Last updated: 3 June 2026
Data Processing Agreement
This DPA is between Vertel Solutions j.d.o.o., Opatija, Croatia (“Processor”, “Eventyca”) and the organisation creating an Eventyca account (“Controller”). It forms part of the Terms of Service and is automatically accepted when you create an account.
1. Definitions
- Controller — the Eventyca customer who determines the purposes and means of processing personal data
- Processor — Eventyca, which processes personal data on behalf of the Controller
- Data subjects — your audience members, ticket buyers, and contacts whose data you upload to Eventyca
- Personal data — any information relating to an identified or identifiable natural person
2. Subject matter and duration
Eventyca processes personal data on your behalf for the purpose of providing the Eventyca platform. Processing continues for the duration of your subscription and for 30 days after termination.
3. Nature and purpose of processing
| Activity | Purpose |
|---|
| Storing audience member records | Audience management features |
| Sending campaign emails | Email campaign features |
| Processing unsubscribe requests | GDPR compliance |
| Generating reports | Analytics features |
4. Types of personal data processed
- Names and email addresses
- Phone numbers
- City and country
- Ticket purchase history
- Email engagement data (opens, clicks)
- Consent records
5. Controller obligations
You confirm that:
- You have a lawful basis for uploading personal data to Eventyca
- You have provided appropriate privacy notices to your data subjects
- You will respond to data subject rights requests within required timeframes
- You will notify us immediately of any data breaches you become aware of
6. Processor obligations
We confirm that:
- We process personal data only on your documented instructions
- We ensure all staff with access to personal data are bound by confidentiality
- We implement appropriate technical and organisational security measures
- We assist you in responding to data subject rights requests
- We delete or return all personal data on termination of the agreement
- We notify you within 72 hours of becoming aware of a personal data breach
7. Sub-processors
| Sub-processor | Purpose | Location |
|---|
| Supabase Inc. | Database storage | EU (AWS eu-central-1) |
| Vercel Inc. | Hosting | EU region |
| Stripe Inc. | Payment processing | EU |
| Resend Inc. | Email delivery | EU |
We will notify you 14 days before adding new sub-processors.
8. Security measures
- TLS encryption for all data in transit
- AES-256 encryption for data at rest
- Row-level security policies on all database tables
- Access controls and authentication requirements
- Regular security reviews and penetration testing
- Incident response procedures
9. Data subject rights
- Access requests — provide export of all data held on a specific individual
- Erasure requests — hard delete of all data related to a specific individual
- Portability requests — export in machine-readable format (CSV/JSON)
10. Data breach notification
- Notify you within 72 hours of becoming aware
- Provide details of the nature, scope, and likely consequences
- Describe measures taken or proposed to address the breach
11. Audit rights
You have the right to audit our compliance with this DPA on reasonable notice. We will provide documentation, certifications, and answers to security questionnaires.
12. Governing law
This DPA is governed by the laws of the Republic of Croatia, consistent with GDPR requirements.
13. Contact
Vertel Solutions j.d.o.o., Opatija, Croatia
Luka Vertel, Owner
info@eventyca.com