Data Processing Addendum
This Data Processing Addendum (the “DPA”) supplements the Terms of Service between TripGoGo (“SplitGoGo”) and the Customer. It applies whenever SplitGoGo processes personal data on the Customer’s behalf in the course of providing the service.
1. Roles
For personal data the Customer sends to SplitGoGo through the API, the Customer is the controller and SplitGoGo is the processor. Each party will comply with its obligations under applicable data-protection law, including the GDPR where it applies.
2. Scope and purpose of processing
SplitGoGo processes personal data only to provide the service set out in the Terms: that is, to record participants, transactions, splits, and settlements; to compute balances and settlement plans; and to deliver related events to Customer-configured endpoints. Categories of data typically processed include participant identifiers, display names, email addresses (where provided), and amounts.
3. Processor obligations
SplitGoGo will:
- process personal data only on documented instructions from the Customer (including those given through the API);
- ensure that personnel authorised to access personal data are bound by confidentiality;
- implement appropriate technical and organisational measures (see Section 5);
- assist the Customer in responding to data-subject requests and regulator enquiries; and
- on termination, delete or return Customer personal data on request within a reasonable period, except where retention is required by law.
4. Subprocessors
The Customer authorises SplitGoGo to engage subprocessors (for example, hosting providers, error-tracking services, and transactional-email providers) to assist in providing the service. SplitGoGo will impose data-protection obligations on each subprocessor that are substantially similar to those set out in this DPA. A current list of subprocessors is available on request.
5. Security
SplitGoGo maintains technical and organisational measures designed to protect personal data, including encryption of data in transit, hashed storage of credentials and signing secrets, tenant-scoped access enforcement at the data-access layer, and an immutable audit trail of significant actions taken through the API.
6. Personal-data breaches
SplitGoGo will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer personal data, and will provide information reasonably needed for the Customer to meet its own notification obligations.
7. International transfers
Where transfers of personal data are made out of the European Economic Area, the parties will rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses, which are incorporated by reference where required.
8. Audits
SplitGoGo will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for audits conducted by the Customer or its mandated auditor on reasonable prior notice and at the Customer’s expense, subject to mutually agreed confidentiality terms.
9. Contact
Questions or notices under this DPA can be sent to privacy@splitgogo.com.
