Data Processing Agreement

Effective Date: November 13, 2023


Acceptance of this DPA

Your access to and use of Third-Party Products is conditional on your acceptance of the terms and conditions of this DPA. By accessing and using Third-Party Products, you agree on your own behalf and on behalf of any End Users on whose behalf you may act to accept and abide by this DPA. If you do not agree with all terms and conditions of this DPA, please do not access or use any Third-Party Products.

Modification to this DPA

We reserve the right to modify this DPA at any time by posting an updated DPA on our website. If we make changes, we will notify you by revising the date at the top of the policy. We may also, at our sole discretion, provide active Resellers with an email notice of changes. You are responsible for regularly reviewing this DPA, and your continued use of Third-Party Products after the effective date of any change shall constitute your acceptance of the updated DPA. If any modification is unacceptable, you shall cease using the applicable Third-Party Products. If you have any questions about this DPA, contact us at legal@eventfield.co.

  • Definitions.  Capitalized terms not defined herein have the meaning set forth in the Primary Agreement.

Data Protection Laws” means, as applicable, data protection laws of the State of California under the CCPA and the laws of the European Union (“EU”) and, to the extent applicable, the data protection or privacy laws of any other country. Data Protection Laws include, without limitation, the EU Directive 95/46/EC, as transposed into domestic legislation of each member state and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

Data Subjects” means End Users and their representatives, such as their employees, job applicants, contractors, collaborators, partners, suppliers, customers, and clients.

End User Personal Information” means the Personal Information about an End User and its personnel or customers that Eventfield receives from Reseller, or otherwise Processes for or on behalf of Reseller, in the provision of Third-Party Products and/or Implementation Services or Support Services under our Primary Agreement.

GDPR” means EU General Data Protection Regulation 2016/679.

Personal Information” shall have the same meaning as the term “personal information,” “personally identifiable information (PII),” or the equivalent term under applicable Data Protection Laws.

Personal Information Breach” means a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored, or otherwise Processed on Third-Party Products that compromises the security, confidentiality, or integrity of such Personal Information.

Personnel” means all workers, including, without limitation, Eventfield’s employees, contractors, and others employed or contracted by Eventfield that have access to, store, Process, or use End User Personal Information.

Process/Processing,” Controller,” and “Processor” (or the equivalent terms) have the meaning set forth under applicable Data Protection Laws.

Sensitive Data” means (i) any patient, medical, or other protected health information regulated by HIPAA or any similar federal or state laws, rules, or regulations; or (ii) any other information subject to regulation or protection under specific laws such as the Gramm-Leach-Bliley Act (or related rules or regulations). 

Special Category Data” means any Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Subcontractor” means Eventfield’s vendors, agents, subcontractors, and all other persons, entities, or organizations, exclusive of Reseller’s employees or Third-Party Products providers who are subject to the direction, supervision, and control of Reseller.

Sub-Processor” means any Subcontractor engaged by Eventfield to Process End User Personal Information identified by Eventfield in the Primary Agreement or otherwise approved or acknowledged in writing by Reseller.

  • Scope

This DPA applies if and to the extent End User Personal Information is received by Eventfield from or on behalf of Reseller as a data Processor while providing Third-Party Products, Implementation Services, or Support Services under the Primary Agreement and related addendums or exhibits.

  • Term

This DPA begins when Eventfield first Processes End User Personal Information and continues thereafter for the period during which Eventfield is a data Processor and has possession or access to End User Personal Information in connection with Third-Party Products.

  • Eventfield Responsibilities


Eventfield will Process Personal Information solely for the purpose of providing Third-Party Products in accordance with the Primary Agreement and this DPA or as otherwise instructed by Reseller. Eventfield does not control the type of Personal Information Reseller submits to Eventfield for Processing. Eventfield may Process some or all of the following categories of Personal Information: personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance, and other capabilities, education/qualification, identification numbers, and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers; IP addresses and online behavior and interest data.


Eventfield will comply with all reasonable instructions provided by Reseller in the Processing of End User Personal Information. If Eventfield cannot comply with Reseller’s instructions for any reason, it agrees to promptly inform Reseller of its inability to comply. Reseller is solely responsible for the legality or reasonableness of any instructions it provides to Eventfield relating to Processing Personal Information.


Eventfield will implement and maintain reasonable policies, procedures, and practices that satisfy the applicable requirements set forth in this DPA.

