Data Processing Agreement
Last updated: February 20, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and CeremonySync ("Processor"), located in Georgia, USA, for the provision of the CeremonySync wedding venue management platform and related services (the "Services"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and sets forth the terms under which the Processor shall process Personal Data on behalf of the Controller.
By using the Services, the Controller agrees to the terms of this DPA. Where a separate, individually signed DPA is required, please contact support@ceremonysync.com to request a copy for execution.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. All capitalised terms not defined herein shall have the meanings given to them in the GDPR or the principal agreement between the parties.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Under this DPA the Controller is the customer who has entered into the principal agreement with CeremonySync.
- "Processor" means CeremonySync, the entity that processes Personal Data on behalf of the Controller in connection with the provision of the Services.
- "Data Subject" means any identified or identifiable natural person whose Personal Data is processed under this DPA. This may include the Controller's end users, customers, employees, or other individuals whose data is submitted to the Services.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Services.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and any applicable national implementing legislation.
2. Scope & Purpose
2.1 Subject Matter and Duration
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in the course of providing the Services. The duration of this DPA shall correspond to the term of the principal agreement between the parties and shall automatically terminate upon the expiry or termination of that agreement, subject to any obligations regarding data deletion or return set out in Section 7 below.
2.2 Categories of Personal Data
The categories of Personal Data processed under this DPA may include, but are not limited to:
- Contact information (names, email addresses, phone numbers, mailing addresses)
- Account credentials (hashed passwords, authentication tokens)
- Event and booking details (event dates, venue selections, guest counts, ceremony preferences)
- Payment information (billing addresses, transaction records; note that full payment card details are processed directly by Stripe and are not stored by CeremonySync)
- Usage and analytics data (IP addresses, device identifiers, browser information, interaction logs)
- Communication records (messages exchanged through the platform, support correspondence)
2.3 Categories of Data Subjects
Data Subjects may include:
- The Controller's employees, agents, and authorised users of the Services
- The Controller's customers and prospective customers (e.g., engaged couples, event planners)
- Event guests and attendees whose data is entered into the platform
- Vendors and third-party service providers associated with events
2.4 Purpose of Processing
The Processor shall process Personal Data solely for the purposes of providing, maintaining, and improving the Services, including but not limited to:
- Operating the wedding venue management platform
- Facilitating account creation, authentication, and management
- Processing bookings, payments, and related transactions
- Sending transactional and marketing communications (where authorised by the Controller)
- Providing customer support
- Performing analytics to improve the Services
The Processor shall not process Personal Data for any purpose other than as set out in this DPA or as otherwise instructed in writing by the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before Processing (unless prohibited by law from doing so).
3. Processor Obligations
3.1 Compliance with Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such notification on important grounds of public interest.
3.2 Confidentiality
The Processor shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this DPA and any employment or contractual relationship between the Processor and such persons.
3.3 Security Measures
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- The ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing
- Role-based access controls to restrict access to Personal Data to authorised personnel only
- Regular security assessments and vulnerability scanning of the Services
3.4 Staff Training
The Processor shall ensure that all personnel with access to Personal Data receive appropriate training on data protection principles, the requirements of the GDPR, and the Processor's data handling policies and procedures. Training shall be conducted at the time of onboarding and on an ongoing periodic basis thereafter.
3.5 Documentation and Records
The Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR. Such records shall be made available to the Controller and/or the relevant supervisory authority upon request.
4. Sub-processors
4.1 Authorised Sub-processors
The Controller provides general written authorisation for the Processor to engage the following Sub-processors in connection with the provision of the Services:
| Sub-processor | Purpose | Location |
|---|---|---|
| PostHog | Product analytics and usage tracking | United States |
| Brevo | Email marketing and transactional email delivery | European Union |
| Supabase | Database hosting and backend infrastructure | United States |
| Stripe | Payment processing and billing | United States |
4.2 Obligations Regarding Sub-processors
Where the Processor engages a Sub-processor for carrying out specific Processing activities on behalf of the Controller, the Processor shall:
- Impose on the Sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the GDPR
- Remain fully liable to the Controller for the performance of the Sub-processor's obligations
4.3 Changes to Sub-processors
The Processor shall notify the Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Controller the opportunity to object to such changes. If the Controller reasonably objects to a new Sub-processor on data protection grounds, the Processor shall use commercially reasonable efforts to make available to the Controller an alternative arrangement that avoids the use of the objected-to Sub-processor. If no alternative is reasonably available, the Controller may terminate the principal agreement and this DPA without penalty.
5. Data Subject Rights
5.1 Assistance with Requests
The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR, including but not limited to:
- Right of access (Article 15) — providing the Controller with the ability to retrieve Personal Data pertaining to a Data Subject
- Right to rectification (Article 16) — facilitating the correction of inaccurate or incomplete Personal Data
- Right to erasure (Article 17) — enabling the deletion of Personal Data upon a valid request, subject to any legal retention obligations
- Right to restriction of processing (Article 18) — restricting the Processing of Personal Data where applicable
- Right to data portability (Article 20) — providing Personal Data in a structured, commonly used, and machine-readable format upon request
- Right to object (Article 21) — ceasing Processing of Personal Data where the Data Subject has objected, unless legitimate grounds for continued Processing exist
5.2 Notification of Requests
If the Processor receives a request directly from a Data Subject regarding the exercise of their rights under the GDPR, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's prior written instructions, unless required to do so by applicable law.
