This Data Processing Agreement (DPA) is automatically incorporated into the Eventya Terms of Service for all customers. It governs Eventya’s processing of personal data on behalf of customers in accordance with Article 28 of the GDPR. A signed PDF version is available upon request at privacy@eventya.net.
1. Definitions
- Controller: The Customer (you) — the DMO that determines the purposes and means of processing
- Processor: Eventya CO SRL (CUI RO31611012, J32/408/2013)
- Data Subject: Any identified or identifiable natural person
- Personal Data: As defined in Art. 4(1) GDPR
- Processing: As defined in Art. 4(2) GDPR
- Sub-processor: A third party engaged by the Processor to process Personal Data
- Services: The Eventya DMS platform as described in the Terms of Service
2. Subject Matter and Duration
This DPA applies to all processing of Personal Data by Eventya on behalf of the Customer in connection with the Services. It remains in effect for the duration of the Terms of Service.
3. Nature and Purpose of Processing
Eventya processes Personal Data for the purpose of:
- Hosting and delivering the Customer’s destination website
- Operating the Customer’s mobile app (iOS and Android)
- Powering the AI virtual agent and WhatsApp integration
- Operating the visitor helpdesk
- Sending push notifications to app users
- Generating analytics and reports
4. Categories of Personal Data and Data Subjects
| Category of data subjects | Categories of personal data |
| --- | --- |
| End-visitors (website, app) | Device identifiers, IP address, pages visited, analytics events, email (if submitted) |
| WhatsApp and AI agent users | Phone number, conversation content, language preference |
| Helpdesk ticket submitters | Email address, message content, ticket history |
| Customer staff accounts | Name, email address, role, access logs |
Note: Special category data (Art. 9 GDPR) should not be submitted unless necessary and with appropriate safeguards in place.
5. Obligations of the Processor
Eventya shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorised to process the data have committed themselves to confidentiality
- Implement appropriate technical and organisational security measures (Annex I)
- Engage sub-processors only with prior general authorisation and equivalent contractual obligations (Annex II)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in ensuring compliance with Arts. 32–36 GDPR
- Delete or return all Personal Data upon termination, at the Controller’s choice
- Make available all information necessary to demonstrate compliance and allow for audits
- Immediately inform the Controller if an instruction infringes GDPR
6. Obligations of the Controller
The Customer shall ensure that:
- There is a valid legal basis for all processing instructions
- Appropriate privacy notices are provided to data subjects
- All processing requests are lawful
- Personal Data provided to Eventya is accurate and up to date
7. Sub-processors
The Controller provides general authorisation for the use of sub-processors listed in Annex II. Eventya will notify the Controller at least 30 days before adding or replacing a sub-processor. Each sub-processor is bound by equivalent data protection obligations. Eventya remains fully liable for its sub-processors’ compliance.
8. International Transfers
Primary data storage and processing takes place within the EEA (Google Cloud, Frankfurt, Germany). For transfers outside the EEA (e.g. Twilio, SendGrid), Eventya relies on Standard Contractual Clauses (Commission Implementing Decision 2021/914/EU) or adequacy decisions.
9. Security Measures (Annex I)
Technical measures
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Pseudonymisation of analytics identifiers
- Automated vulnerability scanning and penetration testing
- Web Application Firewall (WAF) and DDoS protection via Google Cloud
- Multi-factor authentication for admin access
- Automated daily backups with point-in-time recovery
- Intrusion detection and security monitoring
Organisational measures
- Role-based access controls
- Data protection training for all staff
- Documented incident response procedure
- Breach notification to Controller within 36 hours
- Regular review of security policies
10. Sub-processors List (Annex II)
| Sub-processor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Google Cloud Platform (Google LLC) | Infrastructure hosting, storage, CDN | EU (Frankfurt, Germany) | EEA — no transfer |
| Twilio Inc. | WhatsApp Business API, SMS | USA | Standard Contractual Clauses |
| SendGrid (Twilio Inc.) | Transactional email delivery | USA | Standard Contractual Clauses |
| Stripe Inc. | Payment processing | USA / EU | Standard Contractual Clauses / Adequacy |
| Google LLC (Analytics) | Platform usage analytics (if enabled) | EU (data residency configured) | EEA — no transfer |
| Firebase (Google LLC) | Mobile app push notifications (FCM) | USA | Standard Contractual Clauses |
| Apple Inc. | iOS push notifications (APNs) | USA | Standard Contractual Clauses |
11. Data Breach Notification
Eventya will notify the Controller of any personal data breach within 36 hours of becoming aware of it. The notification will include:
- Nature of the breach, including categories and approximate numbers of data subjects and records
- Name and contact details of the data protection point of contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
The Controller is responsible for notifying the supervisory authority (per Arts. 33–34 GDPR) and affected data subjects where required.
12. Governing Law
This DPA is governed by Romanian law and applicable EU law. Disputes are resolved per the jurisdiction provisions of the Terms of Service.
13. Signed DPA
A countersigned PDF version of this DPA is available upon request. Contact privacy@eventya.net.