Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Platform Agreement between wakesys sàrl ("Processor", "wakesys", "we", "us") and the Park identified in the Order Form ("Controller", "Park", "you", "your").

This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

• "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR.
• "Personal Data" means any information relating to an identified or identifiable natural person processed by wakesys on behalf of the Controller.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
• "Data Subject" means the individual to whom Personal Data relates.
• "Sub-processor" means any third party engaged by wakesys to process Personal Data on behalf of the Controller.
• "Personal Data Breach" means a breach of security leading to unauthorized disclosure of, or access to Personal Data.
• "Standard Contractual Clauses" means the contractual clauses adopted by the European Commission for international data transfers.

2. Scope and Roles

2.1 Roles

• You (the Park) are the Controller. You determine the purposes and means of processing Personal Data of your Customers.
• wakesys is the Processor. We process Personal Data only on your behalf and according to your documented instructions.

2.2 Subject Matter

This DPA applies to the processing of Personal Data by wakesys in connection with providing the Platform services.

2.3 Duration

This DPA will remain in effect for the duration of the Platform Agreement.

3. Details of Processing

3.1 Nature and Purpose

wakesys processes Personal Data to provide the Platform services, including:

• Processing and managing bookings
• Processing payments
• Managing digital waivers
• Sending transactional emails
• Providing customer management features
• Generating reports and analytics

3.2 Categories of Data Subjects

• Customers who book or purchase through the Platform
• Guests added to bookings by Customers
• Visitors who sign waivers or register on-site

3.3 Types of Personal Data

4. Controller Obligations

As the Controller, you are responsible for:

• Ensuring you have a lawful basis for processing Personal Data
• Providing appropriate privacy notices to Data Subjects
• Obtaining necessary consents where required
• Responding to Data Subject requests
• Compliance with applicable data protection laws

5. Processor Obligations

5.1 Processing Instructions

wakesys will:

• Process Personal Data only on your documented instructions
• Inform you if we believe an instruction violates Data Protection Laws

5.2 Confidentiality

wakesys ensures that persons authorized to process Personal Data are bound by confidentiality obligations.

5.3 Security Measures

Technical Measures:

• Encryption of data in transit (TLS 1.2+/HTTPS)
• Encryption of data at rest (AES-256) for sensitive data
• Secure password hashing (bcrypt with salt)
• Secure hosting infrastructure (AWS and Fly.io)
• Automated backups with encryption
• Network firewalls and intrusion detection (via hosting providers)

Organizational Measures:

• Employee confidentiality agreements
• Principle of least privilege for data access
• Access restricted to essential personnel only
• Sub-processors limited to established, GDPR-compliant providers
• Regular review of access rights

5.4 Assistance with Data Subject Rights

wakesys will assist you in responding to Data Subject requests (access, rectification, erasure, portability, etc.) by providing relevant features in the Platform and reasonable cooperation. You are responsible for responding directly to Data Subjects.

5.5 Assistance with Compliance

Taking into account the nature of processing and information available, wakesys will assist you with data protection impact assessments and consultations with supervisory authorities, to the extent required.

5.6 Audit Rights

wakesys will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Such audits shall be conducted with reasonable prior notice (at least 30 days) and during normal business hours, no more than once per year unless required by a supervisory authority. The Controller shall bear the costs of any audit, including any reasonable charges for wakesys staff time and resources involved.

6. Sub-processors

6.1 Authorization

You authorize wakesys to engage Sub-processors. wakesys remains fully liable for the acts and omissions of its Sub-processors.

6.2 Current Sub-processors

6.3 Changes to Sub-processors

wakesys will notify you of any intended changes to Sub-processors at least 30 days before the change.

7. International Data Transfers

7.1 Primary Storage

Personal Data is primarily stored within the European Union (AWS and Fly.io, Frankfurt, Germany).

7.2 Transfers Outside the EU/EEA

Where Personal Data is transferred to countries outside the EU/EEA, wakesys ensures appropriate safeguards are in place, including Standard Contractual Clauses.

8. Personal Data Breach

8.1 Notification

wakesys will notify you without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach.

8.2 Cooperation

wakesys will cooperate with you to investigate, mitigate, and remediate the breach.

9. Data Deletion and Return

Upon termination of the Platform Agreement:

• You may request an export of your Personal Data within 30 days
• wakesys will delete the Personal Data after 30 days or upon your confirmation

10. Contact Information

Data Protection Contact
wakesys sàrl
3, montée St. Hubert
8387 Koerich
Luxembourg

Email: info@wakesys.com

11. Governing Law

This DPA is governed by the laws of Luxembourg. Any disputes shall be resolved exclusively in the courts of Luxembourg City, Luxembourg.