Legal

Data Processing Agreement

Last updated: 29 May 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Customer”, “you”) and Viva Travel Holdings Pty Ltd (ACN 636 285 651), trading as AccessibleOz(“Accessible Oz”, “we”, “us”), and applies where, in your use of the AccessibleOz Itinerary Studio (the “Service”), we process personal data on your behalf. Where there is any conflict between this DPA and the Terms of Service on the subject of data protection, this DPA prevails.

This DPA is intended to satisfy Article 28 of the EU General Data Protection Regulation (GDPR) and the UK GDPR, and to support compliance with the Australian Privacy Act 1988 (Cth) and the New Zealand Privacy Act 2020, where those laws apply.

1. Definitions

Terms such as “controller”, “processor”, “data subject”, “personal data”, “processing”, “special category data”, and “supervisory authority” have the meanings given in the GDPR. “Data Protection Law” means each privacy or data protection law applicable to the processing under this DPA. “Customer Personal Data” means personal data we process on your behalf in providing the Service, as described in Annex 1.

2. Roles of the parties

  • For traveller personal datathat you input into the Service (including travellers' names and accessibility needs), you are the controller and we are your processor. You determine the purposes and means of processing; we process on your instructions.
  • For your own account, billing, and usage data, we are an independent controller, and our handling of that data is governed by our Privacy Policy, not this DPA.

3. Processing on instructions

We will process Customer Personal Data only:

  • on your documented instructions, including as set out in this DPA and the Terms of Service and as given through your use of the Service; and
  • as required by a law to which we are subject, in which case we will inform you of that requirement before processing unless the law prohibits it.

We will tell you if, in our opinion, an instruction infringes Data Protection Law.

4. Your obligations as controller

You warrant that:

  • you have a lawful basis to provide the Customer Personal Data to us and to instruct us to process it;
  • where the data includes special category data or sensitive information (such as accessibility or health-related information about a traveller), you have obtained any consent and met any condition required by Data Protection Law;
  • you have given data subjects any privacy notice required by law; and
  • your instructions to us comply with Data Protection Law.

5. Confidentiality

We ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations.

6. Security

We implement appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, having regard to the state of the art, the costs of implementation, and the nature of the data. A summary of those measures is in Annex 3.

7. Sub-processors

You give us general authorisation to engage the sub-processors listed in Annex 2 to process Customer Personal Data. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance.

We will give you reasonable notice (by updating our sub-processor list and notifying you where you have asked to be notified) before adding or replacing a sub-processor. You may object on reasonable data protection grounds within 14 days. If we cannot resolve your objection, you may terminate the affected part of the Service.

8. Data subject requests

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, so far as possible, to respond to requests from data subjects to exercise their rights. If we receive a request directly from a data subject relating to Customer Personal Data, we will, unless legally required to act, refer the data subject to you, and notify you of the request.

9. Assistance with compliance

Taking into account the nature of processing and the information available to us, we will assist you in meeting your obligations relating to security, personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities.

10. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide the information you reasonably need to meet your own breach-notification obligations.

11. Deletion or return

On termination of the Service, we will, at your choice, delete or return Customer Personal Data, and delete existing copies, except to the extent we are required by law to retain it. De-identified or aggregated data that is no longer personal data may be retained.

12. Audits and information

We will make available to you the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality, notice, frequency, and security conditions. We may satisfy this obligation by providing relevant third-party certifications or reports where available.

13. International transfers

Where our provision of the Service involves a transfer of Customer Personal Data out of the EEA, the United Kingdom, Australia, or New Zealand to a country without an adequacy decision, the transfer is made under an appropriate transfer mechanism, namely the EU-US Data Privacy Framework and its UK extension where the recipient is certified, and/or the European Commission's Standard Contractual Clauses (module two, controller to processor) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and completed by reference to Annexes 1 to 3.

14. Liability and governing law

The liability provisions of the Terms of Service apply to this DPA. This DPA is governed by the law that governs the Terms of Service, except where Data Protection Law requires otherwise.

15. How to accept this DPA

This DPA applies automatically where we act as your processor. If you require a signed copy, contact privacy@accessibleoz.com.


Annex 1: Details of processing

  • Subject matter: provision of the AccessibleOz Itinerary Studio.
  • Duration: for the term of your subscription, plus any retention period in the Privacy Policy.
  • Nature and purpose: building, storing, and generating travel itineraries and related documents, and responding to quote and net-rate requests.
  • Types of personal data: traveller name; traveller accessibility needs (which may include health-related or special category data); itinerary details; and any other personal data you choose to input.
  • Categories of data subjects: travellers (and, where applicable, their authorised representatives) whose information you input.

Annex 2: Authorised sub-processors

Sub-processorPurposeLocation
SupabaseDatabase and authenticationAustralia (Sydney)
StripePayment processingUnited States
SendGrid (Twilio)Transactional emailUnited States
VercelApplication hosting and CDNUnited States (edge regions may vary)
Google Maps PlatformLocation and place dataGlobal
AnthropicAI scoring of candidate suppliers (Claude API)United States

Annex 3: Technical and organisational security measures (summary)

  • Access controls and least-privilege access to systems holding personal data.
  • Encryption of personal data in transit.
  • Authentication and session management through our identity provider.
  • Logging and monitoring for unusual activity and abuse.
  • Restriction of personal data to the providers listed in Annex 2.
  • Retention and deletion in line with our Privacy Policy.
  • Contractual commitment from our AI provider that inputs are not used to train its models.