Version v1.0 — Effective 10 April 2026

Data Processing Agreement

The processor terms for personal data of event Attendees under Article 28 of the GDPR. Forms an integral part of the Terms of Service whenever an Organizer processes Attendee data through the Platform.

Provider: Michal Král
Business ID: 07526521
Seat: Bohuslava Martinů 1559, 258 01 Vlašim, Czech Republic
Registered in: Trade Licensing Register
Contact: info@entrylog.eu


This Data Processing Agreement (the "DPA") is an integral part of the Terms of Service between the Provider and the Customer and governs the processing of Personal Data of Attendees. The DPA applies whenever a Customer (as data controller) uses the Platform to process Personal Data of Attendees (data subjects) through the Service.


1. Parties and Definitions

1.1 Parties. The parties to this DPA are:

  • Controller: the Customer (Organizer) who collects and uploads Personal Data of Attendees into the Platform and determines the purposes and means of processing; and
  • Processor: Michal Král, the Provider, who processes Personal Data of Attendees solely on the documented instructions of the Controller through the Platform.

1.2 Relationship. The relationship between the Controller and Processor is governed by Article 28 of Regulation (EU) 2016/679 (the "GDPR") and Chapter II, Article 24 of Act No. 110/2019 Coll., on the processing of personal data (the "Czech Personal Data Protection Act").

1.3 Definitions. In this DPA, unless otherwise defined herein, capitalized terms have the meanings set out in the Terms of Service. In addition:

  • "Personal Data" means any information relating to an identified or identifiable natural person (Article 4(1) GDPR), including Attendees' names, email addresses, custom fields, check-in timestamps, email delivery state, feedback submissions, and technical identifiers.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates — in this DPA, Attendees.
  • "Processing" has the meaning given in Article 4(2) GDPR.
  • "Sub-processor" means any entity authorized by the Processor to process Personal Data on its behalf (Article 28(2) GDPR).
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (Article 4(12) GDPR).
  • "Technical and Organizational Measures" or "TOMs" means the technical and organizational safeguards required by Article 32 GDPR to protect Personal Data.

2. Subject Matter and Scope

2.1 This DPA regulates the processing of Personal Data of Attendees by the Processor on behalf of the Controller in connection with the provision of the Service.

2.2 The DPA applies to all processing of Attendee Personal Data carried out by the Processor, whether performed within the EU or via authorized Sub-processors, and covers all aspects of the relationship described in Article 28(3) GDPR.


3. Role of the Parties

3.1 Controller responsibilities. The Controller (Organizer) is responsible for:

  • determining the purposes, scope, and lawful basis for processing Attendee Personal Data;
  • ensuring that processing is lawful under the GDPR and applicable national law;
  • providing clear, documented instructions to the Processor concerning the processing of Attendee Personal Data;
  • obtaining any necessary legal basis (such as consent) and providing transparency information to Attendees;
  • responding to data-subject rights requests; and
  • assisting the Processor in meeting its obligations under Articles 32–36 GDPR.

3.2 Processor responsibilities. The Processor (EntryLog) is responsible for:

  • processing Personal Data only in accordance with documented instructions from the Controller;
  • implementing TOMs to ensure a level of security appropriate to the risk;
  • assisting the Controller with data-subject rights requests and other GDPR obligations;
  • notifying the Controller of Personal Data Breaches without undue delay;
  • maintaining records of processing activities;
  • not engaging Sub-processors without the Controller's authorization; and
  • otherwise performing the obligations set out in this DPA and Article 28(3) GDPR.

4. Nature and Purpose of Processing

4.1 The Processor processes Attendee Personal Data for the purpose of providing the Service, which includes:

  • storing and organizing Attendee records (names, emails, custom fields);
  • enabling Check-in functionality (recording timestamps and check-in state);
  • delivering transactional and campaign emails on the Controller's behalf;
  • tracking email delivery state (sent, delivered, bounced, complained);
  • collecting Attendee feedback;
  • managing digital passes and QR codes;
  • maintaining technical logs and audit trails; and
  • otherwise fulfilling the functionalities described in the Terms of Service.

4.2 The Processor performs no independent processing beyond what is necessary to provide the Service. The purposes of processing are determined solely by the Controller.


5. Types of Personal Data and Categories of Data Subjects

5.1 Categories of Data Subjects. The Data Subjects are Attendees — natural persons invited, registered, or admitted to an Event by the Organizer through the Platform. Attendees are not Customers and do not enter into a contract with the Provider.

