Data Processing Agreement

EVENTBOOST — DATA PROCESSING ADDENDUM (DPA)

under Article 28 GDPR

Version: 2026.02 — Effective Date: February 14th 2026

1. Parties, incorporation, precedence

1.1 Parties.

This Data Processing Addendum (“DPA”) is entered into between:

(a) the customer/organizer using the Services (“Customer” or “Controller”); and

(b) the Eventboost group company acting as the contracting entity identified in the Order and/or invoice (“Eventboost” or “Processor”).

1.2 Incorporation.

This DPA is incorporated by reference into the Agreement (Master Terms + Order).

1.3 Precedence.

In the event of a conflict, this DPA prevails solely with respect to the processing of personal data.

2. Definitions

GDPR terms have the meaning set out in the GDPR. “Customer Data” means data and content submitted to the Services by or on behalf of Customer, including Attendee personal data processed by Eventboost on Customer’s behalf.

3. Roles

3.1 For Attendee personal data processed for Customer’s events: Customer is Controller and Eventboost is Processor.

3.2 For account, billing, security, support and relationship data, Eventboost may act as Controller under its Privacy Notice (not governed by this DPA).

4. Article 28(3) details

4.1 Subject matter: provision of Eventboost Services and related support.

4.2 Duration: the term of the Agreement, plus the period required for return/export and deletion per Section 11.

4.3 Nature and purpose: hosting, storage, event registration management, check-in, badge, transactional event communications, reporting/analytics features configured by Customer, integrations requested by Customer, and support operations.

4.4 Categories of data subjects and personal data: see Annex A.

5. Documented instructions

5.1 Eventboost processes Customer Data only on documented instructions from Customer, including platform configurations and written requests.

5.2 If Eventboost believes an instruction infringes applicable data protection law, it will inform Customer.

5.3 No independent use. Eventboost will not use Attendee personal data processed on Customer’s behalf for its own marketing purposes, unless required by law or Customer provides a lawful written instruction.

5.4 Special categories / criminal data. Customer should not submit special categories of data (Art. 9 GDPR) or criminal data (Art. 10 GDPR) unless strictly necessary, and Customer has a valid legal basis and provides required notices/consents.

6. Confidentiality

Eventboost ensures that persons authorized to process Customer Data are bound by confidentiality obligations.

7. Security (Art. 32 GDPR)

Eventboost implements appropriate technical and organizational measures. A minimum summary is provided in Annex B. Eventboost may update security measures to reflect technical evolution while maintaining an appropriate level of security.

8. Subprocessors

8.1 Customer grants Eventboost a general authorization to appoint subprocessors.

8.2 A current list of subprocessors is available upon request.

8.3 Eventboost will impose data protection obligations on subprocessors no less protective than those in this DPA.

8.4 Objection. Customer may object on reasonable data protection grounds; the parties will work in good faith to reach a solution. If no solution is reasonably available, Customer may terminate the affected Services in accordance with the Agreement.

9. Assistance

Eventboost will provide reasonable assistance for data subject requests (Arts. 15–22 GDPR) and for DPIAs/consultations (Arts. 35–36 GDPR), as appropriate and subject to the nature of the Services.

10. Personal data breaches

Eventboost will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data and will share available information to support Customer’s compliance with Arts. 33–34 GDPR.

11. Return and deletion

Upon termination, Eventboost will make Customer Data available for export via standard features for a limited period, and then delete or anonymize Customer Data, subject to applicable legal obligations and routine backups, as described in the Agreement/Privacy documentation.

12. Audits and compliance (Art. 28(3)(h))

Eventboost will make available information reasonably necessary to demonstrate compliance. Audits will be primarily document-based. On-site audits are permitted only with reasonable prior notice, no more than once per year, during business hours, under confidentiality and security constraints, and at Customer’s cost, unless legally required. Eventboost may provide independent reports/certifications as an alternative where reasonable.

13. International transfers

13.1 For transfers outside the EEA to non-adequate countries, Eventboost will use appropriate safeguards under Chapter V GDPR, including the EU SCCs (Commission Implementing Decision (EU) 2021/914).

13.2 UK. Where UK GDPR applies, Eventboost will use the UK Addendum to the EU SCCs or the IDTA, as applicable.

13.3 Switzerland. Where Swiss law applies (nFADP/FADP), SCCs will be supplemented with Swiss-required adaptations.

13.4 The minimum measures are described in Annex D.

14. Liability

Liability and limitations are governed by the Agreement and mandatory law. This DPA does not expand Eventboost’s liability beyond what is required by law.


ANNEX A

DETAILS OF PROCESSING (Art. 28(3) GDPR)

1. Subject matter

Provision of the Eventboost SaaS Services for the Customer’s event management activities (e.g., event setup, registration pages, attendee management, invitations and communications, check-in, badge printing, reporting, integrations/APIs, and ticketing where enabled under the Order).

2. Duration

For the term of the applicable Agreement/Order and thereafter for the retention periods described below:

  • Single Event data: typically available in the Customer’s backend for 12 months after the event ends (unless otherwise agreed).
  • Post-expiry account/event retention: typically up to 6 months after expiry (including trial) to allow export/reactivation, subject to legal obligations and/or cyclical backups under the DPA and Privacy Notice.

3. Nature and purpose

Collection, recording, organisation, structuring, storage, consultation, use, disclosure (limited to subprocessors), deletion/destruction as necessary to provide the Services, ensure security and carry out instructions.

4. Categories of data subjects

  • Attendees (guests, registrants, participants);
  • Speakers/sponsors/exhibitors/vendors;
  • Customer Authorized Users;
  • Customer contact lists/imports.

5. Categories of personal data

  • Identifiers and contact details;
  • Event registration data;
  • Technical data (logs, IP addresses);
  • Communications metadata;
  • Ticketing data (where applicable).

ANNEX B

TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

B1. Security governance (ISMS / ISO 27001)

Eventboost maintains a security governance framework aligned with ISO/IEC 27001, targeting completion of certification by May 2026.

B2. Access control

Access is limited to authorised personnel on a least-privilege basis with strong authentication.

B4. Encryption

Encryption in transit via TLS/HTTPS and at rest for systems and backups.


ANNEX C

SUBPROCESSORS

Customer grants a general authorisation for Eventboost to engage subprocessors. A current list is available upon request.


ANNEX D

INTERNATIONAL TRANSFERS

Eventboost ensures transfers comply with GDPR, UK GDPR, and Swiss law using EU SCCs and appropriate safeguards.