EVENTBOOST — DATA PROCESSING ADDENDUM (DPA)

under Article 28 GDPR

Version: 2026.02 — Effective Date: February 14th 2026

1. Parties, incorporation, precedence

1.1 Parties.

This Data Processing Addendum (“DPA”) is entered into between:

(a) the customer/organizer using the Services (“Customer” or “Controller”); and

(b) the Eventboost group company acting as the contracting entity identified in the Order and/or invoice (“Eventboost” or “Processor”).

1.2 Incorporation.

This DPA is incorporated by reference into the Agreement (Master Terms + Order).

1.3 Precedence.

In the event of a conflict, this DPA prevails solely with respect to the processing of personal data.

2. Definitions

GDPR terms have the meaning set out in the GDPR. “Customer Data” means data and content submitted to the Services by or on behalf of Customer, including Attendee personal data processed by Eventboost on Customer’s behalf.

3. Roles

3.1

For Attendee personal data processed for Customer’s events: Customer is Controller and Eventboost is Processor.

3.2

For account, billing, security, support and relationship data, Eventboost may act as Controller under its Privacy Notice (not governed by this DPA).

4. Article 28(3) details

4.1 Subject matter:

provision of Eventboost Services and related support.

4.2 Duration:

the term of the Agreement, plus the period required for return/export and deletion per Section 11.

4.3 Nature and purpose:

hosting, storage, event registration management, check-in, badge, transactional event communications, reporting/analytics features configured by Customer, integrations requested by Customer, and support operations.

4.4 Categories of data subjects and personal data:

see Annex A.

5. Documented instructions

5.1

Eventboost processes Customer Data only on documented instructions from Customer, including platform configurations and written requests.

5.2

If Eventboost believes an instruction infringes applicable data protection law, it will inform Customer.

5.3

No independent use. Eventboost will not use Attendee personal data processed on Customer’s behalf for its own marketing purposes, unless required by law or Customer provides a lawful written instruction.

5.4

Special categories / criminal data. Customer should not submit special categories of data (Art. 9 GDPR) or criminal data (Art. 10 GDPR) unless doing so is strictly necessary and Customer has a valid legal basis and provides the required notices/consents.

6. Confidentiality

Eventboost ensures that persons authorized to process Customer Data are bound by confidentiality obligations.

7. Security (Art. 32 GDPR)

Eventboost implements appropriate technical and organizational measures. A minimum summary is provided in Annex B. Eventboost may update security measures to reflect technical evolution while maintaining an appropriate level of security.

8. Subprocessors

8.1

Customer grants Eventboost a general authorization to appoint subprocessors.

8.2

A current list of subprocessors is available upon request.

8.3

Eventboost will impose data protection obligations on subprocessors no less protective than those in this DPA.

8.4

Objection. Customer may object on reasonable data protection grounds; the parties will work in good faith to reach a solution. If no solution is reasonably available, Customer may terminate the affected Services in accordance with the Agreement.

9. Assistance

Eventboost will provide reasonable assistance for data subject requests (Arts. 15–22 GDPR) and for DPIAs/consultations (Arts. 35–36 GDPR), as appropriate and subject to the nature of the Services.

10. Personal data breaches

Eventboost will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data and will share available information to support Customer’s compliance with Arts. 33–34 GDPR.

11. Return and deletion

Upon termination, Eventboost will make Customer Data available for export via standard features for a limited period, and then delete or anonymize Customer Data, subject to applicable legal obligations and routine backups, as described in the Agreement/Privacy documentation.

12. Audits and compliance (Art. 28(3)(h))

Eventboost will make available information reasonably necessary to demonstrate compliance. Audits will be primarily document-based. On-site audits are permitted only with reasonable prior notice, no more than once per year, during business hours, under confidentiality and security constraints, and at Customer’s cost, unless legally required. Eventboost may provide independent reports/certifications as an alternative where reasonable.

13. International transfers

13.1

For transfers outside the EEA to non-adequate countries, Eventboost will use appropriate safeguards under Chapter V GDPR, including the EU SCCs (Commission Implementing Decision (EU) 2021/914).

13.2

UK. Where UK GDPR applies, Eventboost will use the UK Addendum to the EU SCCs or the IDTA, as applicable.

13.3

Switzerland. Where Swiss law applies (nFADP/FADP), SCCs will be supplemented with Swiss-required adaptations.

13.4

The minimum measures are described in Annex D.

14. Liability

Liability and limitations are governed by the Agreement and mandatory law. This DPA does not expand Eventboost’s liability beyond what is required by law.

ANNEX A

DETAILS OF PROCESSING (Art. 28(3) GDPR)

1. Subject matter

Provision of the Eventboost SaaS Services for the Customer’s event management activities (e.g., event setup, registration pages, attendee management, invitations and communications, check-in, badge printing, reporting, integrations/APIs, and ticketing where enabled under the Order).

2. Duration

For the term of the applicable Agreement/Order and thereafter for the retention periods described below:

  • Single Event data: typically available in the Customer’s backend for 12 months after the event ends (unless otherwise agreed).
  • Post-expiry account/event retention: typically up to 6 months after expiry (including trial) to allow export/reactivation, subject to legal obligations and/or cyclical backups under the DPA and Privacy Notice.

3. Nature and purpose

Collection, recording, organisation, structuring, storage, consultation, use, disclosure (limited to subprocessors), deletion/destruction as necessary to:

  • provide the Services;
  • ensure security, business continuity, support and maintenance;
  • carry out the Customer’s documented instructions (including platform configurations and support requests).

