Data Processing Agreement

Last Updated: 12-08-2025

This Data Processing Agreement (“DPA”) forms part of the agreement between Aloftk (“Processor”) and the customer using Aloftk services (“Controller”).
It applies whenever Aloftk processes personal data on behalf of the Controller.

1. Purpose & Scope

1.1 This DPA sets out the terms under which Aloftk processes personal data for the Controller in providing hotel booking and event accommodation services.
1.2 The processing will be carried out in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and other relevant laws.

2. Roles of the Parties

  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: Aloftk, which processes personal data on the Controller’s behalf and only on documented instructions.

3. Nature of Processing

Aloftk processes personal data solely for:

  • Facilitating hotel and accommodation bookings.
  • Managing reservations, itineraries, and event-related travel.
  • Providing customer support and platform functionality.
  • Performing analytics and service improvements (as instructed by the Controller).

4. Categories of Data & Data Subjects

  • Data Subjects: Event attendees, employees, contractors, travel coordinators, and guests.
  • Types of Data: Names, contact details, travel dates, booking preferences, payment details, communications.

5. Processor Obligations

Aloftk will:

  1. Process data only on documented instructions from the Controller.
  2. Ensure authorized personnel are bound by confidentiality.
  3. Implement appropriate technical and organizational security measures.
  4. Use only approved Sub-processors and remain responsible for their work.
  5. Notify the Controller at least 30 days before engaging a new Sub-processor.
  6. Notify the Controller within 24 hours of any personal data breach.
  7. Assist the Controller in responding to data subject requests and regulatory obligations.
  8. Delete or return all personal data upon termination of services unless retention is required by law.

6. Sub-processors

Aloftk may engage the following types of sub-processors:

  • Hosting Providers (e.g., AWS, Hetzner)
  • Payment Processors (e.g., Stripe)
  • Email Service Providers (e.g., Google)

A current list of sub-processors is maintained and can be provided upon request.

7. Security Measures

Aloftk applies industry-standard measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control and multi-factor authentication.
  • Regular vulnerability scans and penetration testing.
  • Secure data backups and disaster recovery procedures.

8. Data Breach Notification

If Aloftk becomes aware of a personal data breach, it will:

  • Notify the Controller without undue delay, and in any case within 24 hours.
  • Provide details of the nature of the breach, likely impact, and steps taken to mitigate it.
  • Cooperate fully in breach management and reporting.

9. International Data Transfers

If personal data is transferred outside the EEA, UK, or other regions with applicable restrictions, Aloftk will ensure adequate safeguards, such as:

  • European Commission Standard Contractual Clauses (SCCs).
  • UK International Data Transfer Addendum.
  • Other lawful transfer mechanisms.

10. Audit Rights

The Controller may, at its own cost and with reasonable notice, conduct audits to verify Aloftk’s compliance with this DPA. Audits will be conducted during normal business hours and without undue disruption.

11. Liability

The liability provisions in the main service agreement apply to this DPA. In the event of a conflict between this DPA and the main agreement, this DPA will take precedence for matters related to data protection.

12. Updates to This DPA

Aloftk may update this DPA from time to time to reflect changes in laws, best practices, or services offered. The “Last Updated” date at the top will be revised, and continued use of the services constitutes acceptance of the updated terms.