Data Processing Agreement

Last Updated: December 10, 2024

At www.viqal.com, the privacy of our visitors and of our customers' guests is one of our main priorities. This Data Processing Agreement sets out the types of personal data that are collected and recorded by www.viqal.com on behalf of its customers and how that data is processed. If you have additional questions or require more information, do not hesitate to contact us.

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between

Viqal (Localpepper B.V.)
Barbara Strozzilaan 201
1083HN Amsterdam
(the “Data Processor”)

and

[Customer Name and Address]

(the “Data Controller”)

Together as the “Parties”

WHEREAS

(A) The Customer acts as a Data Controller.

(B) The Data Controller wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor (Viqal).

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules.
1.1.2 “Subprocessor” means any third-party service provider appointed by the Data Processor to assist in processing personal data on behalf of the Data Controller.
1.1.3 “Personal Data” means any information relating to an identified or identifiable individual, where such information is Processed by the Data Processor on behalf of the Data Controller in connection with the Principal Agreement.
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
1.1.5 “EEA” means the European Economic Area.
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679.
1.1.8 “Data Transfer” means:
(i) a transfer of Personal Data from the Data Processor to a Subprocessor; or
(ii) an onward transfer of Personal Data from a Subprocessor to another Subprocessor, or between two establishments of a Subprocessor, in each case, where such transfer would be prohibited by Data Protection Laws.
1.1.9 “Services” means the concierge services Viqal provides.
1.1.10 “Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, as defined in GDPR Article 4(12). A Breach does not include errors, inaccuracies, or omissions in the delivery of services or communications provided by the Data Processor’s AI concierge, including but not limited to incorrect pricing, unless such errors involve a Breach of Personal Data.

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Personal Data

2.1 The Data Processor shall:

  • Comply with all applicable Data Protection Laws in the Processing of Personal Data.
  • Not Process Personal Data other than on the Data Controller’s documented instructions.
  • Maintain a record of all categories of processing activities conducted on behalf of the Data Controller, as required of processors under Article 30(2) of the GDPR.

2.2 The Data Controller instructs the Data Processor to Process Personal Data to the extent necessary to provide the Services under the Principal Agreement and this Agreement.

2.3 The Data Processor shall not be held liable for inaccuracies, errors, or omissions in responses generated by the AI concierge unless such errors constitute a Breach as defined under Section 1.1.10. Specifically:

  • Operational errors, such as incorrect pricing, discount application, or service information, are excluded from liability unless they directly involve the unauthorized Processing of Personal Data.
  • The Data Controller acknowledges that these operational inaccuracies are an inherent risk of AI technologies and do not constitute a violation of GDPR unless Personal Data is affected as per the defined Breach.

3. Data Processor Personnel

The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of the Data Processor or of any Subprocessor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement. The Data Processor shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Management of Customer Chats

4.1 Viqal manages chat communications between its customers and their guests. This involves collecting, processing, and storing chat data, which may include personal information provided by guests during their interactions with the virtual concierge services.

4.2 Types of Information Collected:

  • Guest names
  • Contact details (e.g., phone numbers, email addresses)
  • Booking details (e.g., reservation numbers, dates of stay)
  • Communication content (e.g., inquiries, responses, feedback)
  • Any other information guests voluntarily provide during chat interactions

4.3 Purpose of Data Collection:

  • To facilitate and manage guest communication on behalf of our customers
  • To improve and personalize the guest experience
  • To handle inquiries, requests, and provide support
  • For internal analytics and service improvement

4.4 Data Retention:
Retention of chat data shall be determined by the Data Controller’s documented instructions or applicable legal obligations. In the absence of such instructions, the Data Processor shall retain chat data for a default period of 12 months from the date of collection. After the retention period, the Data Processor shall securely delete the data unless required to retain it under applicable legal obligations.

4.5 Anonymized Analytics Data:
The Data Processor may retain aggregated and anonymized data derived from chat communications for internal analytics and service improvement purposes. Such data shall not contain any Personal Data and shall not be attributable to any individual Data Subject.

4.6 Marketing Messages:
The Data Processor facilitates the processing of marketing-related messages as per the documented instructions of the Data Controller. The Data Controller is solely responsible for obtaining consent for marketing purposes and ensuring compliance with GDPR.

