Skip to main content

Documentation Index

Fetch the complete documentation index at: https://developers.safarapi.com/llms.txt

Use this file to discover all available pages before exploring further.

SafarAPI ships with a ready-to-sign DPA template drafted by Moroccan counsel and reviewed against GDPR Art. 28 and EDPB guidance. Most pilots sign it as-is.

What’s covered

The SafarAPI Data Processing Agreement (DPA, ref: SAFARAPI-DPA-v1.0) defines the conditions under which Safariat processes Personal Data on behalf of the Partner (controller). It covers:
  • Roles — Partner = controller, Safariat = processor.
  • Scope of processing — booking lifecycle (search, quote, reservation, cancellation, settlement).
  • Personal Data categories — minimum-data-required (first name, last name, email, phone; passport only for international flights).
  • Sub-processors — exhaustive list with regions and safeguards (see Annex 1 below).
  • Security measures — incorporated by reference from the TOMs annex and the Security Attestations.
  • Data subject rights — assistance within 10 business days.
  • Sub-processor changes — 30 days’ advance notice with right to object.
  • International transfers — Standard Contractual Clauses 2021/914 where applicable.
  • Retention — bookings 10 years (commercial law), audit log 7 years (Bank Al-Maghrib), API metadata 2 years post-termination.
  • Audits — annual right to request documentation; on-site audit on 30 days’ notice.
  • Security incidents — notification within 72 hours.
  • Governing law — Moroccan law, courts of Casablanca.

Sub-processors (current snapshot)

Sub-processorServiceRegionSafeguards
Cloudflare, Inc.R2 Object StorageEU-WestSCCs Module 3, AES-256
Contabo GmbHBare-metal hosting (K3s + CNPG)GermanyEU-based, LUKS full-disk encryption
Backblaze B2 (EU)Postgres PITR backups (RPO 5 min)GermanySCCs, AES-256
Backblaze B2 (US)Postgres logical backups (RPO 24h)US-EastSCCs, client-side AES-256, EDPB 01/2020 risk assessment
Vercel, Inc.Frontend hostingGlobal edge, EU originSCCs, no Data Subjects’ Personal Data
Mintlify, Inc.Documentation portalUSNo Personal Data — public docs only
Tailscale Inc.Internal VPN meshTransit onlyNo Personal Data transmitted
Let’s EncryptTLS certificate issuanceUS (public service)Domain names only

Download

DPA template (Markdown)

Source-of-truth document — versioned in Git, signable as-is after filling placeholders.

DPA template (PDF)

Generated quarterly — request the latest signed version from dpo@safarapi.com.

FAQ

Yes. The template is a starting point — most pilots sign it as-is, but reasonable redlines are accepted. Send the marked-up version to dpo@safarapi.com and we’ll respond within 5 business days.
Yes — Module 3 (Processor to Sub-processor) is already embedded in our agreements with Backblaze and Cloudflare for sub-processors that handle Personal Data outside the EU. We will sign Module 4 (Processor to Controller) with the Partner if the Partner is located outside the EU.
The DPA applies Moroccan Law 09-08 in parallel with GDPR. Where the two diverge, the stricter rule applies. We can support a CNDP declaration (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel) on your behalf if required.
Data subjects (travellers) interact with the Partner’s distribution channel, not directly with SafarAPI. The Partner forwards rectification, erasure, portability or restriction requests via dpo@safarapi.com with the booking number(s) concerned. SafarAPI responds within 10 business days.
On written request, we either (a) export all your data in machine-readable format (CSV or JSON) and delete the working copies, or (b) keep only the records required by Moroccan commercial law (bookings 10 years, audit log 7 years) and delete everything else. The data retention obligations under accounting and audit law cannot be contractually waived.

Contact

  • DPA negotiation and signature: dpo@safarapi.com
  • Sub-processor changes notification subscription: dpo@safarapi.com (subject: “Subscribe to sub-processor change notifications”)