Data Processing Addendum — JetSetGo LLC
Version 1.2 — Effective date: 2026-05-25 — Last updated: 2026-05-25
Processor: JetSetGo LLC, a New Mexico limited liability company ("JetSetGo", "we", "us", "our"). Controller: each operator-customer of JetSetGo ("Operator", "you", "your"). Contact for privacy questions: privacy@jetsetgo.world
The 90-second summary
If you only read one page of this document, read this one. The legal detail follows.
| What you might be wondering | The short answer |
|---|---|
| What is this document? | The Data Processing Addendum (DPA) between JetSetGo and you. It governs how we handle the personal information of your travellers (your end-customers) on your behalf. |
| Do I have to sign it separately? | JetSetGo onboards customers through a sales-led process that ends with a signed Master Services Agreement (the Agreement). The Agreement incorporates this DPA by reference. So you sign the Agreement, not this DPA separately. If your procurement team wants a signed counterpart of the DPA itself, ask and we will sign it. |
| What law does it follow? | New Mexico (USA) law as the primary frame for the contract, designed to satisfy GDPR Article 28 (EU/UK), the Australian Privacy Act (APPs), the NZ Privacy Act, CCPA / CPRA (USA), PIPEDA and Quebec Law 25 (Canada), and POPIA (South Africa) at the same time. We use one document globally rather than seven jurisdiction-specific variants. |
| Who is the controller, who is the processor? | You are the controller of your travellers' personal information — you decide what to collect, why, how long to keep it, who to share it with. JetSetGo is the processor — we handle that data on your instructions, through the platform. (Different laws use different words for the same idea: Business / Service Provider under CCPA; Responsible Party / Operator under POPIA.) |
| What about my own staff users? | That's a different category. For your operator-account data — your staff logins, your billing details, your support tickets — JetSetGo is the controller, not the processor. That data is governed by our Privacy Policy, not this DPA. |
| Who do you share my travellers' data with? | Only the sub-processors listed in §6 and at jetsetgo.world/sub-processors. We give you 30 days' notice of any change and you can leave without penalty if you object on data-protection grounds. |
| Where does the data live? | Primary hosting in AWS Sydney (ap-southeast-2). Primary Postgres database in Oracle Cloud Infrastructure (Sydney). Some sub-processors are in the United States — Stripe, Firebase, Twilio, AWS US regions for transactional email and global edge. Full table in §6. |
| What about EU/UK travellers? | Their data is transferred to Australia under the European Commission's 2021 Standard Contractual Clauses (Module 2 — controller-to-processor) and the UK IDTA Addendum. Both are incorporated by reference into this DPA. |
| What happens if there's a breach? | We notify you within 24 hours of becoming aware. You decide whether and how to notify travellers and regulators. We assist with the technical facts. See §11. |
| What if I want my data out? | Self-serve export 24/7 via the admin console. Full export on termination. 90-day wind-down period, then we delete from production within 30 days. Backups age out across 12 months. Deletion certificate on request. We never withhold data for unpaid invoices. See §12. |
| Will you sell my travellers' data? | No. Not in identifiable form, not in de-identified form, not in aggregated form. We do not market to your travellers and we do not use their data for cross-context behavioural advertising. |
| Who do I escalate to if something is wrong? | privacy@jetsetgo.world. You can also complain to your local privacy regulator — addresses are in the Privacy Policy. |
1. About this DPA
1.1 What this DPA is
This Data Processing Addendum sets the terms on which JetSetGo processes Personal Data on the Operator's behalf in connection with the Services.
1.2 How it fits with your other JetSetGo terms
This DPA is published as JetSetGo's commitments to its customers regarding the handling of Personal Data on the customer's behalf.
JetSetGo does not offer online self-service sign-up. Customers are onboarded through a sales-led process that ends with a signed Master Services Agreement (the "Agreement") between the customer and JetSetGo. The Agreement incorporates the then-current version of this DPA by reference. By signing the Agreement, the Operator and JetSetGo are bound by this DPA as a contract for the purposes of GDPR Article 28(3), and the analogous binding-contract requirements of the other Applicable Data Protection Laws.
The published version of this DPA is therefore informational for anyone reading it before signing the Agreement (a prospect; a regulator; an operator's compliance team conducting pre-contract diligence), and contractual for any Operator who has signed the Agreement, for the duration of the Agreement.
