Sojern Inc. Data Processing Addendum

Last Updated: February 26, 2025

This Data Processing Addendum, inclusive of Schedules 1 and 2 (“DPA”) sets out the essential terms required by Sojern, Inc., a Delaware corporation with its principal place of business located at 575 Market Street, 4th Floor, San Francisco, CA 94105 USA (“Sojern”). For the purposes of this DPA, the company that is a party to the Agreement (as defined below) in which this DPA is incorporated is referred to as “Company”.

1. Definitions

“Agreement” means any and all agreements between the parties under which Sojern receives, collects, accesses or otherwise processes Personal Data for the purposes pursuant to the applicable data provider or service agreement. This DPA incorporates the terms and conditions of the Agreement and as set forth below. In the event of a conflict between the DPA and the Agreement, the terms of this DPA shall govern and prevail. All capitalized terms used but not defined herein shall have their respective meanings as set forth in the Agreement.

“Personal Data” means any information relating to an identified or identifiable natural person who can be directly or indirectly identified.

“Service” means the services provided by Sojern or Company, as applicable, under the Agreement.

2. Application of DPA

For the purposes of the processing carried out by Sojern pursuant to the Agreement, Sojern’s role as a data processor or data controller with respect to Personal Data processed by Sojern shall be set forth in the applicable Agreement.

3. Use of Personal Data

Except as expressly permitted herein or in writing by Company, Sojern will not directly or indirectly (a) disclose, sell, distribute or transmit Personal Data to any third party, or (b) use Personal Data for any purpose other than to provide Company the Service under the Agreement, and in accordance with all applicable privacy and data protection laws. Sojern will ensure that each person authorized to process Personal Data is subject to a duty of confidentiality with respect to that Personal Data. 

4. Compliance with Law; Other Instructions

Each party certifies it understands its obligations under applicable privacy and data protection laws and shall process Personal Data in accordance with all applicable privacy and data protection laws. Where Sojern is acting as a data processor, Sojern will perform the processing as documented and instructed by Company in the Agreement, unless otherwise notified by a regulatory authority that such processing does not comply with applicable privacy and data protection laws, in which case Sojern will promptly provide Company with written notice of that regulatory notice and may cease processing Personal Data until the regulatory issue is resolved.

To the extent required by applicable Data Protection Law, Company shall only instruct Sojern to Process Personal Data for those purposes permitted under applicable privacy and data protection laws and shall disclose Personal Data to Sojern only for the limited and specified purposes specified in the Agreement. Company reserves the right, upon reasonable notice, to take reasonable and appropriate steps to help ensure that Sojern uses Personal Data transferred in a manner consistent with Sojern’s obligations under applicable privacy and data protection laws, including reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data. Sojern shall notify Company if it makes a determination that it can no longer meet its obligations under applicable privacy and data protection laws.     

Where the Agreement specifies that Sojern is acting as a “third party” under the California Consumer Protection Act (CCPA): 

Sojern shall only process Personal Data during the term of the Agreement to provide or perform the Service, specifically for the limited and specific purpose of providing the Service or as otherwise instructed or permitted in writing by Company. For clarity, the Services provided by Sojern are enumerated on Company’s Order Form.

Sojern shall comply with all applicable obligations under the CCPA and provide the same level of privacy protection as required by the CCPA and shall provide notice if it can no longer meet its obligations under the CCPA.

Sojern grants Company the right to (a) take reasonable and appropriate steps to help ensure that Supplier uses Personal Data in a manner consistent with its obligations under the CCPA and (b) upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

5. Records; Cooperation for Compliance

Each party will maintain a written or electronic record of the processing of Personal Data. Each party will reasonably cooperate with the other party in complying with applicable privacy and data protection laws with respect to data impact assessments, records of processing, related requests or consultations with data protection authorities, and audits in accordance with the applicable Agreement to enable Company to confirm that Sojern have complied with its obligations under applicable privacy and data protection laws and the Agreement.

6. Sojern Privacy Policy

The parties acknowledge that Sojern does not maintain a direct relationship with individuals whose Personal Data is provided to Sojern. As such, where required by applicable privacy and data protection laws, Company will make available the Sojern Privacy Policy available at https://www.sojern.com/privacy/privacy-policy/ to individuals whose Personal Data is processed by Sojern.

