Private & Confidential

HotelMap Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, any agreement between a Partner and HotelMap that references this DPA (the “Agreement”).

“Partner” means the entity that has entered into an Agreement with HotelMap that incorporates this DPA by reference.

“HotelMap” means, as applicable: (i) HotelMap.com Limited, a company registered in the United Kingdom (Company Number 08571751) and/or (ii) HotelMap Limited, a company incorporated in England and Wales (Company Number 16820545) each with its registered office at 10 Bloomsbury Way, London WC1A 2SL, UK; and/or (iii) HotelMap.com Worldwide LLC, a company incorporated in the United States of America (Company Number 5457481) and registered at 1209 Orange Street, Wilmington, Delaware 19801, USA; and/or (iv) HotelMap Inc, a corporation incorporated in the State of Delaware (Company Number 10351522) and registered at 8 The Green, Suite A, Dover, DE 19901, USA. The HotelMap entity that is party to the Agreement with the Partner shall be the HotelMap entity for the purposes of this DPA.

Partner and the applicable HotelMap entity are each a “Party” and together the “Parties”.

This DPA applies as of the date of the Agreement (the “Effective Date”) and is supplemental to the Agreement. To the extent that any of the provisions of this DPA conflict with the terms of the Agreement, the provisions of this DPA shall prevail. Terms not defined in this DPA have the meanings given to them in the Agreement.

The version of this DPA in effect at the time of the Agreement shall apply to that Agreement unless the Parties agree in writing to adopt a later version. Where HotelMap updates this DPA, it shall publish the updated version at its standard DPA URL and notify existing Partners of material changes.

For the avoidance of doubt, the mutual obligations in this DPA reflect each Party’s independent obligations under Data Protection Law and do not imply or create any bilateral data sharing arrangement. Partner Data flows from Partner to HotelMap for processing in connection with the Services. Any additional data sharing arrangements between the Parties require a separate written agreement.

[Diagram: Data flow & party roles. (1) Controller: Partner. Partner data & instructions flow to (2) Processor: HotelMap Platform. Onward data flows go to (3) Accommodation Providers (independent controller), Technology Sub-processors (sub-processor), and Partner-Appointed Third Parties (Partner-appointed).]

Definitions

1. Definitions

In this DPA:

“Accommodation Providers” means hotels, accommodation providers, and other Room Suppliers who receive personal data from HotelMap to fulfil accommodation bookings. Accommodation Providers are independent data controllers and are not Sub-processors of HotelMap.

“Affiliate” means, in relation to either Party, any entity that, now or in the future, directly or indirectly owns, is owned by, or is under common ownership with that Party; for the purposes of this definition, “ownership” means control of more than a 50% interest in an entity or the ability to direct the actions of an entity.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed under this DPA, as defined in Article 4(12) of the Regulation and the equivalent provision under the UK GDPR.

“Data Protection Law” means the UK GDPR, the Regulation (EU GDPR), the Data Protection Act 2018, and any data protection laws of the jurisdiction in which the relevant Personal Data originates, in each case as applicable to the processing of Partner Data under this DPA. Additional country-specific requirements are addressed in Section 22.

“Data Subject” has the meaning given to it in the Regulation.

“Extended EEA Country” means a country within the European Economic Area (including the EU), Switzerland and the UK.

“Extended EEA Personal Data” means personal data as defined in the Data Protection Laws of the applicable Extended EEA Country, the processing of which in connection with the Services is governed by the Data Protection Laws of the applicable Extended EEA Country.

"Partner-Appointed Third Parties" means third parties authorised or directed by Partner, where permitted under the Agreement, to access or use the Platform on Partner's behalf, or with which HotelMap integrates at Partner's direction to deliver the Services, including but not limited to event owners on whose behalf Partner is providing the Services, destination management companies (DMCs), travel management companies (TMCs), professional congress organisers (PCOs), housing companies, event registration platform providers, and payment processors appointed by Partner where Partner acts as merchant. Partner-Appointed Third Parties are not Sub-processors of HotelMap.

“Partner Data” means all personal data which is (i) supplied, or in respect of which access is granted, to HotelMap by or on behalf of Partner, or (ii) produced or generated by or on behalf of HotelMap in connection with the provision of the Services under this DPA. For the avoidance of doubt, Partner Data does not include: (a) data that has been irreversibly anonymised or aggregated such that it cannot reasonably be used, alone or in combination with other data, to identify any natural person; (b) platform usage data, analytics, performance metrics, and operational intelligence, provided such data does not constitute Personal Data; or (c) any methodologies, algorithms, models, or intellectual property independently created or developed by HotelMap that do not incorporate or reveal Personal Data.

