Data Processing Agreement
GDPR-compliant data processing terms
Last Updated: May 6, 2026
Version: 1.1
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Data Controller") and Brandum B.V., trading as GuestlistOnline (the "Processor" or "we") and governs the processing of personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). The Processor is registered in the Netherlands under KvK number 98509802, with registered office at Bachstraat 29, 1921EW Akersloot, Netherlands.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Controller" means the Customer who determines the purposes and means of processing Personal Data
- "Data Processor" means Brandum B.V. (trading as GuestlistOnline), which processes Personal Data on behalf of the Data Controller
- "Sub-processor" means any third party appointed by the Processor to process Personal Data
- "Services" means the GuestlistOnline event management platform operated by Brandum B.V.
2. Scope and Role of the Parties
2.1 Data Controller
The Customer acts as the Data Controller and determines the purposes and means of processing Personal Data of their event attendees, guests, and team members.
2.2 Data Processor
GuestlistOnline acts as the Data Processor and processes Personal Data solely on behalf of and in accordance with the documented instructions of the Data Controller.
3. Description of Processing
3.1 Subject Matter and Nature
GuestlistOnline provides an event management platform that enables the Data Controller to:
- Create and manage events
- Manage guest lists and attendee information
- Send email invitations and communications
- Process event registrations and RSVPs
- Manage check-ins and door scanning
- Process payments for paid events (via Stripe)
- Coordinate team members and staff
3.2 Categories of Personal Data
- Contact information (name, email address, phone number)
- Account information (email-based login, hashed password, profile picture)
- Event data (event attendance, RSVP status, check-in records)
- Payment information (processed by Stripe; card data is never stored by the Processor)
- Communication preferences and notes
- IP addresses and device information (for security and analytics)
3.3 Categories of Data Subjects
- Event organizers (Customers)
- Event attendees and guests
- Team members and door staff
- Website visitors
3.4 Duration of Processing
The Processor processes Personal Data for the duration of the Customer's use of the Services. The Customer determines the retention of guest, event and team data through the Services and may delete it at any time using the self-service tools described in Section 12.
4. Data Controller Obligations
The Data Controller shall:
- Ensure it has all necessary legal bases for processing Personal Data
- Provide clear and transparent privacy notices to data subjects
- Ensure it has obtained all necessary consents
- Only provide instructions to GuestlistOnline that comply with applicable data protection laws
- Respond to data subject requests directly or via GuestlistOnline's self-service tools
5. Data Processor Obligations
In line with Article 28(3) GDPR, the Processor shall:
- Process Personal Data only on documented instructions from the Data Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organisational security measures as set out in Section 6 (Article 32 GDPR)
- Assist the Data Controller in responding to data subject requests (Articles 12-22 GDPR)
- Assist the Data Controller in ensuring compliance with Articles 32 to 36 GDPR, including in relation to data protection impact assessments (DPIAs) and prior consultation with supervisory authorities
- Notify the Data Controller without undue delay, and where feasible within 72 hours, after becoming aware of a personal data breach
- Delete or return all Personal Data to the Data Controller after the end of the provision of Services, in accordance with Section 12
- Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR
6. Security Measures (Article 32 GDPR)
The Processor implements the following technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk:
- Encryption in transit: TLS 1.2+ for all data transmission between clients, the application, and sub-processors
- Encryption at rest: AES-256 encryption for the production database, file storage, and automated backups
- Hashing and tokenisation: Passwords stored only as one-way hashes (never in plaintext); payment card data tokenised by Stripe and never stored on Processor systems
- Access controls: Role-based access control (RBAC), row-level security (RLS) on every database table containing Personal Data, MFA on administrative accounts, and the principle of least privilege for staff
- Infrastructure: Production database hosted in the EU (AWS eu-central-1, Frankfurt, Germany) via Supabase; application served from EU edge regions
- Confidentiality, integrity, availability and resilience: Audit logging, automated daily backups with point-in-time recovery, separation of production and non-production environments, and security hardening of database functions (pinned search_path on database functions, parameterised queries to prevent SQL injection)
- Restoration: Documented procedures for restoring availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- Regular testing and review: Periodic security audits and remediation of vulnerabilities (most recent audit: February 2026)
- Incident response: Documented breach notification procedures consistent with Article 33 GDPR
A more detailed description of the TOMs (TOM Annex) is available to Customers on request via go@guestlistonline.com.
7. Sub-processors
7.1 General Authorisation
The Data Controller provides general written authorisation for the Processor to engage Sub-processors for the processing of Personal Data, subject to the conditions in this Section 7.
7.2 Current Sub-processors
A current list of Sub-processors, with location, purpose and the applicable transfer mechanism (see Section 8), is maintained at guestlistonline.com/subprocessors.
Current Sub-processors include:
- Supabase (database, authentication, file storage): EU-only hosting (AWS eu-central-1, Frankfurt)
- Vercel (application hosting and edge network): EU routing for EU users; SCCs in place for any non-EU processing
- Stripe (payment processing): Used only for paid events; SCCs in place
- Hostnet (transactional email delivery): EU-only (Netherlands)
7.3 Changes to Sub-processors
The Processor will notify the Data Controller of any intended addition or replacement of Sub-processors by email to the account contact at least 30 days in advance. The Data Controller may object on reasonable data-protection grounds within 30 days of notification. If the parties cannot resolve the objection, the Data Controller may terminate the Services in accordance with the Terms of Service.
