Data Processing Addendum
This Data Processing Addendum is between Serko Ltd or its relevant subsidiary (‘Serko’) and the person identified as the ‘Customer’ or ‘Client’ in the Agreement (‘Customer’) and comes into effect on the date which Serko commences the processing of Customer Personal Data in the provision of the Licensed Product (‘Commencement Date’).
1. Application and scope
1.1 Scope: Serko and Customer are parties to the Agreement, which requires Serko to process Customer Personal Data on behalf of the Customer. This Data Processing Addendum (‘Addendum’) sets out the terms, requirements and conditions on which Serko will process Customer Personal Data under the Agreement.
1.2 Term: This Addendum shall be deemed to commence, and form part of the Agreement, on the Addendum Commencement Date. This Addendum will terminate immediately upon termination of the Agreement.
1.3 Order of precedence: If there is any conflict between this Addendum and the Agreement, this Addendum will prevail.
1.4 Amendments: No amendment to this Addendum will be effective unless it is in writing and signed by both parties.
1.5 Liability: The parties’ respective liability under or in connection with this Addendum is subject to the limitations on liability contained in the Agreement.
2. Data Processing Particulars
2.1 Data Processing Particulars: The parties acknowledge and agree that the table at Schedule 1 to this Addendum sets out an accurate description of the Data Processing Particulars.
2.2 Updates: Either party may from time to time propose in writing (including by email) updates to the Data Processing Particulars in order to ensure they remain accurate, and neither party will unreasonably withhold its consent to any change reasonably necessary.
3. Compliance with data protection laws
3.1 Serko’s compliance with Data Protection Laws: When carrying out the Services and/or otherwise processing any Customer Personal Data on behalf of the Customer under the Agreement, Serko will comply with all obligations imposed on Serko under Data Protection Laws.
3.2 Customer’s compliance with Data Protection Laws: Customer must comply with all Data Protection Laws applicable to Customer’s collection, use, disclosure and processing of Customer Personal Data.
4. Customer obligations
4.1 Customer instructions: Customer warrants that it is, and will at all times remain, duly authorised to give data processing instructions provided under and in relation to this Addendum and the Agreement.
4.2 Customer obligations: Customer must: (a) ensure that Customer has all necessary notices, permissions, and/or consents in place to enable the lawful collection and use of Customer Personal Data by Serko in accordance with the Agreement, this Addendum, and otherwise as contemplated by the functionality of the Licensed Product; (b) take reasonable steps to ensure Customer Personal Data is accurate, up to date, complete and relevant; and (c) promptly notify Serko if Customer becomes aware of any breach by Customer of any Data Protection Laws in connection with Customer Personal Data and/or any complaint, request, or other matter which may adversely affect Serko’s reputation arising from or in connection with Customer’s use of Customer Personal Data (regardless of whether such use complies with Data Protection Laws).
5. Serko’s data processing
5.1 Serko’s use of Customer Data: Serko may use Customer Personal Data: (a) for the purposes of providing the Services and the Licensed Product and all of its functionality; (b) for the purposes of undertaking maintenance, support, upgrades and revisions of the Licensed Product and its functionality, and detecting, investigating and protecting against security incidents and fraudulent, malicious and illegal activity; (c) to produce aggregated and anonymised data, analytics, statistics, and reports regarding the use of the Licensed Product, including to understand how it is being used and performing for maintenance and quality assurance purposes, and to improve and develop new services; (d) to exercise its rights and comply with its obligations under the Agreement and this Addendum; and (e) where permitted to do so in accordance with Applicable Laws.
6. Security
6.1 Technical and organisational measures: Serko will implement and maintain reasonable administrative, technical, and physical data security practices to protect Customer Personal Data against Information Security Incidents, in each case which ensure a level of security appropriate to the nature of the Customer Personal Information and to ensure confidentiality and integrity of Customer Personal Information (‘Security Measures’).
6.2 Data security: Each party must comply with its security obligations under the Agreement.
7. Confidentiality
7.1 Confidentiality: Serko will maintain the confidentiality of Customer Personal Data and will not disclose Customer Personal Data to third parties unless Customer, this Addendum, or the Agreement authorises such disclosure, or unless such disclosure is otherwise required by Applicable Law.
7.2 Persons processing: Serko will ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality that is consistent with the terms set out in this Addendum and the Agreement.
