Data Processing Addendum (DPA)

Last Updated: 10 December 2025

1. Definitions (POPIA Context)

• "Data Subject": The ticket buyer or attendee.
• "Personal Information": Names, emails, phone numbers, ID numbers, etc.
• "Processing": Collecting, storing, displaying, or transmitting data.

2. Roles and Responsibilities

2.1 Event Bridge (Operator/Processor)

We agree to process Personal Information only to provide the Ticketing Service. We will not use Attendee data for our own marketing purposes unless the Attendee has explicitly opted-in to the Event Bridge platform marketing list independently of the specific event.

2.2 The Merchant (Responsible Party/Controller)

You guarantee that you have a lawful basis for collecting data from Attendees. Once you access, download, or export Attendee data from our dashboard, you become the sole Responsible Party for that data. You assume full liability for its security, storage, and usage.

3. Security Measures

Event Bridge utilizes industry-standard encryption (SSL/TLS) for data in transit and at rest. However, you acknowledge that no system is 100% secure. In the event of a data breach affecting your event, we will notify you within 72 hours of confirmation.

4. Merchant Data Usage Restrictions

By using the platform, you agree NOT to:

• Sell Attendee data to third parties.
• Use Attendee data for purposes unrelated to the specific event (unless you have separate consent).
• Publicly expose Attendee data (e.g., publishing a guest list with phone numbers).

5. Data Subject Rights

If an Attendee contacts Event Bridge requesting deletion of their data (Right to be Forgotten), we are legally obligated to comply. We will notify you of this deletion, and you agree to delete any copies of that data you may hold locally.

6. Liability

You agree to indemnify Event Bridge against any claims, fines, or penalties imposed by the Information Regulator of South Africa arising from your mishandling, leakage, or illegal use of Attendee Personal Information.