Data Processing Addendum (DPA)
Last updated: May 7, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Lato travel app bv (“Processor”) and the customer entity using the Lato platform (“Controller”).
This DPA applies where Processor processes Personal Data on behalf of Controller in connection with the provision of the Lato platform and related services.
This DPA is intended to satisfy the requirements of Article 28 of the GDPR.
1. Definitions
“GDPR” means Regulation (EU) 2016/679.
“Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” shall have the meanings given in the GDPR.
“Services” means the Lato travel itinerary builder, travel application, collaboration tools, document handling services, and related features provided by Processor.
2. Roles of the Parties
The parties acknowledge and agree that:
• Controller determines the purposes and means of the processing of Personal Data;
• Processor processes Personal Data solely on behalf of Controller and in accordance with Controller’s documented instructions.
Processor acts as a processor for Personal Data submitted to or processed through the Services.
3. Nature and Purpose of Processing
Processor processes Personal Data for the purpose of providing the Services, including:
• creation and management of travel itineraries,
• traveller and contact management,
• trip collaboration,
• travel document handling,
• communication and messaging,
• payment and subscription administration,
• analytics and platform improvement,
• AI-powered travel assistance, document processing, and content generation features,
• customer support and troubleshooting.
4. Categories of Data Subjects
Data Subjects may include:
• Controller’s employees and staff users,
• travellers and end customers,
• trip participants,
• suppliers and business contacts,
• collaborators and invited users.
5. Categories of Personal Data
Depending on Controller’s use of the Services, Processor may process the following categories of Personal Data.
Account Data
• names,
• email addresses,
• phone numbers,
• job titles,
• avatars,
• language and timezone preferences,
• authentication credentials.
Traveller and Contact Data
• names,
• addresses,
• email addresses,
• phone numbers,
• gender,
• nationality,
• date of birth,
• passport number,
• passport expiration date,
• frequent flyer numbers,
• VAT information.
Trip and Collaboration Data
• itinerary information,
• accommodation and transportation details,
• travel schedules,
• chat messages,
• notes,
• uploaded documents,
• tasks,
• supplier notes,
• collaborator notes.
Technical and Usage Data
• IP addresses,
• browser metadata,
• session information,
• analytics data,
• log data.
Payment and Subscription Data
• Stripe customer identifiers,
• subscription information,
• billing metadata.
Processor does not intentionally request or require special category data under Article 9 GDPR. However, Controller acknowledges that uploaded content and free-text fields may contain sensitive personal data depending on Controller’s usage of the Services.
6. Duration of Processing
Processor shall process Personal Data for the duration of the agreement between the parties and thereafter only for as long as necessary to comply with legal obligations, resolve disputes, enforce agreements, or as otherwise permitted under applicable law.
Upon termination of the Services, Controller may request deletion of Personal Data in accordance with applicable law and Processor’s retention and backup policies.
7. Instructions
Processor shall process Personal Data only:
• on documented instructions from Controller,
• as necessary to provide the Services,
• to comply with applicable laws.
Controller instructs Processor to process Personal Data as necessary to provide and improve the Services and related support functions.
Controller is responsible for ensuring that it has a valid legal basis for the processing of Personal Data submitted to the Services, including where applicable obtaining necessary consents and providing required notices to Data Subjects.
8. Confidentiality
Processor shall ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
9. Security Measures
Processor implements appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
Such measures include, where applicable:
• HTTPS/TLS encryption in transit,
• password hashing using Argon2,
• secure session handling,
• HTTP-only cookies,
• secure cookies in production environments,
• access controls and authentication mechanisms,
• role-based authorization,
• server-side validation,
• logging and monitoring systems,
• infrastructure access restrictions,
• backup and disaster recovery procedures,
• database and infrastructure security controls,
• cloud storage access controls,
• incident response procedures.
Processor regularly reviews and updates security measures where appropriate.
10. Subprocessors
Controller authorizes Processor to engage subprocessors for the provision of the Services.
A current list of subprocessors used by Processor is available at:
https://www.latotravelapp.com/legal/subprocessors
Processor shall impose data protection obligations on subprocessors substantially similar to those set out in this DPA.
Processor may update subprocessors from time to time.
11. International Transfers
Processor may transfer Personal Data outside the European Economic Area (“EEA”) where necessary to provide the Services.
Where Personal Data is transferred outside the EEA, Processor shall implement appropriate safeguards, including:
• Standard Contractual Clauses approved by the European Commission,
• reliance on adequacy decisions,
• reliance on the EU-U.S. Data Privacy Framework where applicable,
• other lawful transfer mechanisms under the GDPR.
12. Data Subject Requests
Taking into account the nature of the processing, Processor shall provide reasonable assistance to Controller in responding to requests from Data Subjects under GDPR.
13. Security Incidents
Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller’s Personal Data.
Such notification shall include reasonably available information required under Article 33 GDPR.
14. Audits
Upon reasonable written request and subject to appropriate confidentiality obligations, Processor shall provide information reasonably necessary to demonstrate compliance with this DPA.
Any audit rights shall:
• occur no more than once annually unless required by law,
• be conducted during normal business hours,
• not unreasonably interfere with Processor’s operations,
• be subject to reasonable security and confidentiality requirements.
Processor may satisfy audit obligations through provision of documentation, security questionnaires, certifications, or third-party audit reports where appropriate.
15. Deletion and Return of Data
Upon termination of the Services and upon written request, Processor shall delete or return Personal Data, unless retention is required by applicable law.
Backups may remain temporarily retained in accordance with Processor’s backup and disaster recovery procedures.
16. Limitation of Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set forth in the main agreement between the parties, except where prohibited by applicable law.
17. Governing Law
This DPA shall be governed by the laws governing the main agreement between the parties.
Contact
Questions regarding this DPA may be sent to:
Adapted from the Basecamp open-source policies / CC BY 4.0