Data Processing Addendum (DPA)
Last updated: January 13, 2024
Version: 1.0
Effective from: January 13, 2024
Hash: 3d65f700ebe85a715dce1359d78194a327a6f577a33ea22e5f59c3eceba32a14
This Data Processing Addendum (the "DPA") is part of the applicable agreement between Neventech, S.L. ("Nevent", "we", "us") and the customer contracting or using Nevent's services ("Customer", "you") (the "Agreement").
This DPA applies when Nevent processes Personal Data on behalf of the Customer to provide the Services.
If you do not agree with this DPA, you should not use the Services.
1. Definitions
Unless expressly defined herein, capitalized terms have the meaning set forth in the Agreement or in Data Protection Legislation.
- "Data Protection Legislation": GDPR, applicable Spanish regulations (incl. LOPDGDD) and, where applicable, UK GDPR and Swiss regulations.
- "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Security Breach": as defined in GDPR and equivalent applicable regulations.
- "Customer Data": Personal Data processed by Nevent on behalf of the Customer in connection with the Services.
- "Account Data": Personal Data necessary to create/manage the Customer's account (e.g., admin user, credentials, billing/contracting data, support contacts).
- "Aggregated/Anonymized Data": data derived from Customer Data that does not identify any person (either directly or indirectly) and that is used for global analytics/statistics/service improvement.
2. Roles of the Parties and scope
2.1 Nevent as Processor (Customer Data)
With respect to Customer Data, the Customer acts as Controller and Nevent as Processor.
2.2 Nevent as Controller (Account Data)
With respect to Account Data, Nevent may act as Controller (e.g. admin user management, billing, security, fraud prevention). These processing activities are governed by Nevent's Privacy Policy and not by this DPA.
2.3 Customer as Processor
If the Customer acts as Processor for a third party (e.g. a brand), Nevent will act as Sub-processor, and this DPA shall apply accordingly.
2.4 Interaction with the Agreement and affiliated entities
This DPA supplements and, in case of conflict regarding data protection matters, prevails over the Agreement.
The Customer may enter into this DPA on behalf of its affiliated entities that use the Services. In such case:
- The Customer is authorized to act on behalf of such affiliated entities.
- The Customer is designated as the main point of contact for enforcing the terms of this DPA on behalf of all affiliated entities.
- Notifications to the Customer will satisfy notification requirements to affiliated entities.
- Each affiliated entity shall be responsible for its own obligations under this DPA with respect to Customer Data it processes.
3. Subject matter, duration, nature and purposes
3.1 Subject matter
Provision of the Services in accordance with the Agreement.
3.2 Duration
During the term of the Agreement and the retention period described in section 13.
3.3 Nature and purposes
As described in Annex 1 (Processing Details).
4. Customer Instructions
4.1 Nevent will process Customer Data only in accordance with documented Customer instructions, including:
- this DPA,
- the Agreement, and
- normal use of the Service functionalities according to Customer configuration.
4.2 Additional instructions must be reasonable, in writing, and may be subject to costs if they involve substantial work.
4.3 If Nevent believes that an instruction infringes Data Protection Legislation, it will notify the Customer unless legally prohibited.
4.4 Legal obligation: if a law requires Nevent to process Customer Data otherwise, Nevent will inform the Customer where legally possible.
5. Confidentiality and authorized personnel
5.1 Nevent ensures that persons authorized to process Customer Data:
- are subject to confidentiality obligations (contractual or legal), and
- receive reasonable training in security and privacy matters where appropriate.
5.2 Nevent will limit access to Customer Data following the principle of least privilege.
6. Security measures (art. 32 GDPR)
6.1 Nevent implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
6.2 A summary of these measures is described in Annex 2 (Security Measures).
6.3 Nevent may update security measures while maintaining an equivalent or higher level of protection.
6.4 Upon reasonable request from the Customer, Nevent may provide additional information about security measures, subject to confidentiality.
