Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements the Safe Trip for Teams Master Service Agreement and applies when Safe Trip processes personal data on behalf of a Customer in connection with the Service. It is drafted to satisfy GDPR Article 28.
Note: Safe Trip for Teams is in pre-launch. The DPA below is a public preview of the terms that will apply to paying B2B customers. The signed version, including DPA-specific signature blocks and Standard Contractual Clauses, will be issued at the start of every Teams subscription.
1. Roles
For personal data submitted to the Service, the Customer is the Controller and Safe Trip is the Processor. Each party is responsible for its own compliance with applicable data protection laws.
2. Subject matter & duration
Subject matter: provision of the Safe Trip for Teams platform (employee + trip travel-risk visibility, policy enforcement, duty-of-care reporting). Duration: the term of the underlying Master Service Agreement, plus the deletion period in section 8.
3. Nature & purpose of processing
Hosting, transmitting, displaying, and analysing employee and trip data for travel-risk monitoring; sending configured alerts; producing duty-of-care reports.
4. Categories of data subjects & data
Categories of data subjects: Customer’s employees, contractors, and authorised travellers. Categories of personal data: name (optional), work email, employee identifier, country of travel, travel dates, and (Pro+) approximate location while on a trip. The Service does not require special-category data; Customers should not submit sensitive categories (e.g., health data) unless explicitly negotiated.
5. Controller’s instructions
Safe Trip processes personal data only on documented instructions from the Customer, including transfers, unless required by EU or Member-State law. Safe Trip will notify the Customer of such legal requirements before processing, unless that law prohibits notice on important grounds of public interest.
6. Confidentiality
Personnel authorised to process personal data are bound by confidentiality obligations.
7. Security (Art. 32)
Safe Trip implements appropriate technical and organisational measures, including: encryption in transit (TLS 1.2+) and at rest; least-privilege access controls; per-organisation encryption keys for high-sensitivity fields (location data); audit logging of admin access; daily backups with documented restore procedures; and a documented incident-response process. A more detailed security overview is available on request.
8. Sub-processors (Art. 28(2) and (4))
The Customer grants general written authorisation for Safe Trip to engage sub-processors. The current list is published at /legal/subprocessors. Safe Trip will give 30 days’ advance notice (60 days for Enterprise) before engaging a new sub-processor; the Customer may object on reasonable grounds and either party may terminate the affected portion of the Service.
9. Data subject rights (Arts. 15 to 22)
Safe Trip will, taking into account the nature of processing, assist the Customer with appropriate technical and organisational measures to fulfil data-subject requests. The Customer remains responsible for responding to those requests directly.
10. Breach notification (Art. 33)
Safe Trip will notify the Customer without undue delay (and no later than 72 hours) after becoming aware of a personal-data breach affecting Customer data, including the information required by Article 33(3).
11. International transfers
Where Safe Trip transfers personal data outside the EU/EEA, the parties incorporate the European Commission’s Standard Contractual Clauses (Decision 2021/914) and, where applicable, the UK addendum.
12. Audits
Safe Trip will make available all information necessary to demonstrate compliance with Article 28 and allow for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits are subject to reasonable notice, scope, and confidentiality.
13. Deletion or return
On termination of the Service, Safe Trip will, at the Customer’s choice, delete or return all personal data, and delete existing copies, unless EU or Member-State law requires storage.
14. Liability & governing law
Liability is governed by the underlying Master Service Agreement. This DPA is governed by the laws of Portugal, without prejudice to any mandatory data-protection laws of the Customer’s jurisdiction.
Contact
Data-protection enquiries: [email protected].