Data Processing Agreement

Data Sub-Processing Addendum

Last updated: 10/06/2025

1. Scope and purpose of agreement

This Data Processing Agreement (Data Sub-Processing Addendum) forms an integral part of the contract between Evnyo and the Customer. It applies to personal data processing operations performed by Evnyo on behalf of the Customer in connection with use of Evnyo Services.

This document constitutes the Data Processing Agreement integrated into Evnyo's Terms of Service, in accordance with Article 7.3 of the Terms. It formalises the respective obligations of the Customer (Data Controller) and Evnyo (Data Processor) for protection of Guest personal data, pursuant to Article 28 of the UK GDPR and applicable data protection legislation.

The Parties acknowledge that, for such processing, the Customer is Data Controller and Evnyo acts as Data Processor within the meaning of applicable Data Protection Regulations (UK GDPR, Data Protection Act 2018, and relevant implementing legislation).

This Agreement aims to define conditions under which Evnyo undertakes to process personal data on the Customer's behalf, as well as each party's rights and obligations. It is concluded without separate signature, acceptance being acquired through online acceptance of the Terms of Service.

Unless otherwise stated in this Agreement, terms used have the definition given in the UK GDPR and Data Protection Act 2018. Particularly, "personal data", "data subject", "processing", "data controller", "data processor", "personal data breach" have the meaning attributed by Article 4 of the UK GDPR.

2. Description of processing operations by Evnyo

Evnyo is authorised to process on the Customer's behalf personal data necessary to provide Services as defined in the Terms. Characteristics of such processing are summarised in the table below, in accordance with Article 28 UK GDPR requirements:

Categories of personal data processed: Guest identification and contact data (persons invited to events): name, surname, email address, telephone number, company/organisation, function, and any additional information provided by the Customer concerning guests (e.g., guest category, invitation responses, comments).

Processing purposes: Event organisation management and electronic invitation sending. This includes sending invitations by email and SMS, tracking responses/RSVP, following up non-respondents, communicating event-related information, and generally any purpose necessary for Evnyo's service provision for the event. Data is processed solely according to Customer instructions and is not used by Evnyo for other purposes.

Retention period: Guest data is retained for the duration necessary for event management, then deleted within a maximum of 90 days after event end or contract termination, whichever occurs first. The Customer may delete or extract Guest data at any time via the platform. Absent prior deletion by the Customer, data will be securely deleted according to the aforementioned timeframe, subject to any longer legal retention obligations. Evnyo may retain beyond this period anonymised or aggregated data for purely statistical purposes and service improvement (without identifiable personal data).

Authorised recipients: data is accessible only to:

  • Authorised Evnyo personnel involved in service provision (e.g., technical team for support or maintenance) subject to confidentiality obligations.
  • Evnyo's sub-processors (secondary processors) involved in Service provision, as detailed in Section 4.4 below.
  • Legally authorised authorities upon lawful request, in accordance with applicable law (e.g., judicial requisition), limited to what is required by law.

Evnyo does not communicate Guest data to other recipient categories and permits no unauthorised access by the Customer.

Remarks: Categories of data subjects for such processing are primarily Guests designated by the Customer (professional or individual contacts invited to events). The Customer may also enter data concerning internal users (e.g., organising colleague contact details) on the platform – such Customer user data generally relates to the Customer account itself and is processed as part of service operation (e.g., access management). Finally, Customer-specific data (such as billing information, credentials) is processed by Evnyo as Data Controller for commercial relationship management (cf. Evnyo Privacy Policy), and is not detailed here as outside this Agreement's scope.

It is agreed that if the Customer uses Services to process Data or Data categories or for purposes other than those described above, this is at their own risk. Evnyo shall not be liable for regulatory non-compliance arising from processing not provided for by the Parties. The Customer undertakes to use the platform only for purposes for which it is intended, in accordance with the Terms and this table.

