AddEvent
or
Solutions
Go to app
Menu
Privacy Data Processing Agreement (DPA)

Data Processing Addendum (DPA)

Last Updated: June 11th, 2025

This Data Processing Addendum (the “DPA”) between AddEvent, Inc. (“AddEvent”) and the customer on the signature page below (“Company”) is effective as of the date of the last party to sign (the “Effective Date”) and is incorporated into AddEvent’s terms located at https://www.addevent.com/c/legal/terms or such other commercial terms as the parties have executed (the “Agreement”) regarding the services provided by AddEvent to Company (the “Services”). The parties agree as follows:

  1. Definitions.

    CCPA” means the California Consumer Privacy Act of 2018, as amended and its regulations.

    Company Personal Data” means the personal information or personal data provided or made available or accessible by Company to AddEvent in connection with the Agreement, that is processed by AddEvent on Company’s behalf and protected under Data Protection Laws.

    Data Protection Laws” means all applicable data privacy and security laws, including, as applicable, (a) all applicable US data privacy and security laws, including, as applicable, the CCPA; (b) all applicable Canadian privacy and security laws, including, as applicable Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector, as amended by Bill 64, Alberta’s Personal Information Protection Act, and British Columbia’s Personal Information Protection Act; and

    (c) European and UK Data Protection Laws and Non-European Data Protection Laws; (d) the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; and (e) the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”); and with respect to each of the foregoing, collectively with all amendments and implementing rules and regulations.

    Europe” means, for the purposes of this DPA, the European Economic Area and its member states (“EEA”), Switzerland and the United Kingdom (“UK”).

    European and UK Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the UK GDPR and the UK Data Protection Act 2018 (together, “ UK Data Protection Laws”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).

    SCCs” means either (a) for European personal data (other than UK Personal Data), by the standard contractual clauses (applicable module: MODULE TWO: transfer controller to processor) in Commission Decision 2021/914/EU which can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN) (the “EU SCC”); Clause 7 (Docking Clause), and Clause 9(a) Option 2 (General Authorization), but not the option under Clause 11 (independent dispute resolution), shall apply; and (b) for UK data, by the EU SCC plus the template Addendum

    B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (or as it may be amended or replaced) as set forth in Annex C (the “UK Addendum”).

    UK GDPR” means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments) (EU Exit) Regulations 2019 (as amended).

    UK Personal Data” means Company Personal Data and Company affiliates’ Personal Data to which the UK GDPR is applicable.

    UK Standard Contractual Clauses” means in respect of UK Personal Data such standard data protection clauses as are adopted from time to time by the UK Information Commissioners Office in accordance with Article 46(2) of the UK GDPR including, but not limited to, the international data transfer agreement (UK IDTA), and the international data

    transfer addendum to the European Commission’s standard contractual clauses for international data transfers (UK Addendum in Annex C).

    The terms “business”, “business purpose”, “commercial purpose”, “consumer”, “controller”, “data subject”, “enterprise”, “organization”, “personal data”, “personal information”, “process”, “processing”, “processor”, “sell”, “service provider”, and “share” as used in this DPA have the meanings given under Data Protection Laws.

  2. Processing.

    1. Responsibilities.

      The parties acknowledge and agree that:

      1. Annex A describes the following: the nature and purpose of processing, the type of personal information that is subject to processing, the type of consumer whose personal information is being processed, and the duration of processing;

      2. As applicable, AddEvent is a service provider and processor of Company Personal Data under Data Protection Laws;

      3. As applicable, Company is a business and controller of Company Personal Data under Data Protection Laws; and

      4. Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the collection, processing, disclosure, and transfer of Company Personal Data.

      5. For the avoidance of doubt, this DPA will not apply to instances where AddEvent is the controller (as defined by European and UK Data Protection Laws) unless otherwise described in Annex C (Jurisdiction-Specific Terms) of this DPA.