5.2 Categories of Personal Data. The Processor processes the following categories of Personal Data:

  • Identity data: name, email address;
  • Custom fields: any custom fields the Organizer collects during registration or import, which may include (at the Organizer's discretion) dietary restrictions, accessibility requirements, professional information, or other information;
  • Event data: check-in status, check-in timestamps, email delivery state (sent, delivered, bounced, complained), feedback submissions, pass/QR tokens, registration state;
  • Technical identifiers: unique hash tokens used in attendee pass URLs, session metadata, IP addresses (in server logs), user agents, service worker cache metadata.

5.3 Special-category data. The Processor does not intentionally or directly collect special-category data (data revealing race, ethnicity, political opinion, religious belief, trade union membership, genetic data, biometric data for identification, health data, or sex life data) as defined in Article 9 GDPR. However, Organizers may voluntarily upload such data as custom fields (for example, dietary restrictions or accessibility notes). The Organizer bears sole responsibility for ensuring lawful processing of any special-category data. The Processor merely stores and processes such data as instructed by the Organizer and does not perform any automated decision-making or profiling based on special categories.


6. Duration of Processing

6.1 Active processing period. The Processor processes Attendee Personal Data for the duration the Event is active and operational within the Platform.

6.2 Retention after event end. After an Event ends, Attendee Personal Data is retained according to the following schedule:

  • Attendee account data: retained for 12 months following the Event end date, then deleted or anonymized;
  • Check-in logs: retained for 24 months;
  • Email delivery logs: retained for 12 months;
  • Feedback submissions: retained until the Organizer deletes them or until the Account is closed;
  • Database backups: retained for 90 days as part of the standard backup lifecycle, then expired.

6.3 Retention on termination. Upon termination of the Controller-Processor relationship (closure of the Account), the Processor follows the data lifecycle set out in Article 10 (§ 4) of the Terms of Service:

  • Day 0: Account enters soft-delete. Data retained for 30 days. Recovery possible on written request.
  • Day 30: Hard-delete. All Organizer and Attendee Personal Data purged from the primary database.
  • Day 30–120: Residual copies may remain in encrypted backups until the 90-day backup retention window rolls over.
  • Indefinite: Anonymized aggregate statistics (containing no Personal Data) may be retained without time limit.

6.4 Mandatory retention exceptions. Invoices and billing records are retained for 10 years per Act No. 563/1991 Coll. on accounting. Deletion cannot occur earlier and overrides any data-subject erasure request to the extent such records are required by law.


7. Obligations of the Processor

7.1 Processing on Documented Instructions

7.1.1 The Processor processes Attendee Personal Data only on documented instructions from the Controller. The Controller's documented instructions are:

  • the features, settings, and configurations available through the Platform interface; and
  • any specific written instructions provided to the Processor at info@entrylog.eu.

7.1.2 Use of the Service through its documented features and default functionality constitutes a standing, continuing instruction from the Controller to the Processor to perform that processing. The Processor will not process Personal Data in any manner inconsistent with the Controller's explicit configuration of the Service.

7.1.3 If the Processor receives an instruction from the Controller that the Processor believes is unlawful or inappropriate (for example, mass deletion of Attendee records in violation of data-subject rights), the Processor will notify the Controller in writing and may defer processing pending clarification.

7.2 Confidentiality

7.2.1 The Processor ensures that any person authorized to process Personal Data on the Processor's behalf is subject to a binding obligation of confidentiality (whether by employment contract, non-disclosure agreement, or equivalent legal obligation) that is equivalent to the confidentiality obligations imposed by this DPA.

7.2.2 Confidentiality obligations survive termination of employment or engagement.

7.3 Sub-processors

7.3.1 The Processor may only engage Sub-processors with the prior written authorization of the Controller. Details of authorized Sub-processors and their processing activities are set out in Annex II.

7.3.2 Where the Processor changes, adds, or removes a Sub-processor, the Processor will notify the Controller in advance by written notice (email to the Controller's registered contact) together with a republication of this DPA reflecting the change in Annex II.

7.3.3 The Processor will provide at least thirty (30) days advance notice before any new or replacement Sub-processor begins to process Attendee Personal Data. If the Controller objects on reasonable data-protection grounds, the Controller may terminate the affected processing by providing written notice before the change takes effect. If the Controller and Processor cannot resolve the objection, the Controller may terminate the Contract in full without penalty.

