Data Processing Agreement (DPA)

Scope and Purpose

The Data Processing Agreement applies where Nuitee Connect processes personal data on behalf of a customer in the course of providing its services.

The DPA:

• Defines the roles and responsibilities of each party
• Ensures compliance with GDPR Article 28
• Applies to all Nuitee Connect services that involve the processing of personal data

---

Roles Under GDPR

For the purposes of the GDPR:

• Customer acts as the Data Controller
• Nuitee Connect acts as the Data Processor

Nuitee Connect processes personal data solely on documented instructions from the customer and only to provide and operate the services.

---

Categories of Data and Data Subjects

Data Subjects

May include:

• End users
• Travelers or guests
• Customer employees or agents

Categories of Personal Data

May include:

• Identifiers (e.g. names, booking references)
• Contact information (where applicable)
• Booking and travel-related data
• Technical and usage data

Nuitee Connect does not intentionally process special categories of personal data under GDPR.

---

Processing Activities

Nuitee Connect processes personal data for the following purposes:

• Providing API-based travel search, booking, and related services
• Operating and maintaining the Nuitee Connect platform
• Security monitoring and incident prevention
• Customer support and troubleshooting

---

Data Protection Obligations

Nuitee Connect commits to:

• Process personal data lawfully, fairly, and transparently
• Implement appropriate technical and organizational security measures
• Ensure confidentiality of personnel with access to personal data
• Restrict access to personal data on a need-to-know basis

---

Sub-Processors

Nuitee Connect may engage sub-processors to support infrastructure and service delivery.

Nuitee Connect ensures that:

• Sub-processors are bound by data protection obligations equivalent to those in the DPA
• Customers are informed of sub-processors upon request
• Sub-processors are subject to appropriate security and confidentiality commitments

---

International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), Nuitee Connect relies on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Contractual and technical safeguards consistent with GDPR requirements

---

Data Subject Rights

Nuitee Connect supports customers in fulfilling data subject rights requests, including:

• Access
• Rectification
• Erasure
• Restriction of processing

Requests from data subjects should be directed to the customer acting as Data Controller.

---

Security Incident Notification

Nuitee Connect will notify customers without undue delay after becoming aware of a personal data breach affecting customer data, in accordance with GDPR requirements.

Notifications will include relevant information available at the time.

---

Data Retention and Deletion

Personal data is retained only for as long as necessary to provide the services and meet legal or operational obligations.

Upon termination of the services, Nuitee Connect will delete or anonymize personal data in accordance with the DPA, unless retention is required by law.

---

Audits and Compliance

Nuitee Connect makes available information reasonably necessary to demonstrate compliance with GDPR obligations and the DPA.

Audit requests are subject to reasonable notice, scope, and confidentiality obligations.

---

Availability of the DPA

The formal Data Processing Agreement (DPA) is available upon request and forms part of the contractual documentation governing Nuitee Connect services.

Customers can request the DPA through their account or support contact.

---

Questions

For questions related to data protection or the DPA, customers can contact us through the usual support or account channels.