1. Scope & roles
This Data Processing Addendum (the “DPA”) applies whenever MB Travel Solutions, operating the Deer Track service (the “Processor”), processes Personal Data on behalf of the Customer (the “Controller”) under the Terms of Service. In case of conflict between the Terms and this DPA on processing of Personal Data, this DPA prevails.
2. Definitions
Terms in capital letters not defined here have the meaning given in the GDPR. Personal Data, processing, controller, processor, subprocessor, data subject, and supervisory authority have the meanings given in GDPR Articles 4 and 28. SCCs means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
3. Subject matter & duration
The subject matter, duration, nature and purpose of the processing, the categories of data subjects and the types of Personal Data are described in Annex I. Processing continues for as long as the Customer’s subscription is active and as needed for the post-termination export window (see section 13).
4. Processor obligations
The Processor will:
- process Personal Data only on documented instructions from the Controller, including with regard to international transfers, unless required to do so by EU or member-state law (in which case the Processor will inform the Controller before processing, unless prohibited);
- ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations;
- implement the technical and organisational measures set out in Annex II;
- assist the Controller with data-subject requests, security, breach notifications, DPIAs and prior consultations, taking into account the nature of the processing and the information available to the Processor;
- make available all information necessary to demonstrate compliance with Article 28 GDPR and contribute to audits, in accordance with section 12.
The Terms of Service and this DPA constitute the Controller’s complete and final instructions to the Processor in respect of the processing. The Controller may issue additional instructions in writing; the Processor may refuse instructions that conflict with law or this DPA, or charge reasonable fees for additional services.
5. Confidentiality
The Processor will ensure that all personnel and subprocessors with access to Personal Data are bound by written confidentiality obligations no less protective than those in the Terms of Service.
6. Security
The Processor will implement and maintain the technical and organisational security measures set out in Annex II, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, and the risks to data subjects (GDPR Art. 32). The Processor may update the measures, provided that protection is not materially weakened.
7. Subprocessors
The Controller authorises the Processor to engage subprocessors listed in Annex III, and any future subprocessor we add by following this notice procedure:
- we will notify the Controller of any intended changes to the subprocessor list at least 30 days before the change (by updating the Subprocessors page and by email to subscribers);
- the Controller may object on reasonable, GDPR-related grounds within 30 days; if no resolution is possible, the Controller may terminate the affected portion of the Service for material breach and receive a pro-rated refund of pre-paid, unused fees.
The Processor remains fully liable to the Controller for the performance of each subprocessor and will impose on each subprocessor data-protection obligations no less protective than those in this DPA.
8. International transfers
Where Personal Data is transferred outside the European Economic Area, the SCCs are incorporated into this DPA by reference and apply as follows:
- Module Two (Controller-to-Processor) where the Controller is in the EEA and the Processor is not;
- Module Three (Processor-to-Subprocessor) for Processor-to-Subprocessor transfers;
- Clause 7 (docking) is included;
- Clause 9(a): Option 2 (general written authorisation) applies, with a 30-day notice period as set out in section 7;
- Clause 11(a) — optional independent dispute body: not selected;
- Clause 17 — governing law: the law of the Republic of Lithuania;
- Clause 18(b) — forum: the courts of Vilnius, Lithuania.
- Annex I.A (parties), Annex I.B (description of transfer), Annex I.C (competent supervisory authority — VDAI, Lithuania), and Annex II (TOMs) are completed by reference to the corresponding sections of this DPA.
For transfers subject to the UK GDPR, the parties additionally agree the UK Information Commissioner’s International Data Transfer Addendum to the SCCs. For transfers to or from Switzerland, the SCCs are deemed amended in accordance with the Swiss FDPIC guidance.
9. Data subject rights
Taking into account the nature of the processing, the Processor will assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling its obligations to respond to requests from data subjects. The Service provides self-service functionality for access, rectification, erasure and export of Customer Data. The Processor will promptly forward to the Controller any request received directly from a data subject.
10. Personal data breach
The Processor will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address and mitigate the breach.
11. DPIAs & prior consultation
The Processor will provide reasonable assistance to the Controller with any data protection impact assessment (GDPR Art. 35) and any prior consultation with a supervisory authority (GDPR Art. 36), to the extent relating to the use of the Service.