    2. Consent; Notice.

      Company is responsible for the means by which it obtained the Company Personal Data. Company will ensure that it has obtained all consents and lawful rights and have provided all notices and disclosures, in each case as required by Data Protection Laws, as necessary for AddEvent and its sub-processors to process Company Personal Data in accordance with this DPA. Company will not disclose or transfer to AddEvent (i) any sensitive data or sensitive personal information, or (ii) any Company Personal Data of any individuals located or residing outside of the United States of America or Canada.

    3. Instructions

      By entering into this DPA, Company instructs AddEvent to process Company Personal Data in accordance with the following, and AddEvent will comply to the extent not prohibited under Data Protection Laws: (a) to provide the Services; (b) as set forth in the Agreement and this DPA, including as specifically set forth on Annex A; (c) as set forth in any other written instructions given by Company; and (d) to process Company Personal Data as permitted under Data Protection Laws for service providers and processors. Company will ensure that its instructions for the processing of Company Personal Data comply with Data Protection Laws.

    4. Confidentiality

      AddEvent will ensure that all persons authorized by AddEvent to process Company Personal Data are subject to a duty of confidentiality with respect to the Company Personal Data.

    5. Data Deletion

      Company instructs AddEvent to delete all Company Personal Data from AddEvent’s systems upon termination of the Agreement, except to the extent retention of Company Personal Data is required by applicable law.

    6. Demonstration of Compliance

      Upon Company’s reasonable request, AddEvent will make available to Company all information in its possession necessary to demonstrate AddEvent’s compliance with its obligations under Data Protection Laws.

    7. Security; Data Incidents

      1. AddEvent will implement and maintain reasonable and appropriate administrative, technical, physical, and organizational measures on systems managed by or otherwise controlled by AddEvent, to protect against unauthorized or illegal access to or acquisition of Company Personal Data, and accidental loss, destruction or damage to Company Personal Data, and to protect the confidentiality, integrity, and accessibility of Company Personal Data. AddEvent’s security standards are located in Annex B.

      2. Taking into account the nature of processing and the information available to AddEvent, AddEvent will reasonably assist Company in meeting its obligations in relation to the security of processing the Company Personal Data and in relation to the notification of a Data Incident pursuant to Data Protection Laws. If AddEvent becomes aware of a Data Incident, AddEvent will notify Company without unreasonable delay and take reasonable steps to minimize harm and secure Company Personal Data.

        Data Incident” means
        (a) any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Company Personal Data on systems managed or otherwise controlled by AddEvent, or (b) with respect to US personal data, a breach of the security of the system (as defined under Data Protection Laws) of AddEvent, including a breach of security leading to the unauthorized access to or acquisition of (or reasonable belief of such unauthorized access to or acquisition of) Company Personal Data on systems managed by or otherwise controlled by AddEvent, excluding unsuccessful attempts that do not compromise the security of Company Personal Data such as unsuccessful pings, log-in attempts, and other network attacks on firewalls or networked systems. AddEvent’s notification of or response to a Data Incident will not be construed as an acknowledgement by AddEvent of any fault or liability with respect to the Data Incident. For the avoidance of doubt, AddEvent is not responsible or liable for any personal data breach or incident to the extent the breach or incident arose from the actions, omissions, personnel, users, service providers, or systems of Company.

      3. Company is responsible for complying with breach and incident notification laws applicable to Company and fulfilling any third party notification obligations related to any Data Incident. In addition, Company is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Company Personal Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Company Personal Data uploaded to the Service.

    8. Consumer Requests.

      1. As between the parties, Company is responsible for responding to consumer requests or informing AddEvent of consumer requests that AddEvent must comply with.

      2. AddEvent will provide Company with reasonable assistance as necessary for Company to fulfil its obligation under Data Protection Laws to respond to consumer requests, taking into account the nature of processing and the information available to AddEvent.