3. Customer obligations (Data Controller)

As Data Controller, the Customer undertakes to:

  • Compliance and documented instructions: Comply fully with applicable data protection regulations (UK GDPR, Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003) for processing performed via Evnyo. The Customer determines processing purposes and means entrusted to Evnyo and warrants that instructions given to Evnyo are documented, compliant with the contract and applicable regulations. Any Customer instruction exceeding Service scope or contrary to applicable laws will not be executed by Evnyo. The Customer will use the platform in accordance with contractual documents and will not instruct Evnyo to process data in violation of applicable laws and regulations.
  • Lawfulness of processed data: Ensure personal data entrusted to Evnyo has been collected and is processed by the Customer in compliance with UK GDPR and applicable UK data protection legislation. This includes, without limitation: prior information to data subjects from the point of data collection, providing all mandatory information required under Articles 13 and 14 UK GDPR (controller identity, invitation purpose, legal basis – consent or legitimate interest, data subject rights, retention periods, etc.). The Customer must provide Guests with clear information, for example via their own privacy policy or information text provided during email collection. When the processing legal basis is consent (particularly for marketing emails/SMS to individuals under PECR), obtain valid and demonstrable consent from each data subject prior to sending invitations. The Customer must be able to prove that the Guest has consented to receive invitations, or alternatively, that sending relies on another valid legal basis (e.g., legitimate interest in B2B communications with respected right to object under PECR). Consider data subject objection rights (e.g., if a Guest has objected to receiving solicitations, ensure they are no longer imported or invited). Generally, process via Evnyo only adequate, relevant and limited data necessary for the pursued purposes (data minimisation principle under UK GDPR).
  • Accuracy and updates: Ensure Guest data accuracy and update when necessary. Evnyo provides tools enabling the Customer to rectify or delete data; it is the Customer's responsibility to satisfy any rectification requests from data subjects. Evnyo may, where possible, assist the Customer in maintaining accurate data according to instructions.
  • Customer security measures: Implement appropriate Customer-side security measures to ensure data protection when using the platform. For example, the Customer must secure account access (strong passwords, two-factor authentication if available) and ensure data confidentiality when exporting or downloading information from Evnyo.
  • Compliant platform use: Not misuse Evnyo functionalities to collect or process sensitive or highly personal data without prior Evnyo agreement. The platform may contain free fields (e.g., possibility for Customer to enter personalised message) not intended for sensitive data (such as health data, racial origin, opinions, etc.). The Customer undertakes not to introduce such special data. Evnyo disclaims liability for non-compliant use of these fields by the Customer.
  • Cooperation: More generally, cooperate in good faith with Evnyo to enable processing compliance. For example, in case of audit or information requests (see Section 4.5), the Customer will participate reasonably.

The Customer acknowledges retaining full responsibility for personal data processed on their behalf. The Customer remains responsible for overall processing compliance towards data subjects and authorities, within their Data Controller obligations framework. Evnyo assumes Data Processor responsibility in accordance with Article 28 UK GDPR, particularly regarding security, confidentiality and cooperation. In case of Customer breach of Data Controller obligations, resulting financial and legal consequences fall under their responsibility, subject to Evnyo's own responsibility as Data Processor.

4. Evnyo obligations (Data Processor)

As Data Processor, Evnyo undertakes to respect the following obligations, in accordance with Article 28 UK GDPR:

4.1. Processing in accordance with instructions

Evnyo will process Guest personal data only on documented Customer instructions and solely to provide Services as defined in the Contract. This includes technical operations necessary such as hosting, storage, email/SMS sending, invitation formatting, response tracking, maintenance and support.

Evnyo will not decide processing purposes or means beyond Customer instructions. In particular, Evnyo will refrain from any use of the data for other purposes (own marketing, profiling, etc.), any sale or rental of data, and any merging of Guest data with other databases, unless a legal obligation requires otherwise.

If Evnyo considers that a Customer instruction constitutes a violation of the UK GDPR or of other applicable provisions, it will promptly inform the Customer. Similarly, if Evnyo is required by UK or EU law to process data beyond the Customer's instructions (e.g., disclosure on judicial order), it will inform the Customer before processing (unless the law prohibits this for important public interest reasons).

