Last updated June 3, 2026
This Data Processing Agreement (DPA) forms part of the agreement between a customer using CheckInOS as an organizer (Customer or Organizer) and CheckInOS V.O.F (CheckInOS, we, us) for event management, attendee management, ticketing, check-in, and related services (Services). It applies where CheckInOS processes personal data on behalf of the Customer under the EU GDPR, UK GDPR, Swiss FADP, or similar laws.
This DPA sets out processor commitments aligned with GDPR Article 28(3) together with the Annex below. The governing contract is your agreement with CheckInOS (including our Terms of Service). See also the Privacy Policy, Subprocessor List, and Cookie Policy.
For personal data the Customer uploads, imports, or instructs us to process for events, attendees, tickets, check-in, and related operations, the Customer is generally the controller and CheckInOS is the processor.
CheckInOS acts as an independent controller for its own account security, billing, terms acceptance logs, platform abuse prevention, and similar purposes described in the Privacy Policy.
Where we act as processor, we will comply with Article 28(3) requirements, including:
The Customer is responsible for lawful basis, privacy notices to attendees, data minimization, accuracy, retention choices, workspace access controls, and responses to data subject requests for data it controls. The Customer must not submit special-category or children's data without prior written agreement and appropriate safeguards.
We do not use Customer-controlled attendee data for our own marketing, unrelated advertising, model training, or unrelated profiling. Permitted communications are transactional or service-related (e.g. tickets, invitations, security notices).
We maintain measures appropriate to risk, including:
No system is perfectly secure. The Customer remains responsible for credential hygiene, exports, and permissions on its side.
Current subprocessors are listed at /subprocessors with added dates and status. We impose data protection obligations on subprocessors. International transfers use appropriate safeguards (e.g. SCCs) where required.
We will give reasonable prior notice of intended subprocessor changes by email to organization owners/admins and/or in-product notice, and by updating /subprocessors with the effective date. The Customer may object on reasonable data protection grounds within 30 days of notice.
If the Customer objects on reasonable grounds and we cannot reasonably accommodate the objection (for example by an alternative subprocessor or configuration), the Customer may terminate the affected Services or the agreement to the extent required by law, without penalty for that portion, or we may suspend use of the new subprocessor for that Customer's data until resolved.
Duration: For the term of the Customer's use of the Services and as stated in Section 10 (deletion/return).
Subject matter: Event management, attendee registration, ticketing, check-in/check-out, communications, and related operations via CheckInOS.
Categories of data subjects: Event attendees, ticket buyers, invitees, and Customer personnel using the platform.
Types of personal data: Identity and contact data (name, email), ticket/registration data, check-in timestamps, custom fields configured by the Customer, and related operational metadata.
Nature and purpose of processing: Storage, organization, transmission, ticketing, QR validation, analytics for the Customer, and transactional messaging on documented instructions.
We will assist the Customer, taking into account processing nature and available information, so the Customer can fulfill data subject rights (access, rectification, erasure, restriction, portability where applicable) within reasonable timeframes.
If we receive a request about data the Customer controls, we may refer the data subject to the Customer. We generally do not delete or alter Customer attendee records without Customer instruction, except where law requires us to act.
If we become aware of a personal data breach affecting Customer personal data we process as processor, we will notify the Customer without undue delay and provide information reasonably available to help the Customer meet its notification obligations to authorities and data subjects.
We will cooperate with the Customer's investigation and mitigation efforts, including implementing reasonable containment steps where within our control. Notice may be provided in phases as facts develop. Automated breach detection is not guaranteed.
Where a data protection impact assessment (DPIA) or prior consultation with a supervisory authority is required in connection with the Customer's use of the Services, we will provide reasonable assistance with available documentation (processing description, subprocessors, TOMs summary) upon request, subject to confidentiality and proportionality.
On verified instruction or end of Services, we will delete or return Customer personal data we process as processor, except where retention is required by law, dispute resolution, security, or backup rotation.
Attendee retention policy (target): one year after an event ends, traceable attendee identifiers (name, email, custom fields) should be removed or anonymized; anonymized event and attendee IDs may be retained for organizer analytics. Automated enforcement is planned via a scheduled worker—until then, Customers may request manual processing. See Privacy Policy for platform-account retention.
On reasonable request, we provide information to demonstrate compliance. Audits are typically remote (questionnaires, security summaries, subprocessor documentation). Intrusive or on-site audits require mutual scheduling, confidentiality, and may incur reasonable fees for repetitive requests where permitted.
CheckInOS V.O.F KvK: 42067930 Nieuwe Emmasingel 111, 5611AM Eindhoven, Netherlands