“Personal Data” has the meaning given to it in the Regulation.

“Platform” means the HotelMap software platform and related services used to facilitate accommodation bookings, as further described in the Agreement.

“Processing” has the meaning given to it in the Regulation, and “process”, “processes” and “processed” will be interpreted accordingly.

“Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Other applicable data protection regimes are addressed through the definition of “Data Protection Law” and Section 22 of this DPA.

“Services” means the services provided by HotelMap to Partner under the Agreement.

“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission decision of 4 June 2021 and published under document number C(2021) 3972.

“Sub-processor” means any processor who is or will be processing Partner Data as a result of HotelMap’s subcontracting any of its obligations under the Agreement.

“Suppliers” means third-party booking intermediaries, including online travel agencies and rate aggregators, through which HotelMap may source hotel rates and fulfil bookings to ensure the best available rate is presented to attendees. Suppliers are not Accommodation Providers or Sub-processors of HotelMap.

“Technology Sub-processors” means Sub-processors other than Partner-Appointed Third Parties, Accommodation Providers and/or Suppliers, including but not limited to cloud infrastructure providers, payment processing services, API platforms, database systems, security tools, and other software or technology service providers that HotelMap engages to support the technical infrastructure and operation of the Services.

“Third Country” means a country which is not deemed adequate to receive Extended EEA Personal Data under the Data Protection Laws of the applicable Extended EEA Country.

“Transferred Personal Data” means any Extended EEA Personal Data, the transfer of which by a Party is subject to the Standard Contractual Clauses by virtue of this DPA.

“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

References to the UK GDPR in this DPA shall be read together with the relevant provisions of the Data Protection Act 2018 that supplement and implement the UK GDPR.

Where this DPA uses the phrase “without undue delay” without specifying a timeframe, it shall mean as soon as reasonably practicable and in any event within fifteen (15) business days unless a shorter period is specified in this DPA, required by applicable law, or warranted by the urgency of the circumstances. Where this DPA refers to a “reasonable request” or “upon request”, HotelMap shall respond within fifteen (15) business days of receiving a written request unless a different timeframe is specified.

Processing activities

2. Description of Data Processing Activities

The Parties agree the following sets out the definitive description of processing activities required by the Regulation in relation to HotelMap’s processing of Partner Data. This Section constitutes the primary processing record for the purposes of Article 28 and Article 30 of the Regulation, and also satisfies the requirements of the SCC Annex I (as supplemented in Annex 1 to this DPA):

Subject matter: Event hotel booking and accommodation services.
Duration: For the duration of the Agreement and for such additional periods as are required to fulfil legal and regulatory obligations.
Nature: Receiving, storing, using, segmenting, and analysing attendee data in order to provide the Services.
Purpose: To enable attendees to book hotels and accommodation in connection with Partner’s events.
Personal data: Names, email addresses, company name, phone numbers, country and city of residence or event attendance, language preference, booking details (including check-in/check-out dates and room preferences). HotelMap does not store payment card data; payments are processed directly by Accommodation Providers or authorised payment processors and are governed separately under PCI DSS. Payment card data is not Partner Data for the purposes of this DPA.
Data subjects: Event attendees, including sponsors, exhibitors, visitors, delegates, and other participants of Partner’s events.

Booking details may incidentally include information relating to accessibility requirements or special needs. Where such information constitutes special category data under Article 9 of the Regulation (and the equivalent provision under the UK GDPR), the provisions of Section 12 apply.

Roles & compliance

3. Roles of the Parties

The Parties agree that for the purposes of this DPA and HotelMap’s processing of Partner Data in connection with the Services, HotelMap shall be a data processor and Partner shall act as data controller.

For the avoidance of doubt, where HotelMap contacts attendees directly in connection with the Services (including for booking confirmations, modifications, customer support, or concierge services), HotelMap does so as processor acting on Partner’s instructions and not as a data controller in its own right. Nothing in this DPA creates a joint controller relationship between the Parties.

Notwithstanding the above, HotelMap acts as an independent data controller in respect of certain processing activities that are ancillary to the Services, including managing its business relationship with Partner’s account contacts, operating its platform infrastructure, fraud detection, security monitoring, and fulfilling its own legal and regulatory obligations. Such processing is governed by HotelMap’s own privacy notice and is not subject to Partner’s instructions under this DPA.

4. Compliance with Data Protection Laws (Mutual)

Each Party shall comply with its respective obligations under Data Protection Law. Neither Party shall, by its own acts or omissions, cause itself to be in breach of any Data Protection Law.

