EventOn Data Processing Addendum

1.1 Processor Details

• Company: Wemoveon Ltd (trading as EventOn)
• Address: 61 Bridge Street, Kington, United Kingdom, HR5 3DJ
• Company number: 10061558
• DPA contact: privacy@eventon.pro

1.2 Definitions and Roles

• "Customer" or "Controller": The organisation or individual who subscribes to EventOn and determines the purposes and means of processing Customer Data. This includes tenant administrators and authorised users.
• "EventOn" or "Processor": Wemoveon Ltd, which processes Customer Data on behalf of and under the instructions of the Customer to provide the EventOn service.
• "Sub-processor": A third party engaged by EventOn to process Customer Data in connection with providing the Service.
• "Customer Data": Personal data that Customer uploads, submits, or otherwise provides to the Service, including data relating to staff, clients, applicants, and other data subjects.

For the purposes of UK GDPR and EU GDPR, Customer acts as the Controller of Customer Data, and EventOn acts as the Processor.

2.1 This DPA applies to all Customer Data processed by EventOn in connection with providing the Service under the Terms of Service.

2.2 The Service includes all portals and functionality provided by EventOn:

• Tenant Dashboard: Where Customer administrators manage their organisation, staff, clients, events, and settings.
• Staff Portal: Where Customer's workforce accesses schedules, submits timesheets, and manages their profiles.
• Client Portal: Where Customer's clients view events, approve staffing, and access reports.
• API Services: Programmatic access to Service functionality.
• Integrations: Optional connections to third-party services (e.g., accounting software) enabled by Customer.

2.3 EventOn does not determine the purposes or means of processing Customer Data except as necessary to provide the Service. Customer retains full control over what data is uploaded and how it is used within the Service.

4.1 Processing Instructions

EventOn shall process Customer Data only in accordance with Customer's documented instructions, which are deemed to include: (a) the Terms of Service; (b) this DPA; (c) Customer's use of Service features and settings; and (d) any additional written instructions agreed between the parties. EventOn shall inform Customer if, in its opinion, an instruction infringes applicable data protection law.

4.2 Confidentiality

EventOn shall ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This includes employees, contractors, and authorised Sub-processors.

4.3 Technical and Organisational Measures

EventOn implements and maintains appropriate technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

• Encryption in transit: All data transmitted between users and the Service is encrypted using TLS 1.2 or higher.
• Access controls: Role-based access control (RBAC) ensures users only access data appropriate to their role. Each tenant's data is logically separated.
• Least privilege: Administrative access to systems is limited to authorised personnel on a need-to-know basis.
• Audit logging: User actions and system events are logged for security monitoring and incident investigation.
• Backups: Regular automated backups are performed to enable data recovery in case of system failure.
• Vulnerability management: Regular security assessments, dependency updates, and patching of known vulnerabilities.
• Incident response: Documented procedures for detecting, responding to, and recovering from security incidents.
• Tenant data separation: Customer Data is logically isolated per tenant with enforced access boundaries.

EventOn's information security controls are aligned with ISO 27001 principles. Upon request, EventOn can provide further details of its security measures.

5.1 Authorisation

Customer provides general authorisation for EventOn to engage Sub-processors to assist in providing the Service. EventOn shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

5.2 Current Sub-processors

EventOn uses Sub-processors in the following categories to provide the Service:

• Cloud hosting and compute: Infrastructure providers for application hosting, content delivery, and serverless functions.
• Database hosting: Managed PostgreSQL database services for primary data storage.
• Email delivery: Transactional email services for notifications, magic links, and communications.
• Error monitoring and logging: Application performance monitoring and error tracking services.
• Analytics: Privacy-focused analytics services (when enabled) to understand Service usage.
• Payment and billing: Payment processing services for subscription billing (no card numbers are stored by EventOn).
• Optional integration providers: When Customer enables integrations (e.g., QuickBooks Online, Xero, Sage), those providers process data as necessary to provide the integration functionality.

A current list of specific Sub-processors is available upon request by contacting privacy@eventon.pro.

5.3 Changes to Sub-processors

EventOn shall notify Customer of any intended changes to Sub-processors (additions or replacements) by updating the Sub-processor list and providing reasonable notice. Customer may object to such changes within 14 days of notification on reasonable grounds related to data protection. If EventOn cannot reasonably accommodate the objection, Customer may terminate the affected Service component.