    9. Assessments; Audits.

      AddEvent will provide Company with reasonably necessary information to enable Company to conduct and document data protection assessments required by Data Protection Laws. Pursuant to Data Protection Laws, AddEvent will allow and cooperate with reasonable assessments, audits or inspections by Company (or Company’s designated third party, subject to execution of a confidentiality agreement with AddEvent), not to exceed once per year; provided, that AddEvent may, in the alternative, arrange for a qualified and independent assessor or auditor to conduct an assessment or audit of AddEvent’s policies and technical and organizational measures in support of the obligations under Data Protection Laws using an appropriate and accepted control standard or framework and assessment and audit procedure for such assessments and audits. If AddEvent arranges for such independent assessment or audit, AddEvent shall provide Company a report of the assessment or audit upon Company’s request.

    10. Service providers/Sub-processors

      If AddEvent engages any service provider/sub-processor to process Company Personal Data on AddEvent’s behalf, AddEvent will enter into a written contract with such service provider that requires the service provider to meet the obligations of AddEvent under Data Protection Laws with respect to the Company Personal Data. AddEvent’s current list of service providers/sub-processors is located on Annex A. AddEvent will notify Company if AddEvent engages any other service providers/sub-processors to assist it in processing Company Personal Data on behalf of Company.

      Updating https://help.addevent.com/changelog is deemed sufficient notice to Company. Where required by Data Protection Laws, AddEvent will provide Company an opportunity to reasonably object to the engagement of a new service provider/sub-processor. In such event, Company must notify AddEvent of its reasonable objection no later than 5 days after notice is provided online. In the event that Company reasonably objects, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, AddEvent will, at its sole discretion, either not appoint such subprocessor/service provider, or permit Company to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement.

    11. Deidentified Data

      "Deidentified Data" is defined under Data Protection Laws and, under the CCPA, is data that is "deidentified" as defined under the CCPA, when disclosed by one party to the other party hereunder. Each party will comply with the requirements for processing Deidentified Data as set out in the Data Protection Laws, including taking reasonable measures to ensure the information cannot be associated with a consumer, publicly committing to processing the Deidentified Data solely in deidentified form and not attempting to reidentify the information, and contractually obligating any recipients of Deidentified Data to comply with such requirements and Data Protection Laws.

  3. Additional CCPA Obligations.

    To the extent that CCPA applies to the processing of Company Personal Data, AddEvent will act as Company’s service provider, and as such, unless otherwise permitted for service providers under CCPA:

    1. AddEvent will not sell or share any Company Personal Data;

    2. AddEvent will not retain, use or disclose Company Personal Data for any purpose other than for the business purposes specified in the Agreement and this DPA or as permitted under the CCPA;

    3. AddEvent will not retain, use or disclose Company Personal Data for any commercial purpose other than the business purposes specified in the Agreement and this DPA or as permitted under the CCPA;

    4. AddEvent will not retain, use or disclose Company Personal Data outside of the direct business relationship between AddEvent and Company, unless permitted by the CCPA;

    5. AddEvent will not combine (or update) Company Personal Data that AddEvent receives from, or on behalf of, Company with (i) personal information that AddEvent receives from, or on behalf of, another person or persons or (ii) personal information collected from AddEvent’s own interaction with a consumer;

    6. AddEvent will comply with applicable obligations under CCPA and will provide the same level of privacy protection as is required by CCPA;

    7. AddEvent grants Company the right to take reasonable and appropriate steps to ensure that AddEvent uses the Company Personal Data in a manner consistent with Company’s obligations under CCPA, including ongoing manual reviews and automated scans (subject to notification and mutual agreement of the parties with respect to the method) of AddEvent’s system and regular assessments, audits, or other technical and operating testing (not to exceed once per year);

    8. AddEvent will promptly notify Company if AddEvent makes a determination that it can no longer meet its obligations under the CCPA; and

    9. AddEvent grants Company the right, upon written notice, to take reasonable and appropriate steps to stop and remediate AddEvent’s use of Company Personal Data.

