Data Processing Addendum (DPA)
Effective Date: The date on which a Customer first uses FastCollab's services.
Last Updated: September 2025
This Data Processing Addendum ("Addendum" or "DPA") is entered into between FastCollab Systems Private Limited ("FastCollab", "we", "us", "our") and the Customer (as defined in the Agreement) and forms part of any agreement, terms of service, or order under which Customer uses FastCollab's enterprise travel and expense management services ("Services") (the "Agreement"). By using the Services, Customer agrees to this DPA.
​
Customer enters into this DPA on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with FastCollab. For the purposes of this DPA only, and except where otherwise indicated, references to "Customer" shall include Customer and such Affiliates.
​
1. Definitions
In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
​
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control or ownership with either Customer or FastCollab (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
- "Customer Personal Data" means any Personal Data provided by or made available by Customer to FastCollab or collected by FastCollab on behalf of Customer which is Processed by FastCollab to perform the Services.
- "Controller to Processor SCCs" means (i) the standard contractual clauses for cross-border transfers published by the European Commission on June 4, 2021 governing the transfer of EU Area Personal Data to Third Countries as adopted by the European Commission, the Swiss Federal Data Protection and Information Commissioner ("Swiss FDPIC") relating to data transfers to Third Countries (collectively "EU SCCs"); (ii) the international data transfer addendum ("UK Transfer Addendum") adopted by the UK Information Commissioner's Office ("UK ICO") for data transfers from the UK to Third Countries; or (iii) any similar such clauses adopted by a data protection regulator relating to Personal Data transfers to Third Countries, including without limitation any successor clauses thereto.
- "Data Protection Laws" means any local, state, or national law regarding the processing of Personal Data applicable to FastCollab in the jurisdictions in which the Services are provided to Customer, including, without limitation, privacy, security, and data protection law.
- "EU Area" means the European Union, European Economic Area, United Kingdom, and Switzerland.
- "EU Area Law" means (i) Regulation (EU) 2016/679 ("EU GDPR") together with applicable legislation implementing or supplementing the same; (ii) the EU GDPR as saved into United Kingdom Law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance ("Swiss DPA"); (iv) any other law relating to data protection, security, or privacy of individuals that applies in the EU Area; or (v) any successor or amendments thereto.
- "Security Incident" or "Personal Data Breach" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by FastCollab.
- "Services" means the services to be supplied by FastCollab to Customer or Customer's Affiliates pursuant to the Agreement.
- "Sub-processor" means any processor engaged by FastCollab to process Customer Personal Data.
- "Third Country" means countries that, where required by applicable Data Protection Laws, have not received an adequacy decision from an applicable authority relating to cross-border data transfers of Personal Data.
- The terms "Business", "Business Purpose", "Commercial Purpose", "Contractor", "Controller", "Data Subject", "Personal Data", "Process"/"Processing", "Processor", "Sell", "Service Provider", "Share", "Supervisory Authority", and "Third Party" have the same meanings as described in applicable Data Protection Laws and cognate terms shall be construed accordingly.
​​
2. Scope, Order of Precedence, and Governing Law
2.1 This DPA applies to FastCollab's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws.
​
2.2 This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
2.3 In the event of any inconsistency between provisions, they will take priority in this order: (a) any Standard Contractual Clauses or other cross-border transfer mechanisms, (b) this DPA, (c) the Agreement. In the event that any provision of this DPA and/or the Agreement contradicts the Controller to Processor SCCs, the Controller to Processor SCCs will control.
​
3. Roles of the Parties
3.1 The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, and as more fully described in Annex 1 hereto, Customer acts as a Business or Controller (or Processor on behalf of its own clients), and FastCollab acts as a Service Provider or Processor (or Sub-processor where applicable).
​
3.2 Customer shall be solely responsible for ensuring timely communications to Customer's Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required to enable compliance with Data Protection Laws.
3.3 Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents.
​
4. Description and Purpose of Personal Data Processing
4.1 In Annex 1 to this DPA, the Parties have mutually set out their understanding of the subject matter and details of the Processing of Customer Personal Data. The Parties may make reasonable amendments to Annex 1 on mutual written agreement as reasonably necessary to meet requirements of Data Protection Laws.