7.3.4 The Processor remains fully liable to the Controller for the performance of any Sub-processor's obligations.

7.4 Security and Protection of Personal Data

7.4.1 The Processor implements industry-standard Technical and Organizational Measures to protect Attendee Personal Data against unlawful or unauthorized processing and against accidental loss, destruction, or damage. These measures include TLS encryption in transit, encryption at rest, strict access controls, and regular security updates. Details are set out in Annex III.

7.4.2 The Processor ensures that persons authorized to process Personal Data have committed to confidentiality and are authorized only to process Personal Data as instructed.

7.4.3 The Processor implements and maintains appropriate technical and organizational safeguards in accordance with Article 32 GDPR.

7.5 Personal Data Breach Notification

7.5.1 The Processor will notify the Controller of any known or suspected Personal Data Breach without undue delay and in any event within 72 hours of becoming aware of the Breach. Notification will be made by email to the Controller's registered contact address.

7.5.2 The Processor's notification will include, to the extent known at the time of notification:

  • (a) the nature and scope of the Breach (what data was affected, how many Attendees);
  • (b) the likely consequences for the Attendees (risk level: low, medium, high);
  • (c) the identity and contact details of the Processor's point of contact;
  • (d) the measures the Processor has taken or proposes to take to address the Breach and mitigate harm;
  • (e) the date and time the Breach was discovered; and
  • (f) information to assist the Controller in meeting its own notification obligations under Articles 33 and 34 GDPR.

7.5.3 The Processor maintains an internal breach register recording the date of discovery, facts of the Breach, effects, and remedial actions, in compliance with Article 33(5) GDPR.

7.5.4 The Processor notifies the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ) within 72 hours of becoming aware of a Breach, unless the Breach is unlikely to result in a risk to the rights and freedoms of natural persons, in accordance with Article 33 GDPR.

7.6 Assistance with Data-Subject Rights

7.6.1 The Processor will assist the Controller in fulfilling the Controller's obligation to respond to data-subject requests for access, rectification, erasure, restriction, objection, and portability (Articles 15–22 GDPR) by:

  • (a) making available tools and functionality within the Platform for the Controller to manage and export Attendee data;
  • (b) providing the Controller with information necessary to respond to data-subject requests; and
  • (c) cooperating with the Controller in expedited erasure, restriction, or other action as instructed.

7.6.2 If the Processor receives a data-subject access request, erasure request, or other rights request directed at the Processor and concerning Attendee Personal Data, the Processor will:

  • (a) forward the request to the Controller without undue delay;
  • (b) not respond directly to the data subject without instructions from the Controller; and
  • (c) assist the Controller in responding as instructed.

7.6.3 The Processor will assist the Controller in responding to Controller requests that include disclosure of information concerning the processing of Attendee Personal Data, where required by supervisory authorities or courts.

7.7 Assistance with Data Protection Impact Assessments

7.7.1 The Processor will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) as required by Article 35 GDPR, including providing information about the Processor's security measures, data handling practices, and Sub-processors.

7.8 Cooperation with Supervisory Authorities

7.8.1 The Processor will cooperate with the Czech Office for Personal Data Protection (ÚOOÚ) and other supervisory authorities, including:

  • (a) responding to information requests from the supervisory authority;
  • (b) permitting audits and inspections as described in Section 15 below; and
  • (c) assisting the Controller in fulfilling its own obligations to cooperate.

7.9 Deletion or Return of Personal Data

7.9.1 At the end of the provision of the Service (whether due to expiry of a fixed term, termination for cause, termination for convenience, or closure of the Controller's Account), the Processor will, at the Controller's request and choice:

  • (a) delete all Attendee Personal Data and existing copies thereof, unless Union or Czech law requires retention; or
  • (b) return all Attendee Personal Data to the Controller in a structured, commonly used, machine-readable format (subject to Annex II export capabilities).

7.9.2 The Processor may retain Personal Data in encrypted backups for up to 90 days following the date of deletion or return, as part of the standard backup retention lifecycle. After that period, backups containing Personal Data are deleted.

7.9.3 Invoices and accounting records are retained for 10 years per Act No. 563/1991 Coll. on accounting and are not deleted earlier or on request.


8. Sub-processors and Authorized Changes

8.1 The Controller authorizes the Processor to engage the Sub-processors listed in Annex II for the processing of Attendee Personal Data. Annex II identifies each Sub-processor, its location, its processing purpose, and reference to its transfer mechanism (e.g., Standard Contractual Clauses) where applicable.