8. Information security incidents
8.1 Information Security Incident: If an Information Security Incident occurs: (a) Serko will notify Customer without undue delay after becoming aware of the Information Security Incident; (b) Serko will promptly take reasonable steps to identify and contain the Information Security Incident; (c) each party will co-ordinate with the other party to investigate the Information Security Incident and provide all reasonable cooperation; (d) Customer will upon reasonable request provide Serko with copies of communications with any Regulatory Authority and/or Data Subjects in connection with the Information Security Incident; and (e) Customer will not identify Serko as being involved in the Information Security Incident other than: (i) if required to do so by Data Protection Laws; or (ii) with Serko’s prior approval (which approval may be given or withheld in Serko’s absolute discretion).
8.2 No admission: Any notification of an Information Security Incident is not, and will not be construed as, an automatic acknowledgement by Serko or any Subprocessor of any fault or liability in respect of it.
9. Disposal and retrieval
9.1 Disposal of Customer Data: Serko will destroy and/or anonymise all Customer Personal Data, using methods which are consistent with Good Industry Practice: (a) in accordance with Serko’s retention policy; (b) otherwise, at Customer’s reasonable request during the term of the Agreement; (c) within 90 Business Days after the termination of the Agreement; and (d) except to the extent that Serko is required by Applicable Law to maintain a copy of that Customer Personal Data.
9.2 Data retrieval: Upon termination of the Agreement, Serko will at Customer’s request provide Customer with a copy of the Customer Personal Data that is held on the relevant Licensed Product by Serko in such format as Serko reasonably considers appropriate, provided that Customer: (a) makes such request within 20 Business Days after the date of the earlier of: (i) the termination of the relevant Licensed Product; or (ii) termination of the Agreement; and (b) has paid Serko in full all amounts due and payable under the Agreement; and (c) Serko may charge Customer a fee, based on its then current standard rates, to collect, retrieve, and provide the Customer Personal Data that is the subject of Customer’s request.
10. Subprocessors and third parties
10.1 Subprocessors: Customer acknowledges that Serko’s list of Subprocessors is available to view by following the link here at serko.com/legal/serko-subprocessor-list (‘Serko Subprocessor List’). Customer authorises Serko to engage the Subprocessors listed in the Serko Subprocessor List provided it does so on written terms which require such Subprocessor to protect Customer Personal Data on terms no less onerous than those set out in this Addendum, as required under Applicable Data Protection Laws.
10.2 Notification of Changes: Customer may sign up to receive email notification of changes to the Serko Subprocessor List by signing up to receive updates on the Serko Subprocessor List page (‘Change Notice’).
10.3 Liability: Serko will be liable for the acts and omissions of any Subprocessor in relation to the processing of Customer Personal Data under this Addendum as if they were the acts or omissions of Serko.
11. Data subject access requests
11.1 Subject Access Requests: Serko: (a) will notify Customer if Serko receives a request from a Data Subject to exercise any rights under Data Protection Laws (other than a request that can be fulfilled using the functionality of the Licensed Product) (‘Subject Access Request’); and (b) will, where technically feasible, provide reasonable assistance to the Customer in responding to a Subject Access Request, in which case Serko may charge Customer for such assistance (other than to the extent that such assistance is only required by reason of Serko’s breach of Data Protection Laws).
12. Audit
12.1 PCI Audit: Customer acknowledges that Serko is audited on an annual basis by an external PCI Qualified Security Assessor for compliance with the PCI DSS Standards and agrees that such PCI Compliance will be sufficient in place of an audit of Serko by Customer.
12.2 Attestation of Compliance: Upon Customer’s written request, no more than once annually, Serko will make available to Customer an Attestation of Compliance in the form provided by the PCI Security Standards Council, or other similar evidence of its compliance with such PCI Standards (‘PCI Compliance’), subject to the confidentiality provisions of the Agreement.
13. Assistance
13.1 Assistance: Serko will provide reasonable assistance to Customer (taking into account the nature of processing and the information available to Serko), at Customer’s cost, to enable Customer to: (a) conduct data protection impact assessments with respect to Customer Personal Data, where required to comply with Data Protection Laws; and (b) respond to enquiries or consultations with supervisory authorities or regulators with respect to Customer Personal Data.
