How this DPA is concluded. This DPA is incorporated into the Terms of Use by reference and binds both parties from the moment you create an Account or accept the Terms — no separate signature required. If you need a counter-signed PDF for your own compliance file, write to [email protected].
1. Parties
This Data Processing Agreement ("DPA") is between Anton Eremeeff, IČO 09673024, sole trader trading as FoyerFlow ("Processor") and the customer that has accepted the FoyerFlow Terms of Use ("Controller"). It supplements those Terms.
2. Subject matter, duration, nature, and purpose
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the FoyerFlow service to the Controller (the "Service"). Processing continues for the duration of the Controller's subscription and ends with the termination of that subscription, subject to clause 10.
3. Categories of data subjects and personal data
Data subjects include the Controller's staff and other authorised users of the Account; the Controller's clients (venues' booking customers, event planners' clients); event guests, attendees, and contacts; vendors and their representatives.
Categories of personal data typically processed: contact details (name, email, phone, address); event metadata (attendance, role, dietary preferences, accessibility notes); communications and notes; uploaded documents and signatures; photographs uploaded by the Controller; technical identifiers (IP address, device); any other personal data the Controller chooses to enter into the Service.
Special categories of personal data (Art. 9 GDPR — health, religion, political opinion, etc.) are not required by the Service. If the Controller chooses to enter such data — for example, dietary or accessibility notes — the Controller is solely responsible for ensuring an appropriate legal basis under Art. 9 and warrants that such basis is in place.
4. Documented instructions
The Processor processes personal data only on the documented instructions of the Controller. The Controller's standing instructions are: (a) the Terms of Use; (b) this DPA; (c) the configuration the Controller chooses inside the Service. Additional one-off instructions may be sent to [email protected]; the Processor may charge a reasonable fee for instructions that go beyond the scope of the Service.
The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other Union or member-state data-protection law.
5. Confidentiality
The Processor ensures that persons authorised to process personal data are subject to a confidentiality obligation, either contractual or statutory. Production access is limited to a minimum number of named engineers under role-based access control, with audit logging.
6. Security of processing (Art. 32)
The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and at rest;
- Strong authentication and role-based access control on the production environment;
- Network segmentation and firewalling;
- Tenant-level isolation enforced at both the application and the database layer;
- Centralised audit logging of administrative actions;
- Regular automated backups, with restore testing;
- Vulnerability monitoring of dependencies and infrastructure;
- Documented incident-response procedures and on-call coverage;
- Vendor due diligence before engaging any subprocessor.
A current summary of measures is available on request at [email protected].
7. Subprocessors
The Controller grants the Processor general written authorisation to engage subprocessors, subject to the conditions in this clause. The current list of subprocessors and their function is published at /legal/subprocessors.
The Processor will notify the Controller at least 30 days in advance of any intended addition or replacement of a subprocessor (we recommend subscribing to the RSS feed on the Subprocessors page; otherwise the Account-administrator email is used). The Controller has 30 days from notice to object on reasonable data-protection grounds. If the parties cannot resolve the objection, the Controller may terminate the Service for the affected functionality without penalty.
The Processor imposes data-protection obligations on each subprocessor that are materially equivalent to those in this DPA, by written contract, and remains liable to the Controller for the performance of each subprocessor.
8. Assistance with data-subject requests
The Service provides self-serve tools for the Controller to read, export, correct, and delete data subjects' personal data. Where additional assistance is needed to comply with a data subject's request (Art. 15–22 GDPR), the Processor will assist the Controller using appropriate technical and organisational measures, taking into account the nature of the processing.
9. Assistance with DPIA, breach notification, and authority engagement
Taking into account the nature of processing and the information available, the Processor will assist the Controller with: data-protection impact assessments (Art. 35); prior consultations with supervisory authorities (Art. 36); breach notifications (Art. 33–34) and the security obligations (Art. 32).
Breach notification. The Processor will notify the Controller without undue delay — and in any case within 72 hours — after becoming aware of a personal-data breach affecting the Controller's data, providing all information reasonably necessary for the Controller to meet its own notification obligations.
10. Return or deletion of data
On termination of the Service, the Processor will, at the Controller's choice, delete or return all Customer Data and delete existing copies, unless retention is required by Union or member-state law. Default behaviour: full deletion within 60 days of termination, with backups overwritten in the normal rotation cycle (max 35 days). The Controller may export Customer Data through the Service before termination.
11. Audit rights
The Processor will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by it, on reasonable notice and during business hours, no more than once per year except for cause. To minimise disruption, the Processor's first answer to an audit request is typically a current report (security questionnaire, penetration-test summary, ISO/SOC report) — the Controller may escalate to an on-site or remote inspection if the report is insufficient.
12. International transfers
Where the Processor or a subprocessor transfers personal data outside the European Economic Area, the transfer is made under one of the lawful mechanisms listed in Chapter V of the GDPR — typically the European Commission's Standard Contractual Clauses (SCCs, Implementing Decision 2021/914), supplemented as needed by additional safeguards. The transfer mechanism for each subprocessor is listed at /legal/subprocessors.
13. Liability and term
The liability of the parties under this DPA is governed by the limitations of liability in the Terms of Use, except where applicable law imposes direct statutory liability on either party (e.g. Art. 82 GDPR). This DPA takes effect when the Terms of Use take effect and remains in force as long as the Processor processes personal data on behalf of the Controller.
14. Conflict and order of precedence
In the event of any conflict between this DPA and the Terms of Use, this DPA prevails in matters of personal-data processing. In the event of any conflict between this DPA and the GDPR, the GDPR prevails.
Questions? Write to [email protected]. The binding version of this document is the most recent one published at foyerflow.app/legal.