  4. Additional Canadian Law Requirements.

    1. To the extent the Agreement and processing involve the transfer of Company Personal Data of residents of Canada (including residents of Alberta and British Columbia) to locations outside of Canada, Company warrants that (i) appropriate notice concerning the transfer has been provided to the Canadian residents, in the form of a privacy policy or otherwise; and (ii) the provisions of this DPA are reasonably designed to ensure a comparable level of protection that such Company Personal Data would otherwise enjoy within Canada.

    2. For any transfer of Company Personal Data of residents of Quebec to locations outside of Quebec, including to other Canadian provinces and the United States, Company warrants that (i) it has conducted a prior analysis of the data security and privacy impact consistent with the requirement for a privacy impact assessment under the Quebec Act Respecting the Protection of Personal Information in the Private Sector, as amended by Bill 64, including an assessment of the goals of the transfer and internal procedures implicated, the parties involved and

      their roles and responsibilities, an overall understanding of the location of the Company Personal Data during the transfer, and the risks involved with the transfer; (ii) it has determined that the Company Personal Data will receive adequate protection in the transferee jurisdiction; and (iii) that this DPA includes terms to mitigate the risks identified in connection with the above analysis.

    3. Each party’s privacy officer information is listed on the signature page below.

  5. International Transfers

    1. Data center locations. Company acknowledges that AddEvent may transfer and process Company Personal Data to and in the United States and anywhere else in the world where AddEvent, its affiliates or its subprocessors/service providers maintain data processing operations. AddEvent shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.

    2. Australian personal data. To the extent that AddEvent is a recipient of Company Personal Data protected by the Australian Privacy Law, the parties acknowledge and agree that AddEvent may transfer such Company Personal Data outside of Australia as permitted by the terms agreed upon by the parties and subject to complying with this DPA and the Australian Privacy Law.

    3. European and UK Data transfers. To the extent that AddEvent is a recipient of Company Personal Data protected by European Data Protection Laws (“European Data”) and UK Data Protection Laws in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable European and UK Data Protection Laws), the parties agree to abide by and process European and UK Data in compliance with the SCCs, which shall be incorporated into and form an integral part of this DPA.

    4. Compliance with the SCCs. The parties agree that if AddEvent cannot ensure compliance with the SCCs, it shall promptly inform Company of its inability to comply. If Company intends to suspend the transfer of European and UK Data and/or terminate the affected parts of the Service, it shall first provide notice to AddEvent and provide AddEvent with a reasonable period of time to cure such non-compliance, during which time AddEvent and Company shall reasonably cooperate to agree what additional safeguards or measures, if any, may be reasonably required. Company shall only be entitled to suspend the transfer of data and/or terminate the affected parts of the Service for non-compliance with the SCCs if AddEvent has not or cannot cure the non-compliance within a reasonable period.

    5. Alternative transfer mechanism. To extent that and for so long as the SCCs as implemented in accordance with this DPA cannot be relied on to lawfully transfer personal data in compliance with UK Data Protection Laws, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”) shall be incorporated by reference and deemed completed with the relevant information set out in the Annexes of this DPA. Additionally, to the extent AddEvent adopts an alternative lawful data transfer mechanism for the transfer of European and UK Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable European and UK Data Protection Laws and extends to the countries to which European and UK Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer European and UK Data (within the meaning of applicable European and UK Data Protection Laws), AddEvent may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of European and UK Data.

  6. Jurisdiction-Specific Terms

    To the extent AddEvent processes Company Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annex C, then the terms specified in Annex C with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to AddEvent.

  7. Limitation of Liability

    1. Each party’s and all of its affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.

    2. Any claims made against AddEvent or its affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Company entity that is a party to the Agreement.

