Data Processing Agreement

Overview

This Data Processing Agreement ("DPA") supplements the JourneyFuse Terms of Service and forms part of the contract between JourneyFuse LLC ("Processor") and the Customer ("Controller") for processing of personal data on the JourneyFuse platform ("the Service").

This DPA applies whenever JourneyFuse processes personal data on behalf of a Customer, including personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act (CCPA/CPRA), and equivalent laws in other jurisdictions.

1. Roles

For data the Customer uploads to the Service about their clients, travelers, suppliers, and contacts, the Customer is the Controller and JourneyFuse is the Processor. For account-level data about the Customer's own users (workspace owners, admins, agents), JourneyFuse is an independent Controller as described in the Privacy Policy.

2. Subject Matter and Duration

JourneyFuse processes personal data only to provide and support the Service, for the duration of the Customer's subscription, plus a defined retention period for backups and legal compliance after termination.

3. Categories of Data and Data Subjects

Data subjects: the Customer's clients and travelers, the Customer's suppliers and contacts, and the Customer's own staff (workspace users).

Categories of personal data: contact details, traveler profile data, passport details, trip preferences and itineraries, communications, financial records (commissions, invoices), and tokenized payment references. Card numbers themselves are never processed by JourneyFuse, they are tokenized in-browser by Evervault before reaching JourneyFuse servers.

4. Processor Obligations

• Process personal data only on documented instructions from the Controller (the Service itself constitutes those instructions)
• Ensure personnel authorized to process personal data are bound by confidentiality
• Implement appropriate technical and organizational measures (described in Section 7)
• Assist the Controller with data subject requests and with notifications to supervisory authorities
• Delete or return personal data at the end of the engagement, subject to legal retention obligations
• Make available information necessary to demonstrate compliance and allow for audits as described in Section 9

5. Sub-processors

The Controller authorizes JourneyFuse to engage the sub-processors listed at /sub-processors. JourneyFuse remains responsible for sub-processor compliance.

JourneyFuse will provide advance notice via the sub-processors page and to account contacts before adding or replacing a sub-processor. The Controller may object on reasonable data-protection grounds; if a resolution cannot be reached, the Controller may terminate the affected portion of the Service.

6. International Data Transfers

JourneyFuse processes data on infrastructure located in the United States. Customers who require formal international data transfer mechanisms (including Standard Contractual Clauses for transfers from the EEA, UK, or Switzerland) can request them by emailing privacy@journeyfuse.com. We will work with the Customer to put the appropriate mechanism in place before any covered transfer begins.

7. Technical and Organizational Measures

• Encryption in transit: TLS 1.2+ on every connection
• Encryption at rest: AES-256 via Supabase; payment card data tokenized in-browser by Evervault and never stored by JourneyFuse
• Tenant isolation: Postgres Row-Level Security enforced at the database layer; cross-workspace access is impossible even with application bugs
• Authentication: Supabase Auth with password hashing; TOTP-based two-factor authentication available and enforceable per workspace
• Access controls: production access is restricted to JourneyFuse's founder and explicitly authorized engineers
• Monitoring: Sentry for application errors with PII scrubbed; rate limiting via Upstash
• Backup and recovery: encrypted backups via Supabase
• Incident response: notification to affected Customers without undue delay, and in any case within 72 hours of confirmed personal data breach

8. Data Subject Requests

JourneyFuse provides self-serve access, correction, export, and deletion tools inside the Service. Where additional assistance is required to respond to a data subject request (access, rectification, erasure, restriction, portability, or objection under GDPR; access, deletion, correction, opt-out under CCPA), JourneyFuse will assist the Controller without undue delay. Requests can also be sent to privacy@journeyfuse.com.

9. Audits

JourneyFuse will make available to the Controller, on reasonable notice and no more than once per twelve-month period, the information necessary to demonstrate compliance with this DPA, including current sub-processor information, security documentation, and (where available) third-party audit reports from infrastructure providers.

10. Return or Deletion of Data

On termination of the Service, the Customer may export their data using built-in CSV export tools or by request. JourneyFuse will delete or anonymize personal data within 30 days of account closure, subject to legitimate legal retention obligations (financial records, fraud prevention, dispute resolution).

11. Signing this DPA

This DPA is automatically incorporated into the Terms of Service for every Customer. Customers who require a separately countersigned copy (with Standard Contractual Clauses or other international transfer mechanisms attached, if applicable) can request one by emailing privacy@journeyfuse.com with "DPA Request" in the subject line. We will return a signed copy promptly, typically within a week.

For enterprise security reviews, we can complete reasonable vendor security questionnaires on request.