4.7 Data Protection Measures:

  • Implementation of encryption for data in transit and at rest
  • Regular security audits and updates to protect against unauthorized access
  • Compliance with relevant data protection regulations, including GDPR
  • Providing guests with the ability to request access, correction, or deletion of their personal information

4.8 Guest Rights:
The Data Processor shall assist the Data Controller in fulfilling Guest Rights requests within a reasonable timeframe, not exceeding 30 days from documented instruction.

5. Security

5.1 Backups: Viqal performs regular automatic data backups on daily, weekly, and monthly schedules to mitigate the risk of data loss or corruption. Backups are verified to confirm that they can be restored and that their contents are intact. Periodically, backups are placed in cold storage, separate from the production environment, so that no single point of failure can affect both live data and its backups and so that recovery remains possible after a disaster.

5.2 Recovery: Viqal follows a comprehensive disaster recovery approach to mitigate potential failures and interruptions. This includes multiple redundancies to enable immediate system and service recovery. A comprehensive disaster recovery plan is maintained, focusing on business continuity, defining Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to minimize operational impacts. Regular recovery drills are conducted to ensure readiness for real scenarios.

5.3 Data Centers: Viqal operates on Amazon Web Services (AWS) in Frankfurt, Germany, which complies with high industry standards to assure the availability, confidentiality, and integrity of your data.

5.4 Encryption: Viqal uses standardized encryption practices to safeguard data at rest and in transit. Data at rest is encrypted using industry-standard algorithms such as AES-256. Data in transit between users and Viqal's servers is protected with TLS. A key management process, including regular key rotation, is maintained so that a compromised or retired key does not expose data encrypted after its rotation.

5.5 Access: Viqal follows a strict least-privilege principle for system access. Access to sensitive data is granted only on a need-to-know basis, and all access logs are monitored for abnormal activities. Regular audits of access controls and user privileges ensure ongoing security. Access permissions are regularly revised, and outdated privileges are promptly revoked.

6. Subprocessing

6.1 The Data Processor has appointed the following subprocessors for processing Personal Data:

  • Amazon Web Services Inc. for database services, hosted in Frankfurt, Germany.
  • OpenAI LLC for AI-generated answers, hosted in the United States.
  • Twilio Ireland Limited for creating and sending WhatsApp messages to guests, hosted in the United States.

6.2 The Data Processor shall not appoint (or disclose any Personal Data to) any other Subprocessor without the prior written consent of the Data Controller.

6.3 Notification of Changes to Subprocessors:
The Data Processor shall notify the Data Controller in writing of any intended changes concerning the addition or replacement of subprocessors. The Data Controller shall have 10 business days to raise objections.

6.4 Subprocessor Audit Rights:
Audit rights under this Agreement do not extend to Subprocessors. However, the Data Processor shall provide sufficient evidence of Subprocessor compliance, such as certifications or audit reports, to satisfy the Data Controller's obligations under GDPR. The Data Processor shall:

  • Require all Subprocessors to submit to audits or provide certifications to demonstrate their compliance with GDPR and the terms of this Agreement.
  • Upon request, provide the Data Controller with audit summaries or certifications received from Subprocessors to satisfy the Controller’s audit obligations under GDPR.
  • Facilitate Controller-subprocessor communication if additional assurances are required, subject to reasonable restrictions for confidentiality and security.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligations, as reasonably understood by the Data Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2 The Data Processor shall:

  • Promptly notify the Data Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
  • Ensure that it does not respond to that request except on the documented instructions of the Data Controller or as required by applicable laws to which the Data Processor is subject, in which case the Data Processor shall, to the extent permitted by applicable laws, inform the Data Controller of that legal requirement before the Data Processor responds to the request.

8. Personal Data Breach

8.1 The Data Processor shall notify the Data Controller of a Personal Data Breach without undue delay after becoming aware of it and, where feasible, within 72 hours, so that the Data Controller can meet its own obligation under GDPR Article 33 to notify the Supervisory Authority within 72 hours of becoming aware of the breach.

8.2 The notification shall include sufficient details to enable the Data Controller to comply with its obligations under GDPR, including:

  • The nature of the breach.
  • Categories and approximate number of affected Data Subjects.
  • Likely consequences of the breach.
  • Measures taken or proposed to mitigate the breach.

8.3 Compensation for damages resulting from a breach shall be subject to the aggregate liability cap defined in Section 13, regardless of the number of affected Data Controllers or Data Subjects.

