Schedule C to the SaaS Subscription Agreement
Journey Works, Inc.
This Data Processing Addendum (“DPA”) is entered into by and between Journey Works, Inc. (“Provider” or “Processor”) and the Client identified in the applicable Order Form (“Client” or “Controller”), and forms part of the SaaS Subscription Agreement between the Parties (the “Agreement”). This DPA sets forth the Parties’ obligations with respect to the processing of Personal Data in connection with Provider’s delivery of the Platform.
In the event of a conflict between this DPA and the Agreement, this DPA shall control with respect to the processing of Personal Data.
1.1 “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including without limitation: the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CTDPA”); and any other applicable federal, state, or international data privacy or data protection law or regulation.
1.2 “Controller” means the Party that determines the purposes and means of the processing of Personal Data. For purposes of this DPA, the Client is the Controller.
1.3 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
1.4 “Personal Data” means any information relating to a Data Subject that is processed by Provider on behalf of Client in connection with the Platform, including but not limited to names, email addresses, phone numbers, IP addresses, device identifiers, location data, and any other data that constitutes “personal data,” “personal information,” or an equivalent term under applicable Data Protection Laws.
1.5 “Processor” means the Party that processes Personal Data on behalf of the Controller. For purposes of this DPA, Provider is the Processor.
1.6 “Processing” (and its derivatives) means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
1.7 “Security Incident” means any unauthorized or unlawful access to, acquisition of, use of, disclosure of, or loss of Personal Data processed by Provider under this DPA.
1.8 “Sub-Processor” means any third party engaged by Provider to process Personal Data on behalf of Client in connection with the Platform.
1.9 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), or any successor clauses.
1.10 “Implementation Partner” means a third-party service provider engaged by Provider to perform implementation, development, or support services in connection with the Platform, who may access Client Data only when specifically authorized under a separate statement of work or engagement.
2.1 Roles. With respect to the processing of Personal Data under this DPA: (a) Client is the Controller who determines the purposes and means of processing; and (b) Provider is the Processor who processes Personal Data solely on behalf of and in accordance with Client’s documented instructions.
2.2 Scope of Processing. Provider shall process Personal Data only as necessary to provide the Platform and perform its obligations under the Agreement, and only in accordance with Client’s documented instructions. The details of the processing are set forth in Annex 1 to this DPA.
2.3 Client Obligations. Client represents and warrants that: (a) it has complied with all applicable Data Protection Laws in the collection and transfer of Personal Data to Provider; (b) it has provided all required notices to Data Subjects and obtained all necessary consents or legal bases for the processing; and (c) it has the authority to instruct Provider to process Personal Data as contemplated by this DPA and the Agreement.
3.1 Provider Obligations. Provider shall:
3.2 No Training on Personal Data. Provider shall not use Personal Data to train, improve, or develop any AI models, algorithms, or machine learning systems, whether Provider’s own or those of any Sub-Processor. Provider shall ensure that all AI model Sub-Processors are contractually obligated to the same restriction.
3.3 No Sale or Sharing. Provider shall not sell, share, rent, or disclose Personal Data to any third party for purposes unrelated to the provision of the Platform, and shall not use Personal Data for cross-context behavioral advertising or any purpose other than performing its obligations under the Agreement.
4.1 Technical and Organizational Measures. Provider shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including without limitation:
4.2 Security Review. Provider shall regularly review and update its security measures to address evolving threats and vulnerabilities. Provider shall notify Client of any material changes to its security measures that could adversely affect the security of Personal Data.
5.1 Authorized Sub-Processors. Client hereby provides general written authorization for Provider to engage Sub-Processors to process Personal Data in connection with the Platform. The current list of Sub-Processors is set forth in Exhibit A to this DPA.
5.2 New Sub-Processors. Provider shall notify Client in writing at least thirty (30) days prior to engaging any new Sub-Processor or replacing an existing Sub-Processor. The notice shall identify the new Sub-Processor, describe the processing to be performed, and identify the location of processing.
5.3 Objection Right. Client may object to a new Sub-Processor by notifying Provider in writing within the Notice Period, providing reasonable grounds for the objection related to data protection. If no resolution is reached within thirty (30) days, Client may terminate the affected Order Form without penalty and shall receive a pro-rata refund of any prepaid Fees.
5.4 Sub-Processor Agreements. Provider shall enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those set forth in this DPA, including the restriction on using Personal Data for AI model training.
5.5 AI Model Sub-Processors. Provider acknowledges that its AI model Sub-Processors (including OpenAI, Anthropic, and Google/Gemini) process Client Data through their respective APIs. Provider represents and warrants that: (a) all AI model Sub-Processors have been engaged under API terms that prohibit the use of Client Data for model training; (b) Client Data is transmitted only as necessary to generate Agent outputs; and (c) AI model Sub-Processors do not retain Client Data beyond the duration necessary to process the specific request.
5.6 Implementation Partners. Provider may engage Implementation Partners who may access Client Data only when: (a) specifically authorized under a separate statement of work; (b) bound by confidentiality obligations no less protective than those in the Agreement; and (c) subject to Provider’s oversight and supervision.
6.1 Assistance. Provider shall assist Client by appropriate technical and organizational measures in fulfilling Client’s obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, data portability, restriction, and objection.
6.2 Forwarding Requests. If Provider receives a request directly from a Data Subject, Provider shall promptly (and in no event later than five (5) business days) notify Client and shall not respond to the request directly unless authorized by Client or required by applicable law.
6.3 Costs. Provider shall provide reasonable assistance at no additional charge. If Client’s requests require substantial effort beyond Provider’s standard obligations, Provider may charge reasonable fees upon prior notice and agreement.
7.1 Notification. Provider shall notify Client of any Security Incident without undue delay and in no event later than seventy-two (72) hours after becoming aware of the Security Incident. The notification shall include:
7.2 Cooperation. Provider shall cooperate with Client and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
7.3 No Notification on Behalf of Client. Provider shall not notify any Data Subject, regulatory authority, or third party on Client’s behalf without Client’s prior written authorization, except where required by applicable law.
7.4 Record Keeping. Provider shall maintain a record of all Security Incidents and shall make such records available to Client upon request.
8.1 Transfer Mechanisms. To the extent that Provider processes Personal Data originating from the EEA, the United Kingdom, or Switzerland in a country that has not been recognized as providing an adequate level of data protection, the Parties shall ensure appropriate safeguards are in place, including the Standard Contractual Clauses (SCCs) or any successor transfer mechanism.
8.2 Transfer Impact Assessment. Provider shall, upon Client’s reasonable request, cooperate with Client in conducting a transfer impact assessment.
8.3 U.S. Processing. The Parties acknowledge that as of the Effective Date, Provider’s primary infrastructure and Sub-Processors are located in the United States. Provider shall notify Client in writing before processing Personal Data in any additional jurisdiction.
9.1 Audit Rights. Client may, no more than once per twelve (12) month period (unless a Security Incident has occurred or a regulatory authority requires an audit), audit Provider’s compliance with this DPA upon thirty (30) days’ prior written notice.
9.2 Third-Party Auditors. Client may engage a qualified, independent third-party auditor, provided that the auditor is bound by confidentiality obligations and is not a competitor of Provider.
9.3 Compliance Reports. In lieu of an on-site audit, Provider may make available its most recent SOC 2 Type II report (or equivalent), penetration test summary, and/or other relevant compliance certifications.
9.4 Costs. Client shall bear the costs of any audit it initiates, except where the audit reveals a material non-compliance by Provider.
10.1 Retention During Term. Provider shall retain Personal Data only for as long as necessary to provide the Platform, or as required by applicable law.
10.2 Deletion Upon Termination. Upon expiration or termination of the Agreement, Provider shall, at Client’s election: (a) return all Personal Data in a commercially reasonable format; or (b) securely delete all Personal Data. Provider shall complete deletion within thirty (30) days following the Data Retrieval Period.
10.3 Certification. Upon Client’s written request, Provider shall certify in writing that all Personal Data has been deleted in accordance with this Section 10.
10.4 Sub-Processor Deletion. Provider shall ensure that all Sub-Processors delete Personal Data in accordance with the same timeline and standards required of Provider.
11.1 Vector Embeddings. The Platform may convert Client Data into vector embeddings for storage in vector databases (currently Supabase’s vector database functionality). Vector embeddings are derived representations of Client Data and are treated as Client Data for all purposes under this DPA. Upon termination, vector embeddings shall be deleted along with all other Client Data.
11.2 AI Model Inputs and Outputs. When Client Data is submitted to third-party AI models via their APIs: (a) the data is transmitted in encrypted form; (b) the AI provider processes the data to generate a response and does not retain the data beyond the duration of the API request; (c) the generated output becomes part of Client Data and is subject to the same protections; and (d) no Client Data is used by the AI provider for model training or improvement.
11.3 Prompt and Context Data. System prompts, agent configurations, and contextual data used by the Platform to customize AI model behavior for Client are treated as Client’s Confidential Information and Client Data. Provider shall not use such data for any purpose other than providing the Platform to Client.
11.4 Liability Flow-Down. Provider shall flow down the data protection and no-training obligations of this DPA to all AI model Sub-Processors. If an AI model Sub-Processor modifies its terms in a manner that would materially reduce protections afforded to Client Data, Provider shall: (a) notify Client within thirty (30) days; (b) evaluate alternative providers; and (c) if necessary, cease routing Client Data to the affected provider.
12.1 Term. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon expiration or termination of the Agreement.
12.2 Governing Law. This DPA shall be governed by the same governing law as the Agreement.
12.3 Amendments. Provider may update this DPA from time to time to reflect changes in Data Protection Laws or Sub-Processors, upon thirty (30) days’ prior written notice to Client.
12.4 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Annex 1: Details of Processing