5.4 Sub-processor Liability

EventOn remains liable to Customer for the performance of its Sub-processors' obligations under this DPA.

6.1 Customer Data may be transferred to and processed in countries outside the United Kingdom and European Economic Area (EEA) where Sub-processors are located.

6.2 For any such transfers, EventOn shall ensure appropriate safeguards are in place, including:

• The UK International Data Transfer Agreement (UK IDTA) for transfers from the UK;
• The EU Standard Contractual Clauses (SCCs) for transfers from the EEA;
• Adequacy decisions by the UK or EU Commission where applicable;
• Other lawful transfer mechanisms as permitted under applicable data protection law.

6.3 Upon request, EventOn shall provide information about the transfer mechanisms in place for specific Sub-processors.

7.1 Notification

If EventOn becomes aware of a Personal Data Breach affecting Customer Data, EventOn shall notify Customer without undue delay and in any event within 72 hours of becoming aware of the breach, except where the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

7.2 Information Provided

EventOn's notification shall include, to the extent known:

• A description of the nature of the breach, including categories and approximate number of data subjects and records affected;
• The name and contact details of EventOn's point of contact;
• A description of the likely consequences of the breach;
• A description of measures taken or proposed to address the breach and mitigate its effects.

7.3 Cooperation

EventOn shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data Breach.

8.1 Data Subject Requests

EventOn shall assist Customer in responding to requests from data subjects exercising their rights under applicable data protection law (e.g., access, rectification, erasure, portability, restriction, objection). This includes providing appropriate technical measures and functionality within the Service to enable Customer to respond to such requests.

8.2 Compliance Assistance

Taking into account the nature of processing and information available to EventOn, EventOn shall assist Customer in ensuring compliance with:

• Security obligations;
• Personal Data Breach notification requirements;
• Data Protection Impact Assessments (DPIAs) where reasonably required;
• Prior consultation with supervisory authorities where required.

EventOn may charge a reasonable fee for assistance that is excessive, unfounded, or beyond the scope of normal support.

9.1 Upon termination or expiry of the Terms of Service, Customer may request export of Customer Data in a commonly used, machine-readable format within 30 days of termination.

9.2 Following the export period (or upon Customer's earlier request), EventOn shall delete Customer Data from active systems within 90 days, except where:

• Retention is required by applicable law;
• Retention is necessary for the establishment, exercise, or defence of legal claims;
• Data is retained in anonymised form that no longer constitutes personal data.

9.3 Backup copies containing Customer Data will be deleted in accordance with EventOn's standard backup retention cycle, typically within 90 days of the primary deletion.

9.4 Upon request, EventOn shall provide written confirmation that Customer Data has been deleted.

10.1 EventOn shall make available to Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

10.2 Customer's audit rights may be satisfied through:

• Completion of security questionnaires provided by Customer (once per year or upon material change);
• Review of EventOn's security documentation, policies, and procedures;
• Review of third-party audit reports, certifications, or attestations where available;
• Review of penetration test summaries where available.

10.3 On-site audits shall only be conducted where:

• The information provided above is insufficient to demonstrate compliance;
• A Personal Data Breach has occurred affecting Customer Data;
• Required by a supervisory authority.

10.4 Any on-site audit shall be subject to:

• At least 30 days' prior written notice;
• Reasonable scope and duration;
• Confidentiality obligations protecting EventOn's proprietary information and other customers' data;
• Customer bearing its own costs (EventOn may charge reasonable fees for time spent).

11.1 This DPA forms part of and is incorporated into the Terms of Service.

11.2 In the event of any conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail. In all other respects, the Terms of Service shall prevail.

11.3 The limitations of liability set out in the Terms of Service apply to this DPA. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law.

11.4 Each party shall be liable for any fines, penalties, or claims arising from its own breach of applicable data protection law or this DPA.

12.1 EventOn may update this DPA from time to time to reflect changes in legal requirements, our Sub-processors, or our practices. When we make material changes:

• We will update the "Last updated" date at the top of this DPA;
• We will notify Customer through the Service or by email where appropriate;
• Continued use of the Service after changes become effective constitutes acceptance of the updated DPA.

This DPA shall be governed by and construed in accordance with the laws of England and Wales, subject to the mandatory data protection laws applicable to Customer.