This Data Processing Addendum is incorporated into every customer agreement with AncillaryOffers, Inc. and governs the processing of personal data on behalf of customers.
Roles and responsibilities
The customer is the controller; AncillaryOffers is the processor. Each party is responsible for its own compliance with applicable data protection laws.
Subject matter and duration
Personal data is processed only for the duration of the customer agreement and only to provide the services described therein.
Categories of personal data
Traveler identifiers, contact details, transaction history, and any other personal data the customer chooses to send to the platform under the agreement.
Security measures
The technical and organizational measures listed on our security page apply. Annex II of this DPA mirrors that list in formal contract language.
Subprocessors
The current subprocessor list is at /trust/subprocessors. Customers can subscribe to change notifications.
International transfers
Standard Contractual Clauses (Module 2 — controller-to-processor) and the EU-US Data Privacy Framework apply where relevant.
Audit rights
Customers may audit our compliance via independent third-party reports (SOC 2, ISO 27001 once available) and once-annual on-site audits with reasonable notice.
Signing
To countersign this DPA, email legal@ancillaryoffers.com with your contracting entity name and signing contact.