For event-related personal data, the Customer or Event Organizer is the Controller and Bewitt is the Processor. Bewitt processes Customer Personal Data only on documented instructions from the Customer and solely to provide and operate the requested services.
Controller and processor
The organizer controls event data. Bewitt processes it to provide registrations, access, agenda, check-in, communication, feedback, reporting, and related services.
Event data covered
Customer Personal Data may include participant records, ticket or payment references, agenda choices, check-in status, feedback, speaker data, sponsor contacts, and reporting data.
Support for legal teams
The annexes describe processing activities, security measures, and subprocessors so privacy and procurement reviews do not have to guess what Bewitt handles.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
Customer / Event Organizer: the legal entity, organization, association, university, business, community, or event organizer using Bewitt's services.
Bewitt: a software-as-a-service provider established in the Netherlands.
In this DPA, the Customer is the Controller and Bewitt is the Processor for Customer Personal Data processed through the Service.
2. Purpose of the DPA
This DPA forms part of the Agreement between Bewitt and Customer and governs Bewitt's processing of Customer Personal Data on behalf of Customer in connection with Bewitt's cloud-based SaaS event-management platform.
The purpose of processing is to provide, operate, maintain, secure, and support the services requested by Customer, including event registration, event operations, communications, analytics, reporting, and related platform functionality.
3. Definitions
Agreement means the commercial agreement, order, subscription, quotation, terms of service, or other arrangement under which Bewitt provides the Service to Customer.
Customer Personal Data means personal data processed by Bewitt on behalf of Customer through the Service.
Controller, Processor, Personal Data, Processing, Data Subject, Personal Data Breach, and Supervisory Authority have the meanings given in the GDPR.
GDPR means Regulation (EU) 2016/679, the General Data Protection Regulation.
Service means Bewitt's cloud-based SaaS event-management platform and related services.
Subprocessor means another processor engaged by Bewitt to process Customer Personal Data on behalf of Customer.
4. Scope of Processing
Bewitt will process Customer Personal Data only to the extent necessary to provide and operate the Service requested by Customer.
The processing may relate to event participants, event organizers, event staff, volunteers, speakers, sponsors, guests, customers, and other individuals whose data Customer submits to the Service.
Details of processing activities are set out in Annex A.
5. Nature of Processing
The nature of processing may include collection, recording, organization, structuring, storage, hosting, retrieval, consultation, use, transmission, disclosure to authorized users, alignment or combination, restriction, deletion, export, and other processing necessary to provide the Service.
Processing may occur through features including registrations, agenda management, session participation, QR code check-ins, feedback collection, quizzes, gamification, rewards, networking, stores, reporting, analytics, email communications, custom domains, and API integrations.
6. Categories of Data Subjects
Customer Personal Data may relate to:
- event participants and prospective participants;
- event organizers and event staff;
- volunteers;
- speakers;
- sponsors;
- guests;
- customers and customer representatives;
- platform users; and
- other individuals included by Customer in the Service.
7. Categories of Personal Data
Identity Data
- name;
- username;
- email address;
- phone number.
Event Participation Data
- registrations;
- attendance;
- check-ins;
- session participation;
- agenda interactions;
- feedback;
- quiz responses;
- reward redemptions;
- networking interactions;
- gamification activity.
Technical Data
- IP addresses;
- device information;
- browser information;
- login history;
- security logs.
Commercial Data
- subscription records;
- billing information;
- transaction history.
Customer is responsible for ensuring that it does not submit unnecessary or unlawful personal data to the Service.
8. Processing Instructions
Bewitt will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or international organization, unless Bewitt is required to process such data by EU or Member State law.
Customer's documented instructions include this DPA, the Agreement, Customer's configuration and use of the Service, written instructions provided through authorized support or account channels, and instructions reasonably necessary for Bewitt to provide the Service.
Bewitt will promptly inform Customer if, in Bewitt's opinion, an instruction infringes the GDPR or other applicable EU or Member State data protection law, unless prohibited by law.
Customer remains responsible for determining the purposes and means of processing, ensuring a lawful basis, obtaining any required consents, providing privacy notices to data subjects, ensuring event content and data are lawful, responding to data subject requests, and complying with Controller obligations under applicable data protection law.
Bewitt is not responsible for the legality, accuracy, or content of personal data, event content, communications, or materials uploaded or configured by Customer.
9. Confidentiality Obligations
Bewitt will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory, or professional.
Bewitt will limit access to Customer Personal Data to personnel and contractors who need such access to provide, secure, support, or maintain the Service.
10. Security Measures
Taking into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, and the risk to individuals, Bewitt will implement appropriate technical and organizational measures designed to protect Customer Personal Data.