Partner warrants that it has established and will maintain a valid lawful basis under applicable Data Protection Law for the collection and processing of Partner Data, and for instructing HotelMap to process Partner Data on its behalf under this DPA.

Purpose & instructions

5. Purpose and Instructions

HotelMap will not access, use or otherwise process Partner Data, except as necessary to provide the Services to Partner. HotelMap will only process Partner Data in accordance with this DPA, the Agreement, and Partner’s other documented written instructions. HotelMap will notify Partner without undue delay if, in HotelMap’s opinion, any instruction or direction from Partner infringes Data Protection Law.

Partner’s documented instructions for the purposes of this DPA are constituted by: (i) the Agreement; (ii) this DPA; and (iii) any subsequent written instructions provided by Partner’s designated contact via the communication channel specified in Section 7. Where HotelMap is required by applicable law to process Partner Data otherwise than on Partner’s instructions, HotelMap shall inform Partner of that legal requirement before processing unless the law prohibits such notification.

HotelMap shall comply with any reasonable request from Partner requiring HotelMap to amend, transfer or delete Partner Data, provided that such request is consistent with HotelMap’s obligations under Data Protection Law and the Agreement.

HotelMap shall not sell, license, or otherwise transfer Partner Data to any third party for that third party’s independent commercial use.

Nothing in this DPA shall restrict or limit HotelMap’s rights under the Agreement. Separately from the processing of Partner Data on Partner’s instructions, HotelMap may independently: (a) create aggregated, anonymised or de-identified data and analytics that cannot reasonably be used to identify any natural person or be attributed to Partner, which HotelMap may use for producing anonymised industry insights and benchmarks and informing HotelMap’s commercial strategy; and (b) subject to the anonymisation requirements in (a) above, develop and improve the Platform, Services, algorithms, methodologies, and operational procedures. For the avoidance of doubt, these activities relate solely to irreversibly anonymised or aggregated data and do not constitute processing of Partner Data or Personal Data. HotelMap does not use identifiable Personal Data for platform improvement or product development purposes.

Personnel & security

6. Personnel and Access Controls (Mutual)

Each Party will restrict access to the other Party’s data to its personnel who need to access such data to provide or receive the Services. Each Party will ensure that any of its personnel who process data under this DPA: (i) are bound by written contractual confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (ii) are bound by data protection and data security obligations which are at least as restrictive as this DPA; (iii) have received appropriate training on data protection requirements; and (iv) will only process Personal Data in accordance with the documented instructions of the controller, unless required to do so by law.

7. Point of Contact

Each Party will provide the other with a designated point of contact in respect of the activities covered by this DPA. HotelMap’s contact for data protection matters is Privacy@HotelMap.com.

HotelMap has assessed the requirement to appoint a Data Protection Officer under Article 37 of the Regulation and has determined that a statutory DPO appointment is not required under its current processing activities. Data protection enquiries should be directed to Privacy@HotelMap.com.

8. Security (Mutual)

Each Party will implement and maintain appropriate technical and organisational measures to protect the other Party’s data at all times against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure, access, or processing. Such measures shall at a minimum meet the requirements of applicable Data Protection Law and ensure the protection of the rights of data subjects. Partner shall ensure that its personnel, Affiliates, and any third parties who access HotelMap’s Platform or systems comply with equivalent security standards and do not compromise the security or integrity of the Platform.

Where HotelMap demonstrates compliance with equivalent security standards through existing certifications, assessments, or frameworks (including but not limited to PCI DSS compliance, ICO registration, and annual penetration testing), Partner may accept such compliance as satisfying the security requirements of this DPA. The specific technical and organisational measures are described further in Annex 2 to this DPA.

Each Party will take all reasonable steps to ensure the reliability of any of its staff who may have access to, or are authorised to process, data under this DPA and ensure such staff have committed themselves to obligations of confidentiality or are under statutory obligations of confidentiality.

Disclosure & breach

9. Disclosure and Government Access (Mutual)

Neither Party will voluntarily disclose the other Party’s data to any government, authority or other third party except where required by applicable law or regulation. Where legally permitted, each Party will provide prior written notice to the other before making any such disclosure and provide the other Party with reasonable opportunity to challenge or limit the scope of the disclosure. Where possible, the notice will (a) attach a copy of the request, and (b) if not covered by (a), specify (i) the identity of the requester, (ii) the scope and purposes of the request and (iii) the date of the request and any deadline for a response. Where applicable law (including national security provisions) prohibits prior notification, the disclosing Party shall notify the other as soon as the legal prohibition is lifted.