​
4.2 The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement and any Order Form(s).
​
5. Data Processing Terms
​
5.1 Customer Obligations
Customer shall:
- Comply with all applicable Data Protection Laws in connection with the performance of this DPA
- Process Customer Personal Data within the Services in accordance with applicable Data Protection Laws
- Be solely responsible for the lawfulness of Personal Data it supplies
- Provide required notices to Data Subjects
- Not provide FastCollab with any special categories of data unless necessary for the Services
- Not provide unnecessary data concerning a natural person's health, religion or other special categories as defined in Article 9 of the GDPR unless required for travel fulfilment
​​
5.2 FastCollab Obligations
FastCollab shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall:
​
a) Process solely on instructions: Process Customer Personal Data for the purposes of the Agreement and as set out in Annex 1, solely on the documented instructions of Customer. The Agreement, this DPA, and Customer's use of the Services' features are Customer's written instructions.
b) Purpose limitation: Not Sell or Share Customer Personal Data under CCPA/CPRA, nor use, retain, disclose, or otherwise Process Customer Personal Data outside of the business relationship with Customer or for any commercial purpose except as required or permitted by law.
c) Confidentiality: Ensure that personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
d) Security measures: Implement and maintain the technical and organizational measures set out in Annex 2, taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing, including:
- Pseudonymization and encryption of Customer Personal Data
- Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems
- Ability to restore availability and access to Customer Personal Data in a timely manner
- Regular testing, assessing and evaluating effectiveness of security measures
e) Sub-processors: Customer hereby generally authorizes FastCollab to engage Sub-processors, subject to FastCollab:
- Notifying Customer at least thirty (30) days in advance of any intended changes to Sub-processors
- Including materially equivalent data protection obligations in contracts with Sub-processors
- Remaining liable for Sub-processor performance
f) Government requests: To the extent legally permissible, promptly notify Customer of legally binding requests for disclosure of Customer Personal Data. Where requests are not legally binding, FastCollab will reject them and notify Customer where lawful.
g) Data Subject rights: Reasonably assist Customer with Data Subject requests, taking into account the nature of Processing. Customer agrees to pay FastCollab for reasonable time and expenses incurred.
h) Security Incident notification: Upon becoming aware of a Security Incident involving Customer Personal Data, notify Customer without undue delay and no later than 24 hours, including available information required for Customer's compliance with breach reporting obligations.
i) Regulatory assistance: Provide reasonable assistance with Customer's obligations pursuant to Articles 32 to 36 of the GDPR, including privacy impact assessments and prior consultations with Supervisory Authorities.
j) Deletion/return: Upon termination or expiry of the Agreement, at Customer's option, either return or delete all Customer Personal Data, unless retention is required by law.
k) Records: Maintain necessary records to demonstrate compliance with obligations for Processing Customer Personal Data.
l) Audit rights: Make available information necessary to demonstrate compliance and allow for audits, including inspections, by Customer or its mandated auditor, subject to:
- Reasonable prior notice
- Conduct during normal business hours
- Minimizing disruption to operations
- No more than once per year (except after Security Incidents or regulatory requirements)
- Customer bearing its costs and FastCollab's reasonable expenses
​​
6. No Sale/Sharing and Business Purposes
6.1 FastCollab does not Sell or Share Customer Personal Data. FastCollab will not combine Customer Personal Data with Personal Data from other sources except as necessary to perform the Services.
​
6.2 For processing involving California consumers, FastCollab processes Personal Data for the following Business Purposes:
- Helping to ensure security and integrity
- Debugging to identify and repair errors
- Performing services on behalf of the business (maintaining accounts, customer service, processing transactions, verifying information, providing analytics)
- Undertaking internal research for technological development
- Maintaining quality or safety of services
- Retaining service providers or contractors as subcontractors
- Building or improving service quality
- Preventing, detecting, or investigating security incidents or illegal activity
​​
7. Sub-Processors
7.1 Customer authorizes FastCollab to use Sub-processors listed in Annex 3 (available at privacy@fastcollab.com or upon request).
​
7.2 FastCollab will notify Customer of new Sub-processors via email at least 30 days in advance. Customer may object on reasonable grounds; if no resolution is found, Customer may terminate affected Services without penalty.
7.3 FastCollab enters written agreements with Sub-processors imposing materially equivalent data protection obligations and remains liable for their performance.
​
8. Third-Party Travel Service Providers
8.1 FastCollab facilitates bookings with travel management companies, airlines, hotels, and other travel providers that Customer directly contracts with.
​
8.2 These providers act as independent controllers for Personal Data they receive. FastCollab transmits only minimum necessary data for fulfillment and secures such transmissions.
