Data Processing Agreement


OnSeason Limited — UK GDPR | Article 28 Processing Terms | Version 1.0

This Data Processing Agreement (“DPA”) forms part of, and is subject to, the Master Services Agreement between OnSeason Limited (company number 17167619, registered office Unit 16 Diss Business Hub, Hopper Way, Diss, England, IP22 4GT) (“OnSeason”, “Processor”) and the customer that has entered into an Order Form (the “Customer”, “Controller”). It records the terms on which OnSeason processes Personal Data on the Customer’s behalf in connection with the Calry service and related OnSeason products (the “Services”).

Roles. For the purposes of this DPA and the Data Protection Laws, the Customer is the controller and OnSeason is the processor in respect of the Personal Data described in Annex 1. Where the Customer is itself a processor acting on behalf of a third-party controller, the Customer appoints OnSeason as sub-processor and warrants it has authority to do so.

1. Definitions

1.1 “Data Protection Laws” means the UK GDPR, the Data Protection Act 2018 and all other applicable data protection and privacy laws. “UK GDPR” means the retained EU law version of Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland. Terms such as “controller”, “processor”, “data subject”, “personal data”, “processing”, “personal data breach” and “supervisory authority” have the meanings given in the Data Protection Laws. “Personal Data” means personal data processed by OnSeason on the Customer’s behalf under the Services, as described in Annex 1.

2. Scope & Instructions

2.1 OnSeason will process the Personal Data only: (a) to provide and support the Services in accordance with the Agreement; (b) as documented in Annex 1; and (c) on the Customer’s further documented lawful instructions, including as necessary to comply with law.

2.2 The Customer instructs OnSeason to process the Personal Data as necessary to provide the Services and as set out in this DPA and the Agreement. The Customer confirms that these instructions are lawful and that it has all necessary rights, consents and legal bases to provide the Personal Data to OnSeason and to have it processed as contemplated.

2.3 OnSeason will inform the Customer if, in its opinion, an instruction infringes the Data Protection Laws (without obligation to provide legal advice).

3. OnSeason’s Obligations

3.1 Confidentiality. OnSeason will ensure that persons authorised to process the Personal Data are bound by an appropriate duty of confidentiality and process it only on the Customer’s instructions.

3.2 Security. OnSeason will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 UK GDPR. Those measures are summarised in Annex 2 and are supported by OnSeason’s information security management system aligned with ISO/IEC 27001:2022. OnSeason may update its security measures from time to time provided the level of protection is not materially reduced.

3.3 Sub-processors. The Customer gives general authorisation for OnSeason to engage the sub-processors listed in Annex 3 to process the Personal Data. OnSeason will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for its sub-processors’ acts and omissions. OnSeason will give the Customer at least thirty (30) days’ prior notice of any intended addition or replacement of a sub-processor (for example, by email or a subscribable list), during which the Customer may object on reasonable data-protection grounds; if the Parties cannot resolve the objection, the Customer may terminate the affected Services as its sole remedy.

3.4 Assistance. Taking into account the nature of the processing and the information available to it, OnSeason will provide reasonable assistance to the Customer, by appropriate technical and organisational measures, to help the Customer: (a) respond to requests from data subjects exercising their rights under the Data Protection Laws; and (b) comply with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, data protection impact assessments and prior consultation).

3.5 Data subject requests. If OnSeason receives a request from a data subject relating to the Personal Data, it will not respond directly (except to confirm receipt or as legally required) and will promptly forward the request to the Customer.

3.6 Personal data breach. OnSeason will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting the Personal Data, and will provide sufficient information to allow the Customer to meet its own notification obligations, together with reasonable assistance and details of remedial measures taken.

3.7 Records. OnSeason will maintain records of its processing activities as required by Article 30(2) UK GDPR and make them available to the Customer or a supervisory authority on reasonable request.

4. Audits

4.1 OnSeason will make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 UK GDPR and this DPA.

4.2 The Customer’s audit rights are satisfied primarily by OnSeason providing, on reasonable request and no more than once in any 12-month period (subject to confidentiality), its current security certifications and third-party audit reports (such as its ISO/IEC 27001 certificate and SOC 2 Type II report, once available).

