DATA PROCESSING AGREEMENT

Last updated May 10, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between a customer using CheckInOS as an organizer ("Customer" or "Organizer") and the CheckInOS legal operator ("CheckInOS", "we", or "us") for the event management, attendee management, ticketing/QR, check-in, organization/team, authentication, and related services ("Services"). It applies where CheckInOS processes personal data on behalf of the Customer under the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection, or materially similar laws.

This page is a public summary of our processor commitments. The governing contract is your agreement with CheckInOS (for example, our Terms of Service) together with this DPA where applicable. For our own-account processing, see the Privacy Policy. For subprocessors, see the Subprocessor List. For cookies and similar technologies, see the Cookie Policy.

1. ROLES AND SCOPE

For personal data that the Customer uploads, imports, or otherwise instructs us to process for event administration, attendee lists, invitations, tickets/QR codes, check-in/check-out, organization or team workspaces, and related operational purposes, the Customer is generally the controller and CheckInOS is generally the processor, unless applicable law, the Privacy Policy, or a signed agreement states otherwise.

CheckInOS may act as an independent controller for its own purposes (for example account security, waitlist, terms acceptance records, platform abuse prevention, support, billing where enabled, and analytics where lawfully implemented). Identity providers such as Google or Microsoft, and Customer-connected integrations, are governed by their own terms and notices unless a specific processor relationship is confirmed in writing.

2. INSTRUCTIONS

We process Customer Personal Data only on documented instructions, including the agreement incorporating this DPA, product configuration, uploads, API use, support requests, and instructions from authenticated Customer administrators.

If we believe an instruction infringes applicable data protection law, we will inform the Customer unless EU or Member State law prohibits us from doing so.

3. PROCESSOR OBLIGATIONS (ARTICLE 28)

Where we act as processor, we will, in accordance with GDPR Article 28 (and equivalent provisions where applicable):

  • process personal data only on documented instructions;
  • ensure that persons authorized to process personal data are bound by confidentiality;
  • implement appropriate technical and organizational security measures;
  • engage subprocessors only on terms that meet Article 28 requirements and remain responsible for their performance of processing obligations;
  • assist the Customer with data subject requests, breach notifications, and (where applicable) data protection impact assessments and prior consultation, taking into account the nature of processing and information available to us;
  • delete or return personal data after the end of services or on documented instruction, subject to legal retention, security, and backup rotation; and
  • make available information necessary to demonstrate compliance and allow for audits as described below.

4. CUSTOMER RESPONSIBILITIES

The Customer is responsible for lawful basis, transparency to data subjects, minimizing data (including custom attendee fields), accuracy, retention choices, workspace access, exports, and connected applications. The Customer must not submit special-category data, criminal-offence data, children's data, or other high-risk personal data through the Services without prior written agreement with CheckInOS and appropriate safeguards.

5. NO SECONDARY USE OF ORGANIZER DATA

We do not use Customer-controlled attendee or event personal data for our own marketing, unrelated advertising, unrelated product analytics, model training, or unrelated profiling. We do not send independent promotional communications to attendees using organizer data; permitted communications are those necessary for the Services (for example transactional tickets, invitations, or service/security notices where lawful).

6. SECURITY

We implement measures appropriate to the risk, which may include authentication controls, access scoping for teams and events, password hashing, secure sessions, short-lived verification codes where used, signed time-limited QR/ticket tokens, and selected security and legal event logging. No method of transmission or storage is completely secure; organizers remain responsible for account hygiene, permissions, and secure handling of exports.

7. SUBPROCESSORS AND TRANSFERS

We may use subprocessors to provide the Services. The current list is published at /subprocessors. We will impose written data protection obligations on subprocessors. Where personal data is transferred outside the EEA, UK, or Switzerland, we use appropriate safeguards required by law (for example Standard Contractual Clauses, UK addenda, or adequacy decisions), as documented for each relevant vendor.

We will provide reasonable prior notice of intended changes to subprocessors. You may object on reasonable data protection grounds within the period stated in your main agreement or, if none, within 30 days of notice.

8. DATA SUBJECT REQUESTS

For requests relating to personal data processed on your behalf, we will assist you within a reasonable time so you can meet applicable deadlines. If we receive a request directly from an attendee or other data subject about data you control, we may refer them to you unless the law requires otherwise. We generally do not modify or delete your attendee records on a data subject's request alone without your instruction, except where the law requires us to act.

9. PERSONAL DATA BREACHES

If we become aware of a personal data breach affecting personal data we process for you as processor, we will notify you without undue delay and provide information reasonably available to us to help you meet your own notification obligations. Notice may be rolled out in phases as an investigation proceeds.

10. DELETION AND RETURN

After the end of the relevant Services or on your verified instructions, we will delete or return personal data we process as processor, subject to legal obligations, dispute resolution, security, fraud prevention, and backup cycles. Backup copies may persist until rotated or overwritten in the ordinary course, and are protected from routine processing. Specific timeframes may be set out in your order form or main agreement.

11. AUDITS

On reasonable request, we will make available information necessary to demonstrate compliance with our processor obligations. Audits are typically conducted remotely and may be satisfied through questionnaires, security summaries, and subprocessor documentation. On-site or intrusive audits are subject to confidentiality, security, availability limits, and the need to protect other customers. We may charge reasonable fees for repetitive or excessive audit requests where permitted by law and your agreement.

12. CONTACT

Questions about this DPA or processor processing may be sent to events@checkinos.com.

CheckInOS V.O.F
KvK: 42067930
Nieuwe Emmasingel 111
5611AM Eindhoven
Netherlands