Screen and Protect API: Data Processing and Handling Agreement
BETWEEN:
1) Truvi Technologies Ltd, a company incorporated in the United Kingdom under registration number 11871938, whose registered office is at 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT (“Truvi”) and
2) The “Client”
BACKGROUND
A. Truvi is a Trust and Safety SaaS platform for short-term vacation rentals, providing services which enable short-term vacation rental operators to screen and identity-check their guests. The services include advanced screening to help the Client identify and prevent fraud and bad actors staying at properties.
B. The Parties wish to enter this Agreement to record and formalise their data processing and handling arrangements in relation to the Commercial Agreement between the Parties.
IT IS NOW AGREED BY THE PARTIES AS FOLLOWS:
1. INTERPRETATION AND DEFINITIONS
1.1.The following terms shall have the following meanings for the purposes of this Agreement:
“Agreement” the terms and conditions herein including all Schedules and appendices;
“Appendix” the appendices to this Agreement;
“Approved” means a status allocated to a booking with no significant risks identified following Validation;
“Booking” means a confirmed stay that has been registered with Truvi.
“Business Day” Monday to Friday (excluding bank or public holidays in England and Wales);
“Client” means the details specified in the Order Form;
“Commencement Date” the date specified in Clause 2 of this Agreement;
“Commercial Agreement” means the contractual agreement governing the commercial relationship between the Parties, to which this Agreement relates;
“Data Subject Request” means an actual or purported request or notice or complaint from (or on behalf of) a Data Subject exercising his rights under the Data Protection Legislation;
“Data Protection Legislation” means any applicable laws relating to the processing of Personal Data, including the GDPR;
“Data Protection Particulars” means, in relation to any Processing under this Agreement: (a) the subject matter and duration of the Processing; (b) the nature and purpose of the Processing; (c) the type of Personal Data being Processed; and (d) the categories of Data Subjects;
“Data Transfer” means transferring the Personal Data to, and/or accessing the Personal Data from and/or Processing the Personal Data within, a jurisdiction or territory that is outside of the country in which Truvi is located;
“Sub-processor” means a third party, including an affiliate of Truvi, that Processes Personal Data and Confidential information as a sub-contractor to Truvi;
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L119/1, 4.5.2016;
“Good Industry Practice” means, at any time, the exercise of that degree of care, skill, diligence, prudence, efficiency, foresight and timeliness which would be reasonably expected at such time from a leading and expert company like the Intermediary, such company seeking to comply with its contractual obligations in full and complying with all applicable laws (including the Data Protection Legislation);
“Guest” means both the lead guest who makes a Booking and any accompanying occupants;
“Material Adverse Impact” means a materially detrimental effect on: (i) the benefit that a Party would derive under this Agreement; or (ii) the reputation of a Party or any members of its group, as appropriate; or (iii) a Party’s relationship with the Data Subject, including, in each case, as a result of such Data Subject Request or correspondence with a supervising authority resulting in: (i) threatened or actual enforcement action (whether formal or informal) by a Regulator for an infringement of the Data Protection Legislation; or (ii) a prospective or actual claim by a Data Subject or third party (whether for breach of contract, negligence or any other tort, under statute or otherwise);
“Personnel” means all persons engaged or employed from time to time by the relevant party, including employees, consultants, contractors and permitted agents;
“Property Damage” means the damage caused to any Property, its fixtures and/or fittings, or its Contents, caused by the actions or inactions, whether accidental, deliberate or otherwise, of a guest (or any accompanying occupants) during a Booking. For avoidance of doubt, this does not include Cosmetic Damage and/or Wear and Tear;
“Rejected” means a status allocated to a Booking when significant risks have been identified following Validation;
“Security Requirements” means the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation (including, in particular, the seventh data protection principle of the DPA and/or the measures set out in Article 32(1) of the GDPR (taking due account of the matters described in Article 32(2) of the GDPR)) as applicable;
“Shared Personal Data” means the Personal Data to be shared between the Parties, as provided in APPENDIX 1, including Confidential Information;
“Truvi Services” means the Services provided to the Client under the Commercial Agreement;
“Validation” means the protocols and processes performed by Truvi in order to allocate an “Approved” or “Rejected” status to any Booking;
“Watchlist” means an internal Truvi owned database of third parties that will be given “Rejected” status by Truvi based on the outcome of a Validation, intelligence, and/or previous experience;
“Wear and Tear” means the type of gradual deterioration to a Property’s Fixtures and/or fittings, or its contents which could reasonably be expected through normal usage over time.