4.2. Data confidentiality

Evnyo guarantees that personal data processed for the Customer will be kept strictly confidential. To this end, Evnyo undertakes to:

  • Disclose Guest data only to personnel, sub-processors or service providers needing access for Service execution purposes, and only to the extent strictly necessary for their involvement.
  • Ensure such authorised persons are subject to legal or contractual confidentiality obligations. Evnyo integrates confidentiality clauses compliant with this Agreement's requirements into employment contracts or service agreements.
  • Not copy, reproduce or use Guest data for purposes other than those provided by the Contract, and not retain data copies beyond what is necessary for service or legal compliance.
  • Ensure data-processing personnel are trained in data protection requirements and made aware of the importance of confidentiality.

This confidentiality obligation continues even after contract end.

4.3. Processing security

Evnyo will implement all appropriate technical and organisational security measures to guarantee a level of security adapted to the risk, in accordance with Article 32 UK GDPR. Evnyo undertakes to maintain a level of security compliant with the state of the art. Considering the state of knowledge, implementation costs and the nature of the data, Evnyo takes the following measures in particular:

  • Data logical security: Server and database protection against intrusions (firewalls, intrusion detection systems), communication encryption (e.g., TLS for web interfaces, secure SMTP for outgoing emails), strict access control policies (data access reserved to aforementioned authorised persons, with strong authentication). Guest data stored on servers is hosted in a secure environment respecting industry standards (secure data centres, 24/7 monitoring, etc.).
  • Physical security: Data is hosted via cloud hosting services recognised for their security (see Sub-processing below).
  • Resilience and integrity: Regular data backups to prevent data loss, integrity tests, disaster recovery plan in case of major incident, to ensure Customer data availability where possible.
  • Security testing and audits: Evnyo periodically conducts platform security assessments (internal tests, external audits if necessary) to identify and correct vulnerabilities. These tests are conducted confidentially and results may be communicated to the Customer upon legitimate request, subject to confidentiality.

Evnyo undertakes to notify the Customer of any personal data breach (security incident accidentally or unlawfully causing destruction, loss, alteration, unauthorised disclosure or access to personal data) of which it becomes aware concerning Customer data. This notification will be made within 72 hours after incident discovery, or without undue delay where the 72-hour period cannot be met. Evnyo will provide the Customer with all relevant information about breach nature, potentially affected data, probable consequences and corrective measures taken, to enable the Customer, if necessary, to notify this incident to the competent data protection authority (Information Commissioner's Office) and/or data subjects, in accordance with Articles 33 and 34 of the UK GDPR. The Parties will cooperate in good faith in case of incident to mitigate effects and assist with any regulatory reporting obligations.

4.4. Sub-processing (sub-processors)

The Customer expressly consents to Evnyo engaging sub-processors (also called subordinate processors or third-party service providers) to carry out specific processing activities on the Customer's behalf, as part of Service provision. This may include the following categories: cloud hosting, email and SMS sending services, technical analysis tools, AI data correction, etc.

Current sub-processors engaged by Evnyo include (non-exhaustive list):

