Capitalized terms used but not defined in this DPA have the meanings given in the underlying agreement. “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and related terms have the meanings given under the GDPR.

Customer is the Controller of Customer Personal Data and Otaly is the Processor, processing Customer Personal Data only on Customer’s documented instructions, including those set out in the underlying agreement, this DPA, and the Customer’s use of the Services.

For California law, the parties acknowledge that Otaly is a “Service Provider” and Customer is a “Business.” Otaly will not (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than the business purpose specified in the agreement; or (c) combine Personal Data with personal information from other sources, except as permitted by law.

Subject matter: provision of the Services. Duration: for the term of the agreement and as long thereafter as Otaly retains Customer Personal Data in accordance with the agreement and applicable law. Nature and purpose: provision of the event platform, including registration, ticketing, communication, AI features (where enabled), analytics, and support.

Categories of data subjects: Customer’s end users, including event attendees, registrants, organizers, and members of the Customer’s organization. Categories of Personal Data: identification and contact data, registration and ticketing data, transaction metadata, content submitted by data subjects, device and usage data, and any additional data the Customer chooses to upload.

Otaly will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. A description of those measures is provided on our Security page and may be supplemented in writing on request.

Customer authorizes Otaly to engage subprocessors for the processing of Customer Personal Data. Otaly maintains an up-to-date list of subprocessors and will provide at least 30 days’ notice before adding or replacing a subprocessor that processes Customer Personal Data, allowing Customer a reasonable opportunity to object on reasonable grounds.

Otaly will impose data protection terms on each subprocessor that are no less protective than this DPA and remains liable for the acts and omissions of its subprocessors.

Otaly will, taking into account the nature of processing, provide reasonable assistance to Customer (including through appropriate technical and organizational measures) to enable Customer to respond to requests from data subjects to exercise their rights under Data Protection Laws.

Otaly will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide Customer with information reasonably required to fulfill Customer’s obligations under Data Protection Laws.

Where Otaly processes Customer Personal Data originating from the EEA, the United Kingdom, or Switzerland in a country that has not been deemed adequate, the parties agree to rely on the EU Standard Contractual Clauses (Module 2 or Module 3, as applicable) and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and completed by the parties’ details in the underlying agreement.

Otaly will make available to Customer on request information reasonably necessary to demonstrate compliance with this DPA, including security summaries or third-party audit reports when available under appropriate confidentiality terms. Where the Customer reasonably believes additional information is required to demonstrate compliance, the parties will discuss in good faith additional measures.

On termination of the agreement, Otaly will, at the Customer’s choice, delete or return all Customer Personal Data, except to the extent applicable law requires retention. Backups will be deleted in accordance with our standard backup retention schedule.

This DPA forms part of the underlying agreement and is effective on the agreement’s effective date or, if later, on the date Customer first activates the Services. To request a counter-signed copy of this DPA, please contact contact form.