8.2 Annex II of this DPA is the complete and authoritative record of all Sub-processors engaged in the processing of Attendee Personal Data as of the effective date. Changes to Annex II are published by way of a new version of this DPA issued in accordance with Section 7.3.

8.3 The Processor will not engage any new Sub-processor without providing the Controller with at least thirty (30) days advance written notice by email to the Controller's registered contact. If the Controller objects on reasonable data-protection grounds, the Processor and Controller will attempt in good faith to resolve the objection. If no resolution is reached before the change takes effect, the Controller may terminate the affected processing or the Contract in full without penalty, as provided in Section 7.3.3.

8.4 Each Sub-processor is bound by written data-processing terms at least as stringent as those in this DPA.


9. International Transfers

9.1 Location of primary storage. All Attendee Personal Data is stored and processed within the European Union (Czech Republic) by the Processor. The Processor's primary servers, database, and backup infrastructure are located in the Czech Republic.

9.2 Sub-processor transfers. Some authorized Sub-processors may be located outside the European Economic Area (EEA) or may transfer Personal Data to countries outside the EEA. In such cases, the Processor relies on:

  • (a) Standard Contractual Clauses (SCCs) published by each Sub-processor in their standard Data Processing Agreement or Privacy Policy;
  • (b) adequacy decisions issued by the European Commission under Article 45 GDPR; or
  • (c) other appropriate safeguards recognized by the GDPR.

9.3 For each Sub-processor transferring Personal Data outside the EEA, Annex II identifies the jurisdiction and the transfer mechanism (e.g., "SCCs per Sub-processor DPA"). The Controller may review each Sub-processor's published standard DPA or transfer documentation to verify compliance.

9.4 The Processor will notify the Controller promptly of any change in a Sub-processor's location or transfer mechanism.


10. Security of Processing

10.1 The Processor implements Technical and Organizational Measures as described in Article 32 GDPR. The measures implemented by the Processor are set out in detail in Annex III.

10.2 General principles. The Processor applies TOMs designed to ensure a level of security appropriate to the risk of unauthorized or unlawful processing, accidental loss, destruction, or damage to Attendee Personal Data. The TOMs are based on the following principles and objectives:

  • Pseudonymization and encryption where feasible;
  • Confidentiality (preventing unauthorized access);
  • Integrity (preventing unauthorized or undetected alteration);
  • Availability and resilience (maintaining service continuity and restoring access after incidents);
  • Regular testing and evaluation of TOM effectiveness.

10.3 Industry-standard measures. The Processor implements industry-standard technical and organizational measures, including:

  • TLS encryption in transit (HTTPS/TLS 1.2+);
  • encryption at rest for sensitive data;
  • strict access controls (role-based, least-privilege principle);
  • regular security updates and patches;
  • audit logging and monitoring;
  • secure deletion of data.

10.4 Annex III. For additional details on the categories of TOMs, see Annex III of this DPA.


11. Personal Data Breach Notification

11.1 72-hour notification. Upon becoming aware of a Personal Data Breach affecting Attendee Personal Data, the Processor will notify the Controller without undue delay and in any event within 72 hours, unless the Breach poses no risk to the rights and freedoms of Attendees.

11.2 Content of notification. The notification will include the information described in Section 7.5.2 above, to the extent known at the time.

11.3 ÚOOÚ notification. The Processor will notify the Czech supervisory authority (ÚOOÚ) within 72 hours of becoming aware of a Breach if the Breach is likely to result in a risk to the rights and freedoms of natural persons, in accordance with Article 33 GDPR.

11.4 Breach register. The Processor maintains a register of all Breaches (whether or not notification was required) in accordance with Article 33(5) GDPR.


12. Assistance with Data Protection Impact Assessments

12.1 The Processor will cooperate with the Controller and provide information and assistance necessary to carry out a Data Protection Impact Assessment (DPIA) as required by Article 35 GDPR, including providing details about:

  • the nature and scope of processing activities;
  • the Technical and Organizational Measures implemented;
  • any known or foreseen risks and mitigation measures;
  • Sub-processors and their processing practices.

13. Assistance with Data Subject Rights

13.1 Access and export. The Processor makes available within the Platform tools enabling the Controller to access and export Attendee Personal Data in machine-readable formats, facilitating the Controller's response to data-subject access requests (Article 15 GDPR) and portability requests (Article 20 GDPR).

