Data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time (including, for purposes of clarification and without limitation, the Federal Data Protection Act of 19 June 1992 (Switzerland) (as the same may be superseded by the Swiss Data Protection Act 2020 and as amended from time to time) (“Swiss DPA”)).

1.11 “EU Transfer Clauses” means the Standard Contractual Clauses approved by EC Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) and Module 3 (Processor to Processor), as may be amended, updated or replaced from time to time by the European Commission, for the transfer of personal data from the European Economic Area (“EEA”) to a Third Country and processing of Personal Data;

1.12 “Instruction” means a direction, either in writing, in textual form (e.g. by email) or by using a software or online tool, issued by Client to Acai Travel and directing Acai Travel to Process Personal Data.

1.13 “Personal Data” or “Personal Information” means any information made available to Acai Travel in connection with the Services that constitutes “personal information”, “personally identifiable information”, “personal data” or similar information governed by Applicable Data Protection Laws and shall have the meaning assigned to such terms, as applicable, under the Applicable Data Protection Laws, including such information relating to Data Subjects which Acai Travel Processes on behalf of Client other than Anonymous Data.

1.14 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Acai Travel’s possession, custody or control.

1.15 “Privacy Shield Framework” means the EU-US and/or Swiss-US Privacy Shield self-certification program operated by the US Department of Commerce, or any equivalent legal framework that may apply between the United Kingdom and the United States.

1.16 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

1.17 “Processor” means the entity which Processes Personal Data on behalf of the Controller. With respect to Personal Data covered under US Privacy Laws, from California, Colorado, Connecticut, Utah, and/or Virginia Data Subjects, Processor shall include the term “Processor” or “Service provider”, as applicable, according to the meaning given to that term by the relevant US Privacy Law.

1.18 “Security and Privacy Documentation” means the Security and Privacy Documentation applicable to the specific Services purchased by Client, as updated from time to time, and accessible via https://www.acaitravel.com/privacy-center.

1.19 “Services” means any services provided by Acai Travel to Client, as set forth in the Agreement (including any applicable Order (as defined in the Agreement)).

1.20 “Standard Contractual Clauses” means EU Transfer Clauses and the UK International Data Transfer Addendum, provided that their Appendices and Annexes are set forth in Schedule 1 to this Addendum.

1.21 “Supervisory Authority” means an independent public authority which is established by a member state of the EEA, Switzerland, United Kingdom, or any other governmental authority or body which has jurisdiction over the compliance and enforcement of Applicable Data Protection Laws.

1.22 “Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR or Swiss data protection law, any country outside of the scope of the data protection laws of the UK or Switzerland (as applicable), excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK or Switzerland (as applicable) from time to time.

1.23 “Third-Party Services” means connections and/or links to third party websites and/or services that Acai Travel enables Client to integrate with and access through the Services, including, without limitation, via application programming interfaces, workflows or webhooks, and for which Client has entered into an agreement(s) directly with such third party websites and/or services with respect to the Processing of Personal Data.

1.24 “UK International Data Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK information Commissioner, as may be amended from time to time, for the transfer of personal data from the UK to a Third Country and the processing of Personal Data.

1.25 “US Privacy Laws” means (i) as of January 1, 2020, the California Consumer Privacy Act (“CCPA”), (ii) as of January 1, 2023, the CCPA as amended by the California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“VCDPA”), (iii) as of July 1, 2023, the Connecticut Data Privacy Act (“CTDPA”), the Colorado Privacy Act (“CPA”), and (iv) as of December 31, 2023, the Utah Consumer Privacy Act (“UCPA”). “Business”, “Business Purpose”, “Commercial Purposes”, “Sell”, “Share”, and “Service Provider” have the meanings given in the applicable US Privacy Laws.