7.4 Sub-processor Obligations
The Processor shall enter into a written contract with each Sub-processor imposing data protection obligations equivalent to those set out in this DPA, in accordance with Article 28(4) GDPR, and remains fully liable to the Data Controller for the performance of each Sub-processor's obligations.
8. International Data Transfers
Personal Data is primarily stored and processed within the European Union (AWS eu-central-1, Frankfurt, Germany).
Where a Sub-processor processes Personal Data outside the European Economic Area, the Processor relies on an appropriate transfer mechanism under Chapter V GDPR, including the European Commission's Standard Contractual Clauses (Decision 2021/914) and, where relevant, an adequacy decision.
Following the Schrems II ruling, the Processor has assessed the legal regimes of relevant third countries and implements supplementary technical and organisational measures (such as encryption in transit, encryption at rest, and access controls) where required. A summary Transfer Impact Assessment (TIA) is available to the Data Controller on request.
9. Data Subject Rights
The Data Controller is responsible for responding to data subject requests. The Processor provides the following self-service tools so the Data Controller can fulfil these requests directly through the Services:
- Right of Access (Art. 15): Full account export as a downloadable JSON file from Profile → Export My Data
- Right to Rectification (Art. 16): Profile, event, and guest fields are editable directly in the application
- Right to Erasure (Art. 17): Per-guest delete, per-event delete (removes all associated guest data), and full account deletion from Profile → Delete Account
- Right to Data Portability (Art. 20): JSON export covering profile, events, guests, team memberships, and door-staff assignments
- Right to Restriction and Objection (Art. 18, 21): Honoured by the Data Controller through guest- or event-level deletion or by contacting the Processor
Where a data subject contacts the Processor directly, the Processor will, taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, insofar as possible.
10. Data Breach Notification
In the event of a personal data breach affecting Personal Data processed under this DPA, the Processor will:
- Notify the Data Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories and approximate numbers of affected data subjects
- Describe the likely consequences and measures taken or proposed to address the breach
- Provide contact details for further information
11. Audit Rights
The Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and the obligations laid down in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller, upon reasonable prior notice and subject to appropriate confidentiality obligations. The Processor may satisfy audit requests by providing existing third-party certifications, audit reports, or written responses where these adequately address the request.
12. Data Deletion and Return
12.1 Customer-Controlled Deletion
The Data Controller can permanently delete Personal Data from the production environment at any time using the self-service tools built into the Services:
- Per-guest deletion: Remove individual guests from any event
- Per-event deletion: Delete an event together with all of its guests, RSVPs, check-ins, team assignments and queued communications
- Full account deletion: Delete the Data Controller's account and all associated Personal Data (events, guests, check-ins, team memberships, door-staff assignments, SMTP settings, Stripe Connect linkage, profile and authentication record) from Profile → Delete Account
Deletions performed via these tools are executed immediately against the production database and cannot be undone through the Services; the only remaining copies are the encrypted backups described in Section 12.4, which expire on rotation. The Processor does not impose a retention period on the Data Controller and does not delete Personal Data on a fixed schedule; retention is determined by the Data Controller.
12.2 Export
Before deletion, the Data Controller may export all Personal Data associated with their account as a JSON file via Profile → Export My Data (Article 20 GDPR).
12.3 Termination of Services
On termination of the Services, the Data Controller is responsible for exporting and deleting Personal Data using the tools described above prior to closing the account. If Personal Data remains in the account at the time of termination, the Processor will, at the Data Controller's written request, delete or return the remaining Personal Data within a reasonable period and in any event no later than 30 days after the request, unless retention is required by Union or Member State law.
12.4 Backups
Encrypted backups are retained by the underlying database provider (Supabase) on a rolling schedule of up to 30 days. Personal Data deleted from the production environment is automatically purged from backups as the backup rotation expires. During this window backups are not used to serve the application, are not restored except for disaster recovery, and access to them is strictly limited to that purpose.
13. Liability and Indemnification
Each party's liability under this DPA shall be subject to the limitations of liability set out in the Terms of Service. Each party shall indemnify the other for damages resulting from non-compliance with their respective obligations under this DPA.
14. Term and Termination
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Data Controller. The DPA will automatically terminate upon termination of the Terms of Service. Sections that by their nature should survive termination (including confidentiality, audit rights for the period of processing, and deletion obligations) shall survive.
15. Governing Law and Jurisdiction
This DPA shall be governed by the laws of the Netherlands. The competent courts of Amsterdam, the Netherlands, shall have exclusive jurisdiction over any disputes arising out of or in connection with this DPA, without prejudice to any mandatory jurisdiction of the supervisory authority or the courts of the data subject's habitual residence under Article 79 GDPR.
16. Contact
For questions about this DPA or our data processing practices:
Processor: Brandum B.V. (trading as GuestlistOnline)
Address: Bachstraat 29, 1921EW Akersloot, Netherlands
KvK: 98509802 · VAT: NL868525698B01
Email: go@guestlistonline.com