Operators whose procurement processes require a separately-signed counterpart of the DPA (in addition to the MSA-incorporation route) may request one — JetSetGo will sign a counterpart in the form published here without re-negotiating substance.
1.3 Who this applies to
This DPA applies whenever JetSetGo processes Personal Data on the Operator's behalf — which is, in practice, all the time the Services are running. It does not apply to JetSetGo's processing of the Operator's own account data, for which JetSetGo is the controller; that processing is governed by the JetSetGo Privacy Policy (the "Privacy Policy"), not this DPA.
1.4 Single global document
JetSetGo publishes one DPA globally rather than per-jurisdiction variants. The body of this DPA is drafted to satisfy GDPR Article 28 (and the equivalents under UK GDPR, the Australian Privacy Act, NZ Privacy Act 2020, CCPA / CPRA, PIPEDA, Quebec Law 25, and POPIA) simultaneously. Where a specific jurisdiction requires additional terms, those are surfaced in the relevant section (most commonly §9 for CCPA / CPRA and §10 for EU/UK cross-border transfers).
2. Definitions
The following terms are used throughout this DPA.
- Agreement — the Master Services Agreement signed between the Operator and JetSetGo into which this DPA is incorporated by reference.
- Applicable Data Protection Law — each of the GDPR, UK GDPR, the Australian Privacy Act 1988 (Cth) including the Australian Privacy Principles (APPs) and the Notifiable Data Breaches scheme, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA / CPRA), the other US state consumer-privacy laws now in force, the NZ Privacy Act 2020, PIPEDA, Quebec Law 25, POPIA, and any other privacy law applicable to the processing.
- Controller, Processor, Data Subject, Personal Data, Processing, Supervisory Authority — the meanings given in GDPR Article 4 and the analogous concepts in the other Applicable Data Protection Laws.
- Business, Service Provider, Sell, Share, Sensitive Personal Information, Personal Information — the meanings given in CCPA section 1798.140.
- Responsible Party — the meaning given in POPIA.
- "Operator" in this DPA — the JetSetGo operator-customer (the same person as the Operator under the Agreement), who acts as Controller / Business / Responsible Party with respect to Traveller Personal Data. Note: under POPIA, the term "Operator" has a different meaning (a Processor); where this DPA uses "Operator" it means our customer in the Agreement sense, not the POPIA sense.
- Traveller Personal Data — Personal Data of travellers (the Operator's end-customers) and persons included in a booking made by a traveller, processed by JetSetGo on the Operator's behalf through the Services. This is "Personal Data" under GDPR / UK GDPR / Australian Privacy Act and "Personal Information" under CCPA / CPRA, in each case to the extent of the relevant law.
- Operator Account Data — Personal Data of the Operator's own staff, billing contacts, and account administrators, processed by JetSetGo as a Controller in its own right. Out of scope of this DPA; governed by the Privacy Policy.
- Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- Services — the JetSetGo software platform and the related services described in the Agreement.
- Sub-processor — a third party engaged by JetSetGo to process Personal Data on the Operator's behalf.
- EU SCCs — the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- UK Addendum — the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, in force 21 March 2022 (Version B1.0).
3. Roles and scope
3.1 With respect to Traveller Personal Data, the Operator is the Controller (GDPR / UK GDPR), Business (CCPA / CPRA), Responsible Party (POPIA), or analogous role; JetSetGo is the Processor, Service Provider, Operator (POPIA), or analogous role.
3.2 With respect to Operator Account Data, JetSetGo is the Controller / Business / Responsible Party. The Privacy Policy governs that processing — not this DPA.
3.3 This DPA applies for the duration of the Services and survives termination to the extent required by §12 (return and deletion) and §14 (audits).