10. Personal Data Breach Management (Mutual)

HotelMap shall notify Partner of any Data Breach affecting Partner Data without undue delay and in any event no later than forty-eight (48) hours after becoming aware of a confirmed Data Breach. For the avoidance of doubt, the general fifteen (15) business day response timeframe defined in Section 1 does not apply to breach notifications under this Section. Partner shall notify HotelMap of any Data Breach affecting HotelMap’s systems or data, or any breach that may affect the security of the Services, without undue delay.

The notifying Party will include in the notice (a) to the extent possible at the time: (i) the nature of the Data Breach (including the categories and approximate number of individuals and records involved), (ii) the likely consequences of the Data Breach, and (iii) any steps taken or proposed to address and/or mitigate the Data Breach, and (b) a point of contact. If it is not possible to provide any of the information required at the time of the notice, the notifying Party will provide such information as soon as possible thereafter.

Each Party will provide all cooperation and information reasonably requested by the other in respect of a Data Breach, including regular updates on the investigation, mitigation and remedial steps. Each Party will take all reasonable steps to mitigate the effects and to minimise any damage resulting from any Data Breach for which it bears responsibility.

Data subject requests

11. Assistance, Data Subject Requests and Regulatory Cooperation

Each Party will provide any cooperation or assistance reasonably requested by the other in connection with steps that the other Party takes to comply with Data Protection Law insofar as they relate to the Services. This includes, where applicable, reasonable assistance with: (i) responding to requests from data subjects or authorities; (ii) notifying data breaches to affected individuals or authorities; (iii) carrying out data protection impact assessments; and (iv) prior consultations with supervisory authorities.

If HotelMap becomes aware that any processing of Partner Data under this DPA is likely to result in a high risk to the rights and freedoms of data subjects, HotelMap shall inform Partner without undue delay so that Partner may assess whether a data protection impact assessment is required.

HotelMap shall notify Partner within five (5) business days of receiving a request from a data subject for access to that person’s Partner Data, and shall provide reasonable cooperation to assist Partner in responding within the applicable statutory period. Where HotelMap receives a data subject request directly from an attendee relating to Partner Data, HotelMap shall redirect the request to Partner within the timeframe specified in this Section. Where the request relates to HotelMap’s own controller processing activities, HotelMap shall respond directly in accordance with its own privacy notice. Each Party shall inform the other without undue delay of any enquiry, complaint, notice or other communication it receives from any supervisory authority, other organisation or individual, relating to the processing of data under this DPA.

Neither Party shall respond to a supervisory authority enquiry, complaint, notice or other communication relating to the other Party’s data or processing activities without the prior written consent of the other Party, except where the responding Party is legally required to respond within a timeframe that does not permit obtaining prior consent, in which case the responding Party shall inform the other of its intended response and the legal basis as soon as reasonably practicable.

Retention & deletion

12. Personal Data Retention

HotelMap will retain Partner Data for the duration of the Agreement and, following the conclusion of each event, only for so long as necessary to fulfil the specific purpose for which it was collected. Booking and financial records may be retained for up to seven (7) years after the relevant event date where specifically required for tax compliance, financial record-keeping, or legal claims defence. All other categories of Partner Data will be reviewed and deleted in accordance with HotelMap’s documented retention schedule. Technical and operational data will be retained for no longer than thirty-six (36) months. Partner may instruct HotelMap in writing to delete Partner Data sooner, subject to HotelMap’s legal retention obligations.

HotelMap shall maintain a documented retention schedule setting out the categories of Partner Data retained, the applicable retention periods, and the legal basis for retention, and shall make this schedule available to Partner within fifteen (15) business days of a written request. Data required to honour data subject opt-out preferences shall be retained for as long as necessary to give effect to those preferences.

HotelMap does not knowingly process special categories of personal data (as defined in Article 9 of the Regulation) unless explicitly instructed to do so by Partner in writing and with appropriate safeguards in place. Bookings on the Platform must be made by individuals aged 18 or over. HotelMap does not knowingly collect or process personal data from children under the age of 16 in a digital consent context (Article 8 of the Regulation), or from any individual under the age of 18 for the purposes of making accommodation bookings. If HotelMap becomes aware that it has received such data without appropriate consent or instruction, it shall promptly notify Partner.

13. Return and Deletion of Personal Data

On termination or expiry of the relevant processing or this DPA, for whatever reason, HotelMap shall cease all use of Partner Data for the provision of Services and shall, within ninety (90) days and at Partner’s election communicated in writing within thirty (30) days of termination, either: (a) transfer all Partner Data to Partner or a nominated third party (in a mutually agreed format and method); or (b) securely and permanently delete all Partner Data including all existing copies. HotelMap shall use reasonable efforts to remind Partner of the upcoming election deadline. If Partner does not communicate its election within thirty (30) days, HotelMap shall securely delete all Partner Data, subject to the retention rights set out in this Section. HotelMap shall certify deletion in writing upon Partner’s reasonable request.