2. Processing of Data

2.1 The parties acknowledge and agree that with regard to the Processing of Personal Data, (i) where Client is the Controller, Acai Travel is the Processor and (ii) where Client acts as a Processor on behalf of another entity, Acai Travel is a Subprocessor. Acai Travel will engage Authorized Subprocessors pursuant to the requirements set forth in Section 4 below. Client understands that to the extent Third-Party Services are accessed by Client, Client serves as the Controller (or Processor on behalf of another entity, where applicable) and the Third-Party Services are Processors (or Subprocessors, where applicable), and the Third-Party Services are not Authorized Subprocessors of Acai Travel.

2.2 The rights and obligations of the Client with respect to this Processing are described herein. Client shall, in its use of the Services, at all times Process Personal Data, and provide Instructions for the Processing of Personal Data, in compliance with Applicable Data Protection Laws. Without limiting any of Acai Travel’s obligations under Applicable Data Protection Laws, Client shall ensure that its Instructions comply with all Applicable Data Protection Laws in relation to the Personal Data, and that the Processing of Personal Data in accordance with Client’s Instructions, the Agreement and this Addendum will not cause Acai Travel to be in breach of Applicable Data Protection Laws. Client is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Acai Travel by or on behalf of Client, (ii) the means by which Client acquired any such Personal Data, and (iii) the Instructions it provides to Acai Travel regarding the Processing of such Personal Data. Client shall not provide or make available to Acai Travel any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Acai Travel from all claims and losses in connection therewith.

2.3 Acai Travel shall Process Personal Data only (i) for the purposes set forth in the Agreement (including any applicable Order (as defined in the Agreement)), (ii) in accordance with the terms and conditions set forth in this Addendum and any other Instructions provided by Client, and (iii) in compliance with Applicable Data Protection Laws. Client hereby instructs Acai Travel to Process Personal Data in accordance with the foregoing purposes and as part of any Processing initiated by Client in its use of the Services and documented reasonable Instructions provided by Client (e.g., via email) where such Instructions are consistent with the terms of the Agreement. Client also instructs Acai Travel to use, and to process Personal Data for the purpose of using, its artificial intelligence (AI) and machine learning (ML) powered features to provide the Services on behalf of Client, including to better understand the nature of communications received by the Client in order to more accurately and efficiently allow Client to respond to its customers, and further instructs Acai Travel, where necessary, to de-identify or anonymize Personal Data, to train the AI and ML features of the Services on behalf of Client as part of the Processing.

2.4 The subject matter, nature, purpose, and duration of Acai Travel’s Processing of Personal Data under the Agreement and this Addendum, including the types of Personal Data collected and categories of Data Subjects, are described in Schedule 1 to this Addendum.

2.5 Following completion of the Services, at Client’s choice, Acai Travel shall return or delete the Personal Data as soon as reasonably practicable, except as required to be retained to comply with applicable legal requirements, including Applicable Data Protection Laws (it being understood and agreed that, notwithstanding anything to the contrary herein, Acai Travel’s obligations under this Addendum shall survive for so long as it is Processing (including storing) Personal Data, including, but not limited to, storing Personal Data to allow Client to access and download Personal Data following the completion of the Services as set forth in the Agreement and Acai Travel’s retention policy within its Product Privacy Statement at www.acaitravel.com/privacy-security/product-privacy-statement.

3. Authorized Employees

3.1 Acai Travel shall take commercially reasonable measures to ensure the reliability and appropriate training of any Authorized Employee.

3.2 Acai Travel shall ensure that all Authorized Employees are made aware of the confidential nature of Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with Acai Travel, any Personal Data except in accordance with their obligations in connection with the Services.

3.3 Acai Travel shall take commercially reasonable measures to limit access to Personal Data to only Authorized Individuals.

4. Authorized Subprocessors

4.1 Client acknowledges and agrees that Acai Travel may (1) engage the Authorized Subprocessors listed on Acai Travel’s website at www.acaitravel.com/privacy-security/subprocessors on the Effective Date (each a “Current Subprocessor”) to access and Process Personal Data in connection with the Services and (2) from time to time after the Effective Date engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.

