Legal

Data processing agreement

Last updated:

This Data Processing Agreement ("DPA") governs how Plus + One ("Processor") processes personal data on behalf of clients ("Controller") under Article 28 GDPR. It applies whenever a Controller uses Plus + One to operate an event microsite where personal data of guests is processed. By placing an Order the Controller accepts this DPA. In the event of conflict between this DPA and the Terms of Service, this DPA prevails on data-protection matters.

Definitions

Capitalised terms not defined here have the meanings given in Article 4 GDPR. "Personal Data" means any information relating to an identified or identifiable natural person processed by Plus + One on behalf of the Controller. "Sub-processor" means any third party engaged by the Processor to process Personal Data. "Personal Data Breach" has the meaning in Article 4(12) GDPR.

Subject matter and scope

Subject matter: Plus + One processes Personal Data of the Controller's event guests for the purpose of operating the Microsite ordered by the Controller. Nature and purpose of processing: storing RSVP submissions, hosting photos and guestbook entries, sending email reminders configured by the Controller, generating invoices on behalf of the Controller's accountancy obligations, providing the Controller's dashboard. Categories of data subjects: guests of the Controller's event. Categories of Personal Data: identification (name), contact (email, phone), attendance preferences (RSVP, dietary, plus-ones), free-text content (song requests, guestbook entries), uploaded media (photos, video). Duration: the lifetime of the Order's package (12 months, 24 months, or indefinite hosted archive while the service operates).

Processor obligations

The Processor will (a) process Personal Data only on documented instructions from the Controller (the Order plus any subsequent written request); (b) ensure persons authorised to process Personal Data are bound by confidentiality obligations; (c) implement appropriate technical and organisational measures (Article 32 GDPR — see Annex on Security below); (d) assist the Controller in fulfilling data-subject requests (Articles 12–22) and in DPIA / consultation obligations (Articles 35–36); (e) at the Controller's choice on termination, return or delete all Personal Data within 30 days, except where retention is required by law; and (f) make available to the Controller all information necessary to demonstrate compliance with this DPA.

Sub-processors

The Controller authorises the engagement of the Sub-processors listed below. The Processor will give 30 days' prior written notice (by email to the address on file, or via the dashboard) before adding or replacing a Sub-processor. The Controller may object on reasonable grounds; if the parties cannot agree, the Controller may terminate the affected services for a pro-rated refund of any prepaid Tier remainder.

Authorised Sub-processors as of the "Last updated" date: Vercel Inc. (US, fra1 Frankfurt — application hosting + analytics — SCCs); Neon Inc. (US, EU region targeted — Postgres — SCCs); Novu Inc. (US — notification orchestration + transactional email — SCCs); Cloudflare Inc. (EU jurisdiction — R2 object storage + CDN); Sentry (EU — error monitoring); Inngest (EU — background jobs).

Annex — Security measures (Art. 32)

Encryption in transit: TLS 1.2+ enforced. Encryption at rest: AES-256 on database and object storage. Network: strict Content-Security-Policy with no third-party scripts beyond named integrations, HSTS preload, X-Content-Type-Options, X-Frame-Options DENY (SAMEORIGIN only on microsites for the admin live preview).

Access control: production write-access limited to a small named team, SSO + hardware-token MFA, every privileged action audit-logged. Per-event scoping enforced at the data layer — no event can read another event's data.

Resilience: daily encrypted point-in-time backups retained for 30 days; multi-region failover capability via the application platform. Vulnerability management: dependency scanning on every build, CSP-violation reporting, periodic penetration tests before significant launches.

Personal Data Breach notification

The Processor will notify the Controller of any Personal Data Breach without undue delay and in any case within 72 hours of becoming aware. The notification will describe (a) the nature of the breach including categories and approximate number of data subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate adverse effects; and (d) a Plus + One contact for further information.

Cooperation on data-subject rights

The Processor assists the Controller in fulfilling data-subject requests (access, rectification, erasure, portability, objection) using appropriate technical and organisational measures. Most requests are handled self-serve via the dashboard; the Processor responds to escalations within 5 business days.

Audits and inspections

On reasonable written notice (no more than once per calendar year except where a regulator requires more), the Controller may request information necessary to demonstrate compliance with Article 28 GDPR. Where on-site inspection is required, the parties agree scope and confidentiality first; reasonable Processor costs may be charged at the Processor's standard rates.

International transfers

Where a Sub-processor is located outside the EEA, the Processor implements Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or relies on an equivalent transfer mechanism, supplemented by technical and organisational measures.

Termination and deletion

On termination of the underlying Service, the Processor will, at the Controller's option exercised within 30 days of termination, return or delete all Personal Data within a further 30 days, except where storage is required by EU or Member-State law (e.g. invoicing). After deletion the Processor will, on request, certify in writing that deletion is complete.

Liability and law

Each party's liability under this DPA is subject to the liability cap and exclusions in the Terms of Service. This DPA is governed by the laws of the Republic of Cyprus, supplemented by Cyprus Law 125(I)/2018 implementing the GDPR, and disputes are resolved as set out in the Terms of Service.