  • Supabase – Database & File Hosting: Supabase is our application infrastructure provider. Role: PostgreSQL database hosting containing Evnyo data (accounts, events, invitations, responses, etc.), and associated file storage (e.g., event images) in dedicated space. Location: European Union. We use Supabase's European servers (EU region) so all data and files are hosted exclusively in Europe. Stored data is encrypted at rest and accessible only to Evnyo applications and authorised administrators.
  • Vercel – Front-end Hosting: Vercel is our application front-end hosting platform (Evnyo website and user interface). Role: web application and static content distribution to end users, via a global content delivery network (CDN) for optimal performance. Location: primarily United States (Vercel Inc.), with a worldwide CDN (including European servers). Transfer guarantees: Vercel is EU-US Data Privacy Framework certified and offers a standard Data Processing Addendum compliant with UK GDPR.
  • Postmark – Transactional Email Sending: emailing service used to route Evnyo-generated emails. Role: reliable sending of event-related transactional emails (e.g., invitations, registration confirmations, reminders, post-event follow-ups) on the organiser's behalf. Location: primarily United States, with redundant infrastructures. Transfer guarantees: Postmark offers a standard Data Processing Addendum (DPA) compliant with UK GDPR requirements and contractual guarantees for international transfers.
  • Twilio – Transactional SMS Sending: platform used for SMS sending (e.g., invitations or SMS reminders, verification messages) to participants providing telephone numbers. Role: route SMS to contact telephone operators. Location: Twilio Inc. is a US company but has an EU presence. Transfer guarantees: Twilio has Binding Corporate Rules (BCR) approved by European authorities and offers a Data Processing Addendum compliant with UK GDPR.
  • CookieYes – Consent Management Platform: cookie consent management tool. CookieYes deploys the cookie banner on our site and records each user's cookie choices. Role: ensure non-essential trackers activate only with consent, and retain proof of user consent or refusal. Location: CookieYes Limited is a UK-registered company.
  • OpenAI – Artificial Intelligence: advanced AI service used via API for specific functionalities (e.g., correcting poorly formatted data, generating images on demand). Role: algorithmic processing of submitted content to produce a result (corrected file or generated image) returned to Evnyo. Location: United States (OpenAI, Inc.). Guarantees: According to OpenAI API terms of use, transmitted data is not used by OpenAI to train AI models and is automatically deleted from their systems within a maximum of 30 days after processing.
  • Stripe – Payment Processing: payment platform used to process payments from our event organiser clients and billing for our services. Role: secure processing of credit card payments, bank transfers, and other payment methods, as well as billing and subscription management. Location: Stripe Europe, Ltd. (Ireland) for European clients, with infrastructure distributed across Europe and SEPA compliance. Transfer guarantees: Stripe has comprehensive UK GDPR certifications and applies Standard Contractual Clauses (SCCs) for any transfers outside the UK where required, alongside adequacy decisions where applicable.
  • OVH – Domain Name & DNS Management: OVHcloud is our registrar and DNS host for the evnyo.com domain. Role: technical domain name management, DNS records and ancillary function hosting. Location: France (OVH, French company). Personal data: minimal data – OVH essentially processes technical data (visitor DNS queries).

Evnyo ensures all sub-processors have validated transfer mechanisms for transfers outside the UK (BCR, Standard Contractual Clauses, adequacy decisions, UK Addendum where applicable) and that their standard DPAs meet Article 28 UK GDPR requirements. Evnyo undertakes that each sub-processor offers sufficient guarantees regarding the implementation of appropriate technical and organisational measures, ensuring processing meets UK GDPR requirements and guarantees protection of data subject rights. Evnyo concludes with each sub-processor a written contract imposing data protection obligations equivalent to this Agreement, particularly regarding confidentiality, security and breach notification.

Evnyo remains fully responsible to the Customer for sub-processor performance of data protection obligations. Evnyo will supervise these sub-processors and remain the Customer's sole contact point.

Information and objection right: Evnyo will keep the Customer informed of any planned changes concerning the addition or replacement of important sub-processors involving Customer personal data processing. This information will be provided via notification (e.g., in the Customer admin interface or by email) at least 15 days before the change. The Customer may raise reasonable and legitimate objections to such changes within this 15-day period. An objection must be reasoned and raised in good faith, for example if the Customer believes the new sub-processor presents insufficient compliance guarantees.

Where an objection concerning a new sub-processor remains unresolved, Evnyo may, at its choice, either forego engaging this sub-processor or propose an alternative solution to the Customer. If no acceptable solution is found, the Customer may terminate the contract without penalty on the basis of this objection. Such termination will be considered legitimate and without fault on Evnyo's part.

