The travel-tech house behind Reservationhub, TripGic, TripMargin, UmrahCore & YourTripDesk
[email protected]
Home· Data Processing Agreement

Data Processing Agreement

This page sets out the terms under which Innovate Solution processes personal data on behalf of customers using our software products. It is written to meet the requirements of GDPR Article 28 and equivalent provisions in other data-protection regimes. Wholesale travel agencies, OTAs, and other B2B customers can request a counter-signed bilateral DPA via the contact details at the bottom of this page.

Version 2.0 · Last updated: 1 January 2026 · Effective date: 1 January 2026

Plain-English summary. When you use one of our platforms (Reservationhub, TripGic, TripMargin, UmrahCore, YourTripDesk), your customers' personal data flows through our systems so the bookings, communications, and operations can happen. You remain the controller of that data; we act as your processor. This document lays out how we handle that responsibility — security, sub-processors, breach notification, audit rights, and what happens when our agreement ends. If you need a signed copy with your company name on it, email [email protected] or use the form at the bottom.

1. Definitions

The terms below have the meanings given in the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent national legislation:

  • "Controller" — the customer (e.g. a wholesale travel agency) that determines the purposes and means of processing personal data.
  • "Processor" — Innovate Solution, processing personal data on behalf of the Controller.
  • "Personal Data" — any information relating to an identified or identifiable natural person, processed under the Principal Agreement between the parties.
  • "Data Subject" — the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Principal Agreement" — the master service agreement, order form, or terms of service between the Controller and Innovate Solution.
  • "Processing" — any operation performed on Personal Data, including collection, storage, transmission, retrieval, alteration, and deletion.

2. Subject matter and duration

The subject matter of the processing is the provision of travel-technology platforms by Innovate Solution to the Controller under the Principal Agreement. Processing continues for the duration of the Principal Agreement and any subsequent data-return or data-deletion period defined in Section 13 below.

3. Nature and purpose of processing

Innovate Solution processes Personal Data for the following purposes only:

  • Operating the platform services purchased by the Controller (Reservationhub, TripGic, TripMargin, UmrahCore, YourTripDesk).
  • Facilitating bookings, ticketing, refunds, exchanges, and other travel-business operations on the Controller's behalf.
  • Providing customer support to the Controller and, where authorised, to the Controller's customers.
  • Ensuring the security, integrity, and availability of the platforms.
  • Producing aggregated, anonymised statistical reports.
  • Complying with applicable law and lawful instructions from competent authorities.

The Processor will not process Personal Data for any other purpose without the prior written instruction of the Controller.

4. Categories of personal data

Depending on the platform and modules used by the Controller, the following categories of Personal Data may be processed:

  • Identification data: names, dates of birth, nationalities, passport / national ID numbers.
  • Contact data: email addresses, phone numbers, postal addresses, WhatsApp numbers.
  • Travel data: bookings, PNRs, ticket numbers, itineraries, frequent-flyer numbers, seat preferences, special-service requests.
  • Payment data: payment-method identifiers (tokens), billing addresses, partial card numbers. Full card numbers are tokenised by our PCI-DSS-certified payment processors and are not stored by Innovate Solution.
  • Communication data: messages exchanged between the Controller's agents and customers via YourTripDesk channels (WhatsApp, email, SMS, etc.).
  • Account & usage data: login credentials, IP addresses, browser data, timestamps, audit logs.
  • Religious / pilgrimage data (UmrahCore only): pilgrim group membership, mahram status, visa application data, group itineraries.

5. Categories of data subjects

The Personal Data processed under this DPA relates to the following categories of Data Subjects:

  • The Controller's employees and authorised users.
  • The Controller's downstream retail agents (where the Controller is a wholesaler).
  • The Controller's customers (travellers, pilgrims, corporate-account holders).
  • Travel companions and additional passengers identified in bookings.
  • Emergency contacts named by travellers.

6. Obligations of the Processor

Innovate Solution, as Processor, undertakes that it will:

  • Process only on documented instructions from the Controller, including with regard to transfers to a third country or international organisation, unless required to do so by applicable law.
  • Ensure confidentiality: persons authorised to process Personal Data are bound by confidentiality obligations, whether contractual or statutory.
  • Implement appropriate technical and organisational measures (see Section 9 below) to ensure a level of security appropriate to the risk.
  • Respect the conditions for engaging Sub-processors (see Section 8 below).
  • Assist the Controller, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, objection).
  • Assist the Controller in complying with its obligations regarding security, breach notification, data-protection impact assessments, and prior consultation with supervisory authorities.
  • At the choice of the Controller, delete or return all Personal Data at the end of the provision of services (see Section 13).
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits (see Section 11).

7. Obligations of the Controller

The Controller warrants that it has, and will maintain throughout the term of the Principal Agreement:

  • A lawful basis for collecting and processing the Personal Data it transfers to Innovate Solution.
  • All necessary consents, notices, and authorisations from Data Subjects.
  • Compliance with its own obligations under applicable data-protection law.

The Controller is responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data.

8. Sub-processors

The Controller provides general written authorisation for Innovate Solution to engage Sub-processors. The current list of Sub-processors is published below and updated when changes occur. The Controller may object to new Sub-processors on reasonable grounds within 30 days of notification; if no commercially reasonable resolution is found, the Controller may terminate the affected service.

Innovate Solution imposes data-processing terms on each Sub-processor that are no less protective than those in this DPA, and remains liable to the Controller for the acts and omissions of its Sub-processors.