13.2 Rectification and erasure. The Processor provides functionality within the Platform enabling the Controller to rectify inaccurate Attendee data and to delete Attendee records, facilitating the Controller's fulfillment of rectification and erasure requests (Articles 16 and 17 GDPR).

13.3 Direct requests to the Processor. If a data subject sends an access request, erasure request, or other rights request directly to the Processor (at info@entrylog.eu) concerning Attendee Personal Data, the Processor will:

  • (a) inform the data subject that they should contact the Controller (Organizer);
  • (b) forward the request to the Controller without undue delay; and
  • (c) provide the data subject with the Controller's contact information.

14. Deletion and Return of Personal Data at End of Processing

14.1 Termination obligation. Upon termination of the Contract (whether by the Controller or by the Processor), or upon the Controller's instruction, the Processor will delete all Personal Data of Attendees, or, at the Controller's choice, will return such Personal Data in a structured, commonly used, machine-readable format suitable for import into other systems.

14.2 Timing. Deletion will be completed within 30 days of the termination date, as described in Article X § 4 of the Terms of Service (Day 0: soft-delete; Day 30: hard-delete from primary database).

14.3 Backup retention. The Processor may retain Attendee Personal Data in encrypted database backups for up to 90 days following deletion from the primary database, as part of the standard backup retention window. Once the 90-day backup window rolls over, backups containing such data are deleted.

14.4 Exceptions. The Processor is not required to delete invoices or billing records, which must be retained for 10 years per Act No. 563/1991 Coll. on accounting.


15. Audit Rights

15.1 Audit and inspection rights. The Controller has the right to audit the Processor's compliance with this DPA and the GDPR, exercised as follows:

15.2 Information requests. The Controller may request information about the Processor's processing of Attendee Personal Data, security measures, Sub-processors, and compliance with this DPA. The Processor will provide such information within 30 days of the request (or a longer period if the request is unusually complex).

15.3 On-site audits. The Controller may conduct an on-site audit or inspection of the Processor's facilities and systems, subject to the following conditions:

  • (a) Reasonable notice: The Controller will provide at least 30 days' advance written notice to the Processor;
  • (b) Reasonable scope: The audit will be limited to the Processor's processing of Attendee Personal Data and compliance with this DPA. Audits of unrelated activities, systems, or third-party infrastructure are not permitted;
  • (c) Frequency: No more than once per calendar year without cause. Additional audits may be conducted if the Processor has materially breached this DPA or GDPR, or in response to a supervisory-authority investigation;
  • (d) Timing: During normal business hours, and scheduled at a time convenient to both parties;
  • (e) Costs: The Controller will bear the full costs of the audit, including the Processor's reasonable time costs;
  • (f) Confidentiality: The Controller and its auditors are bound by a confidentiality obligation with respect to any proprietary or sensitive information discovered during the audit;
  • (g) Non-disruptive: The audit will be conducted in a manner that does not disrupt the Processor's operations or the Service.

15.4 Supervisory authority cooperation. In the event of an audit or investigation by a supervisory authority (such as ÚOOÚ), the Processor will cooperate fully and will make the Controller's audit rights available to the supervisory authority where legally required.

15.5 Certification. The Processor may, at its sole discretion, provide the Controller with a certificate or attestation of compliance prepared by an independent auditor, as an alternative to a full on-site audit.


16. Liability

16.1 Limitation of liability. Liability arising under or related to this DPA is subject to the limitation of liability provisions set out in Article VIII § 3 of the Terms of Service, which provides that the Processor's total aggregate liability to the Controller arising out of or in connection with a single Event shall not exceed the higher of (a) the Activation Fee paid for that Event and (b) 15,000 CZK.

16.2 Mandatory law exception. Notwithstanding Section 16.1, the Processor does not limit or exclude:

  • (a) any liability that cannot be limited under mandatory law, including under § 2898 of Act No. 89/2012 Coll., the Civil Code (liability for intentionally caused or grossly negligent harm);
  • (b) liability for death or personal injury caused by negligence;
  • (c) liability under Article 82 GDPR (the data subject's direct right to claim compensation for material or non-material damage); or
  • (d) any other liability that mandatory Czech or EU law does not permit to be limited or excluded.

