Data Processing Addendum

You (the customer) are the controller of your guests' personal data. We (Expedition) are the processor, processing only on your documented instructions.

Subject matter: providing Expedition's SaaS to you. Duration: for the term of your subscription, plus the 30-day soft-delete window.

• Your guests, leads, co-hosts, and back-office partners
• Identification data: name, email, phone
• Booking data: trips, prices, payments, balances
• Optional: dietary, medical, emergency contact, passport (encrypted at rest)

We engage the following sub-processors. Updates notified at least 30 days before they take effect.

• Stripe — payments and billing
• Resend — transactional email
• Cloudflare — CDN, image transformation, R2 storage
• Hetzner / Coolify host — Postgres, app hosting (EU)
• Sentry — error tracking
• Axiom — log aggregation
• Better Stack — uptime monitoring

See /security for the full posture: tenant isolation via Postgres RLS, EU residency, TLS 1.2+, encryption at rest, application-layer encryption for sensitive fields, audit log on every write, nightly off-region backups with quarterly tested restores.

You can fulfil access, deletion, correction, and portability requests for your guests via the in-app tools. We assist as needed and respond to your support tickets within statutory timeframes.

Your tenant data is stored in the EU by default. Stripe processes payment data per its own DPA, which uses Standard Contractual Clauses for any necessary transfers.

We provide reasonable assistance for audits. We can supply security documentation, sub-processor list, penetration test summaries on request.

On termination, we offer a 30-day window for data export. After the window, all tenant data is hard-purged within 30 days.