6. Data Breach Notification
6.1 Notification Obligation
The Processor shall notify the Controller without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data breach, as defined in Article 4(12) of the GDPR. Where the Processor is unable to provide full details within the 72-hour period, information may be provided in phases, without further undue delay.
6.2 Content of Notification
The notification to the Controller shall include, to the extent available:
- A description of the nature of the Personal Data breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
- The name and contact details of the Processor's point of contact from whom more information can be obtained
- A description of the likely consequences of the Personal Data breach
- A description of the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects
6.3 Cooperation
The Processor shall cooperate with the Controller and take such reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation, and remediation of each Personal Data breach. The Processor shall also assist the Controller in fulfilling its obligations under Articles 33 and 34 of the GDPR (notification to the supervisory authority and communication to the Data Subject, respectively).
7. Data Deletion
7.1 Deletion or Return Upon Termination
Upon termination or expiry of the principal agreement, or upon the Controller's written request, the Processor shall, at the Controller's election:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
- Delete all Personal Data and all existing copies thereof, unless Union or Member State law requires storage of the Personal Data
The Processor shall complete the return or deletion within thirty (30) days of the request or the termination of the principal agreement, whichever is later.
7.2 Certification of Deletion
Upon completion of the deletion of Personal Data, the Processor shall provide the Controller with a written certification confirming that all Personal Data has been securely deleted in accordance with this Section 7. Such certification shall be provided within ten (10) business days of the completion of deletion.
7.3 Retention Exceptions
Where the Processor is required by applicable law to retain any Personal Data, the Processor shall inform the Controller of such requirement, including the legal basis for retention and the anticipated duration. The Processor shall continue to protect such retained data in accordance with the terms of this DPA and shall delete it as soon as the legal retention period expires.
8. Audit Rights
8.1 Right to Audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
8.2 Audit Procedures
Audits shall be subject to the following conditions:
- The Controller shall provide the Processor with at least thirty (30) days' prior written notice of any audit
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Controller shall bear its own costs in connection with any audit, unless the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear reasonable audit costs
- The Controller and its auditors shall maintain the confidentiality of all information obtained during the audit
- Audits shall be limited to no more than one (1) per calendar year, unless a Personal Data breach has occurred or the Controller has reasonable grounds to believe that the Processor is not in compliance with this DPA
8.3 Alternative Audit Mechanisms
In lieu of an on-site audit, the Processor may, at its discretion, provide the Controller with a summary of relevant third-party audit reports, certifications, or other documentation that demonstrates compliance with the obligations set out in this DPA. The Controller shall consider such documentation in good faith before exercising its right to conduct an on-site audit.
9. Liability
9.1 Allocation of Liability
Each party shall be liable for damage caused by Processing that infringes the GDPR in accordance with Article 82 of the GDPR. The Processor shall be liable for damage caused by Processing only where it has not complied with obligations of the GDPR specifically directed to Processors or where it has acted outside of or contrary to the lawful instructions of the Controller.
9.2 Indemnification
Each party agrees to indemnify and hold harmless the other party from and against all claims, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or in connection with any breach of this DPA by the indemnifying party, including any fines imposed by a supervisory authority attributable to the indemnifying party's failure to comply with its obligations under this DPA or the GDPR.
9.3 Limitation
The total liability of the Processor under this DPA shall be subject to any limitations of liability set out in the principal agreement between the parties, except to the extent that such limitation is prohibited by applicable law.
10. Governing Law
10.1 Applicable Law
This DPA shall be governed by and construed in accordance with the laws of the State of Georgia, United States of America, without regard to its conflict of laws principles, except to the extent that the GDPR or other mandatory data protection laws of the European Union or its Member States apply to the Processing of Personal Data hereunder.
10.2 Dispute Resolution
The parties shall first attempt to resolve any dispute, controversy, or claim arising out of or relating to this DPA, or the breach, termination, or invalidity thereof, through good-faith negotiation. If the dispute cannot be resolved through negotiation within thirty (30) days, either party may submit the dispute to the exclusive jurisdiction of the state and federal courts located in the State of Georgia, United States of America. Notwithstanding the foregoing, either party may lodge a complaint with a competent supervisory authority in accordance with the GDPR.
10.3 Relationship to Principal Agreement
This DPA is incorporated into and forms part of the principal agreement between the parties. In the event of any conflict between this DPA and the principal agreement, this DPA shall prevail with respect to the Processing of Personal Data.
11. Contact
For any questions regarding this Data Processing Agreement, to request a signed copy, or to exercise any rights or obligations set out herein, please contact us at:
- Email: support@ceremonysync.com
- Entity: CeremonySync
- Location: Georgia, United States of America
We aim to respond to all enquiries within ten (10) business days.