Such measures may include encryption in transit, access controls, role-based permissions, authentication controls, logging and monitoring, backup procedures, vulnerability management, incident response procedures, infrastructure security controls, least-privilege access practices, and operational security procedures.
Further details are set out in Annex B. Customer acknowledges that security measures may evolve over time, provided that Bewitt does not materially reduce the overall level of protection for Customer Personal Data.
11. Subprocessors
Customer gives Bewitt general authorization to engage Subprocessors necessary to provide, operate, secure, support, and improve the Service.
Bewitt will maintain a public Subprocessor List describing current categories of Subprocessors and, where applicable, identified Subprocessors.
Bewitt will impose data protection obligations on Subprocessors that are substantially equivalent to those imposed on Bewitt under this DPA, including obligations relating to confidentiality, security, and processing only for authorized purposes.
Bewitt remains responsible to Customer for the performance of its Subprocessors' data protection obligations as required by Article 28 GDPR.
12. Changes to Subprocessors
Bewitt will notify Customer before making material additions or replacements of Subprocessors that process Customer Personal Data.
Notification may be provided by email, in-product notice, publication on a Subprocessor List, or another reasonable method.
Customer may object to a new Subprocessor on reasonable data protection grounds within the notice period stated by Bewitt, or if no period is stated, within 14 days of notice.
If Customer reasonably objects, the parties will work in good faith to resolve the objection. If no reasonable resolution is available, Customer may terminate the affected Service in accordance with the Agreement.
13. International Transfers
Bewitt will not transfer Customer Personal Data outside the European Economic Area unless such transfer complies with applicable data protection law.
Where a transfer requires safeguards under Chapter V GDPR, Bewitt will use appropriate safeguards, such as an adequacy decision, Standard Contractual Clauses adopted by the European Commission, supplementary measures where required, transfer impact assessments where appropriate, or another lawful transfer mechanism.
Where applicable, the parties agree that the European Commission Standard Contractual Clauses for international transfers, including Commission Implementing Decision (EU) 2021/914, may apply to transfers of Customer Personal Data to third countries.
Where relevant for controller-processor terms, the parties may also rely on standard contractual clauses adopted under Article 28 GDPR, including Commission Implementing Decision (EU) 2021/915, to the extent incorporated or referenced by the parties.
14. Assistance with Data Subject Requests
Taking into account the nature of the processing, Bewitt will reasonably assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to data subject requests.
This may include requests involving access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where relevant.
If Bewitt receives a request directly from a data subject relating to Customer Personal Data, Bewitt may refer the request to Customer and will not independently respond to the request except as required by law or instructed by Customer.
15. Assistance with GDPR Compliance
Taking into account the nature of processing and the information available to Bewitt, Bewitt will reasonably assist Customer with Customer's obligations under GDPR Articles 32 to 36, including security of processing, personal data breach assessment, data protection impact assessments, prior consultation with a supervisory authority where required, and information reasonably necessary to demonstrate compliance.
Customer remains responsible for determining whether a data protection impact assessment or prior consultation is required for Customer's use of the Service.
16. Personal Data Breach Notifications
Bewitt will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
The notification will include, to the extent reasonably available, the nature of the breach, categories and approximate number of affected data subjects, categories and approximate number of affected records, likely consequences, measures taken or proposed to address the breach, measures to mitigate possible adverse effects, and a contact point for follow-up.
Bewitt may provide information in phases as it becomes available. Customer is responsible for determining whether notification to a supervisory authority or communication to data subjects is required, unless applicable law imposes a direct obligation on Bewitt.
17. Audits and Inspections
Bewitt will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
Customer may request an audit or inspection where reasonably necessary to verify Bewitt's compliance, subject to reasonable prior notice, confidentiality obligations, reasonable scope and duration, no disruption to Bewitt's systems, security, or other customers, use of an independent auditor where appropriate, compliance with Bewitt's security requirements, and no access to data of other customers or confidential third-party information.
Bewitt may satisfy audit requests by providing security documentation, certifications, policies, summaries, audit reports, or other evidence of compliance where appropriate. Customer will bear its own audit costs unless otherwise required by law or agreed in writing.
18. Return or Deletion of Data
Upon termination or expiry of the Service, Customer may request export or deletion of Customer Personal Data, subject to the functionality of the Service and the Agreement.
At Customer's choice, Bewitt will delete or return Customer Personal Data after the end of the provision of services relating to processing, unless EU or Member State law requires storage of the personal data.
Deletion from backups may occur according to Bewitt's ordinary backup lifecycle, provided that backup data is protected from active processing except where restoration is necessary for security, continuity, or legal reasons.