4. Subject matter, nature, purpose, duration
| Item | Detail |
|---|---|
| Subject matter | JetSetGo's provision of a booking, reservation, point-of-sale, manifest, and operational SaaS platform to the Operator. |
| Nature | Hosting, processing, transmission, display, backup, and aggregation of Personal Data for the Operator's booking and operational workflows. |
| Purpose | Enabling the Operator to take and manage bookings from travellers; running operational tooling; producing reports for the Operator; communicating with travellers on the Operator's behalf (booking confirmations, weather-cancellation alerts, refund notifications). |
| Duration | The term of the Services, plus the post-termination wind-down in §12. |
| Categories of Data Subjects | Travellers (the Operator's end-customers), and where relevant their group members (companions, family members) included in a booking. |
| Types of Personal Data | Identifiers (name, date of birth, email, phone); booking and transaction details; optional traveller attributes (accessibility needs, dietary requirements, special requests, emergency contact details); identification documents where the Operator's product requires them (passport details, driver's licence); payment proxies (Stripe customer references; last 4 digits of card; payment and refund status — no full card numbers held by JetSetGo); communications history. |
| Sensitive categories | Where the Operator's product collects them: passport / ID document data; accessibility / health-related dietary fields; medical or accessibility needs disclosed at booking. Handled per §7. |
5. JetSetGo's obligations as Processor
JetSetGo shall:
5.1 Process Personal Data only on the Operator's documented instructions, including with regard to transfers to a third country, unless required by law to do otherwise (and where so required, JetSetGo will inform the Operator of that legal requirement before processing unless that law prohibits notification on important grounds of public interest). The Operator's instructions are set out in the Agreement, the Operator's configuration of the Services, and any further documented instructions provided in writing.
5.2 Inform the Operator if JetSetGo believes an instruction infringes Applicable Data Protection Law (without obligation to provide legal advice).
5.3 Ensure persons authorised to process Personal Data have committed to confidentiality or are under a statutory duty of confidentiality. Confidentiality survives termination of employment or engagement.
5.4 Implement appropriate technical and organisational measures as set out in Annex II, to ensure a level of security appropriate to the risk.
5.5 Engage Sub-processors only in accordance with §6.
5.6 Assist the Operator by appropriate technical and organisational measures, taking into account the nature of the processing, in fulfilling its obligation to respond to Data Subject rights requests (GDPR Articles 12–22; CCPA / CPRA consumer rights; analogous rights under the other Applicable Data Protection Laws). The assistance mechanism is in §8.
5.7 Assist the Operator in complying with its obligations under GDPR Articles 32–36 (security, breach notification, data protection impact assessments, prior consultation) and the analogous obligations under the other Applicable Data Protection Laws.
5.8 Return or delete all Personal Data in accordance with §12.
5.9 Make available to the Operator all information necessary to demonstrate compliance with this DPA, and allow audits in accordance with §14.
6. Sub-processors
6.1 General authorisation
The Operator gives JetSetGo a general authorisation to engage Sub-processors. The current list of Sub-processors is published at jetsetgo.world/sub-processors and reproduced below.
6.2 Current Sub-processors
| Sub-processor | What they do for us | Personal Data they touch | Legal entity country | Data-residency / processing region |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Primary hosting and infrastructure — EC2 (backend services: FastAPI, Hasura self-hosted, background workers); S3 (object storage); SES (transactional email — booking confirmations, password resets, weather-cancellation alerts); Secrets Manager; CloudFront (CDN); Amplify (build infrastructure) | All Operator and Traveller Personal Data passing through the application layer; transactional email content; build artefacts | United States (Amazon Web Services, Inc.) | ap-southeast-2 (Sydney, Australia) for production and backups; some Amplify build infrastructure in US regions |
| Oracle Cloud Infrastructure | Primary production Postgres database | All Operator and Traveller Personal Data stored in the primary relational database | United States (Oracle Corporation) | Sydney, Australia |
| Google LLC (Firebase Authentication) | Operator-staff identity / login / SSO support (SAML 2.0 and OIDC) | Email, hashed password, login telemetry of Operator staff users (no Traveller data) | United States | Multi-region (Google datacentres in US, EU, and Asia per Google Cloud's Auth backend) — Authentication scope only; Firestore is not used |
| Stripe | Payments processing. Stripe is a controller in its own right for fraud, AML, KYC and tax-reporting purposes; listed here for transparency. Your contracting entity is Stripe Payments Australia Pty Ltd (ABN 41 160 180 343) for AU-resident Operators, or the Stripe entity for your jurisdiction (e.g. Stripe Payments Europe Ltd for EU/UK, Stripe, Inc. for US) | Cardholder data (held by Stripe, not by JetSetGo), payout data, payer identity, fraud-prevention signals | United States (Stripe, Inc.), Ireland (Stripe Payments Europe Ltd), Australia (Stripe Payments Australia Pty Ltd, ABN 41 160 180 343) | US for global controller functions; jurisdiction-specific Stripe entity for the merchant-of-record relationship |
| Twilio, Inc. | SMS and voice messaging — booking notifications, OTPs, weather alerts | Recipient phone number, message content | United States | Routing per recipient country; messaging metadata stored in the United States; Australian endpoints used where available |
| Cloudflare, Inc. | DNS, edge proxy, DDoS protection, rate limiting | Request metadata, IP addresses | United States | Global edge network; metadata and logs in the United States |
6.3 Notice of changes
JetSetGo will give the Operator at least 30 days' notice of any new or replaced Sub-processor by email to the Operator's account-owner and via an in-product banner, and by updating the published list.
