Skip to content
← All legal documents

Data Processing Addendum

GDPR / UK GDPR terms governing our processing of personal data on behalf of business customers.

Effective: July 1, 2026 · v1.0 (Draft)

Draft — pending legal review. This document is provided in good faith and is being finalized with counsel. It is not yet a binding agreement and does not constitute legal advice. Questions: legal@tourist-sos.com.

This Data Processing Addendum is offered to business customers who need contractual GDPR / UK GDPR terms governing how Tourist SOS LLC, a Delaware limited liability company processes personal data on their behalf. It is designed to be read alongside our Terms of Service, Privacy Policy, Trust & Security page, and Subprocessors list. If your organization requires a signed or countersigned version, contact us using the details below.

1. Introduction & scope

This Data Processing Addendum (“DPA”) supplements and forms part of the Terms of Service or other written agreement (the “Agreement”) between Tourist SOS LLC, a Delaware limited liability company (“Tourist SOS,” “we,” “us”) and the business customer that has agreed to the Agreement (the “Controller” or “Customer”).

This DPA applies to the extent that Tourist SOS processes Personal Data on behalf of the Customer in the course of providing the services described in the Agreement, where such Personal Data is subject to Applicable Data Protection Law. In that context, the Customer is the “Controller” (or “Business”) and Tourist SOS is the “Processor” (or “Service Provider”) of that Personal Data.

If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA governs. Capitalized terms not defined in this DPA have the meaning given in the Agreement.

2. Definitions

  • “Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, as applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and the UK Data Protection Act 2018, and other comparable state, federal, or national data protection laws.
  • “Controller” means the entity that determines the purposes and means of the processing of Personal Data (sometimes referred to as a “Business” under comparable laws).
  • “Processor” means the entity that processes Personal Data on behalf of, and on the documented instructions of, a Controller (sometimes referred to as a “Service Provider”).
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Tourist SOS on behalf of the Customer under the Agreement.
  • “Processing” means any operation performed on Personal Data, whether or not by automated means, including collection, storage, use, disclosure, and deletion.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “Subprocessor” means any third party engaged by Tourist SOS to process Personal Data on behalf of the Customer in connection with the services.

3. Roles & instructions

The parties acknowledge and agree that with regard to the processing of Personal Data, the Customer is the Controller and Tourist SOS is the Processor, except where the Customer acts as a processor on behalf of a third party, in which case Tourist SOS is a subprocessor.

Tourist SOS will process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by law to which Tourist SOS is subject. In that case, Tourist SOS will inform the Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. The Agreement (including this DPA) constitutes the Customer's documented instructions as of the effective date.

Tourist SOS will promptly notify the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Law.

4. Confidentiality

Tourist SOS ensures that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and receive appropriate training on the handling of Personal Data in accordance with this DPA.

5. Security measures

Tourist SOS implements appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

These measures include, without limitation: encryption of data in transit and, where appropriate, at rest; access controls and least-privilege principles governing who may access Personal Data; and logging of meaningful actions taken on Customer data. A fuller, current description of our security posture is maintained at tourist-sos.com/trust, which is provided for informational purposes and does not itself form part of this DPA.

6. Subprocessors

The Customer provides Tourist SOS with general authorization to engage Subprocessors to process Personal Data in connection with the services, provided that Tourist SOS imposes data protection obligations on each Subprocessor that are substantially equivalent to those set out in this DPA.

Tourist SOS remains liable to the Customer for the performance of each Subprocessor's obligations. Our current list of Subprocessors is maintained at tourist-sos.com/subprocessors. We will provide notice of the addition or replacement of a Subprocessor by updating that page, and, where required by Applicable Data Protection Law or the Agreement, will provide the Customer a reasonable opportunity to object on legitimate data protection grounds before the new Subprocessor begins processing Personal Data.

7. Data-subject requests

Taking into account the nature of the processing, Tourist SOS will provide reasonable assistance to the Customer, insofar as this is possible, to help the Customer respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). If Tourist SOS receives such a request directly from a Data Subject regarding Personal Data it processes on the Customer's behalf, it will not respond directly except to direct the Data Subject to the Customer, unless legally required to do otherwise, and will promptly notify the Customer of the request.

8. Personal-data breach

Tourist SOS will notify the Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Personal Data processed on the Customer's behalf. Tourist SOS will provide the information reasonably available to it about the breach and will cooperate with, and provide reasonable assistance to, the Customer to enable the Customer to comply with its own breach-notification obligations under Applicable Data Protection Law.

9. International transfers

Where Tourist SOS transfers Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, such transfer will be governed by an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum (IDTA), each incorporated by reference and deemed executed between the parties to the extent required by Applicable Data Protection Law.

10. Deletion or return

On termination or expiration of the Agreement, and at the Customer's written request, Tourist SOS will delete or return all Personal Data processed on the Customer's behalf, and will delete existing copies unless applicable law requires storage of the Personal Data, in which case Tourist SOS will isolate and protect that Personal Data from further processing except to the extent required by that law.

11. Audits

Tourist SOS will make available to the Customer information reasonably necessary to demonstrate compliance with the obligations in this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to reasonable advance notice, confidentiality protections, and no more than annually except where required by a supervisory authority or following a Personal Data breach. Details of scope, timing, and cost allocation for any audit will be agreed between the parties in advance.

12. Liability & term

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA remains in effect for as long as Tourist SOS processes Personal Data on behalf of the Customer under the Agreement, and terminates automatically upon termination or expiration of the Agreement, subject to the Deletion or Return section above.

13. Contact

Questions about this DPA, or requests to execute a countersigned copy, Standard Contractual Clauses, or a UK IDTA, may be sent to our Data Protection contact at privacy@tourist-sos.com or our legal team at legal@tourist-sos.com. Privacy and data-subject requests may be sent to privacy@tourist-sos.com. Our mailing address is 401 Ryland Street, Ste 200A, Reno, NV 89502, USA.

This DPA reflects our standard terms as of July 1, 2026 and is being finalized with counsel. Where a customer agreement requires different or additional terms (for example, a customer-supplied DPA or specific Standard Contractual Clauses module), the terms agreed in writing between the parties will control.