Data Processing Agreement
Our commitments for processing data on behalf of our customers.
Introduction and Applicability
This Data Processing Addendum ("DPA") forms part of the Tiquo Terms of Service or any other written or electronic agreement between Tiquo Ltd ("Tiquo", the Processor) and the customer (the "Controller") governing the use of the Tiquo platform and related services (the "Agreement").
This DPA automatically applies to all customers who use the Tiquo services. By continuing to use the Tiquo platform after the Effective Date, the Controller agrees to this DPA.
This DPA is made pursuant to the UK GDPR, the EU GDPR, and applicable data protection laws. It sets out the obligations of each Party in relation to the processing of Personal Data.
1. Parties
Controller: Any customer using the Tiquo platform, as identified in the Agreement.
Processor: Tiquo Ltd, incorporated in England and Wales with registered office at Flat C, 26 Old Gloucester Street, London, England, WC1N 3AN, company number 16500553.
2. Background and Purpose
2.1 The Controller engages Tiquo to provide a unified management platform for hospitality and wellness businesses (including hotels, restaurants, spas, and venues), which requires Tiquo to process Personal Data on behalf of the Controller.
2.2 This DPA supplements and forms part of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict, except where the Agreement provides greater protection for Personal Data.
3. Definitions
Unless otherwise defined, terms in this DPA have the meaning given in the UK GDPR.
Applicable Data Protection Law: All data protection and privacy laws applicable to a Party, including the UK GDPR, EU GDPR, and Data Protection Act 2018.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, and Supervisory Authority have the meanings set out in the UK GDPR.
TOMs: The technical and organisational measures described in Annex 2.
Sub-processor: Any third party engaged by Tiquo to process Personal Data on behalf of the Controller.
SCCs: The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, the UK Addendum issued by the ICO.
4. Roles and Scope of Processing
4.1 Roles. The Controller acts as the data controller; Tiquo acts as the data processor.
4.2 Instructions. Tiquo shall process Personal Data only on documented instructions from the Controller, as described in this DPA and the Agreement.
4.3 Details of Processing. The subject matter, nature and purpose, duration, types of data, and categories of data subjects are set out in Annex 1.
4.4 Controller Responsibility. The Controller is responsible for ensuring lawful collection and transfer of Personal Data and for configuring the Tiquo platform in a compliant manner.
5. Confidentiality and Personnel
5.1 Tiquo ensures that personnel authorised to process Personal Data are bound by confidentiality and trained in data protection.
5.2 Access to Personal Data is restricted to those with a legitimate business need.
6. Security Measures
Tiquo implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk, as described in Annex 2. These measures may be updated to reflect technological progress without materially reducing protection.
7. Sub-Processing
7.1 The Controller grants Tiquo general authorisation to engage Sub-processors.
7.2 A current list of Sub-processors is available at https://tiquo.co/subprocessors. Tiquo will notify Controllers of new Sub-processors and provide a right to object on reasonable grounds.
7.3 Tiquo remains fully liable for its Sub-processors and ensures they provide no less protection than this DPA.
8. Assistance to the Controller
Tiquo assists the Controller, insofar as possible, with:
- Responding to Data Subject requests;
- Conducting Data Protection Impact Assessments (DPIAs);
- Cooperating with Supervisory Authorities;
- Providing information and access for compliance verification (see Clause 11).
9. Personal Data Breaches
Tiquo shall notify the Controller without undue delay after becoming aware of a Personal Data Breach and shall provide information regarding the nature, consequences, and remedial actions. Tiquo shall cooperate to mitigate and remedy the breach.
10. International Transfers
Tiquo shall not transfer Personal Data outside the UK or EEA except where lawful transfer mechanisms are in place, including adequacy decisions, SCCs, or the UK Addendum, as described in Annex 4.
11. Audits and Information Requests
Tiquo will make available all information reasonably necessary to demonstrate compliance. The Controller may request audits under reasonable notice and frequency. Independent third-party certifications (e.g., ISO 27001, SOC 2) may satisfy audit requirements.
12. Deletion or Return of Personal Data
Upon termination or expiry of the Agreement, Tiquo will delete or return all Personal Data within the timeframes in Annex 6, unless retention is required by law.
13. Liability
Each Party's liability under this DPA is subject to the limitations in the Agreement, except where prohibited by Applicable Data Protection Law.
14. Updates and Changes
Tiquo may update this DPA (including Annexes) to reflect legal or operational changes by providing prior written or public notice. Continued use of the services after such notice constitutes acceptance of the updated DPA.
15. Governing Law and Jurisdiction
This DPA is governed by the laws of ENGLAND AND WALES. Any disputes shall be subject to the exclusive jurisdiction of the courts of ENGLAND AND WALES.
Annex 1 – Details of Processing
Subject Matter: Provision of the Tiquo platform and related support and professional services.
Duration: For the term of the Agreement and any data return/deletion period.
Nature and Purpose: Hosting, storage, transmission, reporting, analysis, backup, configuration, and related processing required to deliver the Tiquo services.
Types of Personal Data: Names, contact details, booking and membership data, preferences, payment identifiers (tokenised), staff data, device data, and any data entered by the Controller.
Special Category Data: Not intentionally processed. The Controller must ensure a lawful basis if entered.
Categories of Data Subjects: Guests, diners, members, staff, and other end users.
Processing Locations: Data is replicated durably across multiple physical availability zones provided by AWS RDS using MySQL.
Annex 2 – Technical and Organisational Measures (TOMs)
Tiquo maintains a security programme aligned to recognised standards (e.g., ISO/IEC 27001):
- Access Control: Role-based access, least privilege, SSO/MFA.
- Encryption: In transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Secure Development: Secure SDLC, code review, vulnerability scanning.
- Monitoring: Centralised logging, anomaly detection, alerting.
- Business Continuity: Backups, disaster recovery, tested restoration.
- Sub-Processor Oversight: Due diligence and contractual controls.
- Physical/Cloud Security: Reputable data centres, certification alignment.
- Incident Response: Defined procedures and 24/7 escalation.
- Privacy by Design: Product reviews ensuring minimisation and compliance.
Annex 3 – Sub-Processors
Tiquo uses certain third-party Sub-processors to provide hosting, infrastructure, and related services. A current and up-to-date list of Sub-processors is maintained at:
https://tiquo.co/subprocessors
Annex 4 – International Transfers
For transfers outside the UK/EEA without adequacy, the SCCs (Module 2: Controller to Processor and Module 3: Processor to Sub-processor) and UK Addendum apply. Details required by Annexes I–III of the SCCs are provided in Annexes 1–3. Tiquo conducts transfer risk assessments where required.
Annex 5 – Security Incident Response
- Detection & Notification: Breaches notified within 48 hours of confirmation.
- Investigation: Root cause analysis, mitigation, corrective actions.
- Communication: Updates provided as new information becomes available.
- Post-incident Review: Lessons learned, policy updates.
Annex 6 – Data Retention & Deletion
- Personal Data retained for the term of the Agreement.
- On termination, export available within 30 days upon request.
- Deletion within 90 days from backups following export or end of period.
- Deletion certificate available upon request.
Questions about this document? Contact our legal team.