Data Processing Agreement

Last updated: March 30, 2026

1 Definitions

This Data Processing Agreement ("DPA") is entered into between the event organizer ("Controller", "you") and ChetsApp UG, operating the EventMann platform ("Processor", "we", "us"). This DPA supplements the Organizer Agreement and Terms of Service.

The following definitions apply throughout this DPA:

  • Controller: The event organizer who determines the purposes and means of processing attendee personal data. When you create events and collect attendee information through EventMann, you are the Controller.
  • Processor: ChetsApp UG (EventMann), which processes personal data on behalf of the Controller in connection with the provision of the EventMann platform services.
  • Data Subject: An identified or identifiable natural person whose personal data is processed. In the context of EventMann, Data Subjects are primarily event attendees.
  • Personal Data: Any information relating to a Data Subject, including names, email addresses, booking information, and answers to custom checkout questions.
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, combination, erasure, or destruction.
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.

2 Scope of Processing

This DPA applies to all processing of personal data that ChetsApp UG performs on behalf of the Controller in connection with the EventMann platform. The Processor shall only process personal data on documented instructions from the Controller, except where processing is required by EU or member state law.

The processing covered by this DPA includes:

  • Storing and managing attendee registration and booking data
  • Processing ticket purchases and payment transactions (in conjunction with Stripe)
  • Sending transactional emails on behalf of the Controller (booking confirmations, ticket delivery, event updates)
  • Generating reports and analytics based on attendee and booking data
  • Facilitating check-in processes through QR code validation
  • Storing and delivering responses to custom checkout questions defined by the Controller

The Processor shall not process personal data for any purpose other than providing the EventMann platform services as described in this DPA and the Organizer Agreement, unless explicitly instructed by the Controller or required by applicable law.

3 Categories of Data

The following categories of personal data are processed under this DPA:

Attendee identification data:

  • Full name
  • Email address
  • Phone number (if provided or required by the Controller)

Booking and transaction data:

  • Booking reference numbers
  • Ticket type and quantity
  • Purchase date and time
  • Payment status (confirmed, pending, refunded)
  • Partial payment information (last 4 digits of card, card brand — received from Stripe)

Custom data fields:

  • Responses to custom checkout questions defined by the Controller (e.g., dietary requirements, company name, accessibility needs)

Technical data:

  • IP address at the time of booking
  • Browser and device information
  • QR code check-in timestamps

Special category data: The Processor does not intentionally collect or process special categories of personal data (e.g., health data, biometric data, religious beliefs). If the Controller configures custom checkout questions that elicit such data, the Controller is solely responsible for ensuring an appropriate legal basis and safeguards.

4 Purpose of Processing

Personal data is processed exclusively for the following purposes:

  • Contract performance: Processing bookings, issuing tickets, facilitating payments, and managing event attendance — all in service of the contract between the Controller (Organizer) and the Data Subject (Attendee).
  • Communication: Sending transactional emails including booking confirmations, ticket delivery, event updates, and cancellation notices on behalf of the Controller.
  • Event management: Enabling check-in functionality, managing attendee lists, processing refund requests, and facilitating ticket transfers as configured by the Controller.
  • Reporting: Generating aggregate and individual reports on ticket sales, attendance, revenue, and other metrics for the Controller's event management purposes.
  • Platform operation: Maintaining the security, availability, and performance of the EventMann platform, including fraud detection, abuse prevention, and technical troubleshooting.

The Processor shall not use personal data for its own marketing purposes, profiling, or any purpose unrelated to the provision of the EventMann platform services. Anonymized and aggregated data that cannot be linked to individual Data Subjects may be used by the Processor for platform improvement and statistical analysis.

5 Sub-processors

The Controller authorizes the Processor to engage the following sub-processors for the purposes described in this DPA:

  • Stripe, Inc. — Payment processing, transaction management, and payout facilitation. Stripe processes payment card data directly and is independently PCI-DSS Level 1 certified. Stripe's data processing terms apply to their handling of payment data. Location: United States, with EU data processing capabilities.
  • Hosting provider: Infrastructure hosting and data storage for the EventMann platform. All primary data is hosted within the European Union (Germany). The hosting provider processes personal data solely for the purpose of providing infrastructure services and is bound by a data processing agreement with ChetsApp UG.

The Processor will inform the Controller before adding or replacing any sub-processor. The Controller may object to a new sub-processor within 14 days of notification. If the Controller objects and the parties cannot reach a resolution, the Controller may terminate the affected services.

The Processor shall ensure that all sub-processors are bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the acts and omissions of its sub-processors.

