Data Processing Agreement

Data Processing Agreement (DPA) pursuant to Art. 28 GDPR / Swiss FADP

Between
Beyond Tickets AG, Maschinengasse 12, 6330 Cham, Switzerland (“Processor”)
and the event organizer (“Controller”) – jointly the “Parties”.

1. Subject, Term, Nature & Purpose

Processor provides ticketing/event software and processes personal data of ticket buyers and contacts on behalf of Controller. Processing starts upon contract and ends upon termination. Purposes include ticket sales & access control, settlement, transactional emails, support, analytics, fraud prevention, and Controller’s event-related marketing (where lawful).

2. Data subjects & categories

Subjects: ticket buyers, companions, promoters, Controller’s staff (admin/support).
Data: identity/contact, transaction & access data, technical/log data, consent records. Payment data is handled primarily by the PSP; Processor receives status/reference data.

3. Instructions & roles

Processing only on documented instructions. Processor informs Controller if an instruction appears unlawful. Controller determines purposes and means.

4. Confidentiality

Processor ensures that persons authorised to process personal data are bound by confidentiality, surviving termination.

5. Technical & organisational measures (TOMs)

Processor implements appropriate TOMs under Art. 32 GDPR: TLS, encryption at rest, RBAC/least privilege, MFA, logging, backups/restore testing, secure SDLC, vulnerability management, staff training. Evidence available upon request.

6. Sub-processors

General authorization for sub-processors (e.g., hosting/CDN, email, support tools) as listed in the Privacy Policy (https://beyond-tickets.com/privacy). Changes are notified at least 30 days in advance; Controller may object for good cause. Processor imposes equivalent obligations (Art. 28(4) GDPR).

7. Third-country transfers

For international transfers, Processor ensures appropriate safeguards (notably EU SCCs with supplementary measures). Swiss adequacy does not replace EU safeguards.

8. Assistance

Processor assists Controller with data subject rights, DPIAs (Art. 35), prior consultation (Art. 36), and supervisory authority requests.

9. Personal data breach

Processor notifies Controller without undue delay, no later than 48 hours after becoming aware, including information required by Art. 33 GDPR.

10. Evidence & audits

Processor provides reasonable evidence and enables audits upon reasonable notice, during business hours, respecting confidentiality and proportionality.

11. Deletion & return

Upon termination or on instruction, Processor deletes or returns all personal data within 30 days, unless statutory retention applies; any copies are securely deleted.

12. Liability, governing law, order of precedence

Liability per main agreement/Terms. Swiss law applies where not overridden by mandatory EU data protection law.