7. Sub-processors
7.1 What is a Sub-processor
A Sub-processor is an external provider engaged by Nevent that processes Customer Data on behalf of Nevent to provide the Services (for example, cloud infrastructure, analytics, messaging, or AI when the Customer activates that functionality).
Important: Nevent will only consider a provider a "Sub-processor" when it processes Customer Data (personal data processed by Nevent on behalf of the Customer). If a provider only processes Account Data (e.g., billing, admin users), it will be governed by the applicable terms and Privacy Policy and not necessarily by this DPA.
7.2 General authorization
The Customer grants Nevent general authorization to engage Sub-processors when necessary to provide the Services.
7.3 Sub-processor list
Nevent will maintain an updated list of Sub-processors in Annex 3 of this DPA.
The list will include, at minimum, name, service type, main processing location and, where applicable, safeguards for international transfers.
7.4 Changes to Sub-processors (notification)
Nevent will notify the Customer of additions or replacements of Sub-processors through:
- updating the List, and/or
- reasonable notice by email and/or dashboard notice.
7.5 Customer's right to object
The Customer may object to a new Sub-processor on reasonable grounds related to data protection by notifying Nevent in writing within 15 days of the notification.
If there is a valid objection:
- Nevent and the Customer will cooperate in good faith to offer a reasonable alternative.
- If this is not possible without disproportionate impact or without materially degrading the Service, Nevent may:
  - suspend or terminate the affected functionality/part of the Service, and/or
  - allow the Customer to terminate the affected part according to the Agreement.
7.6 Contractual obligations with Sub-processors ("flow-down")
Nevent will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA, including at minimum:
- processing only under documented instructions,
- personnel confidentiality,
- appropriate technical and organizational measures (art. 32 GDPR),
- assistance with data subject rights and compliance,
- security breach notification,
- data deletion or return upon termination,
- reasonable audit/evidence when appropriate.
7.7 Liability for Sub-processors
Nevent will remain liable to the Customer for its Sub-processors' compliance with obligations to the extent required by Data Protection Legislation.
7.8 "Conditional" Sub-processors (optional functionalities)
Some Sub-processors only apply if the Customer activates or uses specific functionalities (for example, SMS or AI). In those cases, such providers will act as Sub-processors only when they process Customer Data on behalf of Nevent in relation to that functionality.
7.9 Emergency Sub-processors
In exceptional cases (for example, security incidents, service continuity or critical failures), Nevent may temporarily engage an unlisted Sub-processor to restore or maintain the Service, notifying the Customer as soon as reasonably possible and updating the List.
8. Customer Assistance
8.1 Customer's exclusive responsibility and Nevent's assistance
The Customer has exclusive responsibility for responding to data subject rights requests regarding Customer Data, including:
- Right of access
- Right of rectification
- Right of deletion
- Right to object
- Right to restriction of processing
- Right to data portability
- Rights related to automated decisions and profiling (where applicable)
Nevent will reasonably assist the Customer in responding to such requests through:
- Self-service functionalities available in the Service (e.g., data export, deletion).
- Reasonable technical assistance within standard Service support.
Assistance will be provided to the extent applicable to the Services and technically possible. Additional assistance beyond standard support (e.g., complex queries, custom development) may be subject to additional costs, which will be communicated to the Customer with reasonable advance notice.
8.2 Requests received by Nevent
If Nevent receives a request directly from a data subject regarding Customer Data:
- it will redirect the request to the Customer without undue delay and without responding on its own, unless legally obliged, and
- it will provide reasonable assistance if the Customer requests it, in accordance with section 8.1.
8.3 DPIA and prior consultation
Nevent will reasonably provide necessary information to support:
- data protection impact assessments (DPIA), and
- prior consultations with authorities,
to the extent relevant to the Services and under Nevent's control.
9. Cooperation with authorities and requirements
9.1 Nevent will reasonably cooperate with supervisory authorities when necessary for compliance with the DPA and Data Protection Legislation, considering its role as Processor.
