Data Processing Agreement

1. Definitions

• Personal Data: data relating to identified or identifiable individuals
• Processing: any operation performed on Personal Data
• UK GDPR: the UK General Data Protection Regulation as amended
• Sub-Processor: any third party appointed by the Processor to process Personal Data

2. Processing Details

The Processor shall process Personal Data only as documented below:

• Subject matter: provision of hospitality guest management and competition software
• Nature and purpose: storage, management and reporting of guest data, competition entries and outreach data
• Types of data: name, email, phone, marketing preferences, event attendance
• Categories of data subjects: end users submitting data via Controller's forms (guests, competition entrants)
• Duration: for the term of the service agreement, plus retention as instructed by Controller

3. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorised to process Personal Data are bound by confidentiality
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
• Assist the Controller in responding to data subject requests
• Assist the Controller in meeting obligations regarding security, breach notification and impact assessments
• Delete or return all Personal Data after the end of services unless law requires retention

4. Sub-Processors

The Processor may appoint Sub-Processors (e.g. hosting, infrastructure, email) provided they offer sufficient guarantees. Sub-Processors are contractually bound to equivalent obligations. The Controller may object to new Sub-Processors on reasonable grounds; the Processor will work in good faith to address concerns or propose alternatives.

5. International Transfers

Where Personal Data is transferred outside the UK, the Processor shall ensure appropriate safeguards (e.g. adequacy decisions, UK International Data Transfer Agreement or UK Addendum to the EU SCCs) are in place.

6. Audit

The Controller may audit the Processor's compliance with this DPA, upon reasonable notice and at Controller's cost. The Processor will provide information and access necessary to demonstrate compliance. Audits shall not unreasonably interfere with the Processor's operations.

7. Data Breach

The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data breach. The notice shall include the nature of the breach, categories and approximate number of records affected, and the measures taken or proposed to address the breach.

8. Liability

Each party's liability under this DPA is subject to the limitation of liability in the Terms & Conditions. Each party shall be liable to data subjects for damage caused by non-compliance with UK GDPR obligations.

9. Termination

Upon termination of the service agreement, the Processor shall delete or return Personal Data as instructed by the Controller, unless applicable law requires retention. Until deletion or return, the Processor shall continue to ensure confidentiality and security of the data.