14. GDPR (if applicable)
14.1 Customer instructions: Where GDPR or UK GDPR applies, Serko will process Customer Personal Data on documented instructions from Customer (including this Addendum and the Agreement), unless required under Applicable Law (in which case, Serko shall inform Customer unless that Applicable Law prohibits Serko from doing so).
14.2 Data exports: Serko will only onwards internationally transfer Customer Personal Data if such transfer occurs in accordance with this Addendum and via an approved transfer method under Articles 44 to 49 of GDPR or UK GDPR as applicable.
14.3 Right to Object to Subprocessor: Where Customer has a right to object to the appointment or replacement of a Subprocessor under GDPR or UK GDPR, Customer may notify Serko in writing of reasonable and legitimate objections to the addition or replacement of a Subprocessor within 20 days of Serko providing the Change Notice to Client. In which case: (a) the parties will, at Serko’s request, discuss in good faith how to resolve Customer’s objections to a change notified under this clause; and (b) Serko will use commercially reasonable endeavours to address the Customer’s objection by (i) cancelling its plans to use the Subprocessor to process Customer Personal Data; (ii) offering an alternative to provide the Services and/or Licensed Product (as the case may be) without the Subprocessor; or (iii) taking corrective steps to overcome the objection and proceed to use the Subprocessor. If Customer does not notify Serko of any reasonable and legitimate objections to the addition or replacement of a Subprocessor within 20 days of the Change Notice, Customer shall be deemed to have accepted the addition or replacement of such Subprocessor.
15. USA privacy laws (if applicable)
15.1 Service Provider: To the extent Serko processes Customer Personal Data under the CCPA and CPRA, in the provision of the Services to Customer, Serko acts as a Service Provider.
15.2 Contracted Business Purposes: Where the CCPA and CPRA apply, Serko shall only use, disclose, or otherwise process Customer Personal Data on behalf of Customer for the Contracted Business Purposes, unless otherwise permitted by the CCPA, CPRA, or required by Applicable Law.
15.3 Serko’s obligations: To the extent Serko processes Customer Personal Data under the CCPA and CPRA, Serko must not: (a) sell (as defined in the CCPA and CPRA) Customer Personal Data; (b) retain, use, or disclose the Customer Personal Data for any purpose other than for the Contracted Business Purposes unless otherwise permitted by the CCPA, CPRA, or required by Applicable Law; (c) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between the parties unless otherwise permitted by the CCPA, CPRA or required by Applicable Law.
15.4 Certification: Serko certifies that it understands the requirements set out in clause 15.3 (Serko’s obligations) and it shall comply with them.
15.5 Non-compliance: Serko shall notify Customer if it makes a determination that it can no longer comply with its obligations under the CPRA when processing Customer Personal Data on behalf of the Customer under the Agreement.
15.6 Remediation: Both parties have the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, where the CCPA and CPRA apply.
16. General
16.1 Amendments: No amendment to this Addendum will be effective unless it is in writing and signed by both parties.
16.2 Governing Law: This Addendum will be governed by the governing law that applies to the Agreement.
17. Definitions and interpretation
17.1 Rules of interpretation: The same rules of interpretation that apply to the Agreement apply to the interpretation of this Addendum.
17.2 Definitions: In this Addendum, unless the context otherwise requires:
‘Agreement’ means the agreement for the distribution or provision of online booking tool services and/or expense management services between Serko and the Customer pursuant to the General Terms or otherwise.
‘Applicable Law’ means any legislation, regulation, code or guidance which is binding on a party.
‘Business Day’ means a day (other than Saturday or Sunday) on which registered banks are open for business in the usual place of business of Serko, but excludes any day in the period from 24 December in any year to 5 January in the following year (both inclusive).
‘CCPA’ means the California Consumer Privacy Act 2018, as amended from time to time.
‘CPA’ means the Colorado Privacy Act 2023.
‘CPRA’ means the California Privacy Rights Act 2020.
‘CTDPA’ means the Connecticut Data Privacy Act 2023.
‘Contracted Business Purposes’ means the following purposes: (a) providing the Services and the Licensed Product and all of its functionality; (b) undertaking maintenance, support, upgrades and revisions of the Licensed Product and its functionality, and detecting, investigating and protecting against security incidents and fraudulent, malicious and illegal activity; (c) producing aggregated and anonymised data, analytics, statistics, and reports regarding the use of the Services and Licensed Product, including to understand how it is being used and performing for maintenance and quality assurance purposes, and to improve and develop new services; (d) exercising Serko’s rights and complying with its obligations under the Agreement; and (e) complying with Applicable Law.
