Data Processing Agreement

Version 1.0

Data Processing Agreement in Accordance with Article 28 of the General Data Protection Regulation (GDPR) Agreement


Event Organizer
- the Controller (hereafter named "Customer")

- the Processor

This agreement applies to processing of personal data when using the services of

Personal data covered and purpose

The processing of personal data consists of Processor making available an event booking system to Customer which is used by participants to register for the events that Customer organizes. The information stored is at a minimum name and email address, but the individual organizer may also ask for postal address, phone number, birth date, and potentially other information through custom fields which might be identified as personal data.

The purpose of processing this data is to administer the event (e.g. sending confirmation emails, processing payments, producing badges), to provide participants with the services they sign up for, to communicate with them about the event, and to produce reports and statistics to understand and improve the success of events and the planning thereof.

The processing is not time limited and is applicable until the agreement is terminated by either party.

Duties of the Customer

The Customer has the right and is obligated to decide the purposes and which aids can be used in the processing.

The Customer is responsible for ensuring that personal data is processed in accordance with current laws and regulations. Customer is obligated to keep its own software up to date, use secure passwords, and never pass on credentials or personal information to third parties.

Customer is obligated to inform anyone who is given access to the system of this agreement to ensure compliance.

If the Customer experiences a possible breach of personal data, Processor must be informed immediately.

The Customer has the right to terminate the agreement if the Processor no longer meets the requirements of current laws and regulations.

Duties of the Processor

Processor will not use the personal data for any purpose other than storing it and making it available to the Customer for the purposes previously described, except where Norwegian law imposes specific processing of the personal data.

Processor is obligated to monitor systems and keep servers within its control up to date, as well as to inform customers and the Norwegian Data Protection Office in case of a possible breach of the security of personal data. Only relevant staff at the Processor have access to personal data.

Processor is obligated to continually evaluate the level of security in their systems as well as possible sub-processors and their handling of personal data.

Processor will immediately notify the Customer in case they discover a concern with meeting the requirements of current laws and regulations.

Processor will, as far as possible, assist the Customer in complying with the duty of answering requests from participants concerning the exercise of their rights.


Processor makes daily encrypted backups, which are kept for 60 days. The systems are hosted in Denmark and Norway.

Duty of Confidentiality

The use of the service is governed by a login system to ensure only authorized people may gain access. Customer agrees to only authorize people who have an official need for accessing and processing the data. Authorized personnel must ensure that personal data is handled safely and with confidentiality at all times, e.g. by not keeping local copies of participants' personal data on unsecured or unprotected devices.

Processor imposes confidentiality obligations on its staff regarding any personal data they might be accessing and processing on behalf of the Customer.


Processor has the right to and does use one or more sub-processors. An up-to-date list can always be found at


Processor retains the right to amend the Data Processing Agreement without notice as long as the change does not imply a deterioration of the processing of personal data. The agreement in effect can always be found at

In case the amendment implies a deterioration, Processor is obligated to inform the Customer before the amendment goes into effect.


If the agreement is terminated, Processor is obligated to delete all personal data, and copies thereof, which have been processed on behalf of Customer.