The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processor” and “Processing” shall have the meanings set out in the GDPR (and “Process” and “Processed” shall be construed accordingly). “Sensitive Personal Data” means Personal Data that reveals such categories of data as are listed in Article 9(1) of the GDPR. For the purposes of this Agreement, Personal Data includes Sensitive Personal Data.
In this Agreement:
- the headings in this Agreement are for ease of reference only and shall not affect the interpretation of this Agreement;
- references in this Agreement to a clause, sub-clause, or appendix are, unless otherwise expressly provided, references to that clause or sub-clause in, or appendix to, this Agreement. The appendices are incorporated as part of this Agreement, and references to “this Agreement” or any part thereof or other document referred to herein shall be references to the same as amended in accordance with this Agreement from time to time;
- unless the context otherwise requires, the singular shall include the plural and vice versa and words denoting any gender shall include all other genders unless otherwise expressly provided;
- references herein to any statute, enactment, order, regulation, code of practice, guidance or other similar instrument shall be construed as a reference to the statute, enactment, order, regulation, code of practice, guidance or instrument as amended by any subsequent statute, enactment, order, regulation, code of practice, guidance or instrument or as contained in any subsequent re-enactment thereof;
- any reference to a person in this Agreement includes natural persons, partnerships, unincorporated associations, trusts, trade unions, incorporated bodies, statutory bodies, local government bodies and public authorities and any other entity capable of legal personality;
- the words and phrases “other”, “including” and “in particular” do not limit the generality of any preceding words and words which follow them shall not be construed as being limited in scope to the same class as the preceding words where a wider construction is possible;
- where expressions in this Agreement are not specifically defined and are capable of having a special meaning according to the usage or custom of the business of the short-stay vacation rental sector, such expressions are to be interpreted accordingly.
2. COMMENCEMENT AND TERM
2.1.This Agreement shall commence and have legal effect from the commencement of the Services under the Commercial Agreement (to which this Data handling and processing agreement is attached as a schedule) until the last Guest has completed their Approved Booking with the Client (the “Term”).
2.2.Notwithstanding clause 2.1 above, the Parties shall be able to terminate this Agreement only as outlined in the Commercial Agreement between the Parties.
3. DATA PROTECTION
3.1.Each Party shall comply with its respective and applicable obligations under the Data Protection Legislation whether acting as Controller or Processor. For the purposes of this Agreement the Client is a Controller and Truvi is both a Processor and Controller.
3.2.Truvi will ensure that it is not subject to prohibitions or restrictions which would restrict it from complying with the Data Protection Legislation, or which would restrict either Party from Processing the Personal Data under this Agreement.
3.3.Truvi shall maintain up to date records of its processing activities performed on behalf of the Client in accordance with the record keeping requirements under applicable Data Protection Legislation.
3.4.The Parties acknowledge and agree that APPENDIX 2 (Data Protection Particulars) of this Agreement is an accurate description of the Data Protection Particulars.
3.5.The Parties shall not retain or process Shared Personal Data for longer than is necessary to carry out the Truvi Services, unless otherwise required by Data Protection Legislation.
3.6.The Parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry.
3.7.The Parties shall implement appropriate technical and organisational measures to protect the Shared Personal Data and Confidential Information against unauthorised or unlawful Processing (as applicable) and against accidental loss, destruction, damage, alteration or disclosure, which measures shall include, as appropriate:
3.7.1.the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.7.2.the ability to restore the availability and access to Shared Personal Data (solely as necessary for Truvi to provide the services stipulated under the Commercial Agreement) in a timely manner in the event of a physical or technical incident;
3.7.3.a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring compliance with the security requirements.
3.8.Truvi shall ensure that any Shared Personal Data is returned to the Client or destroyed in the following circumstances:
3.8.1.on termination of its involvement in this Agreement;
3.8.2.on expiry of the Commercial Agreement;
3.8.3.once processing of the Shared Personal Data is no longer necessary for the purposes it was originally shared for; or
3.8.4.at the Client’s reasonable request (the Client accepts and agrees that any such request may impact the provision of the Services under the Commercial Agreement),
save for instances where the Guests have failed to meet their liability for Property Damage and/or been placed on the Watchlist.