8.1 Current Sub-processor list

Sub-processor Purpose Data hosting region
Amazon Web Services (AWS) Cloud infrastructure, storage, compute, transactional email (SES). Singapore, Ireland, USA (region depends on customer location).
Google LLC Email delivery, productivity (Google Workspace), analytics. EU / USA.
Cloudflare, Inc. CDN, DDoS protection, DNS, web application firewall. Global (edge).
Stripe Payments Payment-card processing, payout reconciliation (PCI DSS Level 1). Ireland, USA.
Amadeus, Sabre, Travelport Global Distribution Systems — flight inventory, ticketing, PNR management. Madrid, Texas, Atlanta (respectively).
Hotelbeds, TBO, RateHawk Hotel inventory aggregation and booking. Spain, India, Cyprus (respectively).
Meta Platforms (WhatsApp Business) YourTripDesk WhatsApp channel — message delivery via WhatsApp Business API. EU, USA.
Twilio YourTripDesk SMS channel, multi-region SMS delivery. USA (global termination).
Sentry, Datadog Error tracking and performance monitoring (no Personal Data ingested by design). USA, EU.

This list is maintained on a best-efforts basis. To receive automated notifications of changes, email [email protected] and ask to be added to the Sub-processor change notification list.

9. Security measures

Innovate Solution implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit — TLS 1.2 or higher for all data in transit. HSTS enforced on customer-facing endpoints.
  • Encryption at rest — AES-256 encryption on all databases and backups containing Personal Data.
  • Access controls — role-based access; multi-factor authentication mandatory for administrative access; quarterly access reviews.
  • Network security — perimeter firewalls, intrusion detection, web application firewall, DDoS mitigation.
  • Vulnerability management — automated dependency scanning, quarterly penetration tests, annual third-party security assessment.
  • Backup and disaster recovery — daily encrypted backups; recovery objectives and tested restoration procedures.
  • Personnel — background checks on staff with administrative access; mandatory security training; confidentiality agreements.
  • Logging and monitoring — security event logging with tamper-evident retention; 24/7 security monitoring.
  • Secure development — code review, automated testing, separation of production from non-production environments.

10. Personal data breach notification

Upon becoming aware of a Personal Data breach affecting the Controller's data, Innovate Solution will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware.
  • Provide a description of the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed.
  • Provide updates as additional information becomes available.
  • Cooperate with the Controller's investigation and remediation efforts.

The breach notification address is [email protected]. Controllers are responsible for maintaining a current notification address with us.

11. Audit rights

The Controller, or a mutually agreed third-party auditor bound by appropriate confidentiality obligations, has the right to audit Innovate Solution's compliance with this DPA, subject to:

  • Reasonable advance written notice (not less than 30 days).
  • Audits conducted during normal business hours, no more than once per calendar year except where a Personal Data breach has occurred.
  • Reasonable scope, limited to the Personal Data of the Controller.
  • The Controller bearing its own audit costs.

To minimise audit burden, Innovate Solution makes available on request: SOC 2 Type II reports (where available), ISO 27001 attestations, penetration test summaries, and the most recent security assessment.

12. International data transfers

Where Personal Data is transferred outside the European Economic Area or the United Kingdom, the transfer is governed by one or more of the following safeguards, as applicable:

  • Adequacy decisions of the European Commission or the UK Information Commissioner's Office.
  • Standard Contractual Clauses (EU 2021/914 and the UK International Data Transfer Addendum).
  • Binding Corporate Rules of the Sub-processor where applicable.

Customers based in the EU/UK can request a copy of the executed Standard Contractual Clauses by writing to [email protected].

13. Return and deletion of personal data

Upon termination or expiration of the Principal Agreement, the Controller may choose to:

  • Return all Personal Data in a structured, commonly used, machine-readable format. The Controller must initiate this request within 30 days of termination; data is available for return for 60 days thereafter.
  • Delete all Personal Data. Deletion is initiated within 30 days of the termination date and completed within a further 90 days, including from backup systems (subject to backup rotation cycles).

Where the Controller does not specify a preference within 30 days of termination, Innovate Solution will delete the Personal Data in accordance with the second option above.

Notwithstanding the above, Innovate Solution may retain Personal Data to the extent required by applicable law (for example, financial records, tax records, regulatory reporting), in which case the retained data continues to be processed solely for the legally required purpose and remains subject to the security and confidentiality provisions of this DPA.

14. Liability and indemnity

The liability of each party under this DPA is subject to the liability provisions of the Principal Agreement. Nothing in this DPA limits or excludes either party's liability where such limitation or exclusion is not permitted by applicable law.

15. Order of precedence

In the event of any conflict between this DPA and the Principal Agreement, this DPA prevails to the extent of the conflict, but only with respect to data-protection matters.

16. Governing law and jurisdiction

This DPA is governed by the laws of the Republic of Singapore. The courts of Singapore have exclusive jurisdiction over disputes arising under or in connection with this DPA, except where mandatory rules of the Controller's home jurisdiction require otherwise.

17. How to request a signed bilateral DPA

Most customers can accept this published DPA by reference in the Principal Agreement. Customers required by their own legal or procurement teams to obtain a counter-signed bilateral DPA can request one by:

  • Emailing [email protected] with the company name, legal entity, and primary contact.
  • Including the request in the contact form under "Why are you interested?".

We aim to return a counter-signed DPA within 5 business days. There is no fee for executing the standard published DPA. Material amendments are reviewed case-by-case and may take longer.

18. Contact

For all data-protection enquiries under this DPA:

  • Email: [email protected]
  • Or write to:
    Innovate Solution — Legal Department
    101 Kitchener Road, #03-02, Jalan Besar Plaza
    Singapore 208511
    Singapore