19. Data Retention
Bewitt will retain Customer Personal Data for the duration necessary to provide the Service and in accordance with Customer's instructions, the Agreement, this DPA, and applicable law.
Retention may depend on active account status, event configuration, Customer export or deletion requests, backup cycles, legal retention obligations, security and fraud prevention needs, dispute resolution, and tax, accounting, or compliance requirements.
Customer remains responsible for determining retention periods for event-specific personal data.
20. Liability
The liability of the parties under this DPA is governed by the liability provisions of the Agreement, unless otherwise required by applicable data protection law.
Nothing in this DPA limits liability where such limitation is prohibited by GDPR or other mandatory law. Each party remains responsible for its own breaches of applicable data protection law.
21. Governing Law
This DPA is governed by the laws of the Netherlands, unless mandatory applicable data protection law requires otherwise.
The competent courts are those specified in the Agreement or, if not specified, the competent courts in the Netherlands.
22. Contact Information
Privacy and data protection notices under this DPA may be sent to:
BewittNetherlands
Email: [email protected]
Customer must provide and maintain accurate account, legal, and data protection contact details in the Service or Agreement.
Annex A: Details of Processing Activities
Subject Matter
Processing of Customer Personal Data by Bewitt in connection with the provision of Bewitt's cloud-based SaaS event-management platform.
Duration
For the term of the Agreement and thereafter only as necessary for deletion, return, backup lifecycle, legal retention, security, dispute resolution, or compliance purposes.
Purpose
To provide, operate, maintain, secure, support, and improve the Service requested by Customer, including event management and related platform functionality.
Processing Activities
- user accounts;
- event registrations;
- event attendance;
- agenda management;
- session participation;
- QR code check-ins;
- feedback collection;
- quizzes;
- gamification;
- rewards;
- networking;
- event stores;
- reporting and analytics;
- email communications;
- custom domains;
- API integrations;
- support and troubleshooting;
- security monitoring and fraud prevention;
- payment-related platform functions.
Special Categories of Personal Data
The Service is not intended to require special categories of personal data. Customer must not submit special categories of personal data unless Customer has a valid legal basis and has configured appropriate safeguards.
Frequency of Transfer
Continuous or as initiated by Customer, users, participants, integrations, or platform functionality.
Processing Location
Primarily within the EEA where reasonably available. Processing may occur in other jurisdictions subject to applicable transfer safeguards.
Annex B: Technical and Organizational Security Measures
Encryption and Transmission Security
- encryption in transit using secure protocols where supported;
- secure handling of authentication and session tokens;
- protection against common web security risks.
Access Controls
- role-based access controls;
- least-privilege access practices;
- access limited to authorized personnel and contractors;
- account authentication controls;
- permission controls for organizer workspaces where available.
Logging, Monitoring, and Backups
- security, authentication, application, and infrastructure logging;
- monitoring of relevant security events, errors, and uptime where appropriate;
- backup procedures designed to support continuity;
- backup protection against unauthorized access and deletion according to backup lifecycle.
Vulnerability Management and Incident Response
- reasonable vulnerability review and remediation processes;
- security updates and patching where appropriate;
- internal incident response and escalation procedures;
- documentation and customer notification procedures for Personal Data Breaches.
Tenant Controls and Resilience
- logical separation of customer workspaces and data where applicable;
- authorization checks for account and event access;
- infrastructure and operational measures designed to maintain availability;
- reasonable business continuity practices.
Bewitt may update security measures from time to time to reflect changes in technology, threats, service architecture, and operational needs, provided that the overall level of protection is not materially reduced.
Annex C: Current Categories of Subprocessors
| Category | Purpose |
|---|---|
| Cloud hosting and infrastructure providers | Hosting, storage, compute, networking, database, and platform infrastructure. |
| Content delivery, DNS, and security providers | DNS, caching, security filtering, DDoS protection, TLS, and performance. |
| Payment processors | Payment checkout, payment status, transaction processing, fraud prevention, and payment reporting. |
| Email and notification providers | Event invitations, account emails, transactional emails, and notifications. |
| Analytics providers | Usage analytics, product analytics, aggregated reporting, and service improvement, where enabled. |
| Error monitoring and observability providers | Error tracking, diagnostics, logs, uptime, performance, and incident investigation. |
| Customer support tools | Support tickets, customer communications, troubleshooting, and account assistance. |
| Integration and API service providers | Customer-configured integrations, API functionality, and connected services. |
| Backup and storage providers | Backup, restoration, storage redundancy, and data continuity. |
| Professional service providers | Legal, accounting, audit, compliance, and security support where required. |
Bewitt maintains a public Subprocessor List identifying current Subprocessors or categories of Subprocessors and will provide notice of material additions or replacements as described in this DPA.