9.2 If Nevent receives a binding legal requirement (e.g. court order) regarding Customer Data, it will notify the Customer where legally possible and take reasonable steps to limit disclosure.
10. Security Breaches (Data Breach)
10.1 Nevent will notify the Customer without undue delay upon becoming aware of a Security Breach affecting Customer Data.
10.2 The notification will include, to the extent available:
- nature of the incident,
- categories and approximate volume of affected data subjects/data,
- measures taken or proposed,
- contact point,
- any other reasonable information for the Customer to comply with its obligations.
10.3 Nevent will reasonably cooperate to investigate, mitigate and remedy the incident, without prejudice to limitations for security, confidentiality or ongoing investigation.
10.4 No admission of liability: Notification of a Security Breach pursuant to this section shall not constitute an admission of fault or liability by Nevent with respect to the Security Breach.
11. Audit and evidence of compliance (art. 28.3 GDPR)
11.1 Upon reasonable request, Nevent will make available information to demonstrate compliance, such as:
- security documentation,
- responses to reasonable privacy questionnaires,
- third-party reports/certifications if available (without obligation to obtain them).
11.2 Certifications in lieu of audit: If the audit scope is covered by an ISO 27001, SOC 2 Type II or other relevant security certification valid within the last 12 months, the Customer will accept such findings in lieu of conducting an on-site audit.
11.3 On-site audits will only be permitted when the above is insufficient and there is a justified need:
- advance notice of at least 2 weeks (14 calendar days),
- the auditor must be independent, qualified and not a competitor of Nevent,
- scope limited to processing of Customer Data,
- during business hours,
- subject to confidentiality and security measures,
- no more than once per year unless serious incident or authority requirement,
- reasonable costs borne by Customer, including reimbursement of Nevent's staff time at reasonable rates.
11.4 Nevent may propose an audit by an independent third party and provide results as an equivalent alternative.
12. International transfers
12.1 Standard Contractual Clauses (SCCs)
When Customer Data is transferred outside the EEA/UK/Switzerland to a country without an adequacy decision and the Data Privacy Framework is not available, the parties agree that the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Decision (EU) 2021/914 are incorporated by reference into this DPA, as follows:
- Module 2 (Controller-to-Processor): When the Customer acts as Controller and Nevent as Processor.
- Module 3 (Processor-to-Processor): When both parties act as Processors with respect to Customer Data.
In case UK GDPR applies, the UK Addendum to the Standard Contractual Clauses (version B1.0) is also incorporated. For data subjects in Switzerland, the Swiss Addendum described in Annex 5 applies.
12.2 Data Privacy Framework (DPF)
Nevent self-certifies under the Data Privacy Framework (DPF) between the U.S. and the EU/UK/Switzerland, and complies with the applicable DPF Principles for transfers of personal data from the European Economic Area, the United Kingdom, and Switzerland to the United States. To the extent Nevent's DPF certification covers the processing activities under this DPA, it may be used as an alternative safeguard to the SCCs. Further details about Nevent's DPF certification are available at www.dataprivacyframework.gov.
12.3 Supplementary measures and assistance for Data Transfer Impact Assessments
Nevent implements supplementary technical, organizational and contractual measures for international transfers, as described in Annex 4. Upon reasonable request, Nevent will provide relevant information to assist the Customer in conducting Data Transfer Impact Assessments (DTIAs) for transfers to third countries, including information about:
- applicable laws in the countries where data is processed,
- technical and organizational measures to protect data,
- measures against unlawful access by public authorities.
13. Return and deletion upon termination
13.1 Export and copy before termination: If the Customer requests it before the termination of the Agreement, Nevent will provide a copy of all raw Customer Data (original personal data provided to the Service) in a commonly used machine-readable format (such as CSV or JSON) within 30 days of the request. The Customer may also export raw Customer Data using the Service's self-service functionalities during the notice period and for 30 days after termination (recovery period). Enriched data (scores, predictions, automated segmentations, aggregations) generated by Nevent's models are not exportable pursuant to section 14.3 and will cease to be available upon termination of the Agreement.