7. Notice, Consent, and Opt-Out

Company shall provide notice to, and obtain consents from, individuals as required by applicable privacy and data protection laws regarding Company’s collection, use, and disclosure of Personal Data. If applicable privacy and data protection laws require mechanisms by which individuals may exercise rights, including but not limited to opt-out rights, Company (or such other party who is responsible for the collection of Personal Data on behalf of Company), shall provide such mechanism to individuals. Company will be presumed to have provided appropriate notices and have obtained appropriate consents, if required, from any individuals whose Personal Data is provided to Sojern. Company shall promptly provide, upon request and at any time by Sojern, proof that appropriate consents have been obtained by Company from relevant individuals.      

8. Individual Privacy Rights

Each party will reasonably cooperate with the other party in response to any requests or complaints from individuals relating to the processing of Personal Data under the Agreement and pertaining to privacy rights under applicable privacy and data protection laws. If Sojern receives a request from an individual, Sojern will promptly: (a) forward the request to Company to manage the request; and (b) where Sojern is a data processor, implement Company’s decision with respect to how the request will be managed.

9. EU Personal Data

The parties acknowledge that Personal Data originating outside the USA (including the European Economic Area (EEA), the United Kingdom, or Switzerland) may be transferred to or processed by Sojern in a country or territory recognized as ensuring adequate protection under relevant privacy and data protection law. The parties also agree that transfers of such Personal Data to Sojern may be made in accordance with a solution, other than standard contractual clauses, that enables the lawful transfer of personal data to a third country in accordance with applicable privacy and data protection law (a “Transfer Solution.”) This includes, but is not limited to, an approved data protection framework recognized as ensuring that participating entities provide adequate protection of Personal Data. 

To the extent Personal Data originating outside the USA (including the European Economic Area (EEA), the United Kingdom, or Switzerland) is transferred to Sojern, the data processing requires adequacy under the laws of the country of the Company, no adequacy decision or Transfer Solution applies, and the required adequacy can be met by the terms of this DPA, then the parties agree that this DPA incorporates by reference, as applicable, the (EU) 2021/914 European Commission standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016-679 by EU/EEA controllers to processors established outside the EU/EEA (“Module 2”) and/or by EU/EEA controllers to controllers established outside the EU/EEA (“Module 1”), and as they are amended or replaced from time to time by the European Commission (collectively, the “Clauses”). For convenience purposes, the Clauses hyperlinked above are generated based on the text made available by the European Commission for the sole purpose to incorporate the Clauses into the Agreement, select the appropriate Module(s), and to add information in the Appendix as permitted by the Clauses. For purposes of Personal Data transfers, Company shall be the “data exporter” and Sojern shall be the “data importer” (even if Company is an entity located outside the EU/EEA, provided the Company is otherwise subject to the Regulation (EU) 2016-679). Where the Clauses apply, Company and Sojern will be deemed to have entered into the Clauses in their respective names and on their own behalf, and the parties’ names, addresses, contact details, roles, and activities related to the Personal Data transferred under these Clauses will be provided in the Agreement. The execution of the Agreement shall be deemed execution of the Clauses, specifically execution of Annex I.A of the Clauses. To the extent there is any conflict between the terms of this DPA and the Clauses, the applicable Clauses shall govern and prevail.

1. Controller to Controller. For the purposes of Module 1, (i) Schedule 1 to this DPA shall take the place of Annex I.B of Module 1; (ii) Schedule 2 to this DPA shall take place of Annex II of Module 1; and (iii) under Clause 11(a) of Module 1, the optional text provided is selected; (iv) under Clause 17 of Module 1, OPTION 1 is selected, and the EU Member State is Ireland; and (v) under Clause 18(b) of Module 1 the courts of Ireland are selected.
2. Controller to Processor. For the purposes of Module 2, (i) Schedule 1 to this DPA shall take the place of Annex I.B of Module 2; (ii) Schedule 2 of this DPA shall take place of Annex II of Module 2; (iii) under Clause 9(a) of Module 2, OPTION 2: GENERAL WRITTEN AUTHORISATION is selected, and the time period for advance notice is thirty (30) days; (iv) under Clause 11(a) of Module 2, the optional text provided is selected; (v) under Clause 17 of Module 2, OPTION 1 is selected, and the EU Member State is Ireland; and (vi) under Clause 18(b) of Module 2 the courts of Ireland are selected.
3. FISA Section 702 and Executive Order 12333. Sojern shall notify Company immediately and cease accepting Personal Data if Sojern becomes aware that it has become subject to data sharing or disclosure requirements as envisioned under Section 702 Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333 of the United States. If further guidance is released by the European Data Protection Board or another regulatory authority that the Company is regulated by on what further adequate measures are required for the international export of Personal Data, Sojern shall promptly implement any further adequate measures.