  • Reseller Responsibilities


Reseller is responsible for compliance with its requirements under the applicable Data Protection Laws.

No Special Categories of Data

Unless otherwise specified in the Primary Agreement, Reseller may not provide Eventfield with any Sensitive Data or Special Category Data that imposes specific data security or protection obligations on Eventfield in addition to or different from those specified in this DPA or the Primary Agreement.

  • Processing

Eventfield may Process Personal Information as necessary to provide Third-Party Products, including where applicable for hosting and storage; backup and disaster recovery; service change management; issue resolution; applying new product or system versions, patches, updates, and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical legal systems and IT infrastructure; and migration, implementation, configuration, and performance testing.

  • Sub-Processors

Eventfield may subcontract its Processing work related to Personal Information under the Primary Agreement to Third-Party Products providers identified in the Primary Agreement or any related documentation. Subject to applicable Data Protection Laws, Reseller agrees that Eventfield may later use Sub-Processors not identified in the Primary Agreement if, prior to the use of any additional Sub-Processor, Eventfield provides notice to Reseller of such additional Sub-Processors. Reseller will have fourteen (14) days from the date of notice to provide a justifiable and reasonable objection to the use by Eventfield of such Sub-Processor. Eventfield will require that its Sub-Processors maintain adequate measures reasonably appropriate to such Sub-Processor’s storage, maintenance, or processing activities that comply in all material respects with this DPA. Eventfield is not responsible for the applicable Third-Party Products provider’s compliance with the terms of applicable Data Protection Laws.

  • International Transfers

Unless otherwise specified in an applicable Purchase Order, Eventfield may Process Personal Information globally as necessary to perform the Services. If a Purchase Order or any applicable addenda indicates a specific geographic location where End User Personal Information will be stored and hosted (“Country of Origin”), then any transfer of End User Personal Information outside of the Country of Origin by Eventfield will only be done through written permission of Reseller and in compliance with the relevant provisions of the applicable Data Protection Laws. 

  • Cooperation and Inquiries

The parties will promptly inform the other party if it receives any inquiry, complaint, or claim from any court, governmental official, third parties, or individuals (including but not limited to Data Subjects) arising out of the Services and will provide the other party reasonable legal and cooperation in a timely manner in responding to any such request. Should Eventfield directly receive a request or inquiry from a Data Subject that has identified Reseller as the Controller, Eventfield will promptly pass on such requests to Reseller without responding to the Data Subject. Should Reseller, based on applicable Data Protection Laws, be obliged to provide access or information to a Data Subject about the Processing of Personal Information relating to him or her, Eventfield will reasonably assist Reseller in providing such access or information.

  • Confidentiality and Information Security

Eventfield has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Information designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These security measures govern all security areas applicable to Third-Party Products, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement, and other security control measures. Eventfield employees and contractors who Process Personal Information are subject to written confidentiality arrangements.

  • Data Breach Incidents

When known or reasonably suspected by Eventfield while providing Third-Party Products under the Primary Agreement, Eventfield will inform Reseller without undue delay if Eventfield becomes aware of a Personal Information Breach. Eventfield will take appropriate measures to address the Personal Information Breach, including, where appropriate, securing Personal Information, and will work in good faith to reduce risk to the Data Subjects whose Personal Information was involved. Applicable Data Protection Laws may impose a duty to inform the competent authorities or affected Data Subjects in the event of the loss or unlawful disclosure of Personal Information or access to it, and Eventfield agrees to provide Reseller with sufficient information to allow Reseller to meet any obligations to report or inform Data Subjects of the Personal Information Breach under applicable Data Protection Laws. Eventfield will cooperate with Reseller and take reasonable steps as necessary to assist in the investigation, mitigation, and remediation of each Personal Information Breach. Reseller is responsible for and will coordinate the messaging related to any privacy violation, security breach, or data breach incident with Eventfield prior to making any public disclosures.