| Element | Description |
|---|---|
| Subject Matter | Processing of Personal Data by Provider in connection with the provision of the Journey Works AI-powered SaaS platform for tourism, destination marketing, and hospitality organizations. |
| Duration of Processing | For the duration of the Agreement plus the Data Retrieval Period, plus any legally required retention period. |
| Nature of Processing | Collection, storage, organization, retrieval, consultation, use (including AI-assisted analysis and content generation), disclosure by transmission to Sub-Processors, alignment, combination, erasure, and destruction. |
| Purpose of Processing | To provide the Platform and Agents subscribed to by Client, including: website visitor engagement; content creation and strategy; event and conference management; data analytics and reporting; partner management; sales automation; HR operations; workflow automation; and all related Platform functionality. |
| Categories of Data Subjects | Website visitors; tourists and travelers; event attendees and speakers; Client’s employees and contractors; Client’s business partners and stakeholders; newsletter subscribers; leads and prospects; hotel guests (where applicable). |
| Categories of Personal Data | Names; email addresses; phone numbers; mailing addresses; IP addresses; device and browser identifiers; location data; travel preferences and interests; event registration data; employment data (where HR agents are used); communication history; website interaction data; and any other Personal Data submitted by Client to the Platform. |
| Sensitive Data | The Platform is not designed to process sensitive or special categories of Personal Data (e.g., health data, biometric data, racial/ethnic origin, political opinions, religious beliefs). If Client submits such data, Client does so at its own risk and is solely responsible for ensuring compliance with applicable Data Protection Laws. |

