Data Processing Agreement (DPA) – Europe
This page describes the data protection and processing commitments applicable to customers subject to European data protection laws, including the EU General Data Protection Regulation (GDPR). LiteAPI offers a Data Processing Agreement (DPA) that governs the processing of personal data on behalf of customers using LiteAPI services.
Scope and Purpose
The Data Processing Agreement applies where LiteAPI processes personal data on behalf of a customer in the course of providing its services.
The DPA:
- Defines the roles and responsibilities of each party
- Ensures compliance with GDPR Article 28
- Applies to all LiteAPI services that involve the processing of personal data
Roles Under GDPR
For the purposes of the GDPR:
- Customer acts as the Data Controller
- LiteAPI acts as the Data Processor
LiteAPI processes personal data solely on documented instructions from the customer and only to provide and operate the services.
Categories of Data and Data Subjects
Data Subjects
May include:
- End users
- Travelers or guests
- Customer employees or agents
Categories of Personal Data
May include:
- Identifiers (e.g. names, booking references)
- Contact information (where applicable)
- Booking and travel-related data
- Technical and usage data
LiteAPI does not intentionally process special categories of personal data under GDPR.
Processing Activities
LiteAPI processes personal data for the following purposes:
- Providing API-based travel search, booking, and related services
- Operating and maintaining the LiteAPI platform
- Security monitoring and incident prevention
- Customer support and troubleshooting
Data Protection Obligations
LiteAPI commits to:
- Process personal data lawfully, fairly, and transparently
- Implement appropriate technical and organizational security measures
- Ensure confidentiality of personnel with access to personal data
- Restrict access to personal data on a need-to-know basis
Sub-Processors
LiteAPI may engage sub-processors to support infrastructure and service delivery.
LiteAPI ensures that:
- Sub-processors are bound by data protection obligations equivalent to those in the DPA
- Customers are informed of sub-processors upon request
- Sub-processors are subject to appropriate security and confidentiality commitments
International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), LiteAPI relies on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Contractual and technical safeguards consistent with GDPR requirements
Data Subject Rights
LiteAPI supports customers in fulfilling data subject rights requests, including:
- Access
- Rectification
- Erasure
- Restriction of processing
Requests from data subjects should be directed to the customer acting as Data Controller.
Security Incident Notification
LiteAPI will notify customers without undue delay after becoming aware of a personal data breach affecting customer data, in accordance with GDPR requirements.
Notifications will include relevant information available at the time.
Data Retention and Deletion
Personal data is retained only for as long as necessary to provide the services and meet legal or operational obligations.
Upon termination of the services, LiteAPI will delete or anonymize personal data in accordance with the DPA, unless retention is required by law.
Audits and Compliance
LiteAPI makes available information reasonably necessary to demonstrate compliance with GDPR obligations and the DPA.
Audit requests are subject to reasonable notice, scope, and confidentiality obligations.
Availability of the DPA
The formal Data Processing Agreement (DPA) is available upon request and forms part of the contractual documentation governing LiteAPI services.
Customers can request the DPA through their account or support contact.
Questions
For questions related to data protection or the DPA, customers can contact us through the usual support or account channels.
Updated 4 days ago