01 Introduction
This Data Processing Addendum (the "DPA") forms an integral part of, and is incorporated by reference into, the Odysseic Terms of Service (the "Agreement") between Odysseic Ventures Pte. Ltd. (UEN 202604236H) ("Odysseic") and the Customer that has accepted the Agreement (the "Customer").
It applies whenever Odysseic processes Personal Data on the Customer's behalf in the course of providing the Service — principally personal data about Divers (end-users of the Customer) that the Customer collects through Odysseic's booking surfaces, dashboard, APIs, or transactional email infrastructure. This DPA is binding from the moment the Customer accepts the Agreement; no separate signature is required.
Short version. The Customer (the dive operator) is the controller of Diver personal data. Odysseic is the processor — we host and transmit the data on the Customer's instructions, with documented security measures, vetted sub-processors, and breach notification commitments. If the Customer is established in the EEA, the UK, or Switzerland, the relevant Standard Contractual Clauses (or equivalent transfer mechanism) apply between the parties as set out in section 9.
02 Definitions
Capitalised terms not defined here have the meanings given in the Agreement.
| Term | Meaning |
|---|---|
| Data Protection Laws | All laws, regulations, and binding guidance applicable to the processing of Personal Data under this DPA, including (as applicable) the Singapore Personal Data Protection Act 2012 (the "PDPA"), the EU General Data Protection Regulation 2016/679 (the "GDPR"), the UK GDPR and the UK Data Protection Act 2018, the Swiss Federal Act on Data Protection, and other comparable data-protection legislation in the jurisdictions where the Customer operates or where Data Subjects reside. |
| Personal Data | Any information relating to an identified or identifiable natural person that the Customer or its Authorized Users submit to the Service, or that the Service collects about Divers and other Data Subjects on the Customer's behalf — including the categories listed in Annex 1. |
| Special Category Data | Personal Data falling within Article 9 GDPR (or equivalent under other Data Protection Laws), notably health-related data such as the standardised diver Medical Declaration the Customer may collect through the Service. |
| Data Subject | The individual to whom Personal Data relates — primarily Divers, but also (where the Customer chooses to record them in the Service) emergency contacts, accompanying minors, referring agents, and the Customer's own staff. |
| Controller / Processor / Sub-processor | As defined under the GDPR. The PDPA's "organisation" / "data intermediary" distinction is read as the functional equivalent. |
| Processing | Any operation performed on Personal Data, including collection, storage, retrieval, transmission, use, disclosure, erasure, and destruction. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data processed by Odysseic on the Customer's behalf. |
| SCCs | The EU Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), as published at eur-lex.europa.eu/eli/dec_impl/2021/914. |
| UK Addendum | The UK International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018. |
| Swiss Addendum | The Swiss FDPIC-approved adjustments to the SCCs for transfers of Personal Data subject to the Swiss FADP. |
03 Roles & scope
For the purposes of Data Protection Laws and in respect of the Personal Data covered by this DPA:
- The Customer is the Controller (or, where the Customer is itself a processor for an upstream controller, the controller's processor) of the Personal Data.
- Odysseic is the Processor (or sub-processor where the Customer is itself a processor).
This DPA does not apply to Personal Data that Odysseic collects and processes in its own right as a Controller — for example, the Customer's billing data, the contact details of the Customer's owners and staff for account administration, or marketing-site visitor data. Those processing activities are governed by our Privacy Policy.
Each party will comply with the Data Protection Laws applicable to its role. The Customer is responsible for the lawful basis for collecting and using the Personal Data, for providing privacy notices to Data Subjects, for honouring rights requests addressed to it, and for ensuring that its instructions to Odysseic comply with the Data Protection Laws.
04 Subject matter, duration, nature & purpose
The subject matter, duration, nature, purpose, categories of Data Subjects, and types of Personal Data processed under this DPA are set out in Annex 1. The duration of Processing is the term of the Agreement, plus any post-termination retention period required under section 13 or by law.
05 Customer instructions
Odysseic will process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country, unless Odysseic is required to process Personal Data by a law to which it is subject — in which case Odysseic will inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
The Customer's documented instructions consist of:
- This DPA and the Agreement;
- The configuration choices the Customer makes in the Service (policies, listings, scheduling rules, email templates, retention settings, exports, deletions);
- Reasonable instructions given in writing through the in-product messaging system, support tickets, or email to privacy@odysseic.com.
Odysseic will promptly inform the Customer if, in its opinion, an instruction infringes Data Protection Laws (GDPR Article 28(3) final paragraph, or equivalent). Odysseic may suspend the affected processing while the parties resolve the issue.
06 Personnel confidentiality
Odysseic will ensure that any person it authorises to process Personal Data — employees, contractors, advisors — is bound by a written confidentiality obligation, has received appropriate data-protection training, and accesses Personal Data only on a documented need-to-know basis under the principle of least privilege.
07 Security measures
Odysseic will implement and maintain the technical and organisational measures set out in Annex 2 to ensure a level of security appropriate to the risk, in line with Article 32 GDPR and equivalent requirements under other Data Protection Laws. The measures take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to the rights and freedoms of Data Subjects.
Where the Customer's instructions include Processing of Special Category Data (notably Medical Declarations), Odysseic applies the enhanced access controls and retention treatment described in Annex 2.
Odysseic may update the measures from time to time, provided the overall level of protection is not materially reduced. The published version of Annex 2 is the version then in force.
08 Sub-processors
8.1 General written authorisation
The Customer gives Odysseic general written authorisation to engage sub-processors to process Personal Data on its behalf, subject to the conditions in this section. The list of sub-processors engaged by Odysseic at the effective date of this DPA is set out in Annex 3 and is maintained in current form at the URL stated there.
8.2 Selection and flow-down
Before engaging a sub-processor, Odysseic will (a) carry out reasonable due diligence on the sub-processor's data-protection and security posture, and (b) enter into a written contract that imposes data-protection obligations no less protective than this DPA, including the obligations in Articles 28(3) and 32 GDPR and the international-transfer safeguards in section 9 below.
8.3 Notice of changes & objection
Odysseic will give the Customer at least 30 days' prior written notice of the addition or replacement of a sub-processor (via in-product notification or email to the Customer's account-administrator address, and an update to the sub-processor list URL). During that 30-day notice period the Customer may object on reasonable data-protection grounds. The parties will discuss the objection in good faith. If Odysseic cannot reasonably accommodate the objection, the Customer's sole and exclusive remedy is to terminate the affected portion of the Service or the Agreement under the termination provisions of the Agreement, without further liability of either party except for accrued fees.
8.4 Liability
Odysseic remains fully liable to the Customer for the performance of each sub-processor's obligations under its contract with Odysseic to the same extent Odysseic is liable for its own performance under this DPA.
09 International data transfers
Odysseic is established in Singapore. Its sub-processors operate infrastructure in Singapore, the European Economic Area, the United Kingdom, Switzerland, and the United States, among other locations (see Annex 3).
9.1 EEA & UK transfers
Where the Customer is established in the EEA or the UK and transfers Personal Data to Odysseic for Processing under this DPA, the parties agree:
- For transfers subject to the GDPR, the SCCs (Module Two, Controller to Processor) are incorporated into and form part of this DPA. The Customer is the data exporter; Odysseic is the data importer. Clause 7 (docking) is included. Clause 9(a) Option 2 (general written authorisation, with 30-day notice) applies, in line with section 8.3 above. Clause 11(a) Option (independent dispute resolution) is not included. Clause 17 Option 1 (governing law = Member State of the data exporter) applies; where the exporter is not in the EEA, the law of the Republic of Ireland. Clause 18(b) (forum) = the courts of the Member State identified in Clause 17, or Ireland by default. The Annexes to the SCCs are filled in by reference to this DPA: Annex I.A (Parties) — the parties to this DPA; Annex I.B (Description of transfer) — Annex 1 of this DPA; Annex II (Technical and organisational measures) — Annex 2 of this DPA; Annex III (Sub-processors) — Annex 3 of this DPA.
- For transfers subject to the UK GDPR, the parties incorporate the UK Addendum to the SCCs. Part 1 of the UK Addendum is completed by reference to the SCCs as above; the parties select Importer's Option in Table 4.
- For transfers subject to the Swiss FADP, the parties incorporate the Swiss Addendum to the SCCs, with references to "EU Member State" read as references to Switzerland and references to the GDPR read as references to the FADP, in line with FDPIC guidance.
The parties are deemed to have signed the SCCs / UK Addendum / Swiss Addendum at the same time as the Customer accepted the Agreement.
9.2 Other jurisdictions
Where transfers are subject to the PDPA, Odysseic will, in line with section 26 of the PDPA, take appropriate steps to ensure that Personal Data transferred outside Singapore is protected to a standard comparable to the PDPA — typically through contractual commitments equivalent to those in the SCCs. For other jurisdictions, Odysseic will rely on the appropriate transfer mechanism available under local law.
9.3 Onward transfers
Where a sub-processor is located outside the originating jurisdiction, Odysseic will impose equivalent transfer safeguards on the sub-processor (flow-down of SCCs, UK Addendum, or Swiss Addendum as applicable).
10 Data subject rights
The Service provides functionality through the operator dashboard that enables the Customer to access, correct, export, and delete Personal Data — and so to respond to Data Subject rights requests addressed to it without Odysseic's involvement.
Where Odysseic receives a Data Subject request relating to Personal Data processed on the Customer's behalf, it will:
- Promptly inform the Data Subject that Odysseic acts as processor for the Customer and direct them to the Customer; and
- Notify the Customer of the request without undue delay and provide reasonable assistance, taking into account the nature of the Processing, to allow the Customer to respond within the statutory deadline.
Odysseic will not respond to the Data Subject on the substance of the request without the Customer's prior written authorisation, unless required by law.
11 Personal data breaches
Odysseic will notify the Customer of a Personal Data Breach affecting the Customer's Personal Data without undue delay after becoming aware of it, and in any event within 72 hours where reasonably possible — recognising that the Customer's own 72-hour notification window to its supervisory authority under GDPR Article 33 starts when the Customer becomes aware.
The notification will include, to the extent then known:
- The nature of the breach, the categories and approximate number of Data Subjects and Personal Data records affected;
- The likely consequences of the breach;
- The measures Odysseic has taken or proposes to take to address the breach, including mitigation steps;
- A point of contact (typically the Odysseic incident lead) for further information.
Where information is not available at the time of initial notification, Odysseic will provide it as soon as reasonably possible in follow-up communications. Odysseic will cooperate in good faith with the Customer on any required notification to Data Subjects or supervisory authorities, but will not itself notify a supervisory authority or Data Subjects of a breach relating to the Customer's Personal Data without the Customer's prior written agreement, except where Odysseic is itself required by law to do so.
12 DPIAs & prior consultation
Taking into account the nature of the Processing and the information available to it, Odysseic will provide reasonable assistance to the Customer in carrying out data-protection impact assessments (DPIAs) and in any related prior consultation with a supervisory authority under Articles 35–36 GDPR or equivalent. Assistance will be provided through the Customer's usual support channels and may include factual information about the Service, sub-processors, and the security measures in Annex 2 that the Customer cannot reasonably obtain from Odysseic's published documentation.
13 Return & deletion
On termination or expiry of the Agreement — and at any earlier point on the Customer's written request — Odysseic will, at the Customer's choice:
- Make Personal Data available to the Customer for export through the Service's standard export tools for a period of 30 days after termination, after which Odysseic will delete the Personal Data; or
- Delete the Personal Data within 30 days of termination without an interim export period.
In either case, all Personal Data will be deleted, anonymised, or returned within 90 days of termination, except where retention of all or part of the Personal Data is required by applicable law (for example, tax or accounting records, audit logs, fraud-prevention logs, and incident records). Where retention is required by law, Odysseic will continue to protect the data in accordance with this DPA until secure deletion becomes possible.
On the Customer's written request, Odysseic will provide written confirmation that the deletion or return has been carried out.
14 Audits & inspections
Odysseic will make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under this DPA and Article 28 GDPR (or equivalent), and will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, in line with this section.
14.1 Standard audit channel
The Customer's audit right is primarily satisfied by Odysseic providing, on written request and subject to confidentiality:
- The most recent versions of relevant third-party security attestations or reports Odysseic holds or that its sub-processors publish (e.g., SOC 2 Type II, ISO/IEC 27001), where available;
- Written responses to security and data-protection questionnaires that are reasonable in scope;
- Annex 2 (TOMs), updated to current state.
14.2 On-site inspection
The Customer may, no more than once in any 12-month period, conduct or mandate an on-site inspection of Odysseic's facilities and records relevant to the Processing, subject to: (a) at least 30 days' prior written notice; (b) execution of a reasonable confidentiality undertaking by the Customer's auditor; (c) the audit being conducted during normal business hours, in a manner that does not unreasonably disrupt Odysseic's operations; (d) scope, methodology, and duration agreed in advance; (e) the auditor not being a competitor of Odysseic. The Customer bears its own audit costs and reimburses Odysseic for the reasonable cost of personnel time engaged in supporting the audit at Odysseic's standard professional services rates, except where the audit reveals a material breach of this DPA by Odysseic, in which case Odysseic bears its own costs.
14.3 For cause
The frequency cap in section 14.2 does not apply where (i) a supervisory authority requires the audit, or (ii) the Customer has reasonable grounds to suspect a material breach of this DPA that has not been remediated within a reasonable period after notification to Odysseic.
15 Liability & indemnity
Each party's liability under or in connection with this DPA is governed by — and is included within — the limitation of liability set out in the Agreement (Section 17, "Limitation of liability"). There is no separate liability cap under this DPA. The carve-outs set out in the Agreement (fraud, gross negligence, wilful misconduct, and other liability that cannot be limited or excluded under applicable law) apply equally here.
Where the SCCs, UK Addendum, or Swiss Addendum impose a non-derogable liability standard between data exporter and data importer, that standard prevails to the extent of conflict, but only for the specific claims and remedies governed by those clauses.
16 Conflict & precedence
In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA prevails. In the event of any conflict between this DPA and the SCCs / UK Addendum / Swiss Addendum, the SCCs / UK Addendum / Swiss Addendum prevail, but only to the extent of the conflict and only with respect to Processing within their respective scope.
17 Term & termination
This DPA takes effect on the date the Customer accepts the Agreement (or, for Customers existing at the introduction of this DPA, on the effective date stated at the top of this page) and remains in force for as long as Odysseic processes Personal Data on the Customer's behalf. The provisions of sections 11 (Personal Data Breaches relating to Personal Data still held post-termination), 13 (Return & deletion), 14 (Audits, for the residual data), 15 (Liability), and the international-transfer safeguards in section 9 (for any Personal Data not yet deleted) survive termination.
18 Governing law
This DPA is governed by the laws of Singapore, consistent with the Agreement, except where the SCCs, UK Addendum, or Swiss Addendum specify a different governing law for matters within their respective scope. The dispute-resolution provisions of the Agreement (Section 20) apply, except that disputes arising from the SCCs / UK Addendum / Swiss Addendum are governed by the dispute-resolution mechanism in those clauses.
Annex 1 — Details of processing
| Field | Details |
|---|---|
| Data exporter (Controller) | The Customer, as identified in the Agreement and in the Customer's account record on the Service. |
| Data importer (Processor) | Odysseic Ventures Pte. Ltd., UEN 202604236H, 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914. Contact: privacy@odysseic.com. |
| Subject matter | Provision of the Odysseic Service to the Customer, including the operator dashboard, hosted booking page, embed widget, APIs, and transactional email infrastructure. |
| Nature of Processing | Hosting, storage, retrieval, transmission, organisation, indexing, sending of transactional emails, generation of reports for the Customer, secure deletion, and incident response. |
| Purpose of Processing | To enable the Customer to take and manage Bookings, deliver dive activities to Divers, communicate with Divers about their Bookings, comply with the Customer's safety and regulatory obligations, and operate the Customer's business through the Service. |
| Categories of Data Subjects | Divers, their emergency contacts, accompanying minors (with parental consent), referring agents, and the Customer's Authorized Users. |
| Types of Personal Data | Identity and contact data (name, date of birth, nationality, email, phone, emergency contact, passport/ID where required by a regulator); booking details; certification and dive experience; Special Category Data (Medical Declarations, where the Customer collects them through the Service); payment metadata (transaction IDs, amounts, status, last four digits of the card — never full card numbers or bank credentials); correspondence and support records; usage/device data (IP address, browser, timestamps) collected by the Service for security and debugging. |
| Frequency | Continuous, for the duration of the Agreement. |
| Duration of Processing | The term of the Agreement plus the post-termination retention and deletion period set out in section 13. |
| Retention (controlled by Customer) | The Customer determines how long it retains Diver records in the Service, subject to its own legal-retention obligations. Defaults and configuration are exposed in the operator dashboard. |
| Competent supervisory authority | For the data exporter under the SCCs: the supervisory authority of the Member State in which the Customer is established (or, where the Customer is established outside the EEA, the supervisory authority indicated by the EU representative or, by default, the Irish Data Protection Commission). |
Annex 2 — Technical & organisational measures
Odysseic implements and maintains the following measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, or damage. Measures are designed to comply with Article 32 GDPR and equivalent requirements under other Data Protection Laws.
A2.1 Pseudonymisation & encryption
- Encryption in transit — TLS 1.2 or higher for all connections between the Customer, Data Subjects, Odysseic, and its sub-processors.
- Encryption at rest — Personal Data is held in encrypted-at-rest databases and object storage operated by Odysseic's sub-processors (e.g., Supabase, Vercel).
- Authentication credentials (passwords) are stored as salted hashes; session tokens are short-lived JWTs.
A2.2 Confidentiality, integrity, availability, resilience
- Row-level security on all multi-tenant tables in the database, with access scoped to the authenticated user's role and to the operator they belong to. A Customer's Personal Data is not visible to other Customers.
- Role-based access control in the application layer (site_admin, operator_admin, operator_staff, user roles).
- Multi-factor authentication is available for operator accounts and is recommended for all Authorized Users.
- Backups are taken automatically by the database sub-processor and retained for a rolling retention window.
- Application-layer audit trail for sensitive changes (bookings, policies, pricing).
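One way to express the tenant-isolation rule in A2.2 (access scoped to the caller's role and to the operator they belong to) as Postgres row-level security on Supabase. This is an added illustration, not Odysseic's own schema or policies; the table and column names (profiles, bookings, operator_id, diver_user_id) and the two helper functions are assumptions, while the role names are the ones listed in A2.2.

```sql
-- Added example (assumed schema, not Odysseic's): RLS on a multi-tenant
-- bookings table, scoped by the caller's role and operator membership.
-- auth.uid() and the "authenticated" role are provided by Supabase.

create table if not exists public.profiles (
  user_id     uuid primary key references auth.users (id),
  operator_id uuid,                               -- null for site_admin and plain users
  role        text not null
              check (role in ('site_admin', 'operator_admin', 'operator_staff', 'user'))
);

create table if not exists public.bookings (
  id            uuid primary key default gen_random_uuid(),
  operator_id   uuid not null,                    -- the tenant that owns the row
  diver_user_id uuid references auth.users (id),  -- the Diver, if they have an account
  starts_at     timestamptz not null,
  status        text not null default 'pending'
);

-- Enforce RLS for every caller, including the table owner.
alter table public.bookings enable row level security;
alter table public.bookings force row level security;

-- Helpers that read the caller's profile. SECURITY DEFINER with a pinned
-- search_path lets policies consult profiles even if profiles is itself
-- protected by RLS; STABLE lets the planner evaluate them once per query.
create or replace function public.current_operator_id() returns uuid
language sql stable security definer set search_path = public as $$
  select operator_id from public.profiles where user_id = auth.uid()
$$;

create or replace function public.current_role_name() returns text
language sql stable security definer set search_path = public as $$
  select role from public.profiles where user_id = auth.uid()
$$;

-- Read access: site_admin sees everything; operator users see their own
-- tenant's rows; a Diver sees only bookings that belong to them.
create policy bookings_read on public.bookings
  for select to authenticated
  using (
    public.current_role_name() = 'site_admin'
    or operator_id = public.current_operator_id()
    or diver_user_id = auth.uid()
  );

-- Write access: only operator_admin / operator_staff, and only inside
-- their own tenant. WITH CHECK stops an insert or update from moving a row
-- into another operator's tenant.
create policy bookings_write on public.bookings
  for all to authenticated
  using (
    operator_id = public.current_operator_id()
    and public.current_role_name() in ('operator_admin', 'operator_staff')
  )
  with check (
    operator_id = public.current_operator_id()
    and public.current_role_name() in ('operator_admin', 'operator_staff')
  );

-- Quick local check (constructed ids): impersonate a caller by setting the
-- JWT claims that auth.uid() reads, then confirm cross-tenant rows are hidden.
-- begin;
--   set local role authenticated;
--   set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
--   select count(*) from public.bookings
--    where operator_id <> public.current_operator_id();  -- expect 0 for operator_staff
-- rollback;
```

Policies are permissive by default, so the two USING clauses are OR-ed for reads; the narrower write policy is the only one consulted for insert, update, and delete.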
A2.3 Restore capability
In the event of a physical or technical incident, Odysseic relies on its database sub-processor's point-in-time recovery capability to restore the availability of and access to Personal Data. Recovery procedures are tested as part of platform-level infrastructure operations.
A2.4 Testing & assurance
- Dependency monitoring and timely application of security patches.
- Vulnerability tracking through advisories from sub-processors and OSS dependencies.
- Pre-release review of changes that touch authentication, authorisation, RLS, payments, or schema migrations.
- Where available, reliance on sub-processor independent attestations (SOC 2 Type II, ISO/IEC 27001).
A2.5 Access controls & need-to-know
- Production data access is restricted to a small number of Odysseic personnel on a need-to-know basis.
- Access to Special Category Data (Medical Declarations) is further restricted to personnel with a direct operational need (e.g., incident response, customer support of the relevant Customer).
- Access is logged. Personnel access is reviewed periodically and revoked promptly on role change or departure.
A2.6 Personnel
- All Odysseic personnel are bound by written confidentiality obligations that survive their engagement.
- Personnel receive data-protection and security training on onboarding and at appropriate intervals thereafter.
A2.7 Vendor & sub-processor management
- New sub-processors are evaluated for data-protection posture, hosting region, and contract terms before engagement.
- A current list of sub-processors is published at the URL in Annex 3.
A2.8 Incident management
- Documented incident-response process covering detection, triage, containment, recovery, root-cause analysis, and notification.
- Customer notification of confirmed Personal Data Breaches in line with section 11.
A2.9 Email transparency
Booking-related emails sent through the Service copy both the Diver and the Customer, with a genuine reply-to address set, so the parties correspond directly. This is a deliberate transparency control: it prevents Odysseic from positioning itself between the Customer and the Diver and prevents covert rewriting of recipient or reply-to addresses.
A2.10 Physical security
Personal Data processed under this DPA is held in data-centre infrastructure operated by Odysseic's sub-processors; physical security is governed by those sub-processors' published controls. Odysseic does not operate its own production data centres.
Annex 3 — Approved sub-processors
The current list of sub-processors engaged by Odysseic in the provision of the Service is maintained at odysseic.com/dpa#annex-3 (this page). The snapshot below reflects the state of the list at the effective date stated at the top of this page. Customers can subscribe to notifications of changes through the in-product settings or by emailing privacy@odysseic.com.
Note: the providers below are the sub-processors Odysseic engages to deliver the Service. The Customer's separately connected booking-payment provider (e.g., Stripe, Xendit, Doku on the Customer's own merchant account) is not a sub-processor of Odysseic — it is the Customer's own independent processor of payment data.
| Sub-processor | Purpose | Hosting region(s) |
|---|---|---|
| Supabase Inc. | Managed Postgres database, authentication, edge functions, and object storage. Hosts the bulk of Personal Data processed under this DPA. | Singapore (ap-southeast-1). |
| Vercel Inc. | Web application and edge runtime hosting for the marketing site, operator dashboard, hosted booking page, and embed widget. | Global edge network (US-headquartered). |
| Postmark (Wildbit, LLC) or Resend, Inc. | Delivery of transactional emails — booking confirmations, receipts, password resets, policy updates. The provider in use at any time is identified to the Customer in the dashboard. | United States (with global delivery). |
| Functional Software, Inc. (Sentry) | Error and crash reporting. May incidentally capture Personal Data appearing in stack traces or breadcrumbs; configured to scrub identifiers where practical. | United States / EU (depending on configured org region). |
| Stripe, Inc. | Subscription billing for the Customer (not Diver-data processing). Included for transparency: Stripe processes the Customer's own billing data on Odysseic's behalf to bill the Customer for the Subscription and Per-Booking Fees. Stripe does not process Diver Personal Data on Odysseic's behalf. | United States / Ireland (Stripe-controlled). |
Where Odysseic adds, replaces, or removes a sub-processor, the table above will be updated and the Customer will be notified in line with section 8.3.