‘Customer Personal Data’ means Customer Data that is Personal Data processed by Serko on behalf of Customer or a Customer Affiliate to provide the Licensed Products under the Agreement.
‘Data Protection Laws’ means all legislation and regulations of a Territory relating to data protection and privacy that are directly applicable to, and binding on, a party in relation to Customer Personal Data, including without limitation, USA Privacy Laws and the GDPR, as applicable.
‘Data Processing Particulars’ means in relation to any processing of Customer Personal Data under this Addendum: the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data being processed, and the categories of data subjects.
‘Data Subject’ means a natural person to whom Customer Personal Data relates.
‘General Terms’ means the terms and conditions found at serko.com/legal/online-general-terms.
‘Good Industry Practice’ means, in relation to any undertaking and any circumstances, the exercise of the degree of skill, care, prudence, diligence and foresight that would be exercised by a good practitioner, experienced in the relevant industry practice.
‘GDPR’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
‘Information Security Incident’ means a breach of security leading to the accidental or unauthorised destruction, loss, alteration, or disclosure of, or unauthorised access to Customer Personal Data, in circumstances where Serko (acting reasonably) considers that the destruction, loss, alteration, disclosure, or access to such Customer Personal Data is, or is likely to be, notifiable to a Regulatory Authority and/or a Data Subject in accordance with applicable USA Privacy Law.
‘PCI DSS’ has the meaning given to it in the Agreement.
‘Personal Data’ means information about, or relating to, an identified or identifiable individual, and otherwise has the meaning given to it or to the term ‘personal information’ by applicable Data Protection Laws.
‘Processor’ has the meaning given to it in the VCDPA, CPA or UCPA as applicable.
‘Licensed Product’ means the Software as a Service (SaaS) made available to the Customer by Serko pursuant to the Agreement.
‘Regulatory Authority’ means a regulatory authority having jurisdiction over a party.
‘Services’ means the services provided by Serko to Customer, together with any additional obligations Serko has to Customer, pursuant to the Agreement.
‘Service Provider’ has the meaning given to it in CCPA.
‘State’ means California, Colorado, Connecticut, Utah or Virginia as applicable.
‘Subcontractor’ means any person to whom Serko subcontracts any obligations under the Agreement.
‘Subprocessor’ means another Processor engaged by Serko to process Customer Personal Data on Serko’s and Customer’s behalf.
‘UCPA’ means the Utah Consumer Privacy Act.
‘USA Privacy Law’ means: (a) CPA, CCPA, CPRA, VCDPA and CTDPA, to the extent that each is directly applicable and binding on a party to this Addendum; and (b) UCPA from 31 December 2023.
‘VCDPA’ means the Virginia Consumer Data Protection Act 2023.
Schedule 1 to Addendum
Data Processing Particulars
Subject matter, nature, and purpose of processing
To provide the Services and Licensed Product, and as set out in the Agreement
Duration of processing
For the term of the Agreement and as specified in this Addendum
Type of personal data being processed
- Identity data: including name, employee ID, network ID, title, date of birth, gender, company name, and company number;
- Contact data: including email address, address, and phone number;
- Financial data: including bank account number, and details of payments to and from you;
- Technical data: including internet protocol (IP) address, login data, browser type and version, time zone setting, operating system and platform, device type, unique device identification numbers, and other information your browser supplies;
- Profile data: including username and user ID;
- Usage data: including details of products and services you have purchased from us, and information on how you are using the products, and services;
- Communications data: including your communication preferences, and any feedback or survey responses; and
- Support data: including screenshots (of error messages, for example), support ID, and support communications.
If the Agreement relates to distribution or provision of online booking tool services, it will also include:
- Travel data: including passport details, details of your bookings and travel itineraries, frequent flyer details, loyalty details, visa details, rental car details, meal preferences, seat preferences, travel dates/times, flight number, ticket number, confirmation number, booking locators (booking ID, passenger name record (PNR), airline locator), origin location, destination location, third party profile ID/code, and travel components (air, car, hotel, transfers, rail).
If the Agreement relates to provision of expense management services, it will also include:
- Expense data: including details of expenses submitted (such as copies of receipts).
Categories of data subjects
Customer’s employees and end users of the Licensed Product
Frequency of the transfer
Ongoing