HotelMap may retain Partner Data following termination or expiry for so long as is reasonably necessary to: (i) complete any outstanding hotel bookings, including bookings for future events confirmed prior to termination; (ii) finalise any outstanding transactions and process refunds; (iii) resolve disputes; and (iv) complete operational wind-down activities. HotelMap shall be entitled to retain specific Partner Data if required to do so by applicable law, including retention for financial record-keeping, tax compliance, legal claims defence, and to honour data subject opt-out preferences.

HotelMap shall maintain documentation of data deletion activities undertaken pursuant to this Section, including the date of deletion, the categories of data deleted, and the basis for deletion, and shall provide such documentation to Partner within fifteen (15) business days of a written request.

Upon Partner’s reasonable request, HotelMap shall provide Partner Data in a structured, commonly used and machine-readable format via API or such other export method as is supported by the Platform, to facilitate Partner’s compliance with data portability requests from data subjects.

Records & audit

14. Data Capture and Evidence in the Event of an Incident

Partner shall pay HotelMap a fee (based on HotelMap’s standard consultancy rates) for any data retrieval, forensic analysis, or specific extraction of Partner Data requested by Partner that is outside the scope of the standard Services or beyond the standard functionality of the Platform. For the avoidance of doubt, the fees described in this Section do not apply to HotelMap’s statutory obligations to cooperate and assist Partner in the event of a Data Breach (Section 10) or regarding general compliance assistance (Section 11), which are provided at no additional cost.

15. Record Keeping

HotelMap will maintain records of processing as required for processors under Article 30(2) of the Regulation in respect of Partner Data. Such records shall include: (i) the name and contact details of HotelMap as processor and of each Partner on whose behalf processing is carried out; (ii) the name and contact details of HotelMap’s data protection officer (where applicable); (iii) the categories of processing carried out on behalf of Partner; (iv) the categories of recipients to whom Partner Data have been or will be disclosed; (v) where applicable, transfers of Partner Data to a Third Country, including identification of the country and the transfer mechanism relied upon; and (vi) a general description of the technical and organisational security measures referred to in this DPA. HotelMap will provide Partner a copy of such records within fifteen (15) business days of a written request.

16. Information and Audit

HotelMap will make available to Partner all information reasonably necessary to demonstrate HotelMap’s compliance with this DPA, including existing certifications, independent audit reports, penetration test summaries, and equivalent third-party assurance documentation.

Partner (or its appointed independent third-party auditor, subject to reasonable confidentiality obligations) may conduct audits of HotelMap’s processing of Partner Data to verify compliance with this DPA. Any such audit shall be: (i) notified in writing at least thirty (30) business days in advance; (ii) conducted during normal business hours; (iii) limited in scope to HotelMap’s processing of Partner Data; and (iv) conducted no more than once per calendar year, unless required by a supervisory authority. Where HotelMap has provided recent, relevant third-party audit reports, certifications, or compliance documentation that reasonably address Partner’s compliance concerns, Partner shall accept such documentation in lieu of an on-site audit unless Partner can demonstrate specific concerns not addressed by the documentation. Partner shall bear all reasonable costs associated with any audit. HotelMap shall cooperate with and provide reasonable assistance for any audit or inspection by a supervisory authority.

Partner’s audit rights under this Section relate to HotelMap’s own processing activities. Where Partner requires assurance regarding Technology Sub-processors, HotelMap shall use reasonable efforts to make available relevant compliance documentation, certifications, or audit reports obtained from those Sub-processors.

Sub-processors

17. Sub-processors and Data Transfers

Technology Sub-processors

HotelMap may appoint Technology Sub-processors to perform its obligations under this DPA provided that:

(a) In accordance with Article 28(4) of the Regulation, HotelMap shall remain fully liable to Partner for the performance of Technology Sub-processors’ obligations under this DPA. As a commercial matter between the Parties, HotelMap’s liability in respect of a Technology Sub-processor’s acts or omissions shall be reduced to the extent that Partner’s own acts, omissions, or instructions contributed to the relevant loss, and to the extent that HotelMap demonstrates it took reasonable steps in selecting, instructing, and monitoring the Sub-processor; and

(b) HotelMap shall include substantially equivalent safeguards to those set out in this DPA in its agreement with such Technology Sub-processors (and will procure the flow down of the same to any further processors).

