This Data Processing Agreement (“DPA”) forms part of the agreement between EventNX LLC, a Delaware limited liability company with its registered address at 2055 Limestone Road, Wilmington, DE 19808, USA (“Processor” or “EventNX”), and the customer entity using EventNX services (“Controller” or “Client”).

This DPA applies where EventNX processes Personal Data on behalf of the Controller in connection with the provision of its services.

1. Definitions

For the purposes of this DPA, the terms “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, and “Supervisory Authority” shall have the meanings given to them under the EU GDPR and UK GDPR.

“Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR and UK GDPR.

2. Scope and Roles

The parties acknowledge that, with respect to Personal Data processed under this DPA, the Controller determines the purposes and means of processing, and EventNX acts as a Processor.

The subject matter of processing consists of providing EventNX’s SaaS platform, including event registration management, social sharing, referral tracking, and attendee engagement tools.

Processing shall occur for the duration of the services agreement unless otherwise required by law.

3. Nature and Purpose of Processing

EventNX will process Personal Data solely for the purpose of providing the services to the Controller, including facilitating event registrations, managing attendee interactions, enabling marketing and referral features, and providing analytics and platform functionality.

The nature of processing includes collection, storage, organization, retrieval, transmission, and deletion of Personal Data.

Categories of Data Subjects may include event attendees, prospective attendees, event organizers’ staff, and platform users.

Categories of Personal Data may include identifiers such as name, email address, phone number, professional details, and event-related information, as determined by the Controller.

4. Controller Obligations

The Controller is responsible for ensuring that all processing of Personal Data complies with Applicable Data Protection Laws. This includes establishing a lawful basis for processing, providing appropriate privacy notices, and ensuring that instructions given to EventNX are lawful.

The Controller is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it was obtained.

5. Processor Obligations (Article 28 GDPR)

EventNX shall process Personal Data only on documented instructions from the Controller, unless required to do so by law, in which case EventNX will inform the Controller unless legally prohibited.

EventNX shall ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.

EventNX shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.

EventNX shall not use Personal Data for its own purposes and shall not sell Personal Data.

6. Security Measures

EventNX implements commercially reasonable technical and organizational measures designed to protect Personal Data. These include encryption in transit and at rest, access controls based on least privilege, authentication mechanisms, network security protections, and system monitoring.

EventNX regularly reviews and updates its security practices and aligns with recognized industry standards such as SOC 2 and ISO 27001 frameworks where applicable.

7. Sub-Processors

The Controller authorizes EventNX to engage sub-processors to support the delivery of its services.

EventNX shall ensure that any sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

EventNX shall remain responsible for the performance of its sub-processors.

A current list of sub-processors shall be made available upon request or via a publicly accessible link.

8. Data Subject Rights

Taking into account the nature of processing, EventNX shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, to fulfill the Controller’s obligation to respond to requests for exercising Data Subject rights.

If EventNX receives a request directly from a Data Subject, it shall not respond except on the Controller’s instructions and may redirect the request to the Controller.

9. Personal Data Breach

EventNX shall notify the Controller without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA.

EventNX shall provide reasonable assistance to the Controller in meeting its obligations under Articles 33 and 34 GDPR, taking into account the nature of processing and information available.

10. Data Protection Impact Assessments

EventNX shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities where required, taking into account the nature of processing and available information.

11. International Data Transfers

Where Personal Data is transferred outside the European Economic Area or the United Kingdom, EventNX shall ensure that appropriate safeguards are in place, including the use of Standard Contractual Clauses approved by the European Commission and/or the UK ICO.

Such safeguards shall be deemed incorporated into this DPA by reference.

12. Audit and Compliance

EventNX shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.

Any audits shall be conducted with reasonable notice, during normal business hours, and in a manner that minimizes disruption to EventNX’s operations and protects the confidentiality of other customers.

EventNX may satisfy audit obligations through the provision of third-party audit reports or certifications where applicable.

13. Return and Deletion of Data

Upon termination of the services, EventNX shall, at the choice of the Controller, delete or return Personal Data, unless retention is required by applicable law.

14. Confidentiality

EventNX shall ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.

15. Liability

Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the main services agreement or Terms of Service.

To the extent permitted by law, EventNX shall not be liable for indirect, incidental, or consequential damages, or for compliance failures attributable to the Controller.

16. Governing Law

This DPA shall be governed by the laws specified in the main agreement between the parties, unless otherwise required by Applicable Data Protection Laws.

17. Order of Precedence

In the event of any conflict between this DPA and other agreements between the parties, this DPA shall prevail with respect to data protection matters.

Annex I – Details of Processing

• Subject Matter: Provision of EventNX SaaS platform
• Duration: Duration of services agreement
• Nature of Processing: Collection, storage, use, transmission, deletion
• Purpose: Event registration, engagement, analytics, communication
• Data Subjects: Event attendees, organizers, users
• Data Types: Contact details, professional information, event data

Annex II – Security Measures

EventNX implements measures including encryption, access controls, authentication, monitoring, secure infrastructure, and internal security policies aligned with industry standards.