5. Fate of data at contract end

Upon the end of the contractual relationship, i.e., in case of termination or expiration of the Terms, the Customer has the option to recover all personal data processed on their behalf via Evnyo. Evnyo provides, upon Customer request, the data in a standard readable format (e.g., CSV export of guest lists and responses).

The Customer must exercise this restitution option before the contract end date or at the latest within the 15 days following it. Beyond this, Evnyo will proceed with complete deletion of the Customer personal data still in its possession, according to the following schedule:

  • Immediate active deletion: Immediately after contract end, Evnyo will make Customer data inaccessible on the platform (account deactivated). Data may be temporarily retained in system backups.
  • Definitive erasure: Absent contrary Customer instruction, Evnyo will erase all Customer personal data within a maximum of 90 days after event end or contract termination, whichever occurs first. This includes deletion from the active database and overwriting or encryption of backups still containing such data. Upon written Customer request, Evnyo may certify in writing the effective destruction of the data once completed.

If the Customer wishes data restitution before deletion, Evnyo may assist (this service may be charged if it generates significant cost). In any case, Evnyo will retain no Customer personal data beyond the period mentioned, except where a longer legal retention obligation applies. For example, Evnyo may retain connection or transaction logs incidentally containing personal data if the law so requires, but in this case such data will remain protected and separately archived.

Evnyo's confidentiality and security obligations continue to apply while Evnyo retains data.

In the event of emergency termination (immediate suspension for serious breach), the Customer has 7 days to recover data via automated export from the interface. After this period, the normal deletion procedure applies (maximum 90 days, as defined above).

6. Contact and data protection officer

For any questions or instructions relating to personal data protection under this Agreement, the Customer may contact Evnyo's data protection referent. This referent does not have DPO status within the meaning of Article 37 UK GDPR. Contact details are indicated in the Privacy Policy and/or on the Evnyo site (e.g., dedicated email address such as privacy@evnyo.com).

Evnyo undertakes to process any Customer request relating to this Agreement promptly.

7. Final provisions

7.1. Document hierarchy

This Agreement forms part of the Terms of Service. In case of contradiction between a provision of the Terms and a provision of this Agreement concerning personal data processing, this Agreement prevails. In case of conflict between contractual documents and mandatory legal obligations, the latter automatically prevail. The other provisions of the Terms remain fully applicable for everything not covered in this Agreement.

7.2. Duration

Evnyo's Data Processor obligations under this Agreement apply throughout the duration of Service provision involving personal data processing on the Customer's behalf, and until data deletion. Obligations that by their nature endure (confidentiality, assistance, etc.) will survive as needed after contract end.

7.3. Applicable law and jurisdiction

This Agreement is subject to the same law as the Terms of Service (see Article 9 of the Terms), with mandatory application of UK GDPR and Data Protection Act 2018 provisions. Any dispute relating to performance or interpretation will be settled according to the dispute resolution modalities provided in the Terms. Nevertheless, for data protection-specific disputes, the Parties will cooperate in good faith to find a regulation-compliant solution and, if necessary, consult the competent supervisory authority (e.g., ICO) for advice.

7.4. Entirety and modification

This Agreement constitutes the entire agreement of the Parties regarding data protection for Evnyo Services. It may be supplemented or modified in writing signed by both Parties (including explicit electronic consent). Evnyo reserves the right to propose updates to this Agreement in case of regulatory or Service evolution, following the same modalities as modification of the Terms of Service. The Customer will be informed of any substantial modification and may refuse it by terminating the Service before implementation if prejudicial.

If a clause is declared null by a court, the Parties undertake to negotiate in good faith its replacement with an equivalent and lawful clause.

By signing or electronically accepting the Terms of Service, the Customer and Evnyo acknowledge having read and understood this Agreement and undertake to respect all its provisions.


Last updated: 10/06/2025
Applicable law: French law with mandatory UK provisions
Jurisdiction: French courts with mandatory UK competence
Compliance: UK GDPR, Data Protection Act 2018, PECR