13.2 Legal retention: Nevent may retain Customer Data beyond the deletion deadline to the extent required by applicable law (for example, fiscal, accounting, or litigation hold obligations). Such data will remain subject to the confidentiality and security obligations of this DPA and will be deleted once the legal retention period expires.
13.3 Complete deletion: Within 90 days following the termination of the Agreement, Nevent will completely delete or anonymize all Customer Data from its production systems and backups, except as permitted under Section 13.2. Upon reasonable request, Nevent will provide written certification of such deletion.
14. Aggregated/anonymized data
14.1 Nevent may generate and use Aggregated/Anonymized Data for global analytics, service improvement, security and internal reporting, provided such data does not identify any person.
14.2 This data is not considered Customer Data for the purposes of this DPA.
14.3 Intellectual Property and Enriched Data:
(a) Nevent's Ownership: Machine learning models, algorithms, methodologies, underlying technology, know-how and any other intellectual property developed or used by Nevent to generate enriched data are and shall remain the exclusive property of Nevent.
(b) Customer's Enriched Data: Enriched data generated by Nevent (including engagement scores, behavioral predictions, automated segmentations, statistical aggregations and other insights calculated through Nevent's models) are the property of Nevent and are only available to Customer within the Service during the term of the Agreement. Customer may view and use such enriched data exclusively through the Service interface for its internal business purposes, but may not export, extract, copy or transfer them outside the Service.
(c) Product improvement through aggregated learning: Nevent may use aggregated patterns, statistics and non-identifiable learnings derived from the use of the Service by multiple customers to:
- Improve the accuracy and performance of its models and algorithms.
- Develop new features and analytical capabilities.
- Provide aggregated industry benchmarks and statistics (without identifying any specific Customer).
(d) Restrictions:
- Customer may not reverse engineer, decompile or attempt to extract Nevent's underlying models, algorithms or technology.
- Nevent will not sell, license or disclose individual enriched data from one Customer to third parties, unless fully anonymized or as required to provide the Service.
(e) Export and termination: Customer may export raw Customer Data (original personal data provided to the Service, such as names, emails, interaction events, purchases and other information directly provided by Customer) pursuant to section 13. Enriched data (scores, predictions, automated segmentations, aggregations) are not exportable and will cease to be available upon termination of the Agreement. Nevent will retain its intellectual property and may continue using aggregated learnings obtained.
15. Customer Obligations
The Customer represents and warrants that:
- it has a valid legal basis to process and transfer Customer Data to Nevent,
- it has informed data subjects and obtained consents where appropriate,
- it does not incorporate special categories of data (art. 9) or criminal data (art. 10) unless agreed in writing,
- it configures and uses the Service in accordance with Data Protection Legislation (e.g. cookies, marketing consent, lists, opt-outs, etc.).
16. Customer Security
16.1 The Customer is responsible for:
- keeping credentials secure,
- managing admin user access,
- correctly configuring permissions, lists, consents and segmentations,
- reviewing outputs/automations created within the Service (e.g. segmentation and sending rules).
17. Liability
17.1 Limitations and exclusions of liability shall be governed by the Agreement, unless applicable law provides otherwise.
17.2 Nothing in this DPA limits liability where not legally limitable.
18. Order of precedence
In case of conflict between this DPA and the Agreement on data protection matters, this DPA shall prevail.
19. Changes to this DPA
We may update this DPA to reflect legal, technical or Service changes. We will publish the new version on this page and indicate the "Last updated" date.
When the change is material, we will make reasonable efforts to notify (e.g., email or dashboard notice).
Continued use of the Service after the effective date implies acceptance.
20. Contact
For data protection matters: dpo@eritiaprivacidad.com
Address: NEVENTECH S.L., Taibo – Carnoedo, 1 – 15169 Sada (A Coruña), Spain
Annex 1 — Processing Details
Part 1 - Parties (for SCCs purposes)
Data Exporter (Data Controller):
- Identity: Customer and its affiliated entities using the Services, located in the European Economic Area (EEA), United Kingdom, Switzerland or other jurisdictions where GDPR or Swiss data protection legislation applies.
