Data Processing Agreement
GDPR-compliant data processing terms
Last Updated: February 4, 2026
Version: 1.0
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Data Controller") and GuestlistOnline (the "Processor" or "we") and governs the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Controller" means the Customer who determines the purposes and means of processing Personal Data
- "Data Processor" means GuestlistOnline, which processes Personal Data on behalf of the Data Controller
- "Sub-processor" means any third party appointed by GuestlistOnline to process Personal Data
- "Services" means the GuestlistOnline event management platform
2. Scope and Role of the Parties
2.1 Data Controller
The Customer acts as the Data Controller and determines the purposes and means of processing Personal Data of their event attendees, guests, and team members.
2.2 Data Processor
GuestlistOnline acts as the Data Processor and processes Personal Data solely on behalf of and in accordance with the documented instructions of the Data Controller.
3. Description of Processing
3.1 Subject Matter and Nature
GuestlistOnline provides an event management platform that enables the Data Controller to:
- Create and manage events
- Manage guest lists and attendee information
- Send email invitations and communications
- Process event registrations and RSVPs
- Manage check-ins and door scanning
- Process payments for paid events (via Stripe)
- Coordinate team members and staff
3.2 Categories of Personal Data
- Contact information (name, email address, phone number)
- Account information (username, password hash, profile picture)
- Event data (event attendance, RSVP status, check-in records)
- Payment information (processed by Stripe, not stored by GuestlistOnline)
- Communication preferences and notes
- IP addresses and device information (for security and analytics)
3.3 Categories of Data Subjects
- Event organizers (Customers)
- Event attendees and guests
- Team members and door staff
- Website visitors
3.4 Duration of Processing
GuestlistOnline processes Personal Data for the duration of the Customer's use of the Services and for the retention periods specified in our Privacy Policy (typically 2 years after an event, or until deletion by the Customer).
4. Data Controller Obligations
The Data Controller shall:
- Ensure it has all necessary legal bases for processing Personal Data
- Provide clear and transparent privacy notices to data subjects
- Ensure it has obtained all necessary consents
- Only provide instructions to GuestlistOnline that comply with applicable data protection laws
- Respond to data subject requests directly or via GuestlistOnline's self-service tools
5. Data Processor Obligations
GuestlistOnline shall:
- Process Personal Data only on documented instructions from the Data Controller
- Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Data Controller in responding to data subject requests
- Notify the Data Controller without undue delay after becoming aware of a personal data breach
- Delete or return all Personal Data to the Data Controller after the end of the provision of Services
- Make available all information necessary to demonstrate compliance with GDPR
6. Security Measures
GuestlistOnline implements the following security measures:
- Encryption: TLS/SSL encryption for all data transmission; encrypted storage for sensitive data
- Access Controls: Role-based access control; authentication required for all access
- Infrastructure: EU-hosted database (AWS eu-central-1, Frankfurt, Germany)
- Monitoring: Audit logging and security monitoring
- Backups: Regular automated backups with encryption
- Incident Response: Documented breach notification procedures
7. Sub-processors
7.1 General Authorization
The Data Controller provides general authorization for GuestlistOnline to engage Sub-processors for processing Personal Data.
7.2 Current Sub-processors
A current list of Sub-processors is available at: guestlistonline.com/subprocessors
Current Sub-processors include:
- Supabase (database): EU data hosting
- Vercel (hosting): Application infrastructure
- Stripe (payments): Payment processing
- Hostnet (email): Transactional email delivery
7.3 Changes to Sub-processors
GuestlistOnline will notify the Data Controller of any changes to Sub-processors via email or by updating the Sub-processors page. The Data Controller may object to new Sub-processors within 30 days of notification.
8. Data Transfers
Personal data is primarily stored and processed within the European Union (AWS eu-central-1, Frankfurt, Germany).
Where Sub-processors process data outside the EU, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Data Subject Rights
GuestlistOnline provides self-service tools to assist the Data Controller in fulfilling data subject rights:
- Right of Access: Data export functionality in account settings
- Right to Rectification: Profile editing capabilities
- Right to Erasure: Account deletion functionality
- Right to Portability: JSON data export
10. Data Breach Notification
In the event of a personal data breach, GuestlistOnline will:
- Notify the Data Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories and approximate numbers of affected data subjects
- Describe the likely consequences and measures taken or proposed to address the breach
- Provide contact details for further information
11. Audit Rights
GuestlistOnline shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for audits upon reasonable notice. The Data Controller may conduct audits or appoint independent auditors, subject to confidentiality obligations.
12. Data Deletion and Return
Upon termination of Services or at the Data Controller's request:
- The Data Controller may export all Personal Data using self-service tools
- GuestlistOnline will delete all Personal Data within 30 days unless legally required to retain it
- Deletion is irreversible and includes all copies and backups
13. Liability and Indemnification
Each party's liability under this DPA shall be subject to the limitations of liability set out in the Terms of Service. Each party shall indemnify the other for damages resulting from non-compliance with their respective obligations under this DPA.
14. Term and Termination
This DPA shall remain in effect for as long as GuestlistOnline processes Personal Data on behalf of the Data Controller. The DPA will automatically terminate upon termination of the Terms of Service.
15. Governing Law
This DPA shall be governed by the laws of the Netherlands and subject to the jurisdiction of the courts of Amsterdam, Netherlands.
16. Contact
For questions about this DPA or data processing practices:
Email: go@guestlistonline.com
Address: GuestlistOnline, Netherlands