> ## Documentation Index
> Fetch the complete documentation index at: https://developers.safarapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Processing Agreement

> DPA template ready to sign — GDPR (EU) + Law 09-08 (Morocco)

<Tip>
  SafarAPI ships with a **ready-to-sign DPA template** drafted by Moroccan counsel and reviewed against GDPR Art. 28 and EDPB guidance. Most pilots sign it as-is.
</Tip>

## What's covered

The SafarAPI Data Processing Agreement (DPA, ref: `SAFARAPI-DPA-v1.0`) defines the conditions under which Safariat processes Personal Data on behalf of the Partner (controller). It covers:

* **Roles** — Partner = controller, Safariat = processor.
* **Scope of processing** — booking lifecycle (search, quote, reservation, cancellation, settlement).
* **Personal Data categories** — minimum-data-required (first name, last name, email, phone; passport only for international flights).
* **Sub-processors** — exhaustive list with regions and safeguards (see Annex 1 below).
* **Security measures** — incorporated by reference from the TOMs annex and the [Security Attestations](/trust/attestations).
* **Data subject rights** — assistance within 10 business days.
* **Sub-processor changes** — 30 days' advance notice with right to object.
* **International transfers** — Standard Contractual Clauses 2021/914 where applicable.
* **Retention** — bookings 10 years (commercial law), audit log 7 years (Bank Al-Maghrib), API metadata 2 years post-termination.
* **Audits** — annual right to request documentation; on-site audit on 30 days' notice.
* **Security incidents** — notification within 72 hours.
* **Governing law** — Moroccan law, courts of Casablanca.

## Sub-processors (current snapshot)

| Sub-processor     | Service                            | Region                 | Safeguards                                              |
| ----------------- | ---------------------------------- | ---------------------- | ------------------------------------------------------- |
| Cloudflare, Inc.  | R2 Object Storage                  | EU-West                | SCCs Module 3, AES-256                                  |
| Contabo GmbH      | Bare-metal hosting (K3s + CNPG)    | Germany                | EU-based, LUKS full-disk encryption                     |
| Backblaze B2 (EU) | Postgres PITR backups (RPO 5 min)  | Germany                | SCCs, AES-256                                           |
| Backblaze B2 (US) | Postgres logical backups (RPO 24h) | US-East                | SCCs, client-side AES-256, EDPB 01/2020 risk assessment |
| Vercel, Inc.      | Frontend hosting                   | Global edge, EU origin | SCCs, no Data Subjects' Personal Data                   |
| Mintlify, Inc.    | Documentation portal               | US                     | No Personal Data — public docs only                     |
| Tailscale Inc.    | Internal VPN mesh                  | Transit only           | No Personal Data transmitted                            |
| Let's Encrypt     | TLS certificate issuance           | US (public service)    | Domain names only                                       |

## Obtaining the DPA

The DPA (`SAFARAPI-DPA-v1.0`) is provided as a signable PDF on request — email
`dpo@safarapi.com`. On production approval, the countersigned copy is included
automatically in your compliance bundle. Reasonable redlines are accepted (see FAQ).

## FAQ

<AccordionGroup>
  <Accordion title="Can we redline the DPA?">
    Yes. The template is a starting point — most pilots sign it as-is, but reasonable redlines are accepted. Send the marked-up version to `dpo@safarapi.com` and we'll respond within 5 business days.
  </Accordion>

  <Accordion title="Do you sign the EU Standard Contractual Clauses?">
    Yes — Module 3 (Processor to Sub-processor) is already embedded in our agreements with Backblaze and Cloudflare for sub-processors that handle Personal Data outside the EU. We will sign Module 4 (Processor to Controller) with the Partner if the Partner is located outside the EU.
  </Accordion>

  <Accordion title="What about Loi 09-08 (Morocco)?">
    The DPA applies Moroccan Law 09-08 in parallel with GDPR. Where the two diverge, the stricter rule applies. We can support a CNDP declaration (`Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel`) on your behalf if required.
  </Accordion>

  <Accordion title="How do you handle data subject requests?">
    Data subjects (travellers) interact with the Partner's distribution channel, not directly with SafarAPI. The Partner forwards rectification, erasure, portability or restriction requests via `dpo@safarapi.com` with the booking number(s) concerned. SafarAPI responds within 10 business days.
  </Accordion>

  <Accordion title="What happens to data when we terminate?">
    On written request, we either (a) export all your data in machine-readable format (CSV or JSON) and delete the working copies, or (b) keep only the records required by Moroccan commercial law (bookings 10 years, audit log 7 years) and delete everything else. The data retention obligations under accounting and audit law cannot be contractually waived.
  </Accordion>
</AccordionGroup>

## Related documents

* [Service Level Agreement (SLA)](/trust/sla) — uptime commitments and credits.
* [Security Attestations](/trust/attestations) — technical and organisational measures snapshot.
* [Security overview](/security/overview) — high-level posture for your security team.

## Contact

* DPA negotiation and signature: `dpo@safarapi.com`
* Sub-processor changes notification subscription: `dpo@safarapi.com` (subject: "Subscribe to sub-processor change notifications")
