Data Processing Agreement (DPA)
Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)
This Data Processing Agreement ("DPA") forms part of the agreement between the travel agency subscribing to the Ziyara.io platform (the "Agency", acting as controller) and Ziyara.io (acting as processor) for the provision of the Ziyara.io agency management service (the "Service"). It applies automatically to every Agency subscription. A countersigned copy is available on request at info@ziyara.io. Also available in German (Deutsch).
1. Subject matter and duration
Ziyara.io processes personal data on behalf of the Agency to the extent necessary to provide the Service: management of pilgrim records, groups, rooming, flights, payments, documents, communication (e-mail/SMS/WhatsApp), and related features. This DPA applies for the duration of the Agency's subscription and until all personal data has been deleted or returned in accordance with Section 10.
2. Nature and purpose of processing
Storage, organization, structuring, retrieval, use, transmission (e.g. sending communications instructed by the Agency, generating manifests and rooming lists), and deletion of personal data, solely for the purpose of operating the Agency's Umrah/Hajj travel administration within the Service.
3. Categories of data subjects and personal data
- Data subjects: the Agency's pilgrims (customers), prospective customers (inquiries), and the Agency's staff, guides and service partners.
- Personal data: identity data (name, date of birth, passport number, national ID, passport scans and photos), contact data (phone, e-mail, address), travel data (group, flights, rooming, visa status, vaccination dates), payment records (amounts, dates, balances — no card data), and communication content.
- Special categories (Art. 9 GDPR): participation in Umrah/Hajj travel may indirectly reveal religious beliefs; limited health-related data may be recorded (e.g. vaccination dates). The Agency warrants that it has a valid legal basis (typically the data subject's explicit consent) for this data.
4. Obligations of the processor (Ziyara.io)
Ziyara.io shall:
- process personal data only on the Agency's documented instructions, including as given through the Service's functions, unless required by EU or Member State law;
- ensure that persons authorized to process the data have committed themselves to confidentiality;
- implement appropriate technical and organizational measures pursuant to Art. 32 GDPR (Section 6 below);
- respect the conditions for engaging sub-processors (Section 5 below);
- taking into account the nature of the processing, assist the Agency with appropriate technical and organizational measures in fulfilling its obligation to respond to data subject requests (Arts. 12–23 GDPR);
- assist the Agency in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, data protection impact assessments), taking into account the information available to Ziyara.io;
- at the Agency's choice, delete or return all personal data at the end of the provision of the Service (Section 10);
- make available all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits (Section 9).
5. Sub-processors
The Agency grants Ziyara.io general authorization to engage the sub-processors listed at ziyara.io/subprocessors. Ziyara.io will inform the Agency of intended additions or replacements of sub-processors that process pilgrim data at least 14 days in advance (via e-mail or in-app notice), giving the Agency the opportunity to object. Ziyara.io imposes data protection obligations on each sub-processor equivalent to those in this DPA and remains fully liable to the Agency for the performance of each sub-processor's obligations.
6. Technical and organizational measures (Art. 32 GDPR)
- Hosting of application and database in the EU (Hetzner, Germany); file storage on AWS S3 in the EU (Frankfurt, eu-central-1).
- Encryption in transit (TLS) for all connections; encryption at rest (AES-256) for sensitive identity fields such as passport numbers and national IDs; short-lived signed URLs for file access.
- Strict multi-tenant isolation: each Agency's data is scoped to that Agency at the application level.
- Role-based access control within the Agency; two-factor authentication; audit logging of data changes.
- Administrative access by Ziyara.io support staff only for support purposes, logged and 2FA-protected.
- Encrypted backups with defined retention, stored separately from the primary infrastructure; documented restore procedure.
- Vulnerability management: dependency updates, error monitoring, and security patching of the underlying platform.
7. International transfers
Core service data is stored in the EU. Where a sub-processor processes personal data outside the EEA/UK, the transfer is protected by an appropriate safeguard under Chapter V GDPR: EU Standard Contractual Clauses, an adequacy decision, or certification under the EU–US Data Privacy Framework, as set out in the sub-processor list.
8. Personal data breach notification
Ziyara.io shall notify the Agency without undue delay after becoming aware of a personal data breach affecting the Agency's data, and shall provide the information reasonably required for the Agency to comply with its own notification obligations under Arts. 33 and 34 GDPR (nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed).
9. Audits and information
On written request (no more than once per year, unless a supervisory authority requires otherwise or a breach has occurred), Ziyara.io will provide the Agency with the information necessary to demonstrate compliance with this DPA, including summaries of security measures and sub-processor arrangements. Where this is insufficient, the Agency may conduct — at its own cost, with at least 30 days' notice, during business hours and without disrupting operations — an audit limited to the processing of its own data.
10. Deletion and return of data
During the subscription, the Agency can export its complete data (ZIP archive with structured JSON/CSV and files) self-service from the agency panel and can delete individual records at any time. Upon termination of the Service and at the Agency's choice, Ziyara.io will delete or return all personal data: live data is deleted within 30 days of the confirmed account deletion; residual copies in encrypted backups expire with the backup rotation thereafter, unless EU or Member State law requires longer storage.
11. Obligations of the controller (Agency)
The Agency is responsible for the lawfulness of the processing (including a legal basis for special-category data under Art. 9 GDPR, typically explicit consent obtained during booking), for the accuracy of the data entered, for informing its customers (Arts. 13/14 GDPR), for handling data subject requests addressed to it, and for using the Service's communication features (e-mail/SMS/WhatsApp) in compliance with applicable marketing and privacy laws.
12. Miscellaneous
In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection. Liability is governed by the Terms of Service and Art. 82 GDPR. If individual provisions of this DPA are invalid, the remainder stays unaffected. This DPA is provided in English and German; in case of discrepancies, the English version prevails.
Version 1.0 — 12 July 2026. Questions and signed copies: info@ziyara.io
See also: Sub-processors · GDPR & Data Protection · Privacy Policy