HotelMap engages Technology Sub-processors including but not limited to cloud infrastructure providers, payment processors, security tools, API platforms, and other technology service providers as necessary to operate and deliver the Services. HotelMap shall maintain a current list of Technology Sub-processors by category and geographic region which shall be made available to Partner on request. This list shall be updated prior to any material change taking effect.

HotelMap shall inform Partner of any material changes to its Technology Sub-processors (including the engagement of a new category of Sub-processor or a change resulting in Partner Data being processed in a new geographic region) by updating the information available upon request. Partner may raise objections to such changes, or documented concerns about a specific Technology Sub-processor’s risk to the security or protection of Partner Data, by contacting Privacy@HotelMap.com. HotelMap shall consider any such objection or concern in good faith and provide Partner with information reasonably necessary to address it. HotelMap retains sole discretion over its technology stack, subject to its continuing obligations under this DPA.

Accommodation Providers as Independent Controllers

The Parties acknowledge that hotels, accommodation providers, and other Room Suppliers (“Accommodation Providers”) are independent data controllers in respect of the personal data they receive to fulfil accommodation bookings. When HotelMap transmits booking data to an Accommodation Provider, it does so on Partner’s documented instructions as controller, and the Accommodation Provider processes that data under its own privacy policies and legal basis as an independent controller. Accommodation Providers are not Sub-processors of HotelMap.

For clarity: (i) HotelMap’s role in respect of Accommodation Providers includes transmitting booking data at Partner’s instruction, and in some cases selecting or curating which Accommodation Providers appear on the Platform and negotiating rates with those providers; (ii) once data is received by an Accommodation Provider, that provider is independently responsible for its own processing as a controller (including check-in, payment, guest records, and any marketing or loyalty activities); (iii) the selection of Accommodation Providers is influenced by the geographic location of Partner’s events and Partner’s decisions as controller; and (iv) HotelMap does not control or direct the Accommodation Provider’s processing of personal data beyond the initial transmission of booking information.

HotelMap acknowledges that its role in selecting and curating Accommodation Providers and negotiating rates means it plays a facilitative role in the data flow beyond pure transmission. HotelMap maintains this DPA, its privacy practices, and appropriate safeguards for data in transit accordingly. Nothing in this Section is intended to exclude any liability that cannot lawfully be excluded under Data Protection Law.

HotelMap shall use appropriate steps to transmit only the minimum personal data necessary for the Accommodation Provider to fulfil the booking, and shall implement appropriate security measures for data in transit.

HotelMap may source hotel rates through third-party booking suppliers, including online travel agencies and rate aggregators (“Suppliers”), to ensure the best available rate is presented to attendees. Where booking data is transmitted via a Supplier, HotelMap shall include appropriate data protection provisions in its agreements with such Suppliers and shall transmit only the minimum personal data necessary to fulfil the booking.

Where an Accommodation Provider is located in a Third Country, Partner acknowledges that the transfer of booking data to that provider is a consequence of Partner’s decision as controller to hold an event in that location and to direct attendees to book accommodation there. Partner, as controller, is responsible for ensuring that an appropriate legal basis exists for such transfer. Upon reasonable request, HotelMap shall provide Partner with information about the countries in which Accommodation Providers are located for specific events, and shall provide reasonable cooperation to Partner in establishing appropriate transfer safeguards where required.

Partner-Appointed Third Parties

Where Partner, to the extent permitted under the Agreement, authorises or directs a third party ("Partner-Appointed Third Party") to access or use the Platform on Partner's behalf, or where HotelMap integrates with such a third party at Partner's direction to deliver the Services, the following shall apply:

(a) Partner-Appointed Third Parties are not Sub-processors of HotelMap. Partner, as controller, remains fully responsible for the acts and omissions of any Partner-Appointed Third Party in relation to Partner Data and the Platform, including establishing appropriate data protection arrangements with those providers.

(b) Partner shall ensure that any Partner-Appointed Third Party is bound by written data protection and confidentiality obligations at least as protective as those set out in this DPA before granting access to the Platform or Partner Data.

(c) Partner shall notify HotelMap in writing prior to granting any Partner-Appointed Third Party access to the Platform, identifying the third party, the scope of access required, and the purpose of access.

(d) Partner shall ensure that any Partner-Appointed Third Party complies with the security requirements set out in Section 8 and Annex 2 of this DPA, and does not compromise the security or integrity of the Platform.

(e) HotelMap shall have no liability for any breach of Data Protection Law, data loss, or security incident arising from the acts or omissions of a Partner-Appointed Third Party, except to the extent caused by HotelMap's own breach of this DPA.