3.9.Following the deletion of Shared Personal Data, Truvi shall notify the Client that the Shared Personal Data in question has been deleted and promptly provide confirmation in writing that it has done so.
3.10.Each Party shall cooperate with the other Party and use its best endeavours to assist the other Party in all data reporting obligations in the event of a breach of the Data Protection Legislation in connection with this Agreement and each Party further undertakes to notify the other Party of any breach of the Data Protection Legislation, this Clause 3 (Data Protection) or of any actual, suspected, threatened or ‘near miss’ Personal Data Breach which may have occurred in connection with this Agreement as soon as reasonably practicable (and in any event, within seventy-two (72) hours) upon becoming aware of the same, and:
3.10.1.implement any measures necessary to restore the security of compromised Personal Data; and
3.10.2.assist the other Party to make any notifications to any supervisory authority and affected Data Subjects.
3.11.Truvi shall ensure that only those personnel who need to have access to the Shared Personal Data and Confidential Information are granted access to such Shared Personal Data or Confidential Information (and only for the purposes of the performance of this Agreement) and that all of the personnel required to access the Shared Personal Data and Confidential Information have been informed of the confidential nature of such data and have committed themselves to protecting its confidentiality and to complying with the obligations imposed on Truvi set out in this Agreement.
3.12.Truvi shall take reasonable steps to ensure the reliability of any of its Personnel who shall have access to the Personal Data for the purposes of this Agreement and ensure that each member of Personnel shall have:
3.12.1.undergone, and shall continue to receive on an annual basis, reasonable levels of training in Data Protection Legislation and in the care and handling of Personal Data; and
3.12.2.entered into appropriate contractually binding confidentiality undertakings.
3.13.Each Party shall notify the other Party promptly (and in any event within forty-eight (48) hours) following its receipt of any Data Subject Request or correspondence with a supervising authority which that Party believes, acting reasonably, is likely to have a Material Adverse Impact on the other Party.
3.14.To the extent that a Party (the “Processing Party”) is Processing the Personal Data on behalf of the other Party (the “Controlling Party”) under this Agreement, the Processing Party agrees and warrants that it shall, in addition to its obligations in Clauses 3.4 to 3.7 (inclusive):
3.14.1.Process Personal Data only on behalf of the Controlling Party in compliance with the Controlling Party’s instructions from time to time and this Agreement;
3.14.2.unless prohibited by law, notify the Controlling Party without undue delay if it considers, in its opinion (acting reasonably) that it is required by Data Protection Legislation to act other than in accordance with the instructions of the Controlling Party, including where it believes that any of the Controlling Party’s instructions under Clause 3.14.1 infringe any of the Data Protection Legislation;
3.14.3.without prejudice to the generality of Clause 3.1, not sub-contract the performance of any of its obligations under this Agreement without the prior written consent of the Controlling Party;
3.14.4.following such a notification provided in Clause 3.13, shall:
a. not disclose any Personal Data in response to any Data Subject Request or regulatory correspondence without the Controlling Party’s prior written consent; and
b. give reasonable assistance required by the Controlling Party in respect of any such Data Subject Request or correspondence with a supervising authority.
3.14.5.use all reasonable endeavours, in accordance with Good Industry Practice, to assist the Controlling Party to comply with the obligations imposed on the Controlling Party by the Data Protection Legislation.
3.15.The Parties acknowledge that for the purposes of this sub-clause, transfers of Personal Data shall mean any sharing of Personal Data by Truvi with a third party, and shall include the following:
a. subcontracting the processing of Shared Personal Data;
b. granting a third-party Controller access to the Shared Personal Data.
3.15.1.If Truvi appoints a Sub-Processor to Process the Shared Personal Data, it shall comply with the relevant provisions of the Data Protection Legislation. Truvi shall not appoint a Sub-Processor without the prior specific or general written authorisation of the Client (which shall be deemed given with respect to those Sub-Processors identified under APPENDIX 3 below), and where such authorisation is received will ensure an agreement is entered into with the relevant Sub-Processor that includes terms which are substantially the same as the terms set out in this Agreement; and remain liable to the Client for the performance of the Sub-Processor’s obligations;
3.15.2.Truvi may not modify, amend, remove, or alter the contents of the Shared Personal Data or Confidential Information, nor disclose, sell, or permit the disclosure of any of the Shared Personal Data or Confidential Information to any third party without the prior written authorisation of the Client, except as specifically permitted in the Agreement.