4.2 Acai Travel shall notify Client before engaging any third party other than its Affiliates and Current Subprocessors to access or participate in the Processing of Personal Data by updating the current list of Authorized Subprocessors available on Acai Travel’s website at www.acaitravel.com/privacy-security/subprocessors as well as providing a mechanism to subscribe by email to receive notifications of new Authorized Subprocessors, and if Client subscribes, Acai Travel shall provide an email notification to Client of a new Authorized Subprocessor before authorizing any new Authorized Subprocessor to Process Personal Data in connection with the provision of the Services.

4.3 Acai Travel shall, by way of contract or other legal act under applicable law (including without limitation approved codes of conduct and standard contractual clauses), ensure that every Authorized Subprocessor is subject to data protection obligations regarding the Processing of Personal Data that are no less protective than those in this Addendum to the extent applicable to the nature of the services provided by such Authorized Subprocessor. Acai Travel conducts appropriate due diligence in the selection and retention of its Authorized Subprocessors.

4.4 Client may object to Acai Travel’s use of a new subprocessor by emailing compliance@acaitravel.com within fifteen (15) days after receipt of Acai Travel’s notice in accordance with the mechanism set out in Section 4.2, provided such objection is based on reasonable grounds that the new subprocessor does not or cannot comply with the requirements set forth in this Addendum (each, an “Objection”). In such an event, the parties agree to discuss commercial reasonable alternative solutions in good faith to address the Objection, which may include finding a reasonable work around or the parties mutually agreeing to terminate the Agreement and affected Orders without further liability to either party.

4.5 Acai Travel shall be liable to Client for the Personal Data Processing acts and omissions of Authorized Subprocessors to the same extent that Acai Travel would itself be liable under this Addendum had it conducted such acts or omissions.

5. Security of Personal Data

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Acai Travel shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), as set forth in the Security and Privacy Documentation. Acai Travel regularly monitors compliance with these measures.

6. Transfers of Personal Data

6.1 Any transfer of Personal Data made subject to this Addendum from member states of the EEA, Switzerland or the United Kingdom to the United States or any other Third Country (collectively, “Transferred Personal Data”) shall, to the extent such Transferred Personal Data is subject to such Applicable Data Protection Laws, be undertaken by Acai Travel in accordance with (a) the Standard Contractual Clauses, or (b) an alternative recognised compliance standard, including any new version of, or successor to, the Standard Contractual Clauses or Privacy Shield Framework adopted pursuant to Applicable Data Protection Laws (where Acai Travel has adopted such alternative recognised compliance standard) (“Alternative Transfer Solution”).

6.2 This Addendum hereby incorporates by reference the EU Transfer Clauses and the UK International Data Transfer Addendum. For the avoidance of doubt, each party’s signature or other form of acceptance to this Addendum or the Agreement shall be deemed to constitute its respective signature and acceptance of both sets of Standard Contractual Clauses incorporated herein, including their appendices and annexes set forth on Schedule 1 hereto. The parties agree that (i) purely for the purposes of the descriptions in the Standard Contractual Clauses, Acai Travel shall comply with the “data importer” obligations and Client shall comply with the “data exporter” obligations in the Standard Contractual Clauses (notwithstanding that Client may be located outside Europe and/or Client may be acting as a processor on behalf of third party controllers); (ii) with respect to subprocessing, Acai Travel may commission Authorized Subprocessors, in accordance with Section 4 of this Addendum, to Process the Client’s Personal Data in a Third Country, in which case Acai Travel shall execute the Processor to Processor Clauses with any relevant subcontractor (including Affiliates) it appoints on behalf of the Client (with the processing details set out in Schedule 1 of this Addendum (Details of Processing) and the technical and organisational security measures set out in the subcontractor’s relevant information security documentation from time to time applying for the purposes of Annex II or Part 1 of the Standard Contractual Clauses (as relevant)) with any relevant subcontractor (including Affiliates) it appoints on behalf of the Data Controller; and (iii) it is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this Addendum), the Standard Contractual Clauses shall prevail to the extent of such conflict. The parties may also agree to separately execute a copy of the Standard Contractual Clauses, in which case, such signed Standard Contractual Clauses shall govern.