(f) HotelMap reserves the right to refuse or revoke access to the Platform by any Partner-Appointed Third Party where HotelMap reasonably considers that such access poses a risk to the security of the Platform, the protection of Partner Data, or compliance with Data Protection Law.

(g) HotelMap may integrate with Partner-Appointed Third Parties and transmit Partner Data to such providers as necessary to deliver the Services on Partner's instructions. Where such integration involves the transmission of Partner Data, HotelMap shall implement appropriate security measures for data in transit.

(h) Partner acknowledges that: (i) the geographic location of Partner's events determines which Partner-Appointed Third Parties are necessary; (ii) HotelMap has no control over which countries' Partner-Appointed Third Parties must be used, as this is an inherent consequence of where Partner conducts its events; and (iii) individual Partner-Appointed Third Parties may lack the resources to execute complex data processing agreements or GDPR compliance frameworks.

The Technology Sub-processor notification and objection provisions in this Section do not apply to Accommodation Providers or Partner-Appointed Third Parties. Accommodation Providers are independent controllers; where transfers to Accommodation Providers in Third Countries require appropriate safeguards, Partner as controller is responsible for determining the applicable transfer mechanism. Where a Partner-Appointed Third Party processes Partner Data in a Third Country, Partner as controller is responsible for ensuring that an appropriate legal basis and transfer mechanism exists for such transfer. Upon reasonable request, HotelMap shall provide Partner with information about the countries in which Partner-Appointed Third Parties are processing Partner Data in connection with specific Partner events.

International transfers

International Data Transfers

Limited processing of Partner Data outside the EU/EEA may occur in the ordinary course of providing the Services, including through Technology Sub-processors, Partner-Appointed Third Parties and/or Accommodation Providers, and Suppliers operating in countries where Partner's events take place.

Standard Contractual Clauses

This Section does not apply to Partner-Appointed Third Parties, which are governed by Section 17.

Transfers from the UK

Where Transferred Personal Data originates from the UK, the UK Approved Addendum (template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses) shall apply to amend the Standard Contractual Clauses in respect of such transfers. The mandatory tables of the UK Approved Addendum shall be deemed completed by reference to the information set out in Annex 1 and Section 19 of this DPA. References to the UK Approved Addendum shall be read as references to any replacement or successor mechanism issued by the ICO.

Additional Country Requirements

Where Partner directs HotelMap to process personal data in or from any country which restricts the processing, export, or use of personal data outside that country, the Parties shall cooperate to ensure compliance with such local requirements. Any costs and implementation timelines associated with meeting country-specific data requirements shall be mutually agreed. Country-specific restrictions arising from Partner’s choice of event locations are a consequence of Partner’s decisions as controller.

In the event that any data transfer mechanism relied on by the Parties is invalidated or suspended by a competent authority, each Party shall promptly notify the other and the Parties shall work together in good faith to implement an alternative lawful transfer mechanism as soon as practicable. Pending implementation of an alternative mechanism, each Party shall comply with the directions of the relevant supervisory authority regarding the continuation or cessation of processing.

Liability & general

Liability and Indemnity

HotelMap Indemnity: HotelMap shall indemnify Partner against reasonable costs, claims, fines, losses and liabilities arising from HotelMap’s failure to comply with this DPA and/or Data Protection Law in respect of HotelMap’s processing of Partner Data, subject to the exclusions and limitations set out below.

Partner Indemnity: Partner shall indemnify HotelMap against reasonable costs, claims, fines, losses and liabilities arising from: (i) Partner’s breach of this DPA or Data Protection Law in its capacity as controller; (ii) Partner’s instructions to HotelMap that breach Data Protection Law; or (iii) claims arising from Partner's decisions regarding event locations, Partner-Appointed Third Party engagement, or data processing in Third Countries where such decisions are made by Partner as controller.

Exclusions: HotelMap shall not be liable for losses arising from: (i) Partner’s instructions, acts, or omissions; (ii) the data processing practices of Accommodation Providers, who are independent controllers and not Sub-processors of HotelMap; (iii) acts or omissions of Partner-Appointed Third Parties to the extent beyond HotelMap's reasonable ability to prevent through its contractual arrangements with such providers; or (iv) Partner’s decisions regarding event locations and the consequent engagement of Accommodation Providers and Partner-Appointed Third Parties in those locations.

Cap: Each Party’s total liability under this DPA shall be subject to any limitation of liability provisions set out in the Agreement. Where the Agreement does not specify a data protection liability cap, each Party’s total liability shall not exceed the total amounts paid or payable by either Party to the other under the Agreement in the twelve (12) months immediately preceding the breach.

