Data Processing Agreement (DPA)

between

EventSync UG (haftungsbeschränkt)
Dresdner Str. 12, 69181 Leimen, Germany
Commercial Register: HRB 751208 – Local Court of Mannheim
VAT ID: DE368176249
represented by Moritz Biedenbach
(hereinafter "EventSync" or "Processor")

and

the User of the EventSync.io Platform
(hereinafter "User" or "Controller")

collectively referred to as "Parties".


§ 1 – Subject and Duration of Processing

1. EventSync provides the User with a cloud-based software platform for digitally organizing, managing, and analyzing events as well as attendee and ticket data.

2. The processing of personal data is carried out exclusively on behalf of the User and in accordance with the User's documented instructions, pursuant to Art. 28 GDPR.

3. The User remains the Controller within the meaning of the GDPR. EventSync acts exclusively as a Processor.

4. This Agreement is an integral part of EventSync's Terms and Conditions and applies for the duration of active use of the Platform. It terminates automatically upon deletion of the User account.

5. In case of conflicts between this Agreement and the Terms and Conditions, the provisions of this Agreement shall prevail for data protection matters.


§ 2 – Type, Purpose and Location of Processing

1. Processing operations: Storage and management of attendee and ticket data, sending automated emails (e.g., confirmations), technical logging (log and IP data).

2. Purpose: Fulfillment of event and ticketing services provided by the User via the Platform.

3. EventSync has no access to complete card or account data; these are exclusively processed by the respective payment service provider ("PSP", e.g., Stripe). PCI-DSS obligations lie with the PSP.

4. Processing takes place primarily within the EU/EEA; third-country transfers only in accordance with § 9.


§ 3 – User's Right to Issue Instructions

1. EventSync processes data only according to documented instructions from the User.

2. Oral instructions must be confirmed in text form without delay.

3. If EventSync recognizes that an instruction is unlawful, it shall inform the User and may refuse to execute it.


§ 4 – Confidentiality

All persons involved in processing are obliged to treat personal data confidentially, are appropriately trained, and are bound to data secrecy.


§ 5 – Technical and Organizational Measures (TOMs)

1. EventSync implements appropriate measures in accordance with Art. 32 GDPR.

2. The current TOMs are described in Annex 1.

3. System access follows the "Least Privilege" principle.

4. Emergency and recovery plans are regularly tested and documented.


§ 6 – Notification of Data Breaches

EventSync shall inform the User without undue delay, at the latest within 24 hours, of any personal data breaches. The notification shall include the nature of the incident, affected data, consequences, and measures taken.


§ 7 – Support Obligations

EventSync supports the User with data security measures, notifications to authorities and data subjects, as well as with data protection impact assessments and consultations (Art. 32–36 GDPR).


§ 8 – Data Subject Rights

1. The User handles requests from data subjects independently.

2. EventSync provides technical support and makes available information and logs required for notifications under Art. 33 and 34 GDPR.


§ 9 – Sub-processors and Third-Country Transfers

1. EventSync may only engage sub-processors after prior notification to the User. Current list: https://eventsync.io/subprocessors.

2. The User may object within 14 days of notification. EventSync may offer a reasonable alternative; if this is not possible, both parties may terminate the affected part of the contract extraordinarily.

3. EventSync contractually binds all sub-processors to comply with this Agreement.

4. For transfers to third countries, appropriate safeguards according to Art. 44 ff. GDPR are used (Standard Contractual Clauses ("SCCs") including future versions, adequacy decisions, or Binding Corporate Rules).


§ 10 – Audits and Evidence

1. The User may verify compliance with this Agreement.

2. EventSync provides appropriate evidence (audit reports, TOM documentation, certificates).

3. Audits may be conducted at most once annually and with reasonable advance notice; costs are borne by the User in case of extraordinary effort.

4. Access for support or maintenance purposes is exclusively purpose-bound, minimal, and logged.


§ 11 – Information Obligations for Authority Requests

EventSync informs the User before official data disclosure, where legally permissible, and transmits only the required information.


§ 12 – Data Ownership

All personal data remains the property of the User. EventSync has no right of retention and processes the data exclusively for contract fulfillment.


§ 13 – Deletion and Return

1. After contract termination or upon instruction, EventSync deletes or returns all personal data, unless there is a legal retention obligation.

2. Production data will be deleted within 7 days, backups within 30 days.

3. EventSync documents the deletion and provides a deletion confirmation upon request.


§ 14 – Liability

1. EventSync is liable for violations of the GDPR or this Agreement according to Art. 82 GDPR.

2. EventSync is liable for breaches by sub-processors as if they were its own.

3. The User remains the primary Controller for the lawfulness of processing; EventSync is only liable for its own breaches.


§ 15 – Compensation

For additional support or audit services, EventSync may charge a reasonable fee based on actual effort.


§ 16 – Final Provisions

1. Amendments or additions to this Agreement require text form.

2. Should a provision be invalid, the validity of the remaining provisions remains unaffected.

3. German law applies; place of jurisdiction is Mannheim.

4. The Agreement may be concluded electronically (e.g., by consent during registration or in the user account).


Annex 1 – Technical and Organizational Measures (TOMs)

  • SSL/TLS encrypted transmission
  • AES-256 database encryption
  • Role-based and password protection following "Least Privilege"
  • Access control and logging
  • Regular backups and recovery testing
  • Physical security (Hetzner data centers – Germany)
  • Employee training and confidentiality commitments
  • Annual review of measure effectiveness

Annex 2 – Sub-processors

For an up-to-date list of all sub-processors, please visit our Sub-processors page (https://eventsync.io/subprocessors).