9. Data Protection Impact Assessment and Prior Consultation

9.1 The Data Processor shall proactively assist the Data Controller with Data Protection Impact Assessments (DPIAs) where required under GDPR, including:

  • Providing templates and standard guidance documents to facilitate DPIA preparation.
  • Offering recommendations for mitigating risks identified during the DPIA process.
  • Conducting collaborative risk analyses and assessments to address specific processing activities.
  • Providing necessary technical and organizational documentation to demonstrate compliance with GDPR Articles 35 and 36.
  • Identifying and addressing potential high-risk processing activities in advance through regular reviews of processing operations.

9.2 In instances where the Data Controller identifies a potential high-risk processing activity, the Data Processor shall be notified within 5 business days. Upon such notification, the Data Processor will assist in conducting the DPIA by:

  • Scheduling risk analysis sessions within 10 business days of receiving the request.
  • Assigning a dedicated compliance contact to support the Controller's DPIA process.
  • Providing tailored recommendations to mitigate risks specific to the processing activity.

10. Deletion or Return of Personal Data

10.1 Subject to this section 10, the Data Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Personal Data.

10.2 If immediate deletion of Personal Data is not feasible due to backups or other technical constraints, the Data Processor shall ensure that the data is securely archived, is inaccessible for any Processing other than its deletion, is not restored to production systems, and is deleted as soon as the backup expires or is overwritten under the Data Processor's backup rotation schedule.

11. Audit Rights

11.1 The Data Processor shall, upon request, make available to the Data Controller all information necessary to demonstrate compliance with this Agreement and applicable Data Protection Laws.

11.2 Scope and Frequency of Audits:
The Data Processor agrees to allow audits initiated by the Data Controller:

  • Once per calendar year as part of regular compliance monitoring.
  • In the event of significant changes to processing activities or international data transfer mechanisms.
  • Upon documented suspicion of a breach or non-compliance, provided reasonable notice is given.

Audits shall include:

  • Access to documentation and technical evidence of compliance with GDPR and this Agreement.
  • Review of security measures and technical safeguards.
  • Evidence of Subprocessor compliance, such as certifications or third-party audit reports.

Where applicable, virtual audits or evidence-sharing (e.g., through certification reports) may be conducted to minimize disruption. In urgent situations involving breaches or non-compliance, the Data Controller may request an expedited audit, with specific scope and terms agreed upon in advance.

11.3 The Data Processor shall submit a certification of compliance or audit report to the Data Controller within 30 days after the completion of the audit.

11.4 Subprocessor Audit Limitations:
Audit rights under this Agreement do not extend to Subprocessors. However, the Data Processor shall provide sufficient evidence, such as certifications, third-party audit reports, or relevant documentation, to demonstrate Subprocessor compliance with GDPR.

11.5 The Data Controller shall bear all costs associated with audits unless a material breach of this Agreement or applicable Data Protection Laws is identified.

11.6 The Data Processor may satisfy audit requests by providing relevant certifications, third-party audit reports, or other equivalent documentation demonstrating compliance.

12. Data Transfers

12.1 The Data Processor may not transfer or authorize the transfer of Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Data Controller. If Personal Data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the Personal Data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.

12.2 Any transfer of Personal Data to a Third Country or to an international organization by the Data Processor will be done only on the basis of documented instructions from the Data Controller or in order to fulfill a specific requirement under local law to which the Data Processor is subject and will take place in compliance with Data Protection Laws. The Data Processor may transfer Personal Data to its Subprocessors located in a Third Country, subject to the notification requirements of Section 6.

12.3 The Data Controller agrees that where the Data Processor engages a Subprocessor for carrying out specific processing activities under the Agreement and those activities involve a transfer of Personal Data to any Third Country, the Data Processor and the Subprocessor can ensure compliance with Data Protection Laws by using the Standard Contractual Clauses (SCCs) and, where relevant, the UK International Data Transfer Addendum (UK Addendum), provided the conditions for the use of those SCCs are met.

12.4 The Data Processor shall ensure that any transfer of Personal Data from the UK to a Third Country complies with the UK Data Protection Laws, including but not limited to the UK GDPR and the Data Protection Act 2018. This may include the use of the UK Addendum to the SCCs or other appropriate safeguards as permitted under UK Data Protection Laws.

12.5 For transfers of Personal Data from the European Economic Area (EEA) to the United States, South America, or other regions outside the EEA, the Data Processor shall ensure compliance with EU Data Protection Laws by implementing:

  • Standard Contractual Clauses (SCCs).
  • Binding corporate rules or other appropriate safeguards.

