Data Processing Agreement (DPA)

Last updated: November 1, 2025

This Data Processing Agreement (“DPA”) forms part of the Voyant Terms of Service between PixelMakers Studio Srl under Voyant brand (“Voyant,” “Processor”) and the customer organization that has executed or accepted those Terms (“Customer,” “Controller”).

1. Definitions

For this DPA:

  • "Applicable Data Protection Law" means all laws and regulations relating to data protection, privacy, and the processing of Personal Data, including the EU GDPR (2016/679), the UK GDPR, and the CCPA/CPRA where applicable.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed under the Agreement.
  • "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the meanings set out in the GDPR.
  • "Subprocessor" means any third party engaged by Voyant to process Personal Data on behalf of the Customer.
  • "Workspace" refers to an operational unit within a Tenant as defined in the Terms of Service.
  • "Region" means the data-residency location (EU or US) selected by the Customer at the Workspace level.

2. Roles of the Parties

  • The Customer acts as the Data Controller.
  • Voyant acts as the Data Processor for Personal Data that the Customer submits or stores in the Services.
  • The Customer is responsible for ensuring that its use of the Services complies with all applicable Data Protection Laws.

3. Subject Matter and Duration

Voyant processes Personal Data solely for the purpose of providing, supporting, and improving the Services as described in the Agreement.
Processing continues for the duration of the Agreement and until deletion of all Customer data as provided in Section 9.

4. Nature and Purpose of Processing

Voyant will process Personal Data to:

  • Host and store Customer data within the chosen Region
  • Manage user authentication and access control
  • Facilitate communications, bookings, and transactional operations
  • Provide analytics, search, and AI-assisted features
  • Deliver customer support and maintain service reliability

5. Categories of Data and Data Subjects

  • Data Subjects: End customers, travelers, and agency staff whose data the Customer enters into the Services.
  • Categories of Data: Names, contact details, booking references, traveler preferences, payment metadata (no card details), and other operational information entered by the Customer.
  • Voyant does not intentionally process special categories of data (e.g., health, religion, biometrics).

6. Data Residency and Transfers

  1. Customer may select an EU or US Region for each Workspace.
  2. Voyant stores and processes all PII within the selected Region.
  3. Region-Scoped Vendors (Neon, Pinecone, GCP) operate separate EU and US deployments to maintain data locality.
  4. Global Vendors (e.g., WorkOS, Twilio, Mailchimp, Stripe, Cloudflare, Resend, Intercom) provide supporting services that may involve limited cross-border transfers (metadata only).
  5. Where Personal Data is transferred outside the EEA or UK, Voyant relies on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

7. Confidentiality and Security

  1. Voyant ensures that all personnel authorized to process Personal Data are bound by confidentiality obligations.
  2. Voyant implements appropriate technical and organizational measures, including:
    • Encryption of data at rest and in transit
    • Role-based access controls
    • Network segmentation and logging
    • Multi-region redundancy and backup
    • Regular security testing and monitoring

8. Subprocessors

  1. Customer authorizes Voyant to engage the subprocessors listed in the Privacy Policy.
  2. Voyant shall ensure each Subprocessor is bound by written terms providing equivalent data-protection obligations as this DPA.
  3. Voyant will notify Customers of material changes to the Subprocessor list and allow reasonable objection where required by law.

9. Deletion and Return of Data

Upon termination of the Agreement or upon written request:

  • Voyant will, within 30 days, delete or return all Customer Personal Data in its possession.
  • Backups will be purged within 90 days.
  • Certain data may be retained where required by law (e.g., billing records).

10. Customer Responsibilities

The Customer is responsible for:

  • Providing lawful instructions and ensuring a valid legal basis for processing
  • Managing consents and data-subject rights within its own user base
  • Avoiding submission of unnecessary or sensitive data to the Services
  • Using secure authentication and access controls within its Workspaces

11. Data Subject Rights Assistance

Voyant shall, to the extent legally permitted, assist the Customer in fulfilling its obligations to respond to requests from Data Subjects under Applicable Law (access, correction, deletion, portability, etc.).

12. Audit and Compliance

Upon reasonable written notice (and not more than once per year), Customer may request Voyant’s most recent third-party security or compliance audit summary (e.g., SOC 2 Type II).
Voyant will provide additional information reasonably necessary to demonstrate compliance with this DPA.

13. Incident Notification

Voyant will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer data, describing:

  • The nature of the breach
  • Likely consequences
  • Measures taken or proposed to mitigate its effects

Voyant will cooperate with Customer and regulatory authorities as required.

14. Use of Aggregated Data

Voyant may process anonymized or aggregated data for service analytics and improvement, provided such data cannot identify any individual or Customer.

15. Liability

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement.

16. Termination and Survival

This DPA automatically terminates upon deletion of all Customer Personal Data.
Sections 7 (Security), 9 (Deletion), and 15 (Liability) survive termination.

17. Governing Law

This DPA is governed by the laws of Romania, and disputes shall be resolved in the competent courts of Ploiesti, unless otherwise required by Applicable Law.

Annex I – Description of Processing

Subject Matter

Processing of Personal Data for travel-management and booking operations

Nature & Purpose

Hosting, storage, communication, analytics, AI-assisted features

Duration

For the term of the Agreement and until deletion of data

Data Subjects

Customers, travelers, and agency employees

Categories of Data

Names, contact details, booking references, communications, payment metadata

Special Data Categories

None intentionally processed

Frequency

Continuous as required to deliver the Services

Annex II – Technical and Organizational Measures

  1. Encryption at rest and in transit (AES-256, TLS 1.2+)
  2. Access control and authentication via WorkOS SSO and RBAC
  3. Audit logging of administrative actions
  4. Logical separation of Tenant/Workspace data
  5. Secure software development and vulnerability scanning
  6. Regular penetration testing and code review
  7. Business-continuity and disaster-recovery plans
  8. Vendor risk assessment and DPA alignment
  9. Continuous monitoring for unauthorized access

Annex III – Subprocessors

Voyant engages the subprocessors listed in Section 10 of the Privacy Policy, including region-scoped vendors (GCP, Neon, Pinecone, Algolia, Clickhouse) and global vendors (WorkOS, Twilio, Stripe, Mailchimp, Resend, Cloudflare, Vercel, etc.).

By using Voyant’s Services, the Customer acknowledges and agrees to this Data Processing Agreement.

Need this signed? Send us an email.