Data Processing Agreement

Last updated: 05/12/2026

This Data Processing Agreement version 2026-05-12 forms part of the agreement between PYPO and the customer using PYPO. It applies when PYPO processes customer personal data as processor on behalf of the customer.

Roles

For agency staff account, billing, security, and service administration data, PYPO may act as controller. For event guest and attendee data entered by the customer, the customer is controller and PYPO is processor.

Processing Instructions

PYPO processes customer personal data only to provide, secure, support, and improve PYPO; to comply with documented customer instructions; and to meet legal obligations that apply to PYPO.

Customer Warranty

Customer warrants it has provided required privacy notices and has obtained any GDPR Art. 9 / LGPD Art. 11 lawful basis required before entering dietary, accessibility, health, under-16, or other special-category data into the Service.

Sub-processors

Customer authorizes PYPO to use the sub-processors listed on the public sub-processor page. PYPO will give at least 30 days' notice before engaging a new sub-processor, and the customer's sole remedy for an unresolved objection is termination of the affected Service.

Security Measures

PYPO maintains encryption in transit and at rest, MFA for privileged access, audit logging, least-privilege access controls, role-based authorization, backups, and EU-resident production infrastructure.

Security Incidents

PYPO will notify the customer without undue delay and no later than 24 hours after confirming a personal data breach affecting customer personal data.

Audit Rights

Once per year, on reasonable notice and under NDA, customer may request information reasonably necessary to verify PYPO's compliance. PYPO may satisfy this by providing summaries of SOC 2, ISO, penetration-test, or equivalent audit results instead of on-site access.

International Transfers

Where customer personal data is transferred from the EEA, UK, Switzerland, or Brazil to a country without an adequacy decision, the parties rely on the applicable Standard Contractual Clauses, Data Privacy Framework certifications, or equivalent lawful transfer safeguards. SCC Module 2 applies where an EU controller transfers personal data to PYPO as a non-EU processor.

Return and Deletion

During the subscription term, customers may export or delete data through the Service where available. After termination, PYPO applies the 90-day grace period and automated retention job described in the Terms unless legal preservation is required.

Contact

Questions about this DPA should be sent to dpo@pypo.events.

© 2026 PYPO