Data Processing Addendum (DPA)

Last updated: May 20, 2026

1. Parties & Scope

This Data Processing Addendum ("DPA") is entered into between the customer ("Controller") and BECKO - TRAVEL OS LTD ("Processor", "Becko"). It forms part of, and is subject to, the Terms of Service and governs the processing of personal data by Becko on behalf of the Controller in the course of providing the Service.

This DPA applies to the extent personal data subject to the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, or comparable data-protection laws is processed by Becko on behalf of the Controller.

2. Definitions

Terms such as "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Sub-processor", and "Supervisory Authority" have the meaning given in the GDPR.

3. Subject Matter & Duration

  • Subject matter: Provision of the Becko travel CRM, messaging, automation, and analytics platform.
  • Duration: For the term of the underlying agreement plus the retention periods stated in the Privacy Policy.
  • Nature & purpose: Hosting, storing, transmitting, analysing, and processing customer/end-user data to deliver the Service.
  • Categories of data subjects: Controller's customers, leads, employees, contractors, and other end users.
  • Categories of personal data: Contact details, communication content (Messenger/Instagram/WhatsApp/email), booking and travel data, payment metadata, lead form data, AI conversation context, and usage logs.

4. Processor Obligations

Becko shall:

  • Process personal data only on the Controller's documented instructions, including configuration within the platform and the Terms of Service
  • Ensure persons authorised to process personal data are subject to confidentiality obligations
  • Implement the technical and organisational security measures described in Section 7
  • Assist the Controller, by appropriate measures, in responding to Data Subject requests
  • Assist the Controller with data protection impact assessments and prior consultations where required
  • Notify the Controller without undue delay (and in any event within 72 hours where feasible) on becoming aware of a Personal Data Breach
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR

5. Controller Obligations

The Controller represents and warrants that it:

  • Has a valid lawful basis for collecting, sharing, and instructing Becko to process the personal data
  • Has provided all necessary notices and obtained all necessary consents from data subjects
  • Will not upload categories of data prohibited by our Privacy Policy / Acceptable Use Policy unless explicitly permitted in writing
  • Is responsible for managing user accounts, permissions, and credentials within its workspace

6. Sub-processors

The Controller provides general written authorisation for Becko to engage sub-processors to deliver the Service. A current list is published at /subprocessors and includes (without limitation) Supabase, Meta Platforms, OpenAI, Resend, AWS, Google Cloud, and RapidAPI providers.

Supabase is engaged as a sub-processor on a dedicated-project-per-Controller basis. Each Controller's database, authentication, file storage, edge functions and secrets are provisioned inside a Supabase project exclusive to that Controller, with no shared database, schema, credentials or backend code between Controllers.

Becko will notify the Controller of changes to sub-processors via email or via the subprocessor page at least 14 days in advance. The Controller may object on reasonable data-protection grounds; in that case the parties will discuss in good faith and, if no resolution is reached, the Controller may terminate the affected service.

Becko remains liable for the acts and omissions of its sub-processors to the same extent as for its own.

7. Security Measures

  • Encryption in transit (TLS 1.2+) and at rest
  • Role-based access control and least-privilege policies
  • Multi-factor authentication for administrative access
  • Audit logging of access and changes
  • Tenant isolation by dedicated Supabase project per Controller (separate database, authentication, storage, edge functions and secrets); intra-tenant brand isolation via Row-Level Security and brand_id checks where the Controller operates multiple brands
  • Continuous monitoring, abuse detection, and rate limiting
  • Backup, disaster-recovery, and business-continuity procedures
  • Vendor security review and contractual data-protection terms with sub-processors
  • Personnel training and confidentiality undertakings

8. International Transfers

Where personal data is transferred outside the UK or EEA, the parties incorporate by reference the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum issued by the ICO, with Becko as data importer where applicable. The parties agree to the applicable modules and complete the annexes by reference to this DPA, the Privacy Policy, and the subprocessor list.

9. Audit Rights

Becko will make available, upon reasonable written request and no more than once per year, summary security documentation, the sub-processor list, and responses to standard security questionnaires (e.g. SIG-Lite, CAIQ). Where required by Article 28(3)(h) GDPR, the Controller may conduct an audit subject to: (a) 30 days' prior written notice; (b) confidentiality undertakings; (c) audits being limited to information strictly necessary; and (d) the Controller bearing all costs.

10. Data Subject Requests

The Controller is responsible for responding to data subject requests. Becko will, taking into account the nature of the processing, provide reasonable technical assistance through self-service tooling (export, deletion) and, where necessary, additional assistance at the Controller's cost.

11. Personal Data Breach Notification

Becko will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's data, and will provide information reasonably required to meet the Controller's notification obligations under Articles 33 and 34 GDPR.

12. Return or Deletion

Upon termination of the Service, Becko will, at the Controller's choice, delete or return personal data, subject to legal retention requirements and the retention periods specified in the Privacy Policy. Where the Controller chooses deletion, the dedicated Supabase project provisioned for the Controller is destroyed in its entirety, including the database, authentication users, storage objects, edge functions and secrets. Backups containing personal data will be deleted in accordance with our backup retention schedule.

13. Liability & Order of Precedence

The liability provisions of the Terms of Service apply to this DPA. In the event of conflict between this DPA and the Terms of Service in respect of data protection matters, this DPA prevails.

14. Acceptance & Contact

This DPA is automatically incorporated into and forms part of the Terms of Service. Customers requiring a counter-signed copy on Becko letterhead may request one from privacy@becko.app.