6.4 Right to object
If the Operator reasonably objects to a new Sub-processor on data-protection grounds within 30 days of notice, the Operator may terminate the affected Services (or the whole Agreement, at its option) without penalty and exercise its data-export entitlement under §12.
6.5 Costless exit on objection
An Operator exercising the termination right in §6.4 retains the 90-day wind-down period at the current pricing. No early-termination fee applies.
6.6 Flow-down
JetSetGo will impose on each Sub-processor data-protection obligations substantially equivalent to those in this DPA by way of a written contract.
6.7 Liability for Sub-processors
JetSetGo remains liable to the Operator for the acts and omissions of its Sub-processors as if they were JetSetGo's own, subject to the liability cap in the Agreement.
7. Sensitive data and Sensitive Personal Information
7.1 JetSetGo handles Sensitive Personal Information only as necessary to provide the Services and on the Operator's documented instructions. JetSetGo does not use Sensitive Personal Information for any purpose beyond the operation of the Services and necessary security.
7.2 California residents have a Right to Limit Use of Sensitive Personal Information under CPRA. The Operator-Business actions the request; JetSetGo assists.
7.3 The Operator is responsible for obtaining any heightened consent required for Sensitive Personal Information under Applicable Data Protection Law (GDPR Article 9; APP 3; Quebec Law 25; POPIA section 26; analogous provisions).
8. Data Subject rights
8.1 JetSetGo will, by appropriate technical and organisational measures, assist the Operator in responding to Data Subject rights requests within the time-frames required by Applicable Data Protection Law.
8.2 The Operator is responsible for responding to Data Subject requests directed to it. JetSetGo will not respond on the Operator's behalf to substantive rights requests. Notwithstanding this, JetSetGo will respond directly to a Data Subject's access or correction request to the extent required by Applicable Data Protection Law (including APP 12 of the Australian Privacy Act) where the Operator-Controller does not or cannot respond, and will inform the Operator of any such direct response.
8.3 If JetSetGo receives a request directly from a Data Subject relating to the Operator's Personal Data, JetSetGo will:
(a) acknowledge the request to the Data Subject and inform them that the Operator is the Controller / Business / Responsible Party;
(b) forward the request to the Operator within 5 business days;
(c) not action the request substantively except on the Operator's instruction, subject to §8.2.
8.4 Assistance commitments:
- Data export of a single Data Subject's records — within 5 business days of Operator request.
- Erasure of a single Data Subject's records — within 30 days of Operator request, subject to any legal retention obligation (tax, regulatory, litigation hold) that JetSetGo will identify and document.
- Rectification — actionable by the Operator directly via the platform UI.
- Portability — machine-readable export (CSV per table plus JSON schema) available via the admin console at any time.
8.5 Where Applicable Data Protection Law permits JetSetGo to charge for excessive or manifestly unfounded requests, JetSetGo will not do so for routine assistance.
9. CCPA / CPRA — Service Provider terms
This §9 applies where the Operator is a "Business" and JetSetGo is a "Service Provider" under the CCPA / CPRA. The terms below apply in addition to the rest of this DPA.
9.1 JetSetGo shall not:
(a) Sell Personal Information.
(b) Share Personal Information for cross-context behavioural advertising.
(c) Retain, use, or disclose Personal Information outside the direct business purpose set out in this DPA and the Agreement.
