Data Processing Agreement
Effective: May 2026
This Data Processing Agreement ('DPA') forms part of the Guide Connect Terms of Service and governs the processing of personal data by Guide Connect ehf. ('Processor') on behalf of agencies using the platform ('Controller'). By using the Guide Connect platform, the Controller agrees to the terms of this DPA.
1. Definitions
In this DPA, 'Personal Data', 'Processing', 'Data Subject', 'Controller', 'Processor', and 'Sub-processor' have the meanings given in GDPR Article 4. 'Platform' means the Guide Connect web and mobile applications. 'Guide Data' means personal data of guides processed through the Platform. 'Agency Data' means personal data of agency staff processed through the Platform.
2. Scope and Duration
- This DPA applies to all processing of Personal Data by Guide Connect on behalf of the Controller through the Platform.
- The DPA remains in effect for the duration of the Controller's subscription and for 1 year thereafter (covering the data deletion period).
- Processing activities covered: marketplace facilitation, guide profile access, tour management, messaging, incident reporting, external guide contact storage.
3. Categories of Data Subjects and Personal Data
- Guides: professional profiles, contact information, credentials, availability, engagement history, location data (during active tours)
- Agency staff: account information, role, communication records
- External guides (non-registered): name, email, phone, notes (stored by agency, Controller responsibility)
- Tourists: names and personal details only when included in incident reports (joint controller arrangement applies)
4. Controller Obligations
- The Controller must have a lawful basis for processing Personal Data accessed through the Platform.
- When storing personal data of external guides (non-registered individuals), the Controller is responsible for informing those individuals about the processing per GDPR Article 14 within one month of collection.
- The Controller must not use Guide Data for purposes other than those facilitated by the Platform (staffing, communication, tour management).
- The Controller is responsible for informing affected tourists when incident reports contain their personal data, where practical.
5. Processor Obligations
- Guide Connect processes Personal Data only on documented instructions from the Controller, except where required by EU or Member State law.
- Guide Connect ensures that persons authorised to process Personal Data have committed to confidentiality.
- Guide Connect implements appropriate technical and organisational security measures as described in Clause 9.
- Guide Connect assists the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, objection).
- Guide Connect assists the Controller with obligations under Articles 32-36 (security, breach notification, DPIAs, prior consultation).
- At the Controller's choice, Guide Connect deletes or returns all Personal Data after the end of the provision of services, unless EU or Member State law requires storage.
- Guide Connect makes available all information necessary to demonstrate compliance and allows for audits.
6. Sub-processors
Guide Connect uses the following sub-processors. The Controller provides general written authorisation for the use of these sub-processors:
- Linode / Akamai - Cloud hosting and file storage (EU Frankfurt)
- Mailgun (Sinch) - Email delivery (EU Germany)
- PostHog - Product analytics (EU Frankfurt, consent-gated)
- Straumur - Payment processing (Iceland, EEA)
- Expo - Mobile push notifications (US, SCCs in place)
- Google Cloud Vision - Incident form OCR (EU endpoint)
Guide Connect will inform the Controller of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object. If the Controller objects on reasonable data protection grounds, Guide Connect will use reasonable efforts to make available an alternative or allow the Controller to terminate.
7. International Data Transfers
All primary data processing occurs within the EU/EEA (Linode Frankfurt). One sub-processor (Expo) is located in the United States. Standard Contractual Clauses (SCCs) approved by the European Commission are in place for this transfer. No other international transfers occur.
8. Data Breach Notification
- Guide Connect will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach.
- The 48-hour window gives the Controller sufficient time to meet the 72-hour GDPR Article 33 notification deadline to the supervisory authority.
- The notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
- Guide Connect will assist the Controller in notifying affected data subjects where required under GDPR Article 34.
9. Security Measures
- Encryption in transit (HTTPS/TLS) for all data transmission
- Field-level encryption at rest for sensitive data (payment tokens, tax IDs, bank accounts)
- bcrypt password hashing with appropriate cost factor
- Role-based access control with principle of least privilege
- Automated data retention enforcement via scheduled tasks
- Audit logging of administrative actions (365-day retention)
- EU-only data hosting (Linode Frankfurt)
- Self-hosted error tracking and routing (no external data leakage)
- Regular security updates and dependency patching
10. Joint Controller Arrangement (Incident Reports)
For incident reports created during tour execution, Guide Connect, the guide, and the agency act as joint controllers under GDPR Article 26:
- The guide creates the incident report and determines its content
- The agency manages, reviews, and resolves the incident
- Guide Connect stores the report, defines the data model, and enforces retention periods
- Each party is independently responsible for its own processing activities
- The agency is responsible for informing affected individuals (tourists) about processing where practical
- Default retention: 5 years. Agencies may request extended retention up to 10 years for liability purposes.
11. Data Subject Rights
- Guide Connect provides technical mechanisms for data subjects to exercise their rights directly (account settings, data export, account deletion).
- When a data subject exercises their rights through the Controller, Guide Connect will assist the Controller in responding within the required timeframe.
- Guide Connect will not respond directly to data subject requests unless instructed by the Controller or required by law.
12. Data Retention and Deletion
- Financial records: retained 7 years per Icelandic tax law, regardless of subscription status.
- Non-financial agency data: deleted 1 year after subscription cancellation.
- Guide data: anonymised (not deleted) 90 days after account deletion request. Tour records preserved with personal identifiers removed.
- External guide contacts: deleted 1 year after agency subscription cancellation.
- Incident reports: 5 years default, up to 10 years at agency written request.
- Full retention schedule available in the Privacy Policy, Section 6.
13. Audit Rights
- The Controller may audit Guide Connect's compliance with this DPA with reasonable prior notice (minimum 30 days).
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Guide Connect's operations.
- The Controller shall bear its own costs of any audit.
- Guide Connect may satisfy audit requests by providing relevant certifications, audit reports, or compliance documentation.
14. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law or for damages arising from non-compliance with this DPA.
15. Governing Law
This DPA is governed by Icelandic law. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the District Court of Reykjavik.
For questions about this DPA, contact privacy@guideconnect.is.