Last updated: 3 June 2026

Data Processing Agreement

This DPA is between Vertel Solutions j.d.o.o., Opatija, Croatia (“Processor”, “Eventyca”) and the organisation creating an Eventyca account (“Controller”). It forms part of the Terms of Service and is automatically accepted when you create an account.

1. Definitions

  • Controller — the Eventyca customer who determines the purposes and means of processing personal data
  • Processor — Eventyca, which processes personal data on behalf of the Controller
  • Data subjects — your audience members, ticket buyers, and contacts whose data you upload to Eventyca
  • Personal data — any information relating to an identified or identifiable natural person

2. Subject matter and duration

Eventyca processes personal data on your behalf for the purpose of providing the Eventyca platform. Processing continues for the duration of your subscription and for 30 days after termination.

3. Nature and purpose of processing

ActivityPurpose
Storing audience member recordsAudience management features
Sending campaign emailsEmail campaign features
Processing unsubscribe requestsGDPR compliance
Generating reportsAnalytics features

4. Types of personal data processed

  • Names and email addresses
  • Phone numbers
  • City and country
  • Ticket purchase history
  • Email engagement data (opens, clicks)
  • Consent records

5. Controller obligations

You confirm that:

  • You have a lawful basis for uploading personal data to Eventyca
  • You have provided appropriate privacy notices to your data subjects
  • You will respond to data subject rights requests within required timeframes
  • You will notify us immediately of any data breaches you become aware of

6. Processor obligations

We confirm that:

  • We process personal data only on your documented instructions
  • We ensure all staff with access to personal data are bound by confidentiality
  • We implement appropriate technical and organisational security measures
  • We assist you in responding to data subject rights requests
  • We delete or return all personal data on termination of the agreement
  • We notify you within 72 hours of becoming aware of a personal data breach

7. Sub-processors

Sub-processorPurposeLocation
Supabase Inc.Database storageEU (AWS eu-central-1)
Vercel Inc.HostingEU region
Stripe Inc.Payment processingEU
Resend Inc.Email deliveryEU

We will notify you 14 days before adding new sub-processors.

8. Security measures

  • TLS encryption for all data in transit
  • AES-256 encryption for data at rest
  • Row-level security policies on all database tables
  • Access controls and authentication requirements
  • Regular security reviews and penetration testing
  • Incident response procedures

9. Data subject rights

  • Access requests — provide export of all data held on a specific individual
  • Erasure requests — hard delete of all data related to a specific individual
  • Portability requests — export in machine-readable format (CSV/JSON)

10. Data breach notification

  • Notify you within 72 hours of becoming aware
  • Provide details of the nature, scope, and likely consequences
  • Describe measures taken or proposed to address the breach

11. Audit rights

You have the right to audit our compliance with this DPA on reasonable notice. We will provide documentation, certifications, and answers to security questionnaires.

12. Governing law

This DPA is governed by the laws of the Republic of Croatia, consistent with GDPR requirements.

13. Contact

Vertel Solutions j.d.o.o., Opatija, Croatia
Luka Vertel, Owner
info@eventyca.com