16.3 Interaction with T&Cs. This DPA incorporates the liability cap of the Terms of Service by reference. In the event of any conflict between this DPA and the Terms of Service concerning Personal Data processing, this DPA prevails; otherwise, the Terms of Service prevail.


17. Duration and Termination

17.1 Commencement. This DPA is effective as of the effective date stated at the beginning of this document and applies from the moment the Controller first processes Attendee Personal Data through the Platform.

17.2 Continuation. This DPA remains in effect for so long as the Processor processes Attendee Personal Data on behalf of the Controller.

17.3 Termination. This DPA terminates automatically upon termination of the Contract between the Controller and the Processor, as described in Article X of the Terms of Service.

17.4 Survival. The Controller's audit rights (Section 15), the Processor's confidentiality obligations (Section 7.2), and the Processor's liability framework (Section 16) survive termination for as long as they remain relevant, and in any event for a period of two years following termination, unless a longer period is required by mandatory law.


18. Governing Law and Jurisdiction

18.1 Governing law. This DPA is governed by the laws of the Czech Republic, in particular Act No. 89/2012 Coll., the Civil Code, and Act No. 110/2019 Coll., on the processing of personal data.

18.2 Jurisdiction. The parties agree on the jurisdiction of Czech courts. For Business Customers, the court of first instance locally competent by reference to the Provider's seat is Okresní soud v Benešově. Consumers retain any mandatory rights to bring proceedings in the courts of their home member state.


19. Order of Precedence

19.1 In the event of any conflict between this DPA and the Terms of Service concerning the processing of Attendee Personal Data, this DPA takes precedence.

19.2 For all other matters not related to Personal Data processing, the Terms of Service prevail.


20. Miscellaneous

20.1 Language. This DPA is published in English and Czech. Both versions are binding; in the event of any conflict, the Czech version prevails.

20.2 Entire agreement. This DPA, together with the Terms of Service, Privacy Policy, AUP, and any other incorporated documents, constitutes the entire agreement between the parties with respect to the processing of Attendee Personal Data and supersedes all prior communications and proposals.

20.3 Severability. If any provision of this DPA is held invalid, illegal, or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision is replaced by a valid provision that most closely reflects the economic intent of the original.

20.4 Notices. All notices under this DPA shall be given by email to the contact address specified in the Terms of Service (Provider: info@entrylog.eu; Controller: the registered contact email on the Account). A notice is deemed delivered on the business day following transmission.

20.5 No waiver. The failure of either party to enforce any provision of this DPA shall not be construed as a waiver of such provision or of the right to enforce it at a later time.


Annex I — Details of Processing

Subject Matter and Scope

The Processor processes Attendee Personal Data to enable the Service as described in Article III of the Terms of Service.

Nature and Purpose of Processing

The Processor processes Attendee Personal Data for the following purposes:

  1. Storage and organization of Attendee records;
  2. Facilitation of Check-in functionality (QR code scanning, timestamp recording);
  3. Delivery of transactional and campaign emails;
  4. Tracking email delivery status (delivery, bounce, complaint);
  5. Collection and storage of Attendee feedback;
  6. Management of digital passes and pass tokens;
  7. Maintenance of security and audit logs;
  8. Support of Platform functionality as configured by the Organizer.

Categories of Data Subjects

  • Attendees: natural persons invited, registered, or admitted to an Event through the Platform.

Categories of Personal Data

  • Identity data: name, email address;
  • Custom fields: dietary restrictions, accessibility requirements, professional information, or other data collected by the Organizer;
  • Event and transactional data: check-in status, check-in timestamps, email delivery state, feedback submissions, pass tokens, registration state;
  • Technical data: IP addresses (in server logs), user agents, session metadata, service worker cache metadata.

Special-Category Data

The Processor does not intentionally collect special-category data. Organizers may voluntarily upload special-category data as custom fields. The Organizer bears sole responsibility for ensuring lawful processing. The Processor does not perform automated decision-making based on special categories.

Duration of Processing

  • Active Event: Attendee Personal Data is processed while the Event is active.
  • After Event end: 12 months for most Attendee data; 24 months for check-in logs; 12 months for email delivery logs.
  • On Account termination: 30 days soft-delete, then hard-delete on Day 30; residual backups for up to 90 days.
  • Invoices: 10 years (mandatory legal retention).

Annex II — Sub-processors

This Annex is the complete and authoritative list of Sub-processors authorized by the Controller to process Attendee Personal Data as of the effective date of this DPA. Any change is notified in accordance with Section 8 of this DPA and implemented through a republication of this DPA.

