Legal
Data Processing Agreement (DPA)
Last updated: 2026-05-25
Document supplementary to the TurIA Terms and Conditions. In the event of a discrepancy regarding the processing of the personal data of the Client's end users, this Agreement prevails.
This Data Processing Agreement (the "Agreement" or "DPA") governs the processing of personal data that Turia Core Limited carries out on behalf of the Client when providing the services of the TurIA platform. It forms an integral part of the contract between the two parties and is perfected upon acceptance of the Terms and Conditions or upon contracting the services.
This Agreement is intended, in particular, for Clients subject to Regulation (EU) 2016/679 (GDPR) or equivalent regulations requiring them to formalise a data processing arrangement with their providers. Its purpose is to offer the Client the safeguards its regulations require when personal data under its responsibility is processed through the Platform.
1. Parties
- Data processor: Turia Core Limited, a company incorporated in Hong Kong, with registration number 80323428 and registered office at Unit B, 12/F, Hang Seng Causeway Bay Building, 28 Yee Wo Street, Causeway Bay, Hong Kong (hereinafter, "TurIA").
- Data controller: the natural or legal person that contracts TurIA's services, identified in its account and in the contract (hereinafter, the "Client" or the "Controller").
The Client acts as data controller with respect to the personal data of its end users. TurIA acts as processor, processing such data solely on behalf of and according to the Client's instructions.
2. Definitions
The terms "personal data", "processing", "controller", "processor", "data subject", "personal data breach" and "supervisory authority" have the meaning given to them by applicable data protection regulations, in particular the GDPR. "Sub-processor" means any third party engaged by TurIA to process personal data on behalf of the Client.
3. Subject matter and scope
The purpose of the Agreement is to enable TurIA to process, on behalf of the Client, the personal data necessary to provide the contracted services (among others, TurIA Assistant, TurIA Bookings and TurIA Analytics). The details of the processing —categories of data and data subjects, purpose, nature and duration— are described in Annex I.
TurIA will process the personal data exclusively to provide the services and comply with the Client's instructions, and will not use it for its own purposes or disclose it to third parties except as provided in this Agreement or by legal obligation.
4. Duration
This Agreement will remain in force for as long as TurIA provides services to the Client that involve the processing of personal data on its behalf. The confidentiality obligations and those relating to the return or deletion of data will survive its termination.
5. Controller's instructions
TurIA will process personal data only following the Client's documented instructions, including those relating to international transfers, unless a legal obligation requires otherwise, in which case TurIA will inform the Client of that requirement before processing, unless legally prohibited.
The Client's initial instructions are those resulting from the Terms and Conditions, this Agreement and the configuration and normal use of the Platform. The Client may give additional reasonable instructions in compliance with the regulations. If TurIA considers that an instruction infringes applicable data protection regulations, it will inform the Client without delay.
6. TurIA's obligations (Processor)
TurIA undertakes to:
- (a) Process personal data only in accordance with the Client's documented instructions.
- (b) Ensure that persons authorised to process the data have committed to confidentiality or are under an equivalent statutory obligation of confidentiality.
- (c) Adopt the appropriate technical and organisational measures described in Annex II to ensure a level of security appropriate to the risk.
- (d) Comply with the conditions for engaging sub-processors set out in clause 10.
- (e) Assist the Client, as far as possible, in responding to requests from data subjects exercising their rights (clause 11).
- (f) Assist the Client in complying with its obligations regarding security, breach notification and impact assessments, taking into account the nature of the processing and the information available.
- (g) At the Client's choice, return or delete the personal data at the end of the provision of the services, in accordance with clause 15.
- (h) Make available to the Client the information necessary to demonstrate compliance with these obligations and allow audits in accordance with clause 14.
7. Client's obligations (Controller)
The Client undertakes to:
- (a) Have a valid legal basis for processing the personal data it loads onto the Platform and to have informed the data subjects in accordance with applicable regulations.
- (b) Give TurIA lawful instructions that comply with data protection regulations.
- (c) Comply, in its capacity as controller, with its corresponding obligations, including handling data subjects' rights regarding the data under its responsibility.
- (d) Ensure, beforehand and throughout the processing, compliance with the regulations applicable to its activity.
The Client is solely responsible for the lawfulness of the data it processes through the Platform and for the instructions it gives to TurIA.
8. Personnel and confidentiality
TurIA guarantees that staff with access to personal data are subject to a duty of confidentiality and have received appropriate data protection training. Access is limited to those who need it to provide the services.
9. Security of processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of data subjects, TurIA will apply the appropriate technical and organisational measures described in Annex II, which it may update to maintain or improve the level of security, without this entailing any reduction of the safeguards.
10. Sub-processors
The Client gives TurIA general authorisation to engage sub-processors for the provision of the services. The list of sub-processors authorised as of the date appears in Annex III.