- Address: As specified in the Customer's Agreement.
- Contact: Data protection officer or Customer's contact point as specified in the Agreement.
- Role: Data Controller of Customer Data.
Data Importer (Data Processor):
- Identity: NEVENTECH S.L.
- Address: Taibo – Carnoedo, 1 – 15169 Sada (A Coruña), Spain
- Contact: dpo@eritiaprivacidad.com
- Role: Data Processor of Customer Data; or Sub-processor when Customer acts as Processor for a third party.
Part 2 - Description of the Transfer
Transfer frequency: Continuous, according to the Service configuration and Customer's use.
Services: Nevent (email marketing, CRM/segmentation, analytics, automations, notifications and event-related functionalities).
Purposes (examples):
- Management of attendee/user database.
- Segmentation and enrichment of profile fields (according to Customer configuration).
- Sending communications (email, push, WhatsApp/SMS if applicable).
- Performance reporting and analytics.
- Ticketing/payment/cashless integrations (if applicable).
- Support, maintenance, security and fraud/abuse prevention.
Nature of processing: collection, structuring, storage, consultation, use, communication/transfer, deletion.
Categories of data subjects:
- Attendees/ticket purchasers.
- Communication subscribers.
- Event-associated app users.
- Customer personnel (admin users).
Categories of personal data (examples):
- Identifiers: name, email, phone.
- Demographics: city, province, country, language, gender (if applicable).
- Activity: opens/clicks, navigation/app events, declared preferences.
- Transactional: ticket purchases, cashless consumption (if integrated), merchandising (if applicable).
- Technical identifiers: IP, device ID, cookies/advertising IDs (depending on configuration).
- Support data: support communications, technical logs.
Special categories (art. 9): not planned unless expressly agreed.
Criminal data (art. 10): not planned unless expressly agreed.
Processing duration: term of the Agreement + retention period in section 13.
Part 3 - Competent Data Protection Authority
The competent supervisory authority will depend on the location of the Data Exporter (Customer):
- European Union Exporters: The data protection authority of the EU Member State in which the Exporter is established.
- Non-EU/Non-UK Exporters with EU representative: The data protection authority of the EU Member State in which the Exporter's representative is established.
- United Kingdom: Information Commissioner's Office (ICO).
- Switzerland: Federal Data Protection and Information Commissioner (FDPIC).
- Other exporters not specified above: Spanish Data Protection Agency (AEPD) shall be the competent supervisory authority.
Annex 2 — Security measures (summary)
A) Governance, organization and policies
- Internal security and privacy policies.
- Risk management and periodic reviews.
- Reasonable training of personnel with system access.
B) Access control
- Role-based access (RBAC) and least privilege.
- Credential management and secret rotation where applicable.
- MFA for administrative accounts where possible.
C) Encryption
- Encryption in transit (TLS) for communications.
- Encryption at rest in storage where applicable.
- Key/secret protection (e.g. managed services / vault).
D) Logging and monitoring
- Logging of relevant events.
- Monitoring and alerts.
- Reasonable abuse/fraud detection controls.
E) Resilience
- Backups and recovery procedures.
- Continuity/DR plans to the extent reasonable for the Service.
F) Secure development
- Separate environments (dev/stage/prod) where applicable.
- Change control and reviews.
- Vulnerability and patch management.
G) Incidents
- Incident response procedure.
- Internal escalation and Customer communication according to section 10.
H) Multi-tenant isolation
- Logical controls to separate data between customers.
- Reasonable tests/controls to prevent cross-access.
Annex 3 — Sub-processors (List)
Last updated: January 13, 2024
This list identifies the providers ("Sub-processors") that Nevent uses to provide the Service and that may process Customer Data.