  • Inspection and Audit Rights

Form of Audit

Reseller may inspect, at Reseller’s expense, Eventfield’s operating facilities or conduct an audit of Eventfield’s security, technical, and organizational procedures used for Processing End User Personal Information to verify compliance with this DPA (“Audit”). Unless otherwise required by applicable Data Protection Laws, Reseller may Audit Eventfield’s compliance with this DPA once per twelve (12) month period, unless a violation of Eventfield’s obligations is found, in which case Reseller may conduct another Audit within six (6) months. The Audit may be conducted by Reseller’s data protection officer or a mutually accepted authorized representative or third-party auditor. Eventfield agrees to provide Reseller with any reasonably necessary information and documents during the Audit. All Audits will be performed during normal working hours and in such a way that the Audit does not disrupt or compromise Eventfield’s normal business operations. In addition, Eventfield will cooperate with any Audit ordered by a relevant authority that arises from its performance under the Primary Agreement. Notwithstanding the foregoing, any Audit shall not entitle Reseller to view or in any way access records and/or processes: (i) not directly related to End User Personal Information Processed by Eventfield; (ii) not directly related to the Third-Party Products provided to Reseller under the Primary Agreement; (iii) in violation of applicable laws; and/or (iv) in violation of Eventfield’s confidentiality obligations owed to a third party.

Scope of Audit

Prior to any Audit, the parties must mutually agree in writing on the scope of the Audit, which must describe the proposed scope, duration, and start date of the Audit. Reseller must provide prior written notice, including a written explanation of the reason for the Audit, to Eventfield no later than thirty (30) days before any such Audit commences. Prior to any Audit, both parties shall agree to pursue, in good faith, other means of reconciling the documents that would render such Audits not necessary. Audits may be performed by a third party mutually accepted by the parties, and any such third-party auditor must sign a confidentiality agreement acceptable to Eventfield, or otherwise be bound by a statutory or legal confidentiality obligation. Such third-party Auditor may not disclose to Reseller anything other than the results of Eventfield’s compliance or non-compliance with the Audit.

Disclosure of Audit

Reseller agrees to provide Eventfield with the results of the Audit, including any documented reports, which shall be subject to the confidentiality terms of the Primary Agreement. Reseller may use the Audit reports only for the purpose of meeting Reseller’s requirements in accordance with applicable Data Protection Laws or for confirming Eventfield’s compliance with this DPA.

Sub-Processor Audits

Reseller may request that Eventfield Audit any Sub-Processor or provide confirmation that such an Audit has occurred (or, where available, obtain or assist Reseller in obtaining a third-party audit report concerning the Sub-Processor’s operations) to verify compliance with the Sub-Processor’s obligations. Reseller will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of Eventfield’s agreement with any Sub-Processors that may Process End User Personal Information.

  • Indemnity

The parties agree that: (i) if one party is held liable for a violation of the Data Protection Laws committed by the other party, the latter will, to the extent to which it is liable, indemnify the other party for any cost, charge, damages, expenses, or loss it has incurred as part of its obligations; and (ii) the limitations of liability provided in the Primary Agreement, including the aggregate liability cap, applies to this DPA.

  • Deletion of Personal Information

Following termination of the Primary Agreement, Eventfield will, except to the extent provided in the Primary Agreement or prohibited by applicable law, and at the written request of Reseller, return to Reseller or destroy and delete all End User Personal Information subject to Processing. Upon request from Reseller, Eventfield will certify in writing to Reseller that it has complied with the foregoing obligations.

  • Legal Requirements

Eventfield may be required by law to provide access to Personal Information, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities, for national security and/or law enforcement purposes. Eventfield will promptly inform Reseller of requests for access to End User Personal Information unless otherwise required by law.

  • Severability

If any provision of this DPA is held invalid or unenforceable by any court or agency of competent jurisdiction, the parties shall mutually agree on an alternate, legally valid, and enforceable provision. The remainder of this DPA shall nevertheless continue in full force and effect to the extent that continued operation under this DPA without the invalid or unenforceable provision is consistent with the parties’ intent as expressed in this DPA.

  • Governing Law

This DPA will be governed by the choice of law and jurisdiction provisions in the Primary Agreement unless otherwise required by applicable Data Protection Laws.

  • Integration

Except as otherwise set forth in this DPA, all terms and conditions contained in the Primary Agreement and not amended herein shall remain in full force and effect. In the event of a conflict between the Primary Agreement and this DPA or any other confidentiality term in an agreement between us, the order of precedence regarding the Processing of End User Data shall be this DPA and then the Primary Agreement.

  • Contact

If you have any questions or complaints about this Data Processing Agreement or our handling of End User Personal Information, please contact us at legal@eventfield.co