Data Processing Addendum
1. Introduction and Scope
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between HQ Rental Software (“Processor” or “HQ”) and Customer (“Controller”) and governs the processing of Personal Data (as defined below) by HQ on behalf of Controller.
This DPA applies when Customer is located in the European Economic Area (“EEA”), Switzerland, or the United Kingdom and uses the Services to process Personal Data of data subjects located in those jurisdictions.
2. Definitions
For purposes of this DPA:
- “Controller” means the Customer who determines the purposes and means of processing Personal Data.
- “Data Protection Laws” means all applicable laws relating to data protection, privacy and security, including the GDPR, and any implementing, derivative or related legislation, rule and regulation, in each case as amended or replaced from time to time.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person processed by HQ on behalf of Controller in connection with the Services.
- “Processing” has the meaning given in the GDPR and “process”, “processes” and “processed” shall be construed accordingly.
- “Processor” means HQ Rental Software, which processes Personal Data on behalf of Controller.
- “Services” means the HQ Rental Software platform and related services provided to Controller under the Terms of Service.
- “Sub-processor” means any third party appointed by HQ to process Personal Data on behalf of Controller in connection with the Services.
3. Roles and Responsibilities
3.1 Controller and Processor
The parties acknowledge and agree that with respect to Personal Data processed in connection with the Services, Controller is the data controller and HQ is the data processor.
3.2 Controller’s Responsibilities
Controller shall:
- Ensure it has all necessary rights and consents to provide Personal Data to HQ for processing under this DPA;
- Comply with all applicable Data Protection Laws in its use of the Services;
- Ensure that its instructions to HQ comply with applicable Data Protection Laws; and
- Inform HQ immediately if it believes HQ is processing Personal Data in violation of applicable Data Protection Laws.
4. Nature and Purpose of Processing
4.1 Processing Details
HQ shall process Personal Data only as necessary to provide the Services and as instructed by Controller, which instructions are set forth in the Terms of Service and this DPA.
Subject Matter:
Processing of Personal Data necessary for the provision of car rental management software services.
Duration:
For the term of the Services agreement, including any renewal periods, and for the retention period required for backups and legal compliance.
Purpose:
To enable Controller to manage car rental operations, including online bookings, customer management, payment processing, and operational reporting.
Nature of Processing:
Storage, retrieval, organization, modification, backup, and deletion of Personal Data through the Services.
Categories of Data Subjects:
Controller’s customers (car rental customers), employees, and authorized users of the Services.
Types of Personal Data:
- Contact information (names, email addresses, phone numbers)
- Identification data (driver’s license information, passport data)
- Financial data (payment card metadata, transaction history)
- Booking and rental information (reservation details, vehicle data, rental periods)
- Usage data (IP addresses, login information, system access logs)
5. Processor Obligations (Article 28 GDPR)
5.1 Processing Instructions
HQ shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by EU or Member State law. In such case, HQ shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
5.2 Confidentiality
HQ shall ensure that persons authorized to process Personal Data are subject to confidentiality obligations, whether by contract or statutory duty.
5.3 Security of Processing
Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, HQ shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- Pseudonymization and encryption of Personal Data where appropriate;
- The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems;
- The ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
Specific Security Measures:
- Encryption: Data encrypted in transit and at rest
- Access Controls: Role-based access control, multi-factor authentication, regional permission restrictions
- Audit Logging: Comprehensive logging of all data access and modifications, retained for a minimum of 6 months
- Infrastructure Security: Regular security updates, vulnerability scanning, penetration testing, DDoS protection
- Data Backup: Encrypted backups stored in AWS S3 and Glacier with geographic redundancy
5.4 Sub-processors
Controller provides general authorization for HQ to engage Sub-processors to process Personal Data, provided HQ complies with the following requirements:
- HQ maintains a list of Sub-processors at https://hqrentalsoftware.com/dpa-subprocessors/ (the “Sub-processor List”);
- Controller may object to a new Sub-processor if it has reasonable grounds relating to data protection compliance;
- HQ imposes data protection obligations on Sub-processors that provide at least the same level of protection as this DPA, including appropriate data transfer mechanisms where Sub-processors are located outside the EEA.