1) Sub-processors
| Sub-processor | Service | When it applies | Purpose | Data potentially processed | Main location | Transfers / safeguards |
|---|---|---|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure (hosting, storage, networks, managed services) | Always | Platform operation (servers, storage, backups, availability and security) | Customer Data stored/processed by the Service; technical metadata and logs | EU (Ireland - eu-west-1) | SCCs or other applicable safeguards if processing outside EEA |
| Google Cloud (Google LLC) | Cloud infrastructure | Always or depending on configuration | Technical operations necessary for the Service | Customer Data stored/processed by the Service; technical metadata and logs | EU (depending on configuration) | SCCs or other applicable safeguards if processing outside EEA |
| SMS Publi | SMS messaging provider | Only if Customer activates SMS | SMS sending and delivery | Phone number, message content, delivery metadata (status, timestamps) | Spain (EU) | N/A (EU provider) |
| OpenAI | Generative AI (API) | Only if Customer activates AI functionalities (e.g. template generator) | Content generation / assistance | Prompts and responses; may include personal data if sent for contextualization | USA | International transfers; safeguards per provider's DPA/SCCs |
| Anthropic (Claude) | Generative AI (API) | Only if Customer activates AI functionalities (e.g. template generator) | Content generation / assistance | Prompts and responses; may include personal data if sent for contextualization | USA | International transfers; safeguards per provider's DPA/SCCs |
2) Notes on AI
- AI providers are considered Sub-processors only when they process Customer Data on behalf of Nevent (for example, template generation with context including personal data).
- Nevent applies reasonable data minimization measures to avoid sending unnecessary Customer Data to AI providers.
- Customer must not input special categories of data (art. 9 GDPR) or criminal data (art. 10 GDPR) into prompts unless expressly agreed in writing.
3) Contact
For inquiries about Sub-processors: dpo@eritiaprivacidad.com
4) Selection of SCC Clauses (Standard Contractual Clauses)
When the EU Standard Contractual Clauses (SCCs) 2021/914 apply pursuant to section 12.1 of the DPA, the following clauses are completed:
- Modules applied:
  - Module 2 (Controller → Processor): when Customer acts as Controller and Nevent as Processor.
  - Module 3 (Processor → Sub-processor): when Customer acts as Processor for a third party and Nevent as Sub-processor.
- Clause 7 (Docking clause): Not applicable.
- Clause 9(a) (Authorization of sub-processors): Option 2 (general written authorization); notification period of 15 days pursuant to section 7.4 of the DPA.
- Clause 11(a) (Dispute resolution - independent arbitration): Not applicable.
- Clause 17 (Governing law): Law of Spain.
- Clause 18 (Choice of forum and jurisdiction): Courts of Spain.
- Annexes to the SCCs:
  - Annex I (Parties and transfer details): Annex 1 of this DPA (Parts 1 and 2).
  - Annex II (Technical and organizational measures): Annex 2 of this DPA.
  - Annex III (List of sub-processors): Annex 3 of this DPA (section 1).
Hierarchy in case of conflict: In case of conflict between the SCCs and this DPA, the SCCs shall prevail with respect to international transfers of personal data.
Annex 4 — Supplementary Measures for International Transfers
This Annex describes the supplementary measures that Nevent implements to ensure an essentially equivalent level of protection to that provided within the EEA, United Kingdom and Switzerland when Customer Data is transferred to third countries.
1. Technical Measures
1.1 Encryption in transit
- Strong encryption (TLS 1.2 or higher) for all data transmissions between Customer and Nevent.
- Strong encryption for all data transmissions between Nevent and its Sub-processors.
- Use of industry-standard encryption algorithms (e.g., AES-256).
1.2 Encryption at rest
- Encryption of databases and storage containing Customer Data.
- Secure management of encryption keys via managed services (e.g., AWS KMS, Google Cloud KMS).
- Logical separation of data between customers (secure multi-tenancy).
2. Organizational Measures
2.1 Internal governance
- Internal governance policies for managing international transfers.
- Staff training on procedures for responding to data access requests from public authorities.