The indemnity and liability provisions in this Section apply to civil claims between the Parties only and do not purport to cover, limit, or transfer regulatory fines or penalties imposed directly on either Party by a supervisory authority.

General Provisions

If any provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this DPA, and the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

This DPA shall remain in force for the duration of the Agreement and shall automatically terminate upon termination or expiry of the Agreement, subject to the survival of any provisions that by their nature are intended to survive termination (including Sections 13, 14, 15, and 23).

In the event of a material change in Data Protection Law that renders any provision of this DPA unlawful or impracticable, the Parties shall negotiate in good faith to amend this DPA to achieve compliance while preserving, to the extent possible, the commercial intent of the original provision.

This DPA shall be governed by the law of England and Wales. For the avoidance of doubt, this governing law applies to the DPA as a whole but does not override the module-specific governing law requirements of the Standard Contractual Clauses set out in Section 19.

This DPA may only be amended by written agreement signed by authorised representatives of both Parties. For the avoidance of doubt, amendments to the Agreement do not automatically amend this DPA unless the amendment expressly states that it varies this DPA.

In the event of conflict between this DPA and any data processing terms proposed or presented by Partner, this DPA shall prevail unless the Parties have expressly agreed otherwise in a signed written amendment.

 
Annex 1

Annex 1 – SCC Annex I (Cross-Reference to Section 2)

This Annex serves as Annex I to the Standard Contractual Clauses (where applicable). The definitive description of processing activities is set out in Section 2 of this DPA, which constitutes the primary record for Article 28 and Article 30 purposes. The information below supplements Section 2 with the additional detail required by the SCC Annex I format.

Annex I, Part A: List of Parties

Data Exporter: Partner (as identified in the Agreement). Role: Controller. Contact: As specified in the Agreement. Activities: Organising events requiring accommodation booking services for attendees.
Data Importer: HotelMap (as identified in this DPA). Role: Processor. Contact: Privacy@HotelMap.com. Activities: Providing the Platform and accommodation booking services as described in the Agreement.

Annex I, Part B: Description of Transfer

Data Subjects: Event attendees, including sponsors, exhibitors, visitors, delegates, and participants of Partner’s events, whose personal data is required to provide accommodation booking services.
Personal Data: Names, email addresses, company names, phone numbers, country and city of residence or event attendance, language preferences, and booking details (including check-in/check-out dates and room preferences) as strictly required to provide accommodation booking services. Payment card data is not transferred.
Sensitive Data: None anticipated. If special categories of personal data are required to be processed, appropriate safeguards shall be implemented in accordance with Data Protection Law.
Frequency: Regular, as required in connection with the provision and receipt of the Services.
Purpose: To provide accommodation booking services for Partner’s events, in accordance with applicable Data Protection Laws and Partner’s instructions as controller. Processing includes receiving, storing, transmitting, and managing booking data.
Retention: For the duration of the Agreement. Booking and financial records may be retained for up to seven (7) years where required for tax compliance, financial record-keeping, or legal claims defence. Technical data retained for no longer than thirty-six (36) months. Full details in Section 12 of this DPA.

Annex I, Part C: Competent Supervisory Authority

UK GDPR: The Information Commissioner’s Office (ICO).
EU GDPR: The competent supervisory authority in the EU Member State from which the transfer originates, or where no single Member State can be identified, the supervisory authority agreed in writing by the Parties.

Annex 2

Annex 2 – Technical and Organisational Security Measures

HotelMap maintains, as a minimum, the following technical and organisational measures. HotelMap may supplement or substitute equivalent or superior controls as technology and best practice evolve:

  • Industry-standard TLS/SSL encryption for all web traffic and end-to-end encryption for sensitive communications.
  • Secure API gateways with strict authentication controls.
  • VPN requirements for remote administrative access.
  • Regular security audits and vulnerability assessments, including annual penetration testing.
  • PCI DSS compliance for payment information processing.
  • Real-time monitoring for unauthorised access attempts.
  • Data minimisation practices to limit exposure risk.
  • Access controls based on the principle of least privilege.
  • Cloud infrastructure hosted within the EU/EEA/UK AWS regions.
  • ICO registration (ZA203467) as required under UK Data Protection Law.
  • Documented incident response and business continuity procedures.
  • Encryption at rest and in transit for all stored and transmitted Partner Data.
  • Multi-factor authentication for administrative access to systems processing Partner Data.
  • Employee security awareness training programme.
  • Secure development lifecycle practices for Platform development.

Where HotelMap demonstrates compliance with equivalent security standards through existing certifications, assessments, or frameworks, Partner may accept such compliance as satisfying the requirements of this Annex 2.