Data processing agreement
Effective May 2, 2026. Applies when VenueSync processes personal data on your behalf.
Last updated: May 2, 2026 Effective: May 2, 2026
This Data Processing Agreement ("DPA") applies when VenueSync processes personal data on your behalf as part of the Service — specifically, personal data about your vendors, clients, guests, and other individuals whose information you upload to VenueSync. It is incorporated into and forms part of the Terms of Service.
Under the GDPR and similar laws:
- You are the data controller of this personal data.
- VenueSync is the data processor acting on your instructions.
This DPA is designed to comply with Article 28 of the GDPR, the UK GDPR, CCPA service provider requirements, and equivalent provisions under US state privacy laws effective as of the date above.
1. Scope and purpose
1.1 This DPA applies to the processing of personal data that you (the controller) submit, upload, or generate within the VenueSync Service relating to individuals other than yourself — including your event vendors, guests, clients, and their contact personnel.
1.2 VenueSync will process such personal data only:
- As instructed by you through your use of the Service
- As necessary to provide the Service under the Terms of Service
- As required by applicable law (in which case we will notify you unless prohibited from doing so)
2. Nature and purpose of processing
| Item | Details |
|---|---|
| Subject matter | Event coordination data — vendor contact information, certificates of insurance, event briefs, timelines, messages, check-in records |
| Duration | For the duration of your subscription and the retention periods in the Privacy Policy |
| Nature | Storing, organizing, displaying, transmitting within the platform, generating PDF briefs, sending notifications |
| Purpose | Providing the VenueSync Service as described in the Terms of Service |
| Types of personal data | Names, email addresses, phone numbers, business addresses, trade/specialty, COI documents, photos (if attached), messages |
| Categories of data subjects | Vendors, venue staff, planning team members, clients (if their data is entered), guests (if check-in or guest list features are used) |
3. Controller instructions
3.1 You instruct VenueSync to process personal data as configured through your use of the Service. VenueSync will not process personal data for any purpose outside the scope of those instructions.
3.2 If you instruct VenueSync to do something that, in VenueSync's reasonable opinion, would violate applicable law, VenueSync will notify you and is not obligated to follow that instruction.
4. Confidentiality
VenueSync will ensure that all personnel with access to personal data processed under this DPA are bound by confidentiality obligations no less protective than those in this DPA. Access to personal data is limited to personnel who need it to perform their job functions.
5. Security
VenueSync implements and maintains the technical and organizational security measures described in the Privacy Policy (§7). Upon request, VenueSync will provide additional documentation of those measures.
VenueSync will notify you without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting data processed under this DPA. The notification will include, to the extent known at the time:
- A description of the nature of the breach
- The categories and approximate number of individuals and records affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
6. Sub-processors
6.1 You authorize VenueSync to engage sub-processors to assist in providing the Service. The current sub-processor list is maintained at venue-sync.com/legal/sub-processors.
6.2 VenueSync will:
- Notify you at least 14 days before adding or removing a material sub-processor, by email or in-app notice
- Bind each sub-processor to data protection obligations equivalent to those in this DPA
- Remain liable to you for the acts and omissions of each sub-processor
6.3 If you object to a new sub-processor on reasonable grounds relating to data protection, you may notify us at privacy@venue-sync.com within 14 days of the notification. We will work in good faith to accommodate your objection. If we cannot do so, you may terminate your subscription without penalty, and we will provide a prorated refund for the unused portion of any annual plan.
7. International transfers
VenueSync processes personal data in the United States. Where personal data is transferred from the EEA, UK, or Switzerland to the US, VenueSync relies on:
- EU Standard Contractual Clauses (SCCs): Controller-to-Processor, Module 2, as approved by the European Commission. These SCCs are incorporated by reference into this DPA and are available in full at venue-sync.com/legal/sccs.
- UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom.
By entering into this DPA, you are deemed to have executed the SCCs and IDTA where applicable.
8. Data subject rights
VenueSync will provide you with reasonable assistance — including through technical measures where appropriate — to respond to data subject rights requests (access, deletion, correction, portability, restriction) received from individuals whose data you have uploaded to VenueSync.
If VenueSync receives a data subject rights request directly relating to data you control, we will redirect the individual to you and notify you within 5 business days.
9. Data protection impact assessments
VenueSync will provide reasonable cooperation and information to assist you in conducting any data protection impact assessments (DPIAs) required under applicable law relating to your use of the Service.
10. Audit rights
Upon your reasonable written request (no more than once per calendar year, unless a security incident has occurred), VenueSync will provide documentation demonstrating compliance with this DPA, including the results of any third-party audits or certifications (such as SOC 2 Type II when complete).
If you require a more extensive audit, the parties will agree on scope and cost in advance. Any such audit must be conducted with reasonable notice, during business hours, and in a manner that does not unreasonably disrupt VenueSync's operations.
11. Deletion and return of data
Upon termination of your subscription, or upon written request, VenueSync will — at your election — delete or return your personal data within the timeframes described in the Privacy Policy (§5), except where retention is required by applicable law.
Confirmation of deletion will be provided in writing upon request.
12. CCPA service provider terms
For purposes of the CCPA/CPRA: VenueSync is a "service provider." VenueSync certifies that it will not:
- Sell or share personal data received from you under this DPA
- Retain, use, or disclose personal data for any commercial purpose other than providing the Service
- Retain, use, or disclose personal data outside the direct business relationship between VenueSync and you
- Combine personal data received from you with personal information received from other sources, except as permitted by the CCPA/CPRA
13. Governing law
This DPA is governed by the same law as the Terms of Service (Delaware). For EU/UK data subjects, the EU SCCs and/or UK IDTA supplement and, in case of conflict regarding data protection obligations, take precedence over this DPA.
14. Order of precedence
In the event of any conflict between this DPA and the Terms of Service with respect to the subject matter of this DPA (processing of personal data), this DPA will control.
15. Contact and signed copies
For questions about this DPA, or to request a countersigned copy for your records, contact privacy@venue-sync.com.
Enterprise and Collection customers may request a mutually executed DPA with a VenueSync officer signature by contacting their account lead.
This DPA is effective upon your acceptance of the Terms of Service and does not require a separate signature to be binding, except where your organization requires a countersigned copy for compliance purposes.