TurIA will impose on its sub-processors, by contract, data protection obligations equivalent to those of this Agreement, and will be liable to the Client for their compliance.
TurIA will inform the Client of any addition or replacement of sub-processors with reasonable notice, giving the Client the opportunity to object on reasonable grounds relating to data protection. In the event of an unresolved objection, the Client may terminate the affected part of the service.
11. Assistance to the Controller
Data subjects' rights. Where a data subject sends TurIA a request to exercise rights (access, rectification, erasure, objection, restriction, portability or others), TurIA will forward it to the Client without delay and will not respond directly unless instructed by the Client or required by law. TurIA will assist the Client, through the Platform's features or reasonable measures, in handling such requests.
Impact assessments. TurIA will provide the Client with reasonable assistance in carrying out data protection impact assessments and, where applicable, in prior consultations with the supervisory authority, taking into account the nature of the processing and the information available.
12. Personal data breaches
TurIA will notify the Client, without undue delay after becoming aware of it, of any breach of the security of the personal data processed on behalf of the Client. The notification will include, as far as possible, the information reasonably available so that the Client can comply with its own notification obligations, and will be accompanied by the measures adopted or proposed.
TurIA's notification obligation does not imply any acknowledgement of fault or liability with respect to the incident.
13. International transfers
For the provision of the services, personal data may be processed in infrastructure or by sub-processors located outside the European Economic Area, including TurIA's place of establishment.
Where personal data subject to the GDPR is transferred to a country that does not offer an adequate level of protection, the parties will adopt a valid transfer mechanism in accordance with the regulations, with the Standard Contractual Clauses approved by the European Commission deemed incorporated by reference, with TurIA acting as data importer, together with the supplementary measures that are necessary. The foregoing applies to the extent that such a mechanism is required of the Client under its regulations.
14. Audit
TurIA will make available to the Client the information reasonably necessary to demonstrate compliance with this Agreement. The Client may carry out audits, itself or through an independent third party bound by confidentiality, with reasonable notice, no more than once a year (except at the request of a supervisory authority or following a security incident), during working hours and without affecting the operation or security of other clients. TurIA may satisfy these requests by providing reports, certifications or equivalent documentation where this is sufficient.
15. Return or deletion of data
At the end of the provision of the services, TurIA, at the Client's choice, will return the personal data in a commonly used format or delete it, together with existing copies, unless a legal obligation requires its retention. This provision applies consistently with the retention period set out in the Terms and Conditions (thirty days to download the account data after the end of the contract).
16. Liability
The liability of the parties arising from this Agreement will be governed by the provisions of the Terms and Conditions and by applicable data protection regulations. Each party will be liable to the other for the damages caused by the breach of the obligations corresponding to it under this Agreement.
17. Governing law
This Agreement is governed by the laws of the Hong Kong Special Administrative Region, without prejudice to the mandatory provisions of the data protection regulations applicable to the Client. Jurisdiction is determined in accordance with the corresponding clause of the Terms and Conditions.
Annex I — Processing details
- Controller: the Client.
- Processor: Turia Core Limited.
- Subject matter of the processing: provision of the TurIA platform services contracted by the Client.
- Nature and purpose: hosting, management, automated communication (including the AI assistant), booking management and analytics, according to the contracted products.
- Duration: that of the contractual relationship between the parties.
- Categories of data subjects: the Client's end users and contacts (for example, travellers, the Client's prospective and actual customers).
- Categories of personal data: identification and contact data (name, email, phone), booking or enquiry data, content of the communications managed through the Platform and technical browsing data. The Client undertakes not to include special categories of data unless strictly necessary and in compliance with the regulations.
Annex II — Technical and organisational measures
By way of example, TurIA applies measures such as:
- Encryption of communications and role-based access control with authentication.
- Logical segregation of each client's data in a multi-tenant environment.
- Backups and recovery procedures.
- Access logging and traceability of relevant operations.
- Application of security updates and infrastructure hardening.
- Staff duty of confidentiality and access limited on a need-to-know basis.
- Incident management and security breach notification procedures.
TurIA reviews and improves these measures on an ongoing basis.
Annex III — Authorised sub-processors
As of the date of this Agreement, TurIA uses the following categories of sub-processors:
| Category | Purpose | Location |
|---|---|---|
| Cloud infrastructure provider | Hosting and processing of the Platform | Outside the EEA (details available on request) |
| Stripe | Payment processing | Per its policy |
| Meta / WhatsApp | Assistant messaging channel | Per its policy |
| AI model providers | Processing of the assistant's queries | Per its policy |
TurIA will keep this list updated and provide it to the Client on request.
Turia Core Limited — turia.tech
Questions about this document? info@turia.tech