(d) Retain, use, or disclose Personal Information outside the direct business relationship between JetSetGo and the Operator.
(e) Combine Personal Information received from the Operator with Personal Information received from another source or collected from JetSetGo's own interactions with consumers, except as expressly permitted under CCPA section 1798.140(ag)(1)(D)(i)–(iv) (specifically: detecting security incidents, protecting against malicious activity, debugging, short-term transient use, and the other narrow business purposes listed).
9.2 JetSetGo shall assist the Operator in responding to verifiable consumer rights requests (right to know, delete, correct, opt-out of sale/sharing, limit use of Sensitive Personal Information).
9.3 JetSetGo will notify the Operator within 5 business days if it determines it can no longer meet its obligations under the CCPA or CPRA.
9.4 The Operator may take reasonable and appropriate steps to ensure that JetSetGo uses Personal Information consistent with the Operator's CCPA / CPRA obligations, including the audit mechanism in §14.
9.5 JetSetGo certifies that it understands the prohibitions in this §9 and will comply with them.
10. International transfers — EU SCCs and UK IDTA Addendum
10.1 Where Personal Data of Data Subjects in the EU, EEA, Switzerland, or the United Kingdom is transferred to JetSetGo in Australia (Australia is not adequacy-recognised by the European Commission or the UK ICO), the following safeguards apply.
10.2 EU 2021 Standard Contractual Clauses (Module 2 — Controller to Processor) are incorporated into this DPA by reference, with the following pre-completed elections:
(a) Clause 7 (Docking clause): not applicable for the initial parties; available to future joiners.
(b) Clause 9(a) (Sub-processor authorisation): Option 2 (general written authorisation) — 30 days' notice as set out in §6.
(c) Clause 11(a) (Independent dispute resolution): the optional language is not included.
(d) Clause 17 (Governing law): the law of the Republic of Ireland.
(e) Clause 18(b) (Choice of forum): the courts of Ireland.
(f) Annexes I, II, and III: completed below.
10.3 UK International Data Transfer Addendum is incorporated into this DPA by reference where Personal Data of Data Subjects in the United Kingdom is transferred to JetSetGo in Australia. The Addendum applies on top of the EU SCCs in §10.2 with the following pre-completed tables:
(a) Table 1 — Parties: as identified in Annex I below.
(b) Table 2 — Selected SCCs, Modules and Clauses: Module 2 (Controller-to-Processor), with the elections in §10.2.
(c) Table 3 — Appendix Information: as in Annexes I, II, and III below.
(d) Table 4 — Ending this Addendum when the Approved Addendum Changes: neither party.
10.4 Transfer Impact Assessment. JetSetGo has conducted and maintains a Transfer Impact Assessment evaluating the legal framework in Australia and the practical effect on the protection of EU/UK Personal Data. The TIA is available to Operators on request, subject to confidentiality.
10.5 Australian Privacy Act — coverage and APP 8 cross-border accountability. JetSetGo, as a foreign business subject to the Australian Privacy Act 1988 (Cth) under section 5B by virtue of handling personal information of individuals in Australia in the course of carrying on business there, is bound by the Australian Privacy Principles (APPs), including APP 8 (cross-border disclosure). JetSetGo's reasonable steps to ensure overseas Sub-processors meet APP-equivalent standards include due diligence at onboarding and annually, contractual flow-down of obligations substantially equivalent to those in this DPA, encryption in transit and at rest, access controls and audit logging, and periodic review of each Sub-processor's published certifications and incident history.
10.6 NZ IPP 12. Australia is on the New Zealand Privacy Commissioner's list of countries with comparable privacy laws. The transfer of NZ Personal Data to JetSetGo in Australia is permitted under Information Privacy Principle 12.
10.7 POPIA cross-border transfers from South Africa to Australia are governed by this DPA as the "binding agreement" under section 72(1)(a) of POPIA.
10.8 Quebec Law 25 cross-border assessment. The Quebec Operator-Controller is responsible for its own Law 25 cross-border transfer assessment. JetSetGo provides as input: its technical and organisational measures (Annex II), the description of the legal framework in Australia (available on request), and this DPA.
11. Breach notification
11.1 24-hour SLA. JetSetGo will notify the Operator without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach affecting the Operator's Personal Data.