8.3 Customer is responsible for ensuring its chosen travel service providers comply with applicable laws.
​
9. Security Measures
FastCollab maintains administrative, technical, and organizational measures appropriate to the risk as detailed in Annex 2, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Multi-factor authentication and access controls
- Network segregation and firewalls
- Vulnerability management and patching
- Secure software development lifecycle
- 24/7 monitoring and logging
- Backup and disaster recovery with multi-availability zones
- Regular penetration testing and security assessments
- ISO 27001 compliance standards
​​
10. International Transfers
10.1 Where Customer Personal Data is transferred outside its origin to a Third Country, FastCollab uses appropriate safeguards:
​
a) For EU/EEA transfers: EU SCCs (Module Two - controller to processor) with:
- Clause 7: Optional docking clause applies
- Clause 9: Option 2 applies with 30-day notice for sub-processors
- Clause 11: Optional language does not apply
- Clause 17: Option 1 applies, governed by Irish law
- Clause 18(b): Disputes resolved before courts of Republic of Ireland
b) For UK transfers: EU SCCs as modified by UK Transfer Addendum, with conflicts resolved per Sections 10-11 of UK Addendum
c) For Swiss transfers: EU SCCs with modifications:
- References to GDPR interpreted as Swiss DPA
- References to EU/Union interpreted as Switzerland
- Governed by Swiss law with Swiss court jurisdiction
10.2 FastCollab processes Personal Data using AI/ML technologies within secure cloud infrastructure regions, in accordance with this DPA and applicable Data Protection Laws.
​
11. Security Incidents
11.1 FastCollab will notify Customer without undue delay and within 24 hours of becoming aware of a Security Incident.
11.2 Notifications will include:
- Nature of the incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records concerned
- Likely consequences
- Measures taken or proposed to address the incident
- Contact point for more information
11.3 FastCollab will investigate, mitigate effects, document outcomes, and provide reasonable assistance for Customer's compliance obligations.
​
12. Warranties
Each party warrants that it will comply with applicable Data Protection Laws. FastCollab warrants it will maintain appropriate technical and organizational measures and impose equivalent obligations on Sub-processors.
​
13. Liability and Indemnification
13.1 Liability remains as defined in the Agreement. Nothing limits Data Subjects' non-waivable rights under applicable law or SCCs/UK Addendum.
13.2 To the extent permissible by law, Customer shall defend and indemnify FastCollab and its Affiliates from claims arising from Customer's breach of this DPA or Data Protection Laws.
​
14. Data Protection Officer
For privacy matters and Data Subject requests, contact:
Data Protection Officer (Naresh Komirishetty)
Email: privacy@fastcollab.com
Or your usual FastCollab representative
​
15. Severability
If any section of this DPA is held unlawful or unenforceable, it shall not invalidate other sections.
​
16. Changes
FastCollab may update this DPA to reflect changes in law or Services, provided protection is not materially reduced. Material adverse changes will be notified in advance where practicable.
​
17. Priority of Signed DPAs
If Customer has a separately signed Data Processing Addendum with FastCollab, that signed DPA governs to the extent it conflicts with this page.
​
Annex 1: Description of Processing Activities
​
List of Parties
Data Exporter (Controller):
- Name: Customer (as defined in Agreement)
- Address: As set forth in relevant Order Form
- Contact: As set forth in relevant Order Form
- Activities: Recipient of Services provided by FastCollab
- Role: Controller/Business
Data Importer (Processor):
- Name: FastCollab Systems Private Limited
- Address: 91springboard - Hitech, opposite Sarath City Capital Mall, Kondapur, Laxmi Cyber City, Whitefields, Hyderabad, Telangana 500084
- Contact: Data Protection Officer, privacy@fastcollab.com
- Activities: Provision of Services to Customer
- Role: Processor/Service Provider
​​
Processing Information
Categories of Data Subjects:
- Employees, contractors, authorized users
- Travelers, approvers, finance/SSC users
- Customer's business contacts and vendors
Categories of Personal Data:
- Identification and contact data (names, email IDs, phone numbers)
- Employment attributes (employee ID, department, grade, reporting manager)
- Travel preferences and loyalty program numbers
- Identity/travel document data (passport, visa details where necessary)
- Itinerary/PNR data
- Expense and payment data
- Login credentials and usage metadata
- Device/network identifiers
- Support ticket content
- Other data uploaded by Customer
Sensitive Personal Data: Only where necessary for travel fulfillment:
- Passport/visa details for international travel
- Limited health data (meal preferences, accessibility requirements)
- Subject to heightened security controls
Processing Activities: Collection, storage, organization, structuring, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination (within Customer tenancy), restriction, erasure, destruction
​
Purpose:
- Travel booking and fulfillment
- Expense management and reimbursement workflows
- Policy compliance and approvals
- Analytics and reporting
- Account administration
- Platform security and reliability
- Customer support
- Service improvement
Duration: Term of Agreement plus any legally required retention period