5.5 Assistance with Data Subject Rights
HQ shall, taking into account the nature of processing, assist Controller by appropriate technical and organizational measures in fulfilling Controller’s obligation to respond to requests from data subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, data portability, restriction of processing, and objection to processing).
Where a data subject submits a request directly to HQ, HQ shall promptly forward such request to Controller unless prohibited by law.
5.6 Assistance with Compliance
HQ shall, taking into account the nature of processing and information available to HQ, provide reasonable assistance to Controller in ensuring compliance with obligations under Data Protection Laws regarding:
- Security of processing (Article 32 GDPR);
- Personal data breach notification (Articles 33-34 GDPR);
- Data protection impact assessments (Article 35 GDPR); and
- Prior consultation with supervisory authorities (Article 36 GDPR).
5.7 Personal Data Breach Notification
HQ shall notify Controller without undue delay upon becoming aware of a Personal Data breach affecting Controller’s Personal Data. Such notification shall include, to the extent possible:
- Description of the nature of the breach, including the categories and approximate number of data subjects and Personal Data records concerned;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate its possible adverse effects.
5.8 Deletion or Return of Personal Data
Upon termination or expiry of the Services, HQ shall, upon Controller’s request, delete or return all Personal Data to Controller, unless applicable law requires continued storage.
5.9 Audit Rights
HQ shall make available to Controller information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller. Controller shall provide HQ with reasonable prior written notice of any intended audit. Any audit shall be conducted during regular business hours, subject to HQ’s security and confidentiality policies, and shall not unreasonably interfere with HQ’s business activities.
6. International Data Transfers
6.1 Data Locations
Customer data from EEA-based customers is primarily stored in HQ’s Netherlands data center (operated by DigitalOcean). This data is replicated to HQ’s United States infrastructure (operated by Linode) for the following purposes:
- Backup and disaster recovery (AWS S3 and Glacier);
- Centralized application processing and analytics;
- Internal admin operations and reporting;
- Staging and development environments for troubleshooting and support.
Additionally, Personal Data may be accessed by HQ personnel located globally for technical support, system maintenance, and customer service purposes.
6.2 Transfer Mechanisms
Where Personal Data is transferred from the EEA to countries that have not received an adequacy decision from the European Commission, HQ relies on the following mechanisms:
6.2.1 Standard Contractual Clauses
The parties agree that, for transfers of Personal Data to the United States and other third countries without an adequacy decision, the Standard Contractual Clauses adopted by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “Standard Contractual Clauses” or “SCCs”) shall apply, as incorporated by reference in Annex A to this DPA.
The Standard Contractual Clauses are deemed completed as follows:
- Module: Module 2 (Controller to Processor) applies.
- Data exporter: Controller (as identified in the Terms of Service).
- Data importer: HQ Rental Software, Mahaaiweg 4, Willemstad, Curaçao.
- Competent supervisory authority: The supervisory authority in the Member State where Controller is established or, if Controller is not established in the EU, the supervisory authority of the Member State where Controller’s representative (if any) is established.
- Clause 7 (Docking clause): Optional docking clause does not apply.
- Clause 9 (Use of sub-processors): Option 2 (General authorization with notice) applies, as described in Section 5.4 of this DPA.
- Clause 11 (Redress): Optional clause does not apply.
- Clause 17 (Governing law): The laws of [Member State where Controller is established] shall apply. If Controller is not established in a Member State, the laws of Ireland shall apply.
- Clause 18 (Choice of forum and jurisdiction): The courts of [Member State where Controller is established] shall have jurisdiction. If Controller is not established in a Member State, the courts of Ireland shall have jurisdiction.