4. Categories of data subjects

  • Attendees (guests, registrants, participants);
  • Speakers/sponsors/exhibitors/vendors linked to the Customer’s events;
  • Customer Authorized Users (admins, staff, check-in operators);
  • Customer contact lists/imports (invitations/communications), where uploaded.

5. Categories of personal data (typical; depends on Customer configuration)

  • Identifiers and contact details (name, email, phone, company, job title, city/country);
  • Event registration data (form answers, preferences, sessions, badge fields, check-in status);
  • Technical data (access logs, account identifiers, audit logs, IP address where collected, device/browser info);
  • Communications metadata (email sends, RSVP, bounces where applicable);
  • Ticketing (if enabled): ticket and transaction-related information (note: full payment card data is typically processed by the third-party payment processor under its own model).

Special categories (Art. 9 GDPR): not processed by default. Customer is responsible for avoiding such data unless strictly necessary and supported by a lawful basis; if used, it must be documented and may require additional safeguards.

6. Processing operations

Hosting, backups, restore, messaging (if enabled), support, incident handling, security monitoring, access and permissions management.

7. Roles

  • Customer: Controller of Attendee and related event data.
  • Eventboost: Processor on behalf of Customer, under documented instructions.

Eventboost may act as Controller for account/billing/relationship data as described in the Privacy Notice.

ANNEX B

TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

Security Measures are risk-based and appropriate to the processing (Art. 32 GDPR).

B1. Security governance (ISMS / ISO 27001)

Eventboost maintains a security governance framework to protect confidentiality, integrity and availability. Eventboost has initiated an information security programme aligned with ISO/IEC 27001, including the maturation of an ISMS, targeting completion of the certification process by May 2026 (subject to unforeseen circumstances and the independent outcome of the certification body’s assessment).

For clarity, the obligation to implement and maintain appropriate Security Measures applies regardless of certification; any certification, if and when achieved, is informational and does not automatically expand contractual warranties, obligations or remedies.

B2. Access control and identity management

  • Access limited to authorised personnel on a least privilege basis.
  • Strong authentication for privileged/admin access; role segregation where applicable.
  • Joiner/mover/leaver processes for provisioning and deprovisioning.
  • Logical separation of environments (e.g., production/test) where applicable.

B3. Application security and SDLC

  • Secure development practices; vulnerability handling and patching based on risk.
  • Change management and controlled deployments; traceability where applicable.
  • Hardening and secure configuration of components.

B4. Encryption and data protection

  • Encryption in transit via TLS/HTTPS.
  • Encryption at rest or equivalent protections for systems and backups where applicable.
  • Logical tenant/customer data segregation where applicable.

B5. Logging, monitoring and audit trails

  • Logging of relevant administrative and security events; retention per internal policy.
  • Monitoring, alerting, and observability for availability/performance and anomalies.

B6. Availability, backup and disaster recovery

  • Regular backups and reasonable restore procedures, tested/validated periodically.
  • Business continuity and resilience measures; incident response and recovery planning.
  • Scheduled maintenance windows and emergency maintenance for security/stability.

B7. Incident management and personal data breaches

  • Incident management lifecycle (triage, containment, remediation, post-incident review).
  • Breach notification to Customer without undue delay and reasonable cooperation (Arts. 33–34 GDPR), as set out in the DPA.

B8. Subprocessor security

  • Use of subprocessors subject to contractual obligations materially equivalent to the DPA.
  • Risk-based due diligence and documentary controls for critical subprocessors.

B9. Training and confidentiality

  • Confidentiality obligations for personnel; periodic training/awareness where appropriate.

B10. Physical security

  • Hosting typically relies on cloud/data centre providers implementing industry-standard physical and environmental controls.

Note: These TOM categories may evolve over time as part of continuous improvement, provided the overall security level is not materially reduced in light of the addressed risks.

ANNEX C

SUBPROCESSORS

C1. General authorisation

Customer grants a general authorisation for Eventboost to engage subprocessors (Art. 28(2) GDPR) to provide the Services.

C2. List and updates

Eventboost maintains and makes available an up-to-date subprocessor list (e.g., in a “Subprocessors” page within the Legal Hub or an equivalent document), typically including:

  • subprocessor name;
  • processing/hosting location (countries/regions);
  • service description (hosting, email, support, analytics, etc.).

C3. Notice and objection

Eventboost will provide reasonable notice of material changes. Customer may object in writing on reasonable data protection grounds; the parties will cooperate in good faith to find a commercially reasonable alternative or mitigation. If not feasible, Eventboost may terminate the affected module/service in accordance with the Agreement, limited to the impacted scope.

C4. Flow-down obligations

Eventboost enters into written agreements with subprocessors imposing obligations materially equivalent to this DPA, including security and assistance commitments.

ANNEX D

INTERNATIONAL TRANSFERS

D1. General

Eventboost will ensure international transfers comply with applicable transfer rules (GDPR, UK GDPR, Swiss law).

D2. EU/EEA (GDPR)

For transfers to non-adequate countries, Eventboost will apply the EU Standard Contractual Clauses (Decision (EU) 2021/914) and appropriate supplementary measures on a risk basis.

D3. United Kingdom

Where UK GDPR applies, Eventboost will apply the UK Addendum to the EU SCCs or the IDTA, as applicable, as reflected in the DPA.

D4. Switzerland

Where applicable, Eventboost will apply the Swiss-recognised contractual clauses/adjustments required under Swiss data protection law (FADP/nFADP) for cross-border transfers.

D5. Documentation

Upon reasonable request, Eventboost will make available information about the applicable transfer mechanism (e.g., SCC/UK Addendum reference) and relevant subprocessors, subject to confidentiality and security constraints.