Data Protection Agreement
Last updated: April 19, 2026
This Data Protection Agreement ("DPA" or "Agreement") is entered into between Event Parlour ("Data Processor" or "we") and the party using Event Parlour's services ("Data Controller" or "you").
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Data Controller: The entity that determines the purposes and means of processing personal data
- Data Processor: The entity that processes personal data on behalf of the Data Controller
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion
- Data Subject: The individual to whom personal data relates
This DPA governs the processing of personal data by Event Parlour in connection with the provision of our event management platform and related services. The purpose of this Agreement is to ensure compliance with applicable data protection laws, including but not limited to:
- General Data Protection Regulation (GDPR)
- Data Protection Act 2019 (Kenya)
- Other applicable data protection legislation
3.1 Categories of Data Subjects
- Event organizers and administrators
- Event attendees and ticket purchasers
- Workspace members and team collaborators
- Speakers and presenters
- Vendors and service providers
- Platform users and visitors
3.2 Types of Personal Data Processed
- Identity information (name, username, email)
- Contact details (phone number, address)
- Payment and billing information
- Profile pictures and avatars
- KYC verification documents and data
- Event registration and attendance records
- Communication data (messages, posts, feedback)
- Usage and analytics data
- Device and technical information
3.3 Processing Activities
- Collection and storage of personal data
- User authentication and account management
- Event creation, management, and promotion
- Ticket sales and purchase processing
- Payment processing and financial transactions
- Communication and notification delivery
- Analytics and service improvement
- Security monitoring and fraud prevention
- Legal compliance and reporting
As the Data Controller, you are responsible for:
- Ensuring you have a lawful basis for processing personal data
- Obtaining necessary consents from data subjects where required
- Providing accurate and up-to-date information to data subjects about data processing
- Complying with data subject rights requests (access, rectification, erasure, etc.)
- Implementing appropriate security measures for data you control
- Notifying Event Parlour of any changes to data processing instructions
- Ensuring data subjects are informed about Event Parlour's role as a data processor
5.1 Processing Instructions
Event Parlour will process personal data only in accordance with your documented instructions, this DPA, and applicable data protection laws. We will not process personal data for any purpose other than providing our services unless required by law.
5.2 Confidentiality
All personnel with access to personal data are bound by confidentiality obligations. We ensure that only authorized personnel have access to personal data and only to the extent necessary to perform their duties.
5.3 Security Measures
We implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration, including:
- Encryption of data in transit and at rest
- Secure authentication and access controls
- Regular security audits and assessments
- Incident response and breach notification procedures
- Regular backups and disaster recovery plans
- Employee training on data protection
5.4 Sub-processors
We may engage sub-processors to assist in providing our services. We maintain a list of sub-processors and will notify you of any intended changes. We ensure that sub-processors are bound by similar data protection obligations through contractual agreements.
Current sub-processors include payment processors (Paystack, Stripe, M-Pesa), hosting providers, and email service providers. You may object to the appointment of a new sub-processor by contacting us.
5.5 Data Subject Rights
We will assist you in responding to data subject rights requests, including requests for access, rectification, erasure, portability, and objection. We will promptly inform you of any data subject requests we receive directly.
5.6 Data Breach Notification
In the event of a personal data breach, we will notify you without undue delay and provide all relevant information to assist you in meeting your breach notification obligations. We will take reasonable steps to mitigate the effects of any breach.
5.7 Data Protection Impact Assessments
We will provide reasonable assistance to you in conducting data protection impact assessments where required by applicable law.
We will retain personal data only for as long as necessary to provide our services or as required by law. Upon termination of services or upon your request, we will:
- Return all personal data to you in a structured, commonly used, and machine-readable format, or
- Delete all personal data, unless retention is required by law
We will delete or return personal data within 30 days of termination, unless legal obligations require longer retention.
Personal data may be transferred to and processed in countries outside your jurisdiction. We ensure that such transfers are subject to appropriate safeguards, including:
- Standard contractual clauses approved by relevant authorities
- Adequacy decisions by data protection authorities
- Other legally recognized transfer mechanisms
By using our services, you consent to such international transfers subject to the safeguards described above.
We will make available to you all information necessary to demonstrate compliance with this DPA and applicable data protection laws. Upon reasonable notice and during business hours, we will allow for and contribute to audits conducted by you or your authorized representatives, subject to:
- Confidentiality obligations
- Reasonable frequency (not more than once per year unless required by law)
- Your bearing the costs of such audits
- Minimizing disruption to our business operations
Each party will be liable for any damages caused by its breach of this DPA, subject to the limitations set forth in our Terms of Service. We will be liable only for damages directly caused by our breach of this DPA and will not be liable for any indirect, consequential, or special damages.
You agree to indemnify and hold Event Parlour harmless from any claims, damages, or expenses arising from your breach of this DPA or your failure to comply with applicable data protection laws.
This DPA will remain in effect for as long as you use Event Parlour's services and will terminate automatically upon termination of your use of our services. The obligations in sections relating to data retention, deletion, confidentiality, and liability will survive termination.
This DPA is governed by the laws of Kenya. Any disputes arising from this DPA will be resolved in accordance with the dispute resolution provisions set forth in our Terms of Service.
We may update this DPA from time to time to reflect changes in our services, legal requirements, or data processing practices. We will notify you of material changes by posting the updated DPA on this page and updating the "Last updated" date. Continued use of our services after changes constitutes acceptance of the updated DPA.
If you do not agree with the changes, you may terminate your use of our services.
For questions about this DPA or to exercise your data protection rights, please contact us through the feedback feature in the platform or refer to our Privacy Policy for additional contact information.
If you are located in the European Economic Area (EEA), you may also contact your local data protection authority with any concerns.
Last updated: April 19, 2026