Data Processing Addendum (DPA)
​
Effective Date: The date on which a Customer first uses FastCollab’s services.
​
FastCollab Systems Private Limited (“FastCollab”, “we”, “us”, “our”) provides enterprise travel and expense management services. This Data Processing Addendum (“DPA”) forms part of any agreement or order under which a Customer (“Customer”) uses the services (“Services”). By using the Services, the Customer agrees to this DPA.
​
1) Definitions
​
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
- “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, “Personal Data Breach/Security Incident”, “Supervisory Authority”, “Business”, “Service Provider”, “Sell”, and “Share” have the meanings given in applicable Data Protection Laws (GDPR, UK GDPR, CCPA/CPRA, DPDPA 2023).
- “Customer Personal Data” means Personal Data provided to FastCollab by or on behalf of Customer, or collected by FastCollab for Customer, in connection with the Services.
- “Sub-processor” means any processor engaged by FastCollab to process Customer Personal Data.
- “Data Protection Laws” means all laws applicable to the Processing of Personal Data under this DPA, including GDPR, UK GDPR, CCPA/CPRA, DPDPA 2023, and similar laws.
- “SCCs” means the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), as implemented under Section 12.
​
2) Scope, Order of Precedence, and Governing Law
​
- This DPA applies when FastCollab Processes Customer Personal Data subject to Data Protection Laws.
- If there is a conflict between this DPA and the Agreement, this DPA controls to the extent required by Data Protection Laws or the SCCs/UK Addendum.
- Governing law follows the Agreement except where Data Protection Laws require otherwise.
​
3) Roles of the Parties
​
- Customer as Controller/Business (or Processor on behalf of its own clients).
- FastCollab as Processor/Service Provider (or Sub-processor) acting solely on documented instructions from Customer.
​
4) Description of Processing
​
- Purpose: Provision, operation, support, security, and improvement of the Services.
- Data Subjects: Employees, contractors, authorised users, travellers, approvers, finance/SSC users, and relevant business contacts of Customer.
- Categories of Data: Identification and contact data, employment attributes, travel preferences and loyalty numbers, identity/travel document data, itinerary/PNR data, expense and payment data, login and usage metadata, device/network identifiers, support ticket content, and other data uploaded or entered by Customer.
- Sensitive Data: Only where necessary for travel fulfilment (e.g., passport/visa details, limited health or meal preference data provided by Customer). Such data is subject to heightened controls (encryption, access restriction, logging).
- Processing Activities: Collection, storage, organisation, retrieval, use, transmission, disclosure (as instructed), alignment/combination (within Customer’s tenancy), minimisation, pseudonymisation where applicable, and deletion/return.
​
5) Customer Instructions & Responsibilities
​
- FastCollab will Process Customer Personal Data only on documented instructions: the Agreement, this DPA, and Customer’s in-product configurations.
- Customer is responsible for the lawfulness of Personal Data it supplies, for providing required notices to Data Subjects, and for not supplying unnecessary special categories of data.
- Customer remains responsible for fulfilling its controller obligations, including Data Subject rights and regulatory filings.
​
6) No Sale/No Sharing; Purpose Limitation
​
FastCollab does not Sell or Share Customer Personal Data under CCPA/CPRA. Personal Data will only be used for providing the Services, securing and operating the platform, meeting legal obligations, or as otherwise permitted by this DPA and Customer instructions.
​
7) Sub-Processors
​
- Customer authorises FastCollab to use Sub-processors.
- FastCollab will enter into written agreements with Sub-processors imposing data protection obligations materially equivalent to this DPA and remains liable for their performance.
- FastCollab will give advance notice of new Sub-processors (e.g., via email or website). Customer may object on reasonable grounds within 30 days; if no resolution is found, Customer may terminate only the affected Services without penalty.
​
8) Third-Party Travel Service Providers
​
- FastCollab facilitates travel bookings and related transactions. In most cases, the Customer directly engages and contracts with travel management companies, airlines, hotels, rail/bus providers, car rental firms, visa/forex agents, GDS/NDC aggregators, and payment processors.
- These providers act as independent controllers for the Personal Data they receive directly from Customer or via FastCollab’s platform. FastCollab does not maintain separate contracts with them and does not determine their purposes.
- FastCollab transmits only the minimum data necessary for fulfilment and secures such transmissions.
- Customer is responsible for ensuring its chosen travel service providers comply with applicable laws and for executing any required DPAs with them.
​
9) Security Measures
​
- FastCollab maintains administrative, technical, and organisational measures appropriate to the risk, including: encryption in transit and at rest; access control and MFA; least privilege; network segregation; vulnerability management; secure SDLC; logging/monitoring; backups and disaster recovery; and staff training.
- FastCollab periodically reviews, tests, and updates these controls.
​
10) Confidentiality & Personnel
​
FastCollab limits access to Customer Personal Data to personnel who need access for the Services, are bound by confidentiality, and receive appropriate privacy and security training.
​
11) Data Subject Requests & Assistance
​
- FastCollab will forward any Data Subject Request it receives to Customer and will not respond directly unless legally required.