3.15.3.Truvi may not transfer Shared Personal Data to any national borders, sub-processor (unless listed in APPENDIX 3) or other third party located outside of the country in which the Data Processor is located unless it has the Client’s prior consent in writing, and unless it:
a. complies with the provisions of the Data Protection Legislation in the event the third party is a joint controller; and
b. ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with the Data Receiver’s obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.
4. INDEMNIFICATION
4.1.Notwithstanding anything set forth in the Agreement, Truvi shall indemnify, defend, and hold harmless the Client, against all third-party claims, proceedings, actions, damages, costs, fines, expenses and any other liabilities incurred as a result of any claim made or brought in respect of any loss, damage or distress caused which may arise out of, or in direct consequence of, any Personal Data Breach or other unauthorised Processing, unlawful Processing, destruction of, and/or damage to, any Personal Data processed by the Processing Party, its employees or agents in their performance of this Agreement.
5. GOVERNING LAW AND JURISDICTION
5.1.This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) is governed by and shall be construed according to English law and the Parties irrevocably submit to the exclusive jurisdiction of the English courts.
APPENDIX 1
DATA PROCESSED
What types of personal data do the Parties share?
Full details of the personal data the Parties share, where we get it from and what we do with it are set out in the table below.
You provide us with the personal data relating to Guest, Host, Booking and Property details in order that we can provide Truvi Services. We may obtain some personal data from your Users as governed by our Privacy & Data Protection Policy. The personal data listed below is provided to Truvi by the Client.
| Category of Personal Data | Types of Personal Data shared | Source of Data |
|---|---|---|
| “Guest details” | Name, e-mail address, phone number | Client |
| “Contact details including name and email address” | Contact details including name and email address | Client |
| “Booking details” | Booking information including Booking creation data, check-in and check-out dates and Booking channel | Clients |
| “Property details” | Geographical information, along with any conditions of use | Client |
APPENDIX 2
DATA PROTECTION PARTICULARS
What do we do with the Personal Data shared with us and why?
We process the data as outlined in this document in order to provide Truvi Services and on the basis of Truvi’s prevailing legitimate interest according to Article 6(1)(f) General Data Protection Regulation (“GDPR”).
The table below sets out the different purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.
| Category of Personal Data | Purpose | Lawful basis |
|---|---|---|
| Guest details | To confirm identity of the Guest for Validation. In the event where the Guest does not meet their contractual liability under Guest Agreement, the Guest details shall be used to maintain an accurate Watchlist. | Necessary for the purposes of Truvi’s and the Client’s legitimate interests, enabling searches to be conducted to prevent fraud, advancing their business purposes. Necessary for the provision of Truvi’s Services to the Client |
| Host details | To facilitate searches on the Platform. To facilitate resolution in the event of a Property Damage and the incident has been raised with Truvi. | Necessary for the provision of Truvi’s services to the Client. |
| Booking details | To assist in the facilitation of a resolution in the event of a Property Damage and the incident has been raised with Truvi. | Necessary for the Provision of Truvi’s Services to the Client. |
| Property details | To assist in the facilitation of a resolution in the event of a Property Damage and the incident has been raised with Truvi. | Necessary for the provision of Truvi’s services to the Client. |
Each of the Parties acknowledges and agrees that the table below provides an accurate description of the scope, nature and purpose of processing by Truvi, the duration of the processing and the types of Personal Data and categories of Data Subject.
| The subject matter and duration of the Processing | To help the Clients to assess the risk posed by Guests. Guests Processing is only required and completed when requested by the Client and will not be ongoing once the search has been completed and the results made available to them. |
| The nature and purpose of the Processing | Processing is necessary to evaluate the risk posed by a Guest and to Validate the personal data provided by the Guest. This Validation is to identify inaccuracies and anomalies which again are associated with the risk posed by the Guest. |
| The type of Personal Data being Processed | Personal Data as defined within Data Protection legislation such as name, telephone number, and email addresses. |
| The categories of Data Subjects | The Client will be providing Truvi with personal data associated with the User in relation to a short-term property rental. |
APPENDIX 3
This list identifies the Sub-processors authorised to access the Client’s Personal Data to perform Truvi Services:
| Name of Sub-processor | Services provided by Sub-processor | Country location(s) of Processing by Sub-processor |
|---|---|---|
| Seon | Data screening | Servers in EU (Ireland) |
| MS Azure | Application hosting | Servers in EU (Ireland) |