Data Processing Agreement (DPA)

pursuant to Art. 28(3) GDPR

Last updated: 15 Feb 2026

§ 1 Subject Matter and Duration

This agreement specifies the data protection obligations of the parties arising from the use of the FireVue Events platform (hereinafter "Software"). FireVue UG (haftungsbeschränkt) (hereinafter "Processor") processes personal data on behalf of the customer (hereinafter "Controller").

The duration of this agreement corresponds to the term of the main contract (use of the Software).

§ 2 Nature and Purpose of Processing

The Processor provides event management software. The Controller uses this software to manage events and collect data from participants (e.g., via custom forms and questionnaires).

Types of data

Names, email addresses, payment confirmations, and any additional data the Controller collects via custom-built forms.

Categories of data subjects

Participants of the Controller's events.

§ 3 Obligations of the Processor

Instructions

The Processor shall process data only on documented instructions from the Controller. If the Processor believes that an instruction violates the GDPR or other data protection provisions, the Processor shall inform the Controller immediately.

Confidentiality

All persons authorized to process personal data are bound by confidentiality obligations.

Security Measures

The Processor shall implement appropriate technical and organizational measures (TOMs) to ensure a level of security appropriate to the risk, including but not limited to:

  • Encryption of data in transit and at rest (via Supabase/Vercel)
  • Database hosting within the European Union
  • Role-based access controls and authentication
  • Regular backups and disaster recovery procedures
  • Continuous security monitoring and updates

Sub-processors

The Controller hereby grants general authorization for the use of the following sub-processors:

  • Vercel Inc. — Website hosting and deployment
  • Supabase / Copple Software Inc. — Database and authentication
  • Cloudflare Inc. — File storage (R2) and CDN
  • Stripe Payments Europe Ltd. — Payment processing

The Processor shall inform the Controller before adding or replacing sub-processors, giving the Controller the opportunity to object to such changes. Sub-processors are bound by the same data protection obligations as set out in this agreement.

§ 4 Assistance with Data Subject Rights

The Processor shall assist the Controller in fulfilling their obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (right of access, rectification, erasure, restriction, portability, and objection). If a data subject contacts the Processor directly, the Processor shall forward the request to the Controller without undue delay.

§ 5 Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include:

  • The nature of the personal data breach, including the categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach, including measures to mitigate its adverse effects

The Processor shall assist the Controller in meeting their obligations under Art. 33 and 34 GDPR (notification to supervisory authorities and data subjects).

§ 6 Data Protection Impact Assessment

The Processor shall assist the Controller, where necessary, in carrying out data protection impact assessments (DPIA) and prior consultation with supervisory authorities pursuant to Art. 35 and 36 GDPR.

§ 7 Obligations of the Controller

Lawfulness of Data Collection

The Controller is solely responsible for the legal admissibility of the forms and questionnaires they create. This includes ensuring an appropriate legal basis for any data collected (especially sensitive data under Art. 9 GDPR).

Indemnification

The Controller shall indemnify and hold the Processor harmless from all claims by third parties resulting from the Controller processing data without a lawful basis (e.g., health data collected without proper consent) through the platform.

§ 8 Audit and Inspection Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable prior notice and during normal business hours.

§ 9 International Data Transfers

Insofar as sub-processors are located outside the EU/EEA, the Processor ensures that appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or certification under the EU-US Data Privacy Framework, in accordance with Art. 46 GDPR.

§ 10 Termination and Deletion

Upon termination of the main contract, the Processor shall delete all personal data processed on behalf of the Controller, unless retention is required by EU or member state law. The Controller may request a copy of the data in a common, machine-readable format before deletion.

§ 11 Liability

Liability of the parties is governed by Art. 82 GDPR. The Processor is liable for damages caused by processing only where it has not complied with the obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the lawful instructions of the Controller.