- FastCollab will provide reasonable assistance for Customer to respond to requests, conduct DPIAs, or consult supervisory authorities, considering the nature of Processing and available information.
​
12) International Transfers
​
- Where Customer Personal Data is transferred outside its origin, FastCollab uses appropriate safeguards such as SCCs (Modules 2/3) and the UK Addendum.
- FastCollab will not engage in onward transfers inconsistent with the applicable transfer mechanism.
- If a transfer safeguard is invalidated, the parties will cooperate to implement alternatives.
​
13) Security Incidents
​
- FastCollab will notify Customer without undue delay and no later than 24 hours after becoming aware of a Security Incident involving Customer Personal Data.
- Notifications will include available details, mitigation steps, and a contact point. Updates will follow as more information becomes available.
- FastCollab will investigate, mitigate, and assist Customer as reasonably necessary.
​
14) Government & Third-Party Requests
​
To the extent legally permitted, FastCollab will promptly notify Customer of any legally binding request for disclosure of Customer Personal Data by a public authority or third party. Where requests are not legally binding, FastCollab will reject them and notify Customer where lawful.
​
15) Audit, Information, and Records
​
- FastCollab will maintain records necessary to demonstrate compliance and will make reasonable information available upon request.
- No more than once per year (or additionally after a material Security Incident or regulator request), Customer may audit FastCollab’s Processing of Customer Personal Data. Audits require reasonable notice, must minimise disruption, and preserve confidentiality.
- FastCollab may first provide standard security/privacy questionnaires or third-party certifications; if insufficient, an on-site or virtual audit may follow.
- Customer bears its audit costs and FastCollab’s reasonable expenses.
​​
16) Deletion/Return
​
Upon termination or expiry of Services (or earlier on request), FastCollab will delete or return Customer Personal Data (and delete copies), unless retention is legally required. Any retained data remains protected under this DPA.
​
17) Data Retention & Minimisation
​
FastCollab retains Customer Personal Data only as long as necessary to provide the Services, meet legal obligations, resolve disputes, and enforce agreements. Afterwards, data is deleted or irreversibly anonymised under documented schedules.
​
18) Warranties
​
Each party warrants that it will comply with applicable Data Protection Laws. FastCollab warrants that it will maintain appropriate Technical and Organisational Measures and impose equivalent obligations on its Sub-processors.
​
19) Liability
​
Liability remains as defined in the Agreement. Nothing in this DPA limits Data Subjects’ non-waivable rights under applicable law or the SCCs/UK Addendum.
​
20) Changes
​
FastCollab may update this DPA to reflect changes in law, SCCs/UK Addendum, or Services, provided protection is not materially reduced. Material adverse changes will be notified in advance where practicable.
​
21) Priority of Signed DPAs
​
If a Customer has a separately signed Data Processing Addendum with FastCollab, that signed DPA will govern to the extent it conflicts with or differs from this page.
​
22) Contact
​
For privacy matters, contact privacy@fastcollab.com or your usual FastCollab representative.
​​
Annex A — Processing Details (Summary)
​
- Subject Matter & Duration: Processing Customer Personal Data to provide the Services for the term of the Agreement and any legally required retention period.
- Nature & Purpose: Booking facilitation, expense management workflows, approvals, analytics/reporting, account administration, platform security and reliability, and customer support.
- Types of Personal Data: Identification, contact, employment attributes, travel preferences, loyalty numbers, identity/visa details, itinerary/PNR, payments/expense data, usage and device data, and support/ticket data. Limited special categories only where required for travel fulfilment.
- Data Subjects: Customer’s authorised users, employees, contractors, travellers, approvers, SSC/finance staff, and vendor contacts entered by Customer.
- Transfers: As necessary to provide Services, including to Customer-selected travel providers and authorised Sub-processors, subject to Section 12.
​
Annex B — Technical & Organisational Measures
​
- Information Security Program: Documented policies, risk assessments, asset management, vendor risk reviews, secure SDLC, change management.
- Access Controls: Role-based access, least privilege, MFA for privileged access, periodic reviews, logging/audit trails.
- Data Security: Encryption in transit and at rest, key management, data segregation in multi-tenant environment, data minimisation, pseudonymisation where applicable.
- Operations Security: Vulnerability scanning, patching, hardening, EDR/monitoring, backups, disaster recovery testing, high availability.
- Physical Security: Industry-standard data centre controls via hosting providers, network segmentation, firewalls.
- Incident Response: 24×7 monitoring, IR playbooks, breach triage, containment, eradication, recovery, root-cause analysis, corrective actions.
- Personnel & Training: Background checks where lawful, confidentiality agreements, regular privacy/security training.
- Testing & Assurance: Periodic penetration testing and vulnerability assessments, third-party audits or certifications where available.
- Sub-processor Management: Due diligence, DPAs, security reviews, and ongoing monitoring.
- Privacy by Design: Incorporate privacy impact considerations in feature development; provide configuration options for Customer policies.
​
Annex C — Sub-Processors
​
- FastCollab uses certain Sub-processors (e.g., cloud hosting, email/SMS, analytics, support). A current list is available on request. FastCollab will provide advance notice of material changes as described in Section 7.