Data Processing Agreement (DPA)

Last updated: 3 December 2025

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions and governs the processing of
personal data carried out by Grexgo Group SAS (“Processor”, “Grexgo”, “we”, “us”), on behalf of
hotels, travel agencies, companies, and other professional clients (“Controller”, “Client”, “you”).

This DPA ensures compliance with:

  • The EU General Data Protection Regulation (GDPR – EU 2016/679)
  • The Swiss Federal Act on Data Protection (nLPD – 2023)
  • Applicable French and EU privacy laws

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data (collection, storage, disclosure, etc.).
  • Controller: The entity determining the purposes and means of processing (Hotels, Agencies).
  • Processor: Grexgo Group SAS processing data on behalf of the Controller.
  • Subprocessor: Any third party engaged by Grexgo to assist with data processing.

2. Subject of the Agreement

The Controller authorizes Grexgo to process Personal Data solely for the purpose of providing the Grexgo Platform,
including:

  • Managing group booking requests
  • Facilitating communication and negotiation between Users
  • Document storage and exchange
  • Technical operation, security, and maintenance

No processing is carried out for marketing purposes without Controller consent.

3. Duration

This DPA remains in effect for the duration of the Controller’s use of Grexgo services and until all Personal Data
is deleted or returned upon termination.

4. Obligations of the Processor (Grexgo)

Grexgo commits to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure confidentiality and train authorized personnel
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in fulfilling GDPR and Swiss LPD obligations
  • Notify the Controller without undue delay in the event of a data breach
  • Maintain records of processing activities
  • Allow audits or provide documentation demonstrating compliance

5. Obligations of the Controller

The Controller agrees to:

  • Ensure a valid legal basis for all Personal Data processed on the Platform
  • Provide accurate and lawful data
  • Inform data subjects of the processing carried out using Grexgo
  • Respond to data subject requests (access, deletion, rectification, etc.)
  • Ensure appropriate internal security measures

6. Categories of Data Subjects

Data processed may concern:

  • Employees of Hotels, Agencies, and Companies
  • Travel agents, group coordinators, and corporate representatives
  • Platform users involved in group booking workflows

7. Categories of Personal Data

  • Identification data (name, surname, job title)
  • Professional contact data (email, phone number, company name)
  • Login credentials (email + hashed password)
  • Messages and documents exchanged
  • Metadata and logs associated with activity on the Platform

8. Subprocessing

The Controller authorizes Grexgo to use Subprocessors necessary for service delivery. Current subprocessors include:

  • Infomaniak Network SA – Hosting (Switzerland)
  • Email and communications providers
  • Analytics or monitoring providers (if activated)

Grexgo ensures all Subprocessors comply with GDPR and Swiss data protection standards through appropriate agreements.

9. International Transfers

Data may be processed in Switzerland or the European Union. If transferred outside the EU or Switzerland, Grexgo
ensures legal safeguards such as:

  • EU Standard Contractual Clauses (SCCs)
  • Swiss-compliant transfer mechanisms
  • Adequacy decisions recognized by both the EU and Switzerland

10. Security Measures

  • Encrypted data transfer (HTTPS/TLS)
  • Secure hosting infrastructure
  • Access control and authentication
  • Regular backups
  • Monitoring and intrusion detection
  • Encrypted passwords and confidentiality training

11. Data Subject Rights

Grexgo assists the Controller in managing data subject rights under GDPR and Swiss law, including:

  • Access
  • Rectification
  • Deletion
  • Data portability
  • Objection
  • Restriction of processing

Requests may be sent to: privacy@grexgo.com.

12. Data Breach Notification

In the event of a Personal Data breach, Grexgo will notify the Controller without undue delay and provide:

  • Description of the breach
  • Categories and volume of affected data
  • Potential consequences
  • Measures taken or proposed to mitigate risks

13. Return or Deletion of Data

Upon termination of services, at the Controller’s request, Grexgo will:

  • Return all Personal Data, or
  • Permanently delete it (unless retention is required by law)

14. Documentation and Audits

Grexgo provides all necessary documentation to demonstrate compliance with this DPA.
Physical audits may be requested with reasonable notice, and must respect Grexgo’s security and confidentiality
requirements.

15. Liability

Each Party is responsible for compliance with its obligations under this DPA, the GDPR, and applicable Swiss law.

16. Governing Law and Jurisdiction

This DPA is governed by French law, without prejudice to mandatory data protection
regulations of the EU or Switzerland.

17. Contact

For questions regarding this DPA or data protection:
Grexgo Group SAS
Email: privacy@grexgo.com