    3. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

  8. Relationship with the Agreement

    1. This DPA shall remain in effect for as long as AddEvent carries out Company Personal Data processing operations on behalf of Company or until termination of the Agreement (and all Company Personal Data has been returned or deleted in accordance with this DPA).

    2. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Service.

    3. In the event of any conflict or inconsistency between this DPA, the SCCs, and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (i) SCCs; then (ii) this DPA; and then (iii) the Agreement.

  9. Miscellaneous

    This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

    The parties have caused this DPA to be executed by their duly authorized officers as of the Effective Date.

Company:
By:
Name:
Title:
Date:
Privacy Officer:


Company AddEvent, Inc
By:
Name: Michael Nilsson
Title: CEO
Date: 6/10/2025
Privacy Officer: Mike Kaplan, Head of Engineering


Annex A

  1. Subject matter and nature of processing:

    AddEvent provides an "add to calendar" service, as more particularly described in the Agreement. The subject matter of the data processing under this DPA is the Company Personal Data. Company Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: collecting, organizing, structuring, storing, altering, using, disclosing, combining, deleting and destroying.

  2. Purpose of processing: for AddEvent to provide the Services to Company, including specifically:

    • operating its “add to calendar” service

    • measuring the performance of its service

    • supporting and communicating with users of the Services (e.g., supporting and communicating with Company’s employees who use the Services)

    • Company’s configuration of or use of any settings, features, or options in the Service (as the Company may be able to modify from time to time)

  3. Type of personal information that is subject to processing:

    • Members: Identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information).

    • Contacts: Identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address).

  4. Type of consumer/data subject whose personal information is being processed:

    • Members (i.e., individual end users with access to a AddEvent account) and

    • Contacts (i.e., Member’s subscribers and other individuals about whom a Member has given us information or has otherwise interacted with a Member via the Service).

  5. Frequency of processing:

    Continuous and as determined by Company.

  6. Duration of processing:

The term of the Agreement until Company Personal Data is deleted.

Current list of service providers/sub-processors:
https://www.addevent.com/c/legal/privacy/subdata-processors.

Annex B
Security Measures

The Security Measures applicable to the Service are described https://www.addevent.com/c/legal/security (as updated from time to time).

Annex C
Jurisdiction-Specific Terms


Europe:

Government data access requests. As a matter of general practice, AddEvent does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about AddEvent accounts (including Company Personal Data). If AddEvent receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a AddEvent account (including Company Personal Data) belonging to a Company whose primary contact information indicates the Company is located in Europe, AddEvent shall: (i) review the legality of the request; (ii) inform the government agency that AddEvent is a processor of the data; (iii) attempt to redirect the agency to request the data directly from Company; (iv) notify Company via email sent to Company’s primary contact email address of the request to allow Company to seek a protective order or other appropriate remedy; and (v) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. As part of this effort, AddEvent may provide Company’s primary and billing contact information to the agency. AddEvent shall not be required to comply with this paragraph if it is legally prohibited from doing so, or it has a reasonable and

good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or AddEvent’s property, the AddEvent website, or Service, but where AddEvent is legally prohibited from notifying Company of requests it shall use its best efforts to obtain a waiver of the prohibition.


UK Addendum:

UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0, in force 21 March 2022

Part 1: Tables

Table 1: Parties

Start Date As set out in the DPA
The Parties As set out on the signature page

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module Module in operation Clause 7 (Docking Clause) Clause 11 (Option) Clause 9a (Prior Authorisation or General Authorisation) Clause 9a (Time period) Is personal data received from the Importer combined with personal data collected by the Exporter?
2 YES YES NO GENERAL 5 days n/a


Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex I Part A: List of Parties: signature page
Annex I Part B: Description of Transfer: ANNEX A
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: ANNEX B
Annex III: List of Sub processors: ANNEX A

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum as set out in Section 19 of the Mandatory Clauses:

Part 2: Mandatory Clauses

Mandatory Clauses Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.