6 Data Security Measures

The Processor implements the following technical and organizational measures to protect personal data, in accordance with Article 32 of the GDPR:

Technical measures:

  • Encryption in transit using TLS 1.3 for all data communications
  • Encryption at rest for databases containing personal data
  • Secure password hashing using bcrypt with appropriate cost factors
  • Role-based access control (RBAC) with granular permissions limiting access to personal data
  • Rate limiting and brute-force protection on authentication endpoints
  • Automated vulnerability scanning and dependency updates
  • Regular security patches and system updates

Organizational measures:

  • Access to personal data is restricted to authorized personnel on a need-to-know basis
  • All personnel with access to personal data are bound by confidentiality obligations
  • Audit logging of all access to and modifications of personal data
  • Incident response procedures for security events and data breaches
  • Regular review and testing of security measures
  • Data protection impact assessments for high-risk processing activities

These measures are reviewed and updated periodically to reflect changes in technology, threats, and regulatory requirements. The Controller may request information about specific security measures at any time.

7 Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Articles 15-22 of the GDPR, including:

  • Right of access (Art. 15): The Processor shall enable the Controller to view and export the personal data held about a specific attendee so that the Controller can provide the Data Subject with a copy of it and the information required under Art. 15(1).
  • Right to rectification (Art. 16): The Processor shall enable the Controller to correct inaccurate personal data through the platform's attendee management features.
  • Right to erasure (Art. 17): Upon request from the Controller, the Processor shall delete personal data of specific Data Subjects, except where retention is required by law (e.g., financial records under German commercial law).
  • Right to restriction (Art. 18): The Processor shall support the Controller in restricting processing of personal data where the Data Subject contests accuracy or objects to processing.
  • Right to data portability (Art. 20): The Processor shall provide data export functionality in CSV and JSON formats to facilitate portability.
  • Right to object (Art. 21): The Controller is responsible for handling objections to processing and instructing the Processor accordingly.

If the Processor receives a request directly from a Data Subject, the Processor shall promptly notify the Controller and shall not respond to the request directly unless authorized by the Controller or required by law.

8 Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. This deadline is distinct from the Controller's own obligation under Article 33 of the GDPR to notify the supervisory authority within 72 hours of the Controller becoming aware of the breach; the Processor will therefore notify as early as practicable so that the Controller has time to meet its own deadline.

The breach notification shall include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of the Processor's data protection point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

The Processor shall cooperate fully with the Controller in investigating and remediating the breach, including:

  • Providing additional information as it becomes available
  • Taking immediate steps to contain the breach and prevent further unauthorized access
  • Assisting the Controller with notifications to Data Subjects where required under Article 34 of the GDPR
  • Preserving evidence and logs relevant to the breach investigation

The Processor shall document all personal data breaches, including the facts, effects, and remedial actions taken, regardless of whether notification to the supervisory authority is required.

9 Data Deletion & Return

Upon termination of the Organizer Agreement or upon the Controller's written request, the Processor shall:

  • Return data: Provide the Controller with a complete export of all personal data processed on the Controller's behalf, in a structured, commonly used, machine-readable format (CSV or JSON).
  • Delete data: Delete all personal data from the Processor's systems within 30 days of receiving the Controller's written deletion request or within 30 days of termination of the agreement, whichever occurs first.
  • Confirm deletion: Provide written confirmation of data deletion upon the Controller's request.

Exceptions to deletion: The Processor may retain personal data beyond the deletion deadline where required by applicable law, including:

  • Financial transaction records required under German commercial law (HGB Section 257) — retained for up to 10 years
  • Tax-relevant records required under the German Fiscal Code (AO Section 147) — retained for up to 10 years
  • Data required for the establishment, exercise, or defense of legal claims

Where data is retained under a legal obligation, it shall be restricted from further processing and protected with appropriate security measures. The Processor shall inform the Controller of any legal retention obligations that prevent complete deletion.

Backup copies containing personal data shall be overwritten through the normal backup rotation cycle, which does not exceed 90 days.

10 Governing Law

This Data Processing Agreement is governed by and construed in accordance with the provisions of the EU General Data Protection Regulation (Regulation (EU) 2016/679), in particular Article 28, which sets out the requirements for data processing agreements between controllers and processors.

To the extent that the GDPR does not address a particular issue, this DPA shall be governed by the laws of the Federal Republic of Germany, including the German Federal Data Protection Act (BDSG). Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Munich (München), Germany.

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced with a valid provision that achieves the original purpose as closely as possible.

This DPA is effective as of the date the Controller creates an organizer account on EventMann and remains in effect for the duration of the Organizer Agreement plus any applicable data retention periods. This DPA may be amended by the Processor with 30 days' prior notice to the Controller. Continued use of the platform after the notice period constitutes acceptance of the amended terms.

ChetsApp UG
Pecserstr 55, 70736 Fellbach, Germany