6.3 In the event that the Services are covered by more than one recognised compliance standard as an adequate and lawful transfer mechanism with respect to the Transferred Personal Data, then such Transferred Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (a) an Alternative Transfer Solution (where Acai Travel has adopted such alternative recognised compliance standard and only to the extent such Alternative Transfer Solution complies with Applicable Data Protection Laws with respect to such Transferred Personal Data); and (b) the Standard Contractual Clauses. If requested by Acai Travel, Client agrees that it shall promptly take any action (including, without limitation, electronic acknowledgement or execution of documents) reasonably required for Acai Travel to continue to process the Personal Data as contemplated by this Addendum in compliance with the Applicable Data Protection Laws, including to give full effect to an Alternative Transfer Solution or the Standard Contractual Clauses.

6.4 If and to the extent the Standard Contractual Clauses are no longer recognized by the European Commission, Switzerland, the UK or other applicable local privacy authorities as an adequate and lawful transfer mechanism with respect to the Transferred Personal Data, then Acai Travel will promptly adopt and will abide by an Alternative Transfer Solution; provided, however, that if, after commercially reasonable efforts, Acai Travel is unable to comply with an Alternative Transfer Solution, the parties shall promptly discuss in good faith mutually agreeable additional supplementary, technical, contractual and/or policy measures for Acai Travel to undertake to ensure the Transferred Personal Data is protected to a standard equivalent to that afforded by Applicable Data Protection Laws or, if the parties are unable to mutually agree on such additional measures, Client or Acai Travel may, upon thirty (30) days advance written notice (including email) to the other party terminate the Agreement and affected Orders and Client shall be entitled a refund from Acai Travel or the reseller, as applicable, of the pro-rata amount of any subscription fees actually pre-paid to Acai Travel covering the remainder of the Subscription Term after the effective date of termination.

7. Rights of Data Subjects

7.1 Acai Travel shall, to the extent permitted by law, promptly, and in no event later than ten (10) business days of Acai Travel’s receipt thereof, notify Client upon receipt of a request by a Data Subject to exercise the Data Subject’s individual’s rights under Applicable Data Protection Laws with respect to Personal Data, including where applicable rights of: access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, objection to being subject to Processing that constitutes automated decision-making and/or any other individual’s rights under Applicable Data Protection Laws (such requests individually and collectively “Data Subject Request(s)”).

7.2 Acai Travel shall, at the request of the Client, and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Client in complying with Client’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Client is itself unable to respond without Acai Travel’s assistance and (ii) Acai Travel is able to do so in accordance with all Applicable Data Protection Laws and other applicable legal requirements. Client shall be responsible to the extent legally permitted for any reasonable and documented costs and expenses arising from any such assistance by Acai Travel.

8. Actions and Access Requests; Security Incident Management

8.1 Acai Travel shall, taking into account the nature of the Processing and the information available to Acai Travel, provide Client with reasonable cooperation and assistance where necessary for Client to comply with its obligations under Applicable Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, if any such obligations exist, provided that Client does not otherwise have access to the relevant information. Client shall be responsible to the extent legally permitted for any reasonable and documented costs and expenses arising from any such assistance by Acai Travel.

8.2 Acai Travel shall, taking into account the nature of the Processing and the information available to Acai Travel, provide Client with reasonable cooperation and assistance with respect to Client’s cooperation and/or prior consultation with any Supervisory Authority, where necessary and where required by Applicable Data Protection Laws. Client shall be responsible to the extent legally permitted for any reasonable and documented costs and expenses arising from any such assistance by Acai Travel.

8.3 Acai Travel shall maintain records sufficient to demonstrate its compliance with its obligations under this Addendum and prevailing data security standards applicable to the Processing of Client’s Personal Data in the form of the third-party certifications, reports and audits as set forth in the Security and Privacy Documentation to the extent Acai Travel makes them generally available to its business customers. Acai Travel shall retain such records for a period of three (3) years after the termination of the Agreement. Subject to and without limiting Applicable Data Protection Laws, Client (or Client’s independent, third-party auditor) shall, with reasonable notice to Acai Travel and no more than once per year, have the right to review, audit and copy such records at Acai Travel’s offices during regular business hours, subject to the Confidentiality obligations set forth in the Agreement.