12. Audit rights
On reasonable written notice (and not more than once per 12 months, except as required by a supervisory authority or following a Personal Data Breach), the Controller may audit the Processor’s compliance with this DPA. Audits will primarily be satisfied by providing copies of the Processor’s then-current third-party certifications and reports (e.g., ISO 27001, SOC 2). Where these are insufficient, the Controller and the Processor will agree on the scope, timing and reasonable cost of any further audit, conducted during business hours, with reasonable notice, and subject to confidentiality.
13. Deletion & return
On termination of the Service, the Processor will, at the Controller’s choice, return or delete all Personal Data processed on the Controller’s behalf. The Controller may export Personal Data using in-product tools for up to 30 days after termination; thereafter Personal Data will be deleted within 90 days from active systems and within 180 days from backups, except to the extent retention is required by EU or member-state law (in which case the Processor will maintain confidentiality and not actively process the data).
14. Liability
Each party’s liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA limits the rights of data subjects under the GDPR.
15. General
This DPA is an integral part of the Terms of Service and may not be modified except by a written amendment signed by both parties or by an updated version published by the Processor in accordance with the change-management process in the Terms.
Annex I — Processing details
A. List of parties
Data exporter (Controller) — the Customer entity identified in the Order Form or account. Activities: as set out in Annex I.B. Role: Controller.
Data importer (Processor) — MB Travel Solutions, company code 306998943, V. Nagevičiaus g. 3, LT-08237 Vilnius, Lithuania. Activities: operating the Deer Track tour-building software. Role: Processor.
B. Description of transfer / processing
- Categories of data subjects: the Controller’s employees, contractors and Authorised Users; the Controller’s clients and Travellers; the Controller’s suppliers and business contacts.
- Categories of Personal Data: names, email addresses, phone numbers, postal addresses, account credentials; travel itinerary details, booking and supplier records; financial and invoicing details; passport / identity-document data that the Controller chooses to upload; dietary or accessibility notes; communications content; usage and audit logs.
- Sensitive data: the Service is not designed to process special-category data (GDPR Art. 9). If a Controller chooses to upload such data (e.g., dietary requirements indicating health or religion), the Controller must apply additional safeguards and a valid Article 9 condition. The Processor will treat such data with the measures in Annex II.
- Frequency of transfer: continuous, for the duration of the subscription.
- Nature of processing: hosting, storage, transmission, retrieval, indexing, analysis, generation of derivative work product (e.g., quotes, invoices), backup, deletion.
- Purpose: providing the Service in accordance with the Terms.
- Period of retention: as set in the Terms and this DPA.
C. Competent supervisory authority
State Data Protection Inspectorate of the Republic of Lithuania (Valstybinė duomenų apsaugos inspekcija, VDAI), vdai.lrv.lt.
Annex II — Technical & organisational measures
The Processor uses the following measures, which it may update without materially weakening protection. These describe our current practices and the controls we aim to maintain as the platform matures; the narrative overview is published on our Security page.
Access control
- We use multi-factor authentication for administrative access.
- Role-based access; least-privilege principle; periodic access reviews.
- Single sign-on offered on relevant plans; password policies enforced.
Encryption
- TLS 1.2+ for all data in transit.
- Encryption at rest for databases, object storage and backups (AES-256 or equivalent).
- Encrypted secrets management; no production secrets in source control.
Network & infrastructure security
- Production systems are designed to run on hardened infrastructure in EU regions (see Subprocessors).
- We aim to keep production, staging and development environments segregated.
- Network protection typically includes a Web Application Firewall and DDoS mitigation.
- Vulnerability scanning and dependency monitoring.
Application security
- We aim to follow a secure SDLC with code review and CI/CD.
- We aim to use independent specialists for periodic penetration testing of production systems as the platform matures.
- Responsible-disclosure process at security@deertrack.net.
Operations
- Centralised logging and alerting; restricted log access.
- Encrypted backups with restoration tested periodically.
- Incident-response process with defined roles and timelines.
- Business continuity and disaster recovery procedures, reviewed periodically.
Personnel
- Confidentiality obligations in employment and contractor agreements.
- Security and privacy training for personnel.
- Background checks where permitted by law and proportionate to role.
Vendor management
- Security review of subprocessors before engagement; written data-protection terms with each.
- Periodic re-review of critical subprocessors.
Annex III — Subprocessors
The current list of authorised subprocessors is published and maintained at /legal/subprocessors. That page is incorporated into this DPA by reference and updated in accordance with section 7.