11.2 Content of notification. The notification will include, to the extent known:
(a) the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) the likely consequences of the breach;
(c) the measures taken or proposed to address the breach and mitigate its possible adverse effects;
(d) the name and contact details of JetSetGo's incident-response lead.
Where some of this information is not yet known, JetSetGo will provide it in subsequent updates without undue delay as it becomes available.
11.3 Joint allocation:
(a) Platform-caused breach affecting multiple Operators — JetSetGo leads regulator notification where it is the holder; coordinates with affected Operators on individual notifications, recognising that the Operator owns the customer relationship and may prefer to deliver the per-individual notification itself.
(b) Operator-caused breach (admin error, weak credentials, staff misuse on the Operator side) — the Operator leads; JetSetGo provides forensics, evidence, and assistance; JetSetGo parallel-notifies its own regulators where required as the holder.
(c) Operator Account Data only (no Traveller Personal Data) — JetSetGo notifies and leads.
11.4 Cost. JetSetGo bears the cost of notification for platform-caused breaches. The Operator bears the cost of notification for Operator-caused breaches.
11.5 Cooperation. JetSetGo will cooperate with the Operator's regulator notifications — including the GDPR 72-hour clock to a Supervisory Authority, the OAIC Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth), the UK ICO, the Quebec CAI, the Office of the Privacy Commissioner of Canada, the NZ Office of the Privacy Commissioner, and the South African Information Regulator — and provide technical information as needed.
11.6 The Operator is responsible for notifying its travellers (Data Subjects) and its own regulator where Applicable Data Protection Law requires.
12. Return and deletion
12.1 During the term — the Operator can self-serve a full export of its Personal Data 24/7 via the admin console, in CSV per table plus a JSON schema document describing the structure. SQL dump is available on request within 14 days. No fee.
12.2 On termination:
(a) 90-day wind-down period. The 90-day post-termination period is the wind-down period described in the Agreement. During that period, in addition to read-only export via the admin console and API, the Operator may continue to fulfil in-flight bookings, use the POS and check-in apps, and process refunds on pre-termination bookings, all on the same fee terms.
(b) 30-day production deletion. After the 90-day window closes, JetSetGo deletes Personal Data from production systems within 30 days.
(c) Backup aging. Personal Data may persist in encrypted, immutable backups for up to 12 months from the production-deletion date, after which it is aged out. JetSetGo does not access backups other than for limited disaster-recovery and legal-hold purposes.
(d) Deletion certificate. JetSetGo provides a written deletion certificate on request after the production-deletion step is complete.
12.3 Legal hold. JetSetGo may retain Personal Data for longer where required by law (tax, regulatory, litigation), in which case it will limit the retention to what is required and continue to apply the security measures in Annex II.
12.4 No ransom. JetSetGo will not withhold export pending payment of arrears. Outstanding invoices are pursued separately.
12.5 Operational logs and de-identified aggregates. Operational logs (audit logs, security logs, performance logs) are retained for the periods set out in the Privacy Policy and Annex II. De-identified, aggregated data that no longer constitutes Personal Data under GDPR Recital 26 (or its analogues in other Applicable Data Protection Laws) is not subject to the deletion obligations in this §12.
13. Operator obligations
13.1 The Operator warrants that it has a lawful basis for the collection and use of Traveller Personal Data through the Services, and that it has provided travellers with a privacy notice that meets the requirements of Applicable Data Protection Law in each jurisdiction it operates in. The Operator's privacy notice must disclose that JetSetGo acts as a sub-processor / service provider / operator (POPIA) for the Operator.
13.2 The Operator is responsible for honouring traveller rights requests within the time-frames required by Applicable Data Protection Law, with JetSetGo's assistance under §8.
13.3 The Operator will not use the Services to process Personal Data in breach of Applicable Data Protection Law, the Acceptable Use clauses of the Agreement, or the prohibitions in this DPA. The Operator acknowledges that the Privacy Act 1988 (Cth) statutory tort of serious invasions of privacy (introduced by the Privacy and Other Legislation Amendment Act 2024) is a separate cause of action available to individuals, and that the Operator's indemnity to JetSetGo under the Agreement covers third-party claims arising from the Operator's unlawful use of the Services.