8.4 In the event of a Personal Data Breach, Acai Travel shall, without undue delay, but no later than seventy-two (72) hours from Acai Travel’s actual knowledge of such Personal Data Breach, inform Client of the Personal Data Breach and the categories of Personal Data implicated.

8.5 Promptly following a Personal Data Breach, Acai Travel shall take such steps as Acai Travel in its sole discretion deems necessary and reasonable to identify the cause of such Personal Data Breach and remediate such violation (to the extent that remediation is within Acai Travel’s reasonable control) and to the extent possible, include such information in the notification of the Personal Data Breach to Client.

8.6 In the event of a Personal Data Breach, Acai Travel shall, taking into account the nature of the Processing and the information available to Acai Travel, provide Client with reasonable cooperation and assistance necessary for Client to comply with its obligations under Applicable Data Protection Laws with respect to notifying (i) the relevant Supervisory Authority and (ii) Data Subjects affected by such Personal Data Breach without undue delay.

8.7 The obligations described in Sections 8.5 and 8.6 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Client.

9. Limitation of Liability

9.1 The total liability of each of Client and Acai Travel (and their respective employees, directors, officers, Affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the applicable limitation of liability set forth in the Agreement.

10. Jurisdiction Specific Terms

10.1 To the extent Acai Travel Processes Personal Data of Data Subjects residing in and protected by Applicable Data Protection Laws in one of the jurisdictions listed in Schedule 2 hereto, then the terms specified in Schedule 2 with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this Addendum. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Addendum, the applicable Jurisdiction Specific Terms will take precedence. In case of conflict or ambiguity between the Jurisdiction Specific Terms and the Standard Contractual Clauses, the Standard Contractual Clauses will take precedence.

Schedule 1

Details of Processing/Transfer under the Standard Contractual Clauses

APPENDIX

ANNEX I

A. List of Parties

Data exporter(s):

  1. Name: The Client which enters into the Agreement and the user of the Services pursuant to the Agreement.
    Address: As per the Agreement
    Contact person’s name, position and contact details: As per the Agreement
    Activities relevant to the data transferred under these Clauses: receipt of the Services pursuant to the Agreement
    Signature and date: As per the Agreement
    Role (controller/processor): Controller or Processor, as applicable to the activities of Client

Data importer(s):

  1. Name: Acai Travel Inc.
    Address: 2248 Broadway #1554, New York, 10024, USA
    Contact person’s name, position and contact details: Director of Security; compliance@acaitravel.com
    Activities relevant to the data transferred under these Clauses: performance of the Services pursuant to the Agreement
    Signature and date: As per the Agreement
    Role (controller/processor): Processor

B. Processing Details / Description of Transfer

Categories of Data Subjects whose personal data is processed/transferred:

  • Client’s employees, consultants and contractors who are authorized to access the Services as described in the Agreements (who are natural persons)
  • Client’s customers (who are natural persons)

Categories of Personal Data processed/transferred:

Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client and/or Client’s customers in its and/or their sole discretion, respectively, and which may include, but is not limited to the following categories of Personal Data:

  • Contact details (customer first and last name, customer email address, phone number, physical address, gender, social media handles, etc.)
  • Technical data (IP address, browser information, device ID, etc.)
  • User data (order status and history, support conversations history, etc.)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Acai Travel does not intentionally collect or process any special categories of Personal Data in the provision of the Services. However, special categories of data may from time to time be processed through the Services where the data exporter or its end users choose to include this type of data within the communications it transmits using the Services. As such, the data exporter is solely responsible for ensuring the legality of any special categories of Personal Data it or its end users choose to process using the Services.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

The frequency of the transfer is a continuous basis for the duration of the Agreement and the start date is the Effective Date per the Agreement.