- Periodic review of policies and procedures related to international transfers.
2.2 Transparency
- Periodic transparency reports on data access requests from authorities (where permitted by local law).
- Cooperation with Data Protection Officers (DPOs) and legal review on international transfers.
- Periodic assessment of the adequacy of implemented measures.
3. Contractual Measures
3.1 Transparency obligations
Nevent declares that:
- It has not created or maintained intentional backdoors in its systems that allow unauthorized access to Customer Data.
- It has not made changes to its business processes that facilitate access to Customer Data by public authorities in a manner that violates Data Protection Legislation.
- There is no existing legal or contractual requirement obligating Nevent to maintain backdoors or provide encryption keys to public authorities.
3.2 Periodic verification
- Nevent verifies the validity of the DPA questionnaire declarations periodically.
- Nevent will report to Customer any material change in circumstances affecting transfer safeguards.
3.3 Public authority requests
When Nevent is legally obligated to disclose Customer Data to public authorities:
- Nevent will inform the requesting authority about conflicts with GDPR transfer safeguards and contractual obligations toward Customer.
- Nevent will request that the authority acknowledge such conflicts and consider alternatives that minimize impact on data subjects' rights.
3.4 Data subject indemnification
Nevent agrees to equitably indemnify data subjects for material and non-material damages arising from unauthorized disclosure of their personal data to public authorities in violation of Data Protection Legislation, subject to the following limitations:
- Limited to damages recognized under GDPR (art. 82).
- Excludes consequential damages, lost profits and indirect damages.
- No double recovery: if the data subject has already been compensated by Customer or through another channel, there will be no additional compensation for the same cause.
4. Public Authority Access Obligations
4.1 Immediate notification before disclosure
If Nevent receives a legally binding request for disclosure of Customer Data from a public authority (e.g., court order, subpoena, intelligence request):
- Nevent will notify Customer immediately and before disclosing the data, unless legally prohibited.
- The notification will include:
  - Description of the data requested.
  - Identification of the requesting authority.
  - Legal basis for the request.
  - Deadline for response.
  - Response that Nevent proposes to provide.
4.2 Best efforts to lift notification prohibition
If law prohibits Nevent from notifying Customer about a request:
- Nevent will use best efforts to obtain an exemption from such prohibition.
- Nevent will document such efforts and make them available to Customer when legally possible.
4.3 Challenge unlawful requests
Nevent commits to:
- Challenge requests for data access that are unlawful, disproportionate or that violate Data Protection Legislation, where permitted by the law of the destination country.
- Exhaust all reasonable procedural remedies available before disclosing data.
- Request that authorities adequately substantiate their requests and demonstrate compliance with necessity and proportionality standards.
4.4 Minimum necessary disclosure
If Nevent is legally obligated to disclose Customer Data after exhausting available remedies:
- Nevent will disclose only the minimum information necessary to comply with the legal request.
- Nevent will not provide direct access to systems or encryption keys, unless a specific court order so requires.
4.5 Special handling of mass surveillance requests
For requests under mass surveillance laws (e.g., FISA 702, Executive Order 12333 of the U.S. or equivalents):
- Nevent will follow special procedures to minimize access to Customer Data.
- Nevent will notify Customer as soon as legally possible.
- Nevent will provide aggregated information about such requests in transparency reports when permitted by law.
4.6 Records and audit
- Nevent will maintain records of all data access requests from public authorities during the term of the Agreement.
- Such records will be made available to competent supervisory authorities if they require them.
- Nevent will provide Customer with reasonable information about the volume and nature of requests received (without violating confidentiality orders).
5. Continuous Review and Update
Nevent will review and update these supplementary measures periodically (at least annually) to:
- Ensure they remain appropriate and effective.
- Reflect changes in case law, supervisory authority guidance or technical developments.
- Respond to emerging threats or identified weaknesses.
Any material changes will be notified to Customer pursuant to section 19 of the DPA.