13.4 The Operator will obtain any required consent for children's data collected through the Services and comply with COPPA, GDPR Article 8, Quebec Law 25 children provisions, POPIA section 34, and analogous laws.
13.5 The Operator will provide JetSetGo with accurate and up-to-date information necessary for JetSetGo to fulfil its obligations under this DPA (including identifying the categories of Data Subjects, the jurisdictions in which the Operator operates, and any heightened-sensitivity processing).
13.6 Breach of any of the Operator obligations in this §13 triggers the indemnity in the Agreement.
14. Audits
14.1 Information and documentation. JetSetGo will, on the Operator's reasonable request, make available information reasonably necessary to demonstrate compliance with this DPA.
14.2 Third-party reports. Where available, JetSetGo will provide third-party audit reports (SOC 2 Type II when achieved; ISO 27001 certificate when achieved) under confidentiality. JetSetGo does not currently hold SOC 2 Type II or ISO 27001 certification — it will say so when it does. JetSetGo's security practices are informed by both frameworks.
14.3 Questionnaire response. JetSetGo will respond to a reasonable security / privacy questionnaire from the Operator.
14.4 Remote audit. The Operator may conduct a remote audit at its own cost, once per calendar year, with at least 30 days' written notice, of reasonable scope and duration, subject to written confidentiality obligations and no on-site access to JetSetGo's premises or Sub-processor facilities. The Operator and JetSetGo will agree on a mutually convenient time and on the auditor (who must not be a competitor of JetSetGo).
14.5 Suspected-breach audit. Where there is a documented, reasonable suspicion that JetSetGo has materially breached this DPA and the suspicion relates to a breach affecting the Operator's Personal Data, the audit may be conducted with shorter notice and at JetSetGo's cost, with scope agreed between the parties.
14.6 Regulator audits. Where a Supervisory Authority requires an audit of JetSetGo's processing of the Operator's Personal Data, JetSetGo will cooperate and the cost allocation will follow the regulator's determination.
15. Liability
15.1 The liability cap and carve-outs in the Agreement apply to claims arising under this DPA, including claims arising under the EU SCCs and UK Addendum, to the maximum extent permitted by Applicable Data Protection Law.
15.2 Where Applicable Data Protection Law or the EU SCCs provide that the parties cannot limit their liability to Data Subjects, this DPA does not purport to do so. Statutory penalties imposed by a regulator on either party are not subject to the inter-party liability cap.
15.3 Higher caps for data-related claims may be negotiated as part of the Master Services Agreement. The cap referenced in this DPA reflects JetSetGo's standard position and may be varied by written agreement between the parties.
16. Order of precedence
Where there is a conflict between documents, the order of precedence is:
- The EU SCCs and UK Addendum (incorporated under §10), to the extent of any conflict and subject to applicable law.
- This DPA.
- The body of the Privacy Policy.
- The Master Services Agreement signed by the Operator and JetSetGo.
17. Governing law of this DPA
This DPA is governed by the law of the State of New Mexico, United States of America, with non-exclusive jurisdiction in the state and federal courts located in New Mexico.
The exception is the EU Standard Contractual Clauses (§10): per Clause 17 of the SCCs, those Clauses themselves are governed by the law of the Republic of Ireland for the purposes of Data Subject claims under them, with the courts of Ireland as the forum. The UK Addendum is governed by the law of England and Wales for the purposes of Data Subject claims under it.
Nothing in this §17 prevents JetSetGo or the Operator from asserting non-excludable consumer-protection rights or non-excludable privacy rights that apply under the law of the Operator's place of establishment or the place where the affected Data Subject resides — those rights are preserved.
18. Variation of this DPA
JetSetGo may vary this DPA on 30 days' written notice to the Operator's account-owner and via an in-product banner, with the variation published on this DPA page and a changelog entry.
If the Operator does not accept a material variation, the Operator may terminate the Agreement without penalty within 30 days of the notice and exercise its data-export entitlement under §12. JetSetGo does not rely on "continued use of the Services constitutes acceptance" as a basis for material variations affecting the Operator's data-protection rights.