Frequency of Transfer: Continuous during provision of Services
​
Annex 2: Technical and Organizational Security Measures
​
1. Security Management System
​
- Organization: Designated qualified security personnel for Information Security Program
- Policies: Management-reviewed security policies updated annually
- Standards: ISO 27001 compliance
- Assessments: Annual third-party risk assessments
- Risk Treatment: Penetration testing, vulnerability management, patch management
​​
2. Personnel Security
​
- Background checks where legally permissible
- Written confidentiality agreements at hire
- Regular privacy and security training
- Role-specific certifications where appropriate
- Immediate access revocation upon termination
​​
3. Access Controls
​
- Access Management: Formal request/review/approval process
- Authentication: Multi-factor authentication for all users
- Privilege Management: Least privilege and need-to-know principles
- Password Policies: Complex passwords, regular expiry, account lockout
- Access Reviews: Periodic reviews to ensure appropriate access
- Audit Trails: Comprehensive logging of system access
​​
4. Data Center and Network Security
​
Infrastructure:
- Industry-standard cloud hosting (AWS/Azure/GCP)
- Multi-availability zones for resilience
- Regular backup restoration testing
- Disaster recovery planning and testing
Network Security:
- Data transmission via HTTPS/TLS
- Virtual firewalls and network segmentation
- Intrusion detection and prevention systems
- DDoS protection
Vulnerability Management:
- Regular vulnerability scanning
- Risk-based remediation (Critical/High priority)
- Security patches applied promptly
​​
5. Data Security
​
- Encryption: At rest and in transit
- Key Management: Secure key storage and rotation
- Data Segregation: Logical isolation in multi-tenant environment
- Data Minimization: Collection limited to necessary data
- Pseudonymization: Where applicable
​​
6. Operations Security
​
- Monitoring: 24/7 security monitoring and alerting
- Logging: Comprehensive security event logging
- Incident Response: Documented procedures and playbooks
- Change Management: Controlled deployment processes
- Backup: Regular automated backups with offsite storage
​​
7. Physical Security
​
- Data center physical access controls
- Environmental controls (temperature, humidity)
- Fire detection and suppression
- Uninterruptible power supplies
​​
8. Vendor Management
​
- Due diligence on Sub-processors
- Contractual security requirements
- Regular reviews and audits
​​
9. Testing and Assurance
​
- Annual penetration testing
- Quarterly vulnerability assessments
- Security code reviews
- Third-party audits/certifications
​​
10. Privacy by Design
​
- Privacy impact assessments for new features
- Data protection built into system design
- Customer-configurable privacy controls
- Support for Data Subject rights
​​
Annex 3: Sub-Processors
​​​
FastCollab engages the following sub-processors to provide its services.
This list is kept current and will be updated with at least 30 days’ advance notice for any changes.
​
Categories of sub-processors may include:
​
- Cloud hosting and infrastructure service providers
- Email delivery services
- Compliance and audit automation platforms
- Customer support and ticketing tools
- Productivity and collaboration platforms
- Source code hosting and version control platforms
- Artificial intelligence / large language model APIs used to provide support and error analysis
Each sub-processor is bound by a written agreement imposing data protection obligations equivalent to those in this DPA.
Current Sub-processor List
​
- Amazon Web Services, Inc. (AWS) – Cloud infrastructure & services: EC2, S3, RDS/MySQL, Lambda, CloudWatch monitoring, networking, encryption at rest & transit, SQS message queues, Simple Email Service (SES) for transactional emails (also hosts self-managed databases such as MongoDB and ClickHouse)
  Region: India (Mumbai)
- Zilliz Inc. (Milvus Cloud) – Managed vector database storing AI embeddings for log analysis & conversational features
  Region: United States
- OpenAI, L.L.C. – Large Language Model API used for AI assistance (support queries, log/error analysis)
  Region: United States
- Atlassian Pty Ltd (Jira Service Management Cloud) – Helpdesk / support ticketing system for customer issues and service requests
  Region: Germany / Ireland (EU)
- Google LLC (Google Workspace) – Corporate productivity suite (Gmail, Drive, Docs, Sheets, Meet) used for business communication and document collaboration
  Region: United States & EU data centres
- GitHub, Inc. – Source code hosting, version control and issue tracking platform (may include customer-related logs/config in code)
  Region: United States
Disclosure about other parties
​
FastCollab integrates, at the customer’s request, with identity providers (SSO / SAML / OIDC), HRMS platforms (e.g., SAP SuccessFactors, Workday, Oracle HCM, PeopleSoft) and finance/ERP systems (e.g., SAP, Oracle, payroll/expense tools). These systems are owned and contracted directly by the customer; FastCollab does not engage or instruct these vendors.
​
FastCollab also connects to Travel Management Companies (TMCs) and their chosen suppliers (airlines, hotels, ground transport, payment gateways such as HDFC Bank, Razorpay). These entities act as independent controllers or processors for the customer and are not FastCollab sub-processors.
​
For questions about this DPA, please contact our Data Protection Officer at privacy@fastcollab.com