Sub-processors used by the EntryLog application (app.entrylog.eu):

| Sub-processor | Operator | Jurisdiction | Purpose | Transfer mechanism |
|---|---|---|---|---|
| Stripe | Stripe Payments Europe Ltd. | Ireland (EU) | Payment processing for Organizer billing (Activation Fees). Does not process Attendee Personal Data under ordinary operation. | Intra-EU processing; Stripe's standard Data Processing Addendum applies. |
| MailerSend | MailerLite Ltd. | Ireland (EU) | Delivery of transactional emails and Email Campaigns to Attendees. | Intra-EU processing; MailerSend's standard Data Processing Addendum applies, including SCCs for any onward transfers to its US affiliates. |
| Cloudflare R2 | Cloudflare, Inc. | United States (parent); EU storage region enforced | Storage of uploaded files, attachments, and generated assets that may include Attendee Personal Data. | Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, incorporated by reference through Cloudflare's Data Processing Addendum. |
| Cloudflare Turnstile | Cloudflare, Inc. | United States (parent) | CAPTCHA and bot-protection challenges on login and registration pages (strictly necessary for security). | Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, incorporated by reference through Cloudflare's Data Processing Addendum. |
| Sentry | Functional Software, Inc. | EU region (Frankfurt, sentry.io/eu) | Error and exception monitoring. May incidentally capture diagnostic data containing Personal Data. | Processing within the EU region; no SCCs required. |

Notes on this Annex:

  • The transfer mechanism for each Sub-processor is stated directly in the table above. The Controller may consult each Sub-processor's published standard Data Processing Addendum for further detail.
  • Each Sub-processor is bound by a written data-processing agreement imposing obligations at least as stringent as those in this DPA.
  • The Controller may object to any new or replacement Sub-processor on reasonable data-protection grounds, with the right to terminate the affected processing or the Contract if the objection cannot be resolved, as set out in Section 8 of this DPA.

Annex III — Technical and Organizational Measures

The Processor implements the following Technical and Organizational Measures in accordance with Article 32 GDPR:

A. Pseudonymization and Encryption

  • Encryption in transit: All data transmitted between Attendees, Organizers, and the Platform is encrypted using TLS 1.2 or higher.
  • Encryption at rest: Sensitive Personal Data (passwords, API tokens) are encrypted at rest using industry-standard encryption algorithms.
  • Database encryption: Where feasible, Personal Data stored in the database is encrypted.

B. Confidentiality and Integrity

  • Access controls: Access to Personal Data is restricted to authorized personnel on a least-privilege basis. Role-based access control (RBAC) is implemented across the Platform.
  • Authentication: Staff with access to Personal Data are authenticated using secure methods (password + multi-factor authentication where appropriate).
  • Confidentiality agreements: All personnel authorized to access Personal Data are bound by written confidentiality obligations.
  • Data integrity: Systems implement mechanisms to detect and prevent unauthorized or undetected alteration of Personal Data (checksums, audit logs).

C. Availability and Resilience

  • Backup and recovery: Daily automated backups are performed and retained for 90 days. Recovery procedures are regularly tested.
  • Redundancy: Critical systems are designed with redundancy to prevent single points of failure.
  • Incident response: A documented incident response plan is in place for rapid response to security incidents and breaches.
  • Service monitoring: Systems are continuously monitored for security anomalies and service degradation.

D. Regular Testing and Evaluation

  • Log monitoring and auditing: System and application logs are reviewed for signs of unauthorized access or anomalous activity.
  • Incident logging: Security incidents are logged and reviewed to identify patterns and improve controls.
  • Periodic review of TOMs: The Processor reviews the effectiveness of its technical and organizational measures on an ongoing basis and updates them in light of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, in accordance with Article 32 GDPR.

E. Sub-processor Security

  • Due diligence: All Sub-processors are evaluated for security practices before engagement and periodically thereafter.
  • Contractual obligations: All Sub-processors are contractually bound to implement equivalent security measures.
  • Monitoring: The Processor monitors Sub-processors for security incidents and compliance with contractual obligations.

F. Physical and Environmental Security

  • Data center security: The Processor's servers are housed in a secure data center with physical access controls, surveillance, and environmental monitoring.
  • Secure deletion: When Personal Data is deleted, appropriate secure-deletion methods are employed to prevent recovery.