6.2.2 Supplementary Measures
In addition to the Standard Contractual Clauses, HQ has implemented the following supplementary technical, organizational, and contractual measures to ensure an adequate level of protection for Personal Data transferred to third countries:
Technical Measures:
- End-to-end encryption of data in transit using TLS 1.3 with strong cipher suites;
- Encryption of data at rest using AES-256 encryption;
- Encryption key management with keys stored separately from encrypted data;
- Pseudonymization of certain data fields where feasible.
Organizational Measures:
- Strict access controls limiting personnel access to Personal Data on a need-to-know basis;
- Multi-factor authentication for all administrative access;
- Regional permission controls allowing restriction of staff access to EEA data;
- Comprehensive audit logging of all data access with 6-month minimum retention;
- Mandatory confidentiality agreements for all employees and contractors;
- Regular security awareness training for all personnel;
- Incident response procedures for data breaches and unauthorized access.
Contractual Measures:
- All Sub-processors are bound by equivalent or more stringent data protection obligations;
- Sub-processor contracts include appropriate data transfer mechanisms (SCCs or adequacy decisions);
- Right to audit Sub-processor compliance with data protection obligations.
6.3 Transfer Impact Assessment
HQ has conducted a transfer impact assessment pursuant to the recommendations of the European Data Protection Board. Based on this assessment, HQ has determined that:
- The nature of the data processed is primarily business and transactional data related to car rental operations;
- The supplementary measures implemented provide effective protection against access by public authorities in third countries;
- HQ has no reason to believe it would be subject to measures by public authorities that would create a conflict with its data protection obligations;
- In the unlikely event of a government access request, HQ would challenge any unlawful or overbroad requests and notify Controller to the extent legally permissible.
7. Liability and Indemnification
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Terms of Service. The parties agree that any regulatory penalties imposed on one party due to the other party’s non-compliance with this DPA shall be considered a direct damage for which the non-compliant party shall be liable to the compliant party.
8. Term and Termination
This DPA shall remain in effect for so long as HQ processes Personal Data on behalf of Controller. Upon termination of the Services or this DPA, HQ shall delete or return Personal Data as specified in Section 5.8. The provisions regarding confidentiality, liability, and governing law shall survive termination.
9. General Provisions
9.1 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Terms of Service, this DPA shall prevail to the extent of the conflict with respect to the processing of Personal Data.
9.2 Amendments
HQ may update this DPA from time to time to reflect changes in Data Protection Laws, regulatory guidance, or HQ’s data processing practices.
9.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be replaced with a valid and enforceable provision that most closely approximates the intent and economic effect of the invalid or unenforceable provision.
9.4 Entire Agreement
This DPA, together with the Terms of Service and any applicable Order Forms, constitutes the entire agreement between the parties concerning the processing of Personal Data and supersedes all prior or contemporaneous discussions, agreements, or representations.
Annex A: Standard Contractual Clauses
The Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, are incorporated by reference into this DPA.
The full text of the Standard Contractual Clauses is available at:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
The parties agree that Module 2 (Controller to Processor) of the Standard Contractual Clauses applies, with the specifications set forth in Section 6.2.1 of this DPA.
10. Contact Information
Data Protection Inquiries:
For questions about this DPA, data processing practices, or to exercise rights under this DPA, Controller may contact HQ at: [email protected]
Sub-Processor List:
The current Sub-Processor List is available at: https://hqrentalsoftware.com/dpa-subprocessors
ACKNOWLEDGMENT
By accepting the Terms of Service or continuing to use the Services after the effective date of this DPA, Controller acknowledges that it has read, understood, and agrees to be bound by this Data Processing Addendum, including the Standard Contractual Clauses incorporated by reference.
This DPA is effective as of the date Controller first accepts the Terms of Service that reference this DPA or, for existing customers, effective upon posting.
HQ RENTAL SOFTWARE
Mahaaiweg 4
Willemstad, Curaçao
Email: [email protected]
Website: hqrentalsoftware.com