This Data-Processing Addendum (DPA) forms part of the Eventzilla Software Agreement (if applicable) and the Eventzilla Terms of Service (together, the “Main Agreement”). By continuing to use the Eventzilla platform (the “Services”), an Organizer acknowledges and agrees that Eventzilla Corporation (“Eventzilla”) will process Personal Data on the Organizer’s behalf in accordance with this DPA. If any provision of the Main Agreement conflicts with a provision of this DPA, the provision of this DPA shall control with respect to the processing of Personal Data, except where individually negotiated terms expressly override it.

1. Definitions
Capitalised terms such as Controller, Processor, Processing, Personal Data, Data Subject, Business, Service Provider and Personal-Data Breach carry the meanings assigned in applicable privacy statutes, including Regulation (EU) 2016/679 (“GDPR”), the United Kingdom GDPR and the California Consumer Privacy Act (as amended). The individual who registers for, purchases or otherwise interacts with an event via the Services is referred to as a “Consumer,” and the Personal Data that identify or relate to such Consumer are referred to collectively as “Consumer Data.” “Data-Protection Laws” means all laws and regulations that apply to the Processing of Personal Data in the jurisdictions where either party operates. “Technical and Organisational Security Measures” describes the safeguards published in the Security section. References to “SCCs” mean the Standard Contractual Clauses issued by the European Commission under Decision 2021/914 (Module 2), and references to the “UK SCC Addendum” mean the United Kingdom International Data-Transfer Addendum (version B1.0).
 
2. Applicability and Scope of Processing Activities
2.1 When using the Services, the Organizer acts as a Business under applicable U.S. privacy laws and as a Data Controller under the GDPR, because it determines the purposes and means of Processing Consumer Data. Eventzilla acts solely as a Processor and will process Consumer Data only on documented instructions derived from the Main Agreement, this DPA or configuration settings selected by the Organizer.
 
2.2 The Organizer represents and warrants that it has provided all notices and obtained all consents required by Data-Protection Laws to share Consumer Data with Eventzilla. The Organizer further warrants that special-category data will not be collected through the Services unless the Organizer has established a lawful basis and complied with any heightened obligations that attach to such data.
 
2.3 Processing by Eventzilla is limited to the duration of the Main Agreement and to the purposes of facilitating event creation, ticketing and attendee engagement; Consumer Data classes may include name, e-mail address, payment token identifiers, event attendance details and any additional information the Organizer elects to solicit. Data Subjects are the Consumers who engage with the Organizer’s events through the Services.
3. Processing Obligations and Safeguards
3.1 Organizer Duties. The Organizer shall process Consumer Data in a manner that is lawful, fair and transparent, configure privacy and retention tools provided by Eventzilla, and respond to Data-Subject requests using the self-service dashboards. Eventzilla will offer reasonable and prompt support when those dashboards cannot by themselves satisfy a legitimate request. The Organizer indemnifies Eventzilla against liability arising from Consumer Data collected or processed in breach of Data-Protection Laws.
 
3.2 Eventzilla Duties. Eventzilla will: (a) process Consumer Data solely to deliver, maintain and improve the Services; (b) ensure staff with access to Consumer Data are bound by confidentiality; (c) apply the Technical and Organisational Security Measures published on the Security Page and update them as needed to maintain appropriate protection; and (d) notify the Organizer without undue delay after confirming a Personal-Data Breach and provide information sufficient to meet the Organizer’s notification obligations.
 
3.3 Sub-Processors. Eventzilla relies on specialist service partners whose names appear in the Sub-Processors list. By keeping an active account, the Organizer authorises Eventzilla to engage those partners. Eventzilla imposes data-protection terms on each Sub-Processor that are no less protective than the obligations in this DPA and remains responsible for their performance. The Organizer may object, on reasonable privacy grounds, to a material change in the Sub-Processor list; if no resolution is reached, the Organizer may disable the affected functionality without penalty.
 
3.4 Retention and Deletion. Consumer Data persist while the Organizer retains them in an active account. Encrypted backups exist solely for continuity purposes and expire automatically after a limited interval. Upon written instruction, Eventzilla will delete live copies of Consumer Data, unless retention is required by law.
 
3.5 Audit and Verification. Eventzilla will, upon reasonable request, provide summaries of third-party certifications or audit reports demonstrating adherence to the security and privacy controls referenced in this DPA. Where additional verification is required by Data-Protection Laws, Eventzilla will permit an inspection under appropriate confidentiality safeguards and with reasonable advance notice.
 
3.6 Conflict and Amendment. If a provision of this DPA conflicts with the Main Agreement, this DPA controls for Personal-Data matters. Eventzilla may amend this DPA to reflect changes in law or functionality by posting a revised version; continued use of the Services after the effective date constitutes acceptance. If any provision is held unenforceable, the remainder of the DPA remains in force.
4. Cross-Border Transfers
4.1 Primary hosting location. Consumer Data are stored and processed in Amazon Web Services us-east-1 (USA).
 
4.2 EEA transfers. For Personal Data exported from the European Economic Area, the parties rely on the SCCs (Module 2 – Controller→Processor), which are incorporated into this DPA by reference and deemed fully executed by the parties. Clause 17 (law) and Clause 18 (forum) reference the laws and courts of Ohio, USA.
 
4.3 United Kingdom transfers. For Personal Data exported from the United Kingdom, the parties adopt the UK SCC Addendum, completed with the information contained in this DPA, and select Ohio, USA for Table 4 (governing law and forum).
 
4.4 Swiss transfers. For Personal Data exported from Switzerland, references in the SCCs to the GDPR are interpreted as references to the Swiss Federal Data-Protection Act, and the Swiss Federal Data-Protection and Information Commissioner is deemed the competent supervisory authority.
 
4.5 Other mechanisms. Where Data-Protection Laws recognise additional lawful transfer mechanisms (e.g., adequate-country decisions or certification schemes), the parties may rely on such mechanisms instead of, or in addition to, the SCCs.

Enquiries regarding this DPA should be sent to privacy@eventzilla.net.
