Data Processing Agreement

Capitalised terms not defined here have the meaning given in the GDPR or UK GDPR. 'Customer' means the entity that has accepted Randvu's Terms of Service. 'Customer Personal Data' means personal data Randvu processes on behalf of Customer. 'Sub-processor' means any third party engaged by Randvu to process Customer Personal Data.

The Customer is the controller of Customer Personal Data. Randvu is the processor and processes Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country, unless required to do otherwise by applicable law.

Randvu processes Customer Personal Data to provide the Service as described in the Terms of Service and any order form. Processing covers booking management, communications, billing, support, and analytics necessary to operate the Service. The categories of data subjects include Customer's staff and Customer's clients/guests. Categories of personal data include identifiers, contact details, and booking-related data.

Customer authorises Randvu to engage Sub-processors to process Customer Personal Data, subject to:

• A written contract imposing data-protection obligations no less protective than those in this DPA.
• Randvu remaining responsible for the performance of each Sub-processor.
• Randvu maintaining a list of current Sub-processors and providing notice of additions or replacements, with a reasonable opportunity to object on legitimate data-protection grounds.

Randvu implements appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include:

• Encryption of data in transit and of sensitive fields at rest.
• Access controls and the principle of least privilege.
• Logging, monitoring, and regular review of security events.
• Personnel confidentiality obligations and security training.
• Vendor risk management and incident-response procedures.

Taking into account the nature of the processing, Randvu will provide reasonable assistance to enable Customer to respond to requests from data subjects exercising their rights under applicable data-protection laws (access, rectification, erasure, restriction, portability, and objection). If Randvu receives a request directly, it will redirect the data subject to the Customer.

Randvu will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably available to Randvu to enable Customer to meet its notification obligations under applicable laws.

Where Randvu transfers Customer Personal Data to a country outside the EEA, the UK, or Switzerland that has not been deemed to provide an adequate level of protection, the parties rely on Standard Contractual Clauses or another lawful transfer mechanism, incorporated by reference into this DPA.

Randvu will make available to Customer information necessary to demonstrate compliance with this DPA. Customer may, at its expense and no more than once per year (except where required by a regulator or following a Personal Data Breach), audit Randvu's compliance, with reasonable advance notice and during normal business hours, subject to confidentiality obligations.

On termination or expiry of the Service, Randvu will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, unless retention is required by applicable law.

This DPA takes effect when Customer accepts the Terms of Service and remains in force for as long as Randvu processes Customer Personal Data on behalf of Customer.