12.6 Subprocessor Liability for GDPR Compliance:
The Data Processor shall ensure that any transfer of Personal Data to a Subprocessor complies with GDPR requirements, including the use of appropriate safeguards such as Standard Contractual Clauses (SCCs) or other lawful mechanisms for international transfers. The Data Processor shall ensure that Subprocessors agree in writing to:

  • Comply with GDPR and other applicable Data Protection Laws.
  • Assume liability for any GDPR-related breaches caused by their actions or omissions.

The Data Processor shall not be liable for breaches caused by Subprocessors, provided the Data Processor has exercised reasonable care in selecting and monitoring such Subprocessors to ensure their compliance with GDPR.

12.7 Any compensation claims related to breaches involving Subprocessors shall remain subject to the aggregate liability cap outlined in Section 13.

12.8 The Data Processor shall promptly notify the Data Controller if it becomes aware of any changes to the Data Protection Laws that may impact the legality of any international data transfers under this Agreement and shall work with the Data Controller to implement appropriate measures to address such changes.

12.9 The Data Processor shall ensure that any transfer of Personal Data to a Third Country or an international organization, including but not limited to the United States and South America, will be subject to appropriate safeguards, such as the use of Standard Contractual Clauses, binding corporate rules, certification mechanisms, or other legally recognized instruments for international data transfers.

13. Liability and Compensation

13.1 The Data Processor’s total liability under this Agreement, whether arising from contract, tort, or otherwise, shall be limited to €10,000 in aggregate for all claims arising from a single breach or related set of breaches, regardless of the number of claims, claimants, or affected parties, including hotel groups, individual hotels, or data subjects.

13.2 The Data Processor’s total liability for all claims under this Agreement in any 12-month period shall not exceed €10,000 in aggregate.

13.3 The Data Processor shall not be liable for breaches or damages caused by Subprocessors, provided the Data Processor has exercised reasonable care in selecting and monitoring such Subprocessors to ensure compliance with GDPR.

13.4 The liability cap set out in this Agreement shall not apply in cases of gross negligence or willful misconduct by the Data Processor.

13.5 The Data Processor shall not be held liable for:

  • Errors, inaccuracies, or omissions in responses generated by the AI concierge, including but not limited to pricing discrepancies, discounts, promotions, or other business-related decisions, unless such errors constitute a Breach of Personal Data as defined in Section 1.1.10.
  • Indirect, incidental, or consequential damages, including lost profits, revenue, or goodwill, regardless of whether such losses arise from the use of the Data Processor’s services.

The Data Processor’s liability is limited to claims made by the Data Controller under this Agreement and shall not extend to direct claims by Data Subjects.

13.6 Compensation for damages resulting from a breach shall only apply to breaches as defined in Section 1.1.10 and shall remain subject to the aggregate liability cap outlined in Section 13.1.

14. Legal Basis for Processing

14.1 The Data Processor shall only process Personal Data based on the following legal bases, as defined in GDPR Article 6:

  • Processing is necessary for the performance of a contract with the Data Subject.
  • Processing is based on the legitimate interests of the Data Controller, provided these do not override the rights and freedoms of the Data Subject.

14.2 The Data Controller is responsible for ensuring that a valid legal basis exists for each processing activity under this Agreement and for providing documented instructions to the Data Processor accordingly.

14.3 The Data Processor shall not be responsible for verifying the validity of the legal basis provided by the Data Controller but shall ensure that all processing activities align with the instructions received from the Data Controller.

15. General Terms

15.1 Confidentiality: Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  • (a) Disclosure is required by law;
  • (b) The relevant information is already in the public domain.

15.2 Notices: All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address set out in the heading of this Agreement.

16. Governing Law and Jurisdiction

16.1 This Agreement is governed by the laws of the Netherlands.

16.2 Any dispute arising in connection with this Agreement, which the Parties are unable to resolve amicably, shall be submitted to the exclusive jurisdiction of the courts of Amsterdam, Netherlands, subject to possible appeal to higher courts.

16.3 For cross-border disputes where the courts of the Netherlands do not have jurisdiction, the Parties agree to resolve the dispute through arbitration under the rules of the International Chamber of Commerce (ICC). The arbitration shall be conducted in English, and the seat of arbitration shall be Amsterdam, Netherlands.

16.4 Arbitration proceedings shall be initiated within 30 days of a dispute being declared and resolved within 90 days unless otherwise agreed by the Parties.

16.5 Arbitrators shall be appointed in accordance with the rules of the International Chamber of Commerce (ICC).

Contact Us:

For any inquiries or concerns regarding the handling of personal information within chat communications, guests or our customers can contact us at customer-service@viqal.com.