Annex 5 — UK and Swiss Addendums
Section 1: UK Addendum
If UK GDPR applies, the UK Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B.1.0, UK Information Commissioner, February 2, 2022) is automatically incorporated as a supplement to the SCCs for transfers from the United Kingdom.
The UK Addendum modifies the SCCs pursuant to the Mandatory Requirements (Section 18). The Parties are as specified in Annex 1 of this DPA. The Modules and Clauses are as described in section 12.1 of the DPA with the modifications of the UK Addendum.
In case of conflict between the SCCs and the UK Addendum, the UK Addendum prevails for transfers from the United Kingdom.
Section 2: Swiss Addendum
If Swiss data protection legislation applies (Federal Data Protection Act of 1992 and its implementing Ordinance of 1993, or their revised versions), the SCCs will be interpreted with the following adaptations:
- References to "GDPR" or "EU regulation" are replaced by "Swiss data protection legislation".
- The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland.
- The competent courts are the Swiss courts.
- Until the revision of Swiss law enters into force: legal entities receive the same protection as natural persons.
When both GDPR and Swiss legislation apply: this DPA will apply in its entirety, and then the Swiss modifications will apply without changing Clause 17 of the SCCs (governing law).
In case of conflict, the safeguard providing greater protection to data subjects shall prevail.
Annex 6 — U.S. Data Protection Laws Addendum
This Annex applies when the processing of Customer Data is subject to federal or state data protection laws of the United States, including but not limited to:
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
- Other applicable state or federal data protection laws
1. Prohibitions applicable to Nevent
In relation to the processing of Customer Data subject to U.S. data protection laws, Nevent is prohibited from:
1.1 Sale of Customer Data
Nevent will not sell Customer Data or disclose it to third parties in exchange for monetary or valuable consideration, as defined by applicable U.S. data protection laws.
1.2 Cross-Context Behavioral Advertising
Nevent will not share Customer Data with third parties for purposes of targeted behavioral advertising based on consumer activity across different businesses, websites, applications or services, unless Customer has expressly instructed such use in accordance with applicable law.
1.3 Purpose limitation
Nevent will only retain, use or disclose Customer Data for:
- The specific business purposes described in the Agreement and in Annex 1 of this DPA.
- Other purposes permitted by applicable U.S. data protection laws that do not require consumer consent.
1.4 Relationship limitation
Nevent will not use Customer Data outside the context of the direct business relationship between Nevent and Customer, unless permitted by applicable U.S. data protection laws.
1.5 Data combination
Nevent will not combine Customer Data with personal data that Nevent receives from other sources or from its own interaction with consumers, except when:
- Customer has expressly instructed such combination.
- It is necessary to provide the Services to Customer.
- It is permitted by applicable U.S. data protection laws without requiring additional consent.
2. Consumer rights under U.S. laws
Nevent will reasonably assist Customer in complying with consumer rights requests under U.S. laws, including:
- Right of access (right to know)
- Right of rectification
- Right of deletion
- Right of portability
- Right to opt-out of sale or targeted advertising
- Right to limit use of sensitive data
Assistance will be provided pursuant to section 8 of the DPA, with self-service functionalities when available.
3. Certification and compliance
Nevent certifies that:
- It understands the restrictions imposed by this Annex.
- It will comply with applicable obligations under U.S. data protection laws.
- It will notify Customer if it determines it cannot comply with its obligations under this Annex.
4. Audit and evidence of compliance
Customer has the right to request reasonable evidence of Nevent's compliance with this Annex, pursuant to section 11 of the DPA.
5. Sub-processors
When Nevent engages Sub-processors that process Customer Data subject to U.S. laws, Nevent will impose contractual obligations equivalent to those in this Annex, pursuant to section 7.6 of the DPA.
6. Termination for breach
If Nevent materially breaches the obligations of this Annex and does not remedy the breach within a reasonable period after notification from Customer, Customer may:
- Request immediate deletion of the affected Customer Data, and/or
- Terminate the Agreement with respect to processing of data subject to U.S. laws, pursuant to the terms of the Agreement.