Vendor Data Processing Agreement (DPA)

Understanding data processing responsibilities between Eventso and vendors

This Data Processing Agreement ("Agreement") is between Eventso OÜ ("Processor") and the vendor ("Controller").

1. Purpose

Eventso processes personal data on behalf of vendors to facilitate customer bookings and related services.

2. Roles

Vendor

Data Controller (decides purposes and means of processing)

Eventso OÜ

Data Processor (processes on behalf of vendor)

3. Obligations of Eventso OÜ

Eventso OÜ will process the Vendor's personal data only on documented instructions from the Vendor, unless otherwise required by applicable law. The Vendor hereby instructs Eventso OÜ to process the Vendor's personal data as necessary to:

Create, maintain, and manage the Vendor's account on the Eventso OÜ platform;

Display Vendor profile information, including name, contact details, and images, to customers on the platform;

Process payments to and from the Vendor-Eventso processes Vendor payments and payouts via Stripe Connect. Vendors enter their bank or card details directly with Stripe. Eventso does not store full payment or bank details; we only receive and process limited information from Stripe (e.g. account ID, payout status, transaction amounts) as needed to manage bookings, issue payouts and comply with legal obligations.

Provide customer service and resolve disputes related to bookings or transactions; and

Comply with legal obligations applicable to Eventso OÜ's operation as a marketplace.

Any additional use of the Vendor's personal data for purposes outside the scope above will require separate documented instructions from the Vendor.

Confidentiality

Eventso OÜ shall ensure that all persons authorised to process personal data on behalf of Eventso OÜ, including employees, contractors, and temporary staff, are subject to a binding duty of confidentiality, whether under a statutory obligation or through written contractual terms. Such obligations shall remain in force both during and after termination of their engagement with Eventso OÜ.

Security Measures

Eventso OÜ shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where applicable:

  • Encryption of personal data in transit and at rest;
  • Access controls and authentication protocols to limit data access to authorised personnel only;
  • Regular security testing, vulnerability assessments, and patch management;
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems;
  • Procedures to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing, and evaluating the effectiveness of security measures.

GDPR Assistance

Assist the vendor in fulfilling GDPR obligations: Eventso OÜ shall provide reasonable assistance to the Vendor in fulfilling the Vendor's obligations under applicable data protection laws, including the General Data Protection Regulation (GDPR), in relation to:

  1. responding to data subject requests to exercise their rights;
  2. notifying personal data breaches to supervisory authorities and affected individuals; and
  3. conducting data protection impact assessments.

Such assistance shall be limited to personal data processed by Eventso OÜ on behalf of the Vendor through the Eventso platform. Eventso OÜ shall not be responsible for the Vendor's own compliance with GDPR or other applicable laws outside the scope of processing activities performed by Eventso OÜ. Any additional assistance beyond the scope of this Agreement may be subject to reasonable fees.

Data Deletion

Delete or return personal data at the end of the service provision.

4. Sub-Processors

Eventso OÜ may engage third-party processors (including, but not limited to, payment providers such as Stripe and hosting providers) to process personal data on behalf of the Vendor. Eventso OÜ shall provide Vendors with prior notice of any intended changes concerning the addition or replacement of sub-processors by updating the list of sub-processors on the Eventso website.

By continuing to use the Eventso platform after such notice, the Vendor is deemed to have approved the use of the updated sub-processors.

5. Data Breaches

Eventso OÜ will notify the vendor without undue delay upon becoming aware of a personal data breach.

6. Governing Law

This Agreement is governed by Estonian law and GDPR.

Agreement Acceptance

By registering as a vendor on the Eventso platform, you acknowledge that you have read, understood, and agree to this Data Processing Agreement.