10. Security Safeguards

Each party shall implement and maintain appropriate technical, physical, and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

1. Personal Data Breach. Upon becoming aware of a Personal Data breach under applicable privacy and data protection laws, each party will notify the other in writing without undue delay and within the time frame required under applicable privacy and data protection laws. Each party will reasonably cooperate with the other to mitigate, where possible, the adverse effects of a Personal Data breach.
2. Data Storage; Deletion of Personal Data Post-Termination. Sojern implements technical security measures to guard against unauthorized access to Personal Data, including encrypting Personal Data in electronic form while in transit and at rest in storage on Sojern networks or systems. Sojern’s obligations with respect to Personal Data in the event of termination of the Agreement are set forth in the Term and Termination section of the Agreement, subject to any data retention terms of the applicable Agreement. At Company’s direction, Sojern shall delete or return all personal data to Company as requested at the end of the provision of services, unless retention of the personal data is required by law. 

11. Sub-processors

Company grants a general authorization to Sojern to use other data processors for the processing of Personal Data (“Sub-processors”), who are bound by confidentiality and data protection obligations consistent with this DPA and applicable privacy and data protection laws, listed at www.sojern.com/legal/partner-list/. Where required by the Agreement or where Sojern is acting as a data processor, Sojern will inform Company of any changes concerning the addition or replacement of Sub-processors by updating the above-mentioned list, thereby giving Company an opportunity to object to such changes, and instructions for objections are provided at the same URL. If Company reasonably objects to a change and Sojern is unable to resolve such objection, Company may terminate the Agreement and DPA.

12. Application of DPA

This DPA shall remain in full force and effect until the latter of (a) the Agreement(s) remains in effect, and (b) Sojern retains copies of Personal Data. Either party may terminate this DPA immediately upon a material breach of this DPA or a regulatory authority and/or a tribunal or court with jurisdiction finds that processing of Personal Data by the parties materially violates applicable privacy and data protection laws, provided however, that the non-breaching party must provide notice of the alleged breach, and such breach shall have remained uncured for a period of fifteen (15) days following such notice.

13. Governing Law

This DPA shall be deemed to have been made in and shall be construed pursuant to the laws of the State of California, USA, without regard to conflicts of laws provisions thereof.

SCHEDULE 1

Description of Transfer

Categories of data subjects whose personal data is transferred

Travelers and other customers of the Company.

Categories of personal data transferred

Personal Data transferred by Company is provided in accordance with the Agreement, and may include but is not limited to:

• Information in connection with a unique online identifier, such as a cookie ID, mobile device ID, hashed or plain email address, advertising ID, and Company-assigned customer ID numbers.
• Information in connection with an individual’s device, such as IP address, device type, browser type, date and time stamp of clicks and web visits, URLs visited, and other technical information.
• Information in connection with an individual's travel, such as the number and types of travellers, currency/rates/fares/fees, search and booking information (such as departure and arrival date, and destination country or city), reward or loyalty program information, and accommodation or service preferences (such as room, flight seat or car type, and facilities and amenities preferences).

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis, for the duration of the applicable Agreement.

Nature of the processing

Collection of online browsing information through the use of cookies and other tracking technologies.

Purpose(s) of the data transfer and further processing

For any lawful purpose in connection with the Services provided under the Agreement between data exporter and data importer, particularly targeted advertising based on online browsing information. No further processing is permitted. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of the applicable Agreement, unless at the choice of data exporter Personal Data is deleted or returned.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sub-processors are listed at www.sojern.com/legal/partner-list/ as permitted by Model 1 Clause 9(a).

• Subject matter of the processing:  The sub-processors provide hosting, storage, and processing infrastructure and services to enable Sojern to provide services to its clients. Additionally, sub-processors serve digital advertisements on websites, mobile apps, and other Internet-connected properties, issue reports on performance of advertising campaigns, and provide a platform that facilitates the sale of online impressions/inventory through real-time auctions.
• Nature of the processing:  Cloud hosting providers store and process data provided by Sojern’s clients, and demand-side-platforms process data for programmatic media buying and advertising services. 
• Duration of the processing:  For the length of the agreement between Sojern and the sub-processors, subject to the retention periods therein.