Nature and Purpose of the Processing:

Acai Travel Inc. is a provider of enterprise cloud computing solutions which processes Personal Data upon the Instruction of the data exporter in accordance with the terms of the Agreement and this Addendum entered into by the data exporter and data importer.

Acai Travel will Process Personal Data as necessary to provide the Services as described in Agreement and other relevant documentation and as further instructed by Client in its use of the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

As per Client’s instructions and otherwise pursuant to the retention policy set forth within Acai Travel’s Product Privacy Statement at https://www.acaitravel.com/privacy-security/product-privacy-statement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As specified at www.acaitravel.com/privacy-security/subprocessors

ANNEX II

Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

Description of the technical and organizational security measures implemented by the data importer in accordance with the Standard Contractual Clauses:

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Security and Privacy Documentation applicable to the specific Services purchased by data exporter, as updated from time to time, and accessible via https://www.acaitravel.com/privacy-center. Data importer will not materially decrease the overall security of the Services during a subscription term.

ANNEX III

List of Sub-Processors

As set out in www.acaitravel.com/privacy-security/subprocessors and Section 4 of this Addendum.

Schedule 2

Jurisdiction Specific Terms

  1. Additional Terms for Clients for which the Standard Contractual Clauses apply

1.1 For the purposes of Annex I or Part 1 (as relevant) of such the Standard Contractual Clauses, the parties and processing details set out in 1 (Details of Processing) shall apply, as between Client and Acai Travel.

1.2 The Module Two (Transfer controller to processor) or Module Three (Transfer processor to processor) terms of the EU Transfer Clauses shall apply where relevant.

1.3 For the purposes of Annex II or Part 1 (as relevant) of such Standard Contractual Clauses, the technical and organizational security measures set out in Schedule 1 (Annex III) shall apply.

1.4 For the purposes of Clause 7 of the EU Transfer Clauses, the optional docking clause shall not apply and shall be deleted.

1.5 The parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 shall be provided by Acai Travel to Client only upon Client’s written request (including email).

1.6 For the purposes of Clause 9 of the EU Transfer Clauses, Option 2 shall apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4 (Authorized Subprocessing) of this Addendum. More specifically, Client acknowledges and expressly agrees that (a) Acai Travel’s Affiliates may be retained as subprocessors; and (b) Acai Travel may engage third party subprocessors in connection with the Processing operations covered by the EU Transfer Clauses. Acai Travel shall make available to Client the current list of subprocessors in accordance with Section 4.1 of the Addendum. Pursuant to Clause 9 of the EU Transfer Clauses, Client acknowledges and expressly agrees that Acai Travel may engage new subprocessors as described in, and subject to, Sections 4.2 and 4.3 of the Addendum.

1.7 For the purposes of Part 1 of the UK International Data Transfer Addendum, Acai Travel may terminate the Controller to Processor Clauses pursuant to Section 19 of such Controller to Processor Clauses

  1. Additional Terms for Clients for which the US Privacy Laws apply

Section 2 shall apply only if and to the extent that Acai Travel Processes Personal Data on behalf of Client as part of the Services that is subject to US Privacy Laws (“US Personal Data”). Acai Travel shall, to the extent it is required of Processors, as relevant, by US Privacy Laws:

2.1 Not retain, use, or disclose US Personal Data outside of the direct business relationship with Client or for any purpose other than for the specific Business Purposes described in the Agreement, including retaining, using, or disclosing US Personal Data for a Commercial Purpose other than performing the Business Purposes described in the Agreement;

2.2 Not Sell or Share US Personal Data;

2.3 Except to perform a Business Purpose or as otherwise permitted of Processors by US Privacy Laws, not combine US Personal Data with Personal Data that Acai Travel received from or on behalf of another person or collected from Acai Travel’s own interactions with a consumer;

2.4 Notify Client if Acai Travel can no longer meet its obligations under US Privacy Laws; and

2.5 Upon Client’s reasonable written request, and subject to Acai Travel’s verification of a violation of US Privacy Laws, Acai Travel shall grant Client the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of US Personal Data.