Terms & Policies · Data Processing

Data Processing Addendum

EffectiveJune 6, 2026
Last updatedJune 6, 2026
EntityMG Innovation Lab, Inc. (DBA Globaleur)
Contactlegal@globaleur.com

01Scope & roles

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer," the controller) and MG Innovation Lab, Inc. DBA Globaleur ("Globaleur," the processor) for the provision of the Globaleur platform (the "Services"). It governs Globaleur’s processing of personal data on Customer’s behalf and reflects the parties’ obligations under applicable data-protection laws, including the EU/UK GDPR and US state privacy laws.

02Definitions

Terms such as "personal data," "processing," "controller," "processor," "data subject," and "supervisory authority" have the meanings given in applicable data-protection law. "Subprocessor" means any third party engaged by Globaleur to process personal data.

03Details of processing

Subject matterProvision of the Globaleur AI platform
DurationTerm of the underlying agreement
Nature & purposeHosting, processing, and generating recommendations from traveler signals
Data subjectsCustomer’s travelers, members, and end users
Data categoriesIdentifiers, itinerary & loyalty data, behavioral signals, and content of interactions

Customer must not provide special-category data except as expressly agreed in writing.

04Customer instructions

Globaleur processes personal data only on documented instructions from Customer, including as set out in the agreement and this DPA, unless required by law. Globaleur will inform Customer if, in its opinion, an instruction infringes applicable data-protection law.

05Confidentiality

Globaleur ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and receive data-protection and security training.

06Security measures

Globaleur implements and maintains appropriate technical and organizational measures to protect personal data, including:

  • encryption of data in transit and at rest;
  • logical tenant isolation and least-privilege access controls;
  • network segmentation, monitoring, and logging;
  • secure software-development and change-management practices; and
  • business continuity and disaster-recovery procedures.

07Subprocessors

Customer authorizes Globaleur to engage subprocessors to support the Services. Globaleur imposes data-protection obligations on each subprocessor no less protective than this DPA and remains responsible for their performance. Globaleur will give notice of intended changes to subprocessors, allowing Customer to object on reasonable data-protection grounds.

The current subprocessors are:

SubprocessorPurposeLocation
Cloud infrastructure providerInfrastructure hosting, storage, networking, security, and service availabilityUnited States and/or other regions used to provide the Services
AI model and orchestration providerModel inference, AI processing, orchestration, and related service functionalityUnited States and/or other regions used to provide the Services
Analytics providerProduct analytics, usage measurement, diagnostics, and service improvementUnited States and/or other regions used to provide the Services
Email, CRM, and communications providerCustomer communications, sales operations, support, and relationship managementUnited States and/or other regions used to provide the Services

Globaleur will maintain an up-to-date list of subprocessors and make such list available upon request or through a designated webpage or notice mechanism.

08Data subject requests

Taking into account the nature of the processing, Globaleur will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to data-subject requests to exercise their rights. If Globaleur receives a request directly from a data subject, it will, where legally permitted, direct the request to Customer.

09Personal data breach

Globaleur will notify Customer without undue delay, and in any case within seventy-two (72) hours of becoming aware of a personal data breach affecting Customer personal data. Globaleur will provide information reasonably necessary for Customer to meet its notification obligations, including, where available, the nature of the breach, the categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach.

10International transfers

Where processing involves transfer of personal data out of the EEA, UK, or Switzerland, the parties rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum, as applicable), which are incorporated by reference, together with supplementary measures where required.

11Audits

Globaleur makes available information necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by Customer or an auditor it mandates, subject to reasonable confidentiality and frequency limits. Globaleur may satisfy audit requests by providing third-party certifications and reports (e.g., SOC 2).

12Return & deletion

Upon termination of the Services, Globaleur will, at Customer’s choice, delete or return all Customer personal data and delete existing copies unless retention is required by law. Backup copies are deleted in line with documented retention schedules.