Competent Supervisory Authority

The supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

SCHEDULE 2

Misure tecniche e organizzative, comprese misure tecniche e organizzative per garantire la sicurezza dei dati

1. Generale. Sojern stabilirà, implementerà e manterrà adeguate misure amministrative, tecniche e organizzative progettate per proteggere contro il trattamento non autorizzato o illegale dei Dati personali e contro la perdita, la distruzione o il danneggiamento accidentale dei Dati personali. Queste misure saranno adeguate a rispettare le leggi applicabili sulla protezione dei dati e Sojern rispetterà in ogni momento le sue politiche di sicurezza delle informazioni e il suo programma di sicurezza delle informazioni.

2. Politiche e standard di sicurezza delle informazioni. Sojern manterrà politiche, standard e procedure di sicurezza delle informazioni. Queste politiche, standard e procedure devono essere mantenute aggiornate e riviste ogni volta che vengono apportate modifiche pertinenti ai sistemi informativi che utilizzano o archiviano i dati personali.

3. Gestione delle vulnerabilità. Sojern manterrà un programma di gestione delle vulnerabilità per tutti i sistemi che trattano i dati personali che include, a titolo esemplificativo, la scansione delle vulnerabilità interne ed esterne con i risultati della valutazione del rischio e piani formali di riparazione per risolvere eventuali vulnerabilità identificate.

4. Valutazione del rischio. Sojern condurrà valutazioni periodiche del rischio per identificare e valutare i rischi ragionevolmente prevedibili per la sicurezza, la riservatezza e l'integrità dei record contenenti Dati personali e valuterà e migliorerà, ove necessario, l'efficacia delle sue misure di protezione per limitare tali rischi.

5. Classificazione dei dati. Sojern manterrà politiche e procedure per classificare le risorse informative sensibili, chiarire le responsabilità in materia di sicurezza e promuovere la consapevolezza di tutti i dipendenti.

6. Crittografia. Sojern implementerà meccanismi di crittografia standard del settore e suite di crittografia avanzate (si consiglia AES a 256 bit) per l'archiviazione e la trasmissione. Sojern accetterà connessioni su canali crittografati (si consiglia TLS).

7. Sicurezza della rete. Sojern proteggerà la propria rete utilizzando un approccio di difesa approfondito che utilizza apparecchiature disponibili in commercio e tecniche standard del settore, inclusi, a titolo esemplificativo, firewall, sistemi di rilevamento delle intrusioni, elenchi di controllo degli accessi e protocolli di routing.

8. Controlli contro virus e malware. Sojern proteggerà i dati personali da codici dannosi e installerà e manterrà software di protezione da virus e malware su qualsiasi sistema che gestisca i dati personali.

9. Controllo degli accessi. Sojern applicherà il principio del privilegio minimo laddove l'accesso ai Dati personali sia concesso solo a coloro all'interno dell'organizzazione che hanno esigenze aziendali per tale accesso e le autorizzazioni saranno limitate alla quantità minima richiesta per svolgere la specifica funzione lavorativa.

10. Luogo del trattamento. I dati personali saranno trattati da Sojern negli Stati Uniti, fatte salve le leggi sulla protezione dei dati applicabili che potrebbero richiedere diversamente.

11. Risposta agli incidenti. Sojern manterrà un programma di risposta agli incidenti di sicurezza dei dati e documenterà tutti i sospetti incidenti di sicurezza dei dati. Sojern indagherà su eventuali incidenti di sicurezza dei dati e adotterà tutte le misure necessarie per eliminare o contenere l'incidente di sicurezza dei dati.

12. Personale. Sojern manterrà un programma di sensibilizzazione e formazione sulla sicurezza delle informazioni e formerà il personale responsabile di Sojern sulle misure di protezione dei dati e sulle protezioni generali in materia di sicurezza informatica.

13. Fornitore. Sojern manterrà un programma di gestione dei fornitori che valuterà tutti i fornitori con cui Sojern scambia dati personali. Tali fornitori saranno tenuti a rispettare standard di sicurezza dei dati non meno restrittivi di quelli stabiliti nel presente documento.

‍