Annex I — Description of the transfer
A. List of Parties
| Role | Party | Address | Contact |
|---|---|---|---|
| Data Exporter (Controller) | The Operator | As stated in the Operator's account record | The Operator's privacy contact as stated in its own privacy notice |
| Data Importer (Processor) | JetSetGo LLC (a New Mexico limited liability company) | New Mexico, United States | privacy@jetsetgo.world |
B. Description of the transfer
- Categories of data subjects — Travellers (the Operator's end-customers) and persons included in a booking made by a Traveller.
- Categories of personal data — identifiers (name, date of birth, email, phone); booking and transaction details; optional traveller attributes (accessibility, dietary, special requests, emergency contact details); identification documents where the Operator's product requires them (passport details, driver's licence); payment proxies (Stripe references; no full card numbers held by JetSetGo); communications history.
- Sensitive data — where collected by the Operator's product: passport / ID document data; accessibility / health-related dietary fields; medical or accessibility needs disclosed at booking. Handled per §7.
- Frequency of transfer — continuous, for the duration of the Services.
- Nature of processing — hosting, processing, transmission, display, backup, aggregation.
- Purpose of the transfer and further processing — provision of the Services to the Operator, as described in this DPA and the Agreement.
- Retention period — as set out in §8 of the body of the Privacy Policy and §12 of this DPA.
- Sub-processors — as published at jetsetgo.world/sub-processors and reproduced in §6 of this DPA; categories and locations identified there.
C. Competent Supervisory Authority
The competent Supervisory Authority is determined by the Data Exporter's place of main establishment in accordance with GDPR Article 4(23). Where Article 4(23) does not identify a single Supervisory Authority, the Irish Data Protection Commission acts as the supervising authority for the purposes of the EU SCCs in this DPA.
For UK transfers, the competent authority is the Information Commissioner's Office (ICO).
Annex II — Technical and organisational measures
JetSetGo applies the following measures to ensure the security of Personal Data.
- Encryption in transit — TLS 1.2 or higher on all public endpoints.
- Encryption at rest — AES-256 or equivalent for production databases, backups, and object storage.
- Multi-tenant isolation — schema-per-tenant separation in the primary database, with row-level security enforced at the data layer.
- Card data — Stripe handles cardholder data via Stripe's hosted card-collection flow. JetSetGo does not store full card numbers, CVVs, or expiry dates. PCI-DSS scope is minimised accordingly.
- Access control — role-based access with least-privilege defaults; multi-factor authentication for production access; quarterly access reviews. SSO support (SAML 2.0 and OIDC) for Operator staff via Firebase Authentication.
- Secrets management — production credentials stored in AWS Secrets Manager; no hard-coded credentials in source code or configuration.
- Logging and monitoring — audit logging of access to Personal Data retained for 12 months; security event monitoring; on-request export of audit logs to Operators.
- Network security — Cloudflare edge with no exposed origin IP, rate limiting, DDoS protection; firewall and intrusion-detection controls within AWS.
- Personnel — confidentiality obligations; security and privacy training at onboarding and annually; background checks where appropriate; immediate revocation of access on departure.
- Sub-processor management — due diligence at onboarding and annually; contractual flow-down of obligations.
- Vulnerability management — periodic security testing; continuous dependency scanning; patch management discipline.
- Incident response — documented procedure with 24-hour notification SLA to Operators; quarterly review of process.
- Resilience and backup — daily backups; cross-region disaster-recovery copy in AWS Singapore; recovery time and recovery point objectives documented internally and available on request to Operators under NDA.
- Data minimisation — platform design choices that collect only the information needed for the booking; configurable retention windows at the Operator level.
- Pseudonymisation and anonymisation — for aggregated analytics use, k-anonymity ≥10 standard with re-identification risk assessment.
- Physical security — handled by AWS and Oracle Cloud Infrastructure for the underlying datacentres (each operates under SOC 2 / ISO 27001 / equivalent frameworks); no JetSetGo-operated physical data centres.
- Framework alignment — JetSetGo aligns its controls with the SOC 2 and ISO 27001 frameworks. Formal certification is on the roadmap; JetSetGo does not currently claim either certification.
Annex III — List of Sub-processors
The list is published and maintained at jetsetgo.world/sub-processors and reproduced in §6 of this DPA. Operators are notified of changes per §6.3 of this DPA (30 days' notice; costless objection right on data-protection grounds).
End of Data Processing Addendum.