Exhibit A: Sub-Processor List

Provider shall maintain this Sub-Processor List and update it in accordance with Section 5 of the DPA. Client may subscribe to updates by contacting Provider at privacy@journeyworks.ai.

| Sub-Processor | Purpose | Data Processed | Location | Compliance |
|---|---|---|---|---|
| Supabase, Inc. | PostgreSQL database, vector database, authentication, file storage | All Client Data including databases, files, auth credentials, vector embeddings | United States | SOC 2 Type II; HIPAA; ISO 27001 in progress |
| Render Services, Inc. | API hosting, application runtime, compute | Client Data in transit; application processing | United States | SOC 2 Type II; SOC 3; ISO 27001 |
| Airbyte, Inc. | Database syncing and ETL pipelines | Client Data in transit during sync operations | United States | SOC 2 Type II; ISO 27001 |
| Browserless, Inc. | Headless browser automation for web search and data retrieval | Search queries; transient data only (not stored) | United States | No SOC 2/ISO. Transient processing only; subject to vendor risk assessment. |
| n8n GmbH | Workflow automation and orchestration engine | Client Data in transit during workflow execution | Germany / United States | SOC 2 Type II; SOC 3; GDPR compliant |

| Sub-Processor | Purpose | Location | Compliance | Training Opt-Out |
|---|---|---|---|---|
| OpenAI, L.L.C. | AI model inference for Agent functionality | United States | SOC 2 Type II; ISO 27001, 27017, 27018, 27701 | Yes — API data not used for training |
| Anthropic, PBC | AI model inference for Agent functionality | United States | SOC 2 Type I & II; SOC 3; ISO 27001:2022; ISO/IEC 42001:2023 | Yes — API data not used for training |
| Google LLC (Gemini) | AI model inference for Agent functionality | United States | SOC 2 Type II; SOC 3; ISO 27001, 27017, 27018; FedRAMP High | Yes — Paid API data not used for training |

| Partner | Purpose | Data Access | Location |
|---|---|---|---|
| Unchained Group, LLC | Platform implementation, development, and technical support services | Access to Client Data only when specifically retained under a separate SOW; no standing access | United States |

| Provider | Purpose | Data Access | Location | Compliance |
|---|---|---|---|---|
| GitHub, Inc. (Microsoft) | Source code repository and version control | None — source code only; no Client Data | United States | SOC 2 Type II; SOC 3; ISO 27001 |

Note Regarding Browserless, Inc.: Browserless, Inc. does not currently hold SOC 2 or equivalent compliance certifications. Mitigating factors: (a) Browserless processes only transient search query data that is not stored; (b) no Client Data at rest passes through Browserless systems; (c) all data transmission occurs over encrypted connections; and (d) Provider conducts ongoing vendor risk assessments.
Note Regarding Implementation Partners: Implementation Partners do not have standing access to Client Data. Access is granted only on a project-by-project basis under a separate statement of work (SOW) that defines the scope, duration, and purpose of access. Provider retains responsibility for supervising all Implementation Partner activities.