4.3 Where those materials are not sufficient to demonstrate compliance in the specific circumstances, the Customer (or an independent auditor bound by confidentiality, and not a competitor of OnSeason) may conduct an on-site audit on at least thirty (30) days’ prior written notice, no more than once per year (except where required by a supervisory authority or following a personal data breach), during business hours, in a manner that does not disrupt OnSeason’s operations, and at the Customer’s cost.

5. International Transfers

5.1 Processing locations. The Customer acknowledges that OnSeason stores and processes the Personal Data on servers located in both the United Kingdom / European Economic Area (EEA) and the United States. Any transfer of Personal Data to the United States, or to any other country not covered by UK or EU adequacy regulations, is made subject to an appropriate transfer safeguard as set out below and completed in Annex 1.

5.2 Transfer mechanisms. For Personal Data subject to the UK GDPR, the Parties incorporate by reference the UK International Data Transfer Agreement (IDTA), or alternatively the UK Addendum to the EU Standard Contractual Clauses. For Personal Data subject to the EU GDPR, the Parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), with the Customer as data exporter and OnSeason as data importer, using the module appropriate to the relationship (controller-to-processor or, for onward transfers to sub-processors, processor-to-processor).

5.3 Data Privacy Framework alternative. Where the US recipient (whether an OnSeason entity or a sub-processor) is certified under the EU–US Data Privacy Framework and its UK Extension, the Parties may rely on that framework’s adequacy decision as the transfer basis in place of the SCCs/IDTA for the relevant data.

5.4 Supplementary measures. OnSeason will assist the Customer, on request, with a transfer risk assessment and will maintain supplementary technical measures (including encryption of Personal Data in transit and at rest) to protect Personal Data transferred outside the UK/EEA.

6. Return & Deletion

6.1 On termination or expiry of the Services, and at the Customer’s choice, OnSeason will delete or return all Personal Data and delete existing copies, unless the Data Protection Laws require continued storage. OnSeason will complete this within a reasonable period, and in any event within ninety (90) days, save that Personal Data held in routine backups will be deleted in the ordinary course of the backup rotation and remains protected by this DPA until then.

7. Liability & General

7.1 This DPA is subject to the limitations and exclusions of liability set out in the Master Services Agreement. In the event of any conflict between this DPA and the Agreement concerning the processing of Personal Data, this DPA prevails.

7.2 This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, consistent with the Agreement.

7.3 OnSeason may update this DPA to reflect changes in the Data Protection Laws or guidance from a supervisory authority, provided that no such update reduces the protections afforded to data subjects; material changes are subject to the change-notice process in the Agreement.

A1. Annex 1 — Details of Processing

Subject matter: Provision of the Calry unified PMS API and related OnSeason infrastructure services to the Customer under the Agreement.

Duration: For the term of the Agreement, plus the return/deletion period in clause 6.

Nature & purpose: Receiving, transmitting, synchronising and (where applicable) temporarily caching data between the Customer’s systems and connected Property Management Systems and other integrations, to enable the Services.

Types of Personal Data: The full range of personal data present in the Customer’s connected systems and stored by the Services, which may include: identity and contact data (name, email, phone, address); reservation and stay data; guest communications and messages; financial and payment-related data; and government-issued identification data (e.g. passport/ID details) where collected for guest registration. Special-category data (Article 9 UK GDPR) must not be submitted unless expressly agreed in writing.

Categories of data subjects: The Customer’s guests/end users and the Customer’s own staff/administrators using the Services.

Processing & storage: OnSeason stores and processes the Personal Data on its servers located in the United Kingdom / EEA and the United States, for the duration of the Agreement plus the deletion period in clause 6.

Transfer mechanism: US transfers: UK IDTA (or UK Addendum to EU SCCs) for UK GDPR data, and EU SCCs (2021/914) for EU GDPR data; or reliance on the EU–US Data Privacy Framework + UK Extension where the US host is certified.

A2. Annex 2 — Technical & Organisational Security Measures

OnSeason maintains an information security management system aligned with ISO/IEC 27001:2022 and is pursuing ISO/IEC 27001:2022 certification and SOC 2 Type II attestation. Its measures include, at a minimum:

A3. Annex 3 — Authorised Sub-processors

The Customer authorises the following sub-processors.

Sub-processor | Purpose | Location
Amazon Web Services | Cloud hosting / data storage | United Kingdom / EEA and United States
Stripe | Payment processing | Ireland / United States