Data Processing Addendum (DPA)

Effective date: August 21, 2025 • Last updated: August 21, 2025

This DPA forms part of the Terms of Use (or other written agreement) between WeVite Inc. ("WeVite", "Processor") and the customer entity identified in the Agreement ("Customer", "Controller").


Table of Contents

  1. Introduction
  2. Definitions
  3. Roles of the Parties
  4. Scope & Customer Instructions
  5. Customer Responsibilities
  6. WeVite Obligations
  7. Subprocessors
  8. International Transfers & SCCs
  9. Data Subject Rights & Assistance
  10. Audit & Information Rights
  11. Security & Breach Notification
  12. Return & Deletion of Data
  13. US State Privacy (CPRA et al.)
  14. Liability & Precedence
  15. Term & Governing Law

1. Introduction

This DPA governs WeVite's Processing of Personal Data on behalf of Customer in connection with the Services. Capitalized terms not defined here have the meanings in the Agreement.

2. Definitions

Applicable Data Protection Laws means all data protection and privacy laws that apply to the Processing, including the GDPR, UK GDPR, Swiss FADP, and U.S. state privacy laws (e.g., California CPRA).

Personal Data, Processing, Controller, Processor, Sub-processor have the meanings in the GDPR.

Services means the SaaS ticketing, event, and related services provided by WeVite pursuant to the Agreement.

3. Roles of the Parties

  • Controller: Customer is Controller of Personal Data it uploads or collects via the Services (e.g., Attendee data).
  • Processor: WeVite processes such Personal Data solely on Customer's behalf and in accordance with this DPA.
  • Independent Controller: WeVite may act as its own Controller for account administration, billing, fraud/security, compliance, and Organizer marketing (see Privacy Policy).

4. Scope & Customer Instructions

WeVite shall Process Personal Data only: (a) to provide and improve the Services; (b) on documented instructions from Customer, including those in the Agreement and this DPA; and (c) as required by Applicable Data Protection Laws. If WeVite is required by law to Process Personal Data contrary to Customer's instructions, WeVite will inform Customer (unless prohibited by law).

5. Customer Responsibilities

  • Provide a lawful basis and appropriate notices to data subjects; obtain consents where required.
  • Not instruct Processing that violates Applicable Data Protection Laws.
  • Be responsible for the accuracy, quality, and legality of Personal Data and the means by which it was acquired.

6. WeVite Obligations

  • Confidentiality: ensure personnel are bound by confidentiality obligations.
  • Security Measures: implement Technical and Organizational Measures (TOMs) described in Annex 2.
  • Assistance: provide reasonable assistance with data subject requests, DPIAs, and supervisory authority consultations.
  • Notice of Legal Requests: notify Customer before disclosing Personal Data to public authorities unless prohibited by law.
  • Records: maintain records of Processing as required by law.

7. Subprocessors

Customer authorizes WeVite to engage Subprocessors to support the Services (e.g., hosting, payments, analytics, support). WeVite will impose data protection obligations on Subprocessors no less protective than those in this DPA and remains responsible for their performance.

WeVite maintains an updated list at /legal/subprocessors and will provide advance notice of additions. Customer may reasonably object within 30 days; if unresolved, the parties will work in good faith toward a solution.

8. International Transfers & SCCs

Where WeVite transfers Personal Data outside the EEA/UK/Switzerland, it shall implement appropriate safeguards such as the European Commission's Standard Contractual Clauses (2021/914/EU, Module 2: Controller→Processor) and any applicable UK/Swiss addenda. The SCCs are incorporated by reference and completed using the details in Annex 1 and Annex 2.

9. Data Subject Rights & Assistance

WeVite will promptly inform Customer if it receives a request from a data subject relating to Personal Data that WeVite Processes for Customer. WeVite will not respond except on documented instructions from Customer or where legally required. WeVite will assist Customer, at Customer's cost where applicable, in fulfilling data subject requests.

10. Audit & Information Rights

Upon request, WeVite will make available information necessary to demonstrate compliance with this DPA, including independent third-party audit reports (e.g., SOC 2, ISO 27001) where available. If such materials are insufficient, Customer may conduct an on-site audit no more than annually with 30 days' notice, during normal business hours, subject to confidentiality and reasonable time, scope, and cost limitations.

11. Security & Breach Notification

WeVite maintains security measures appropriate to the risk (see Annex 2). In the event of a Personal Data Breach, WeVite will notify Customer without undue delay (and, where feasible, within 72 hours of becoming aware) and provide information reasonably required for Customer to meet its obligations.

12. Return & Deletion of Data

Upon termination or expiry of the Services, WeVite will, upon Customer request, return Personal Data and delete existing copies within 90 days, unless retention is required by law or for the establishment, exercise, or defense of legal claims. Backup media are overwritten on standard cycles.

13. US State Privacy (CPRA et al.)

For the limited Processing of Personal Information subject to U.S. state privacy laws, WeVite acts as a Service Provider/Processor and will: (a) not sell or share Personal Information; (b) not retain, use, or disclose Personal Information for any purpose other than performing the Services or as otherwise permitted by law; (c) not combine Personal Information with other data except as permitted (e.g., for security, debugging, or to improve the Services); and (d) provide assistance to honor consumer rights requests as applicable.

14. Liability & Precedence

Each party's liability arising from or in connection with this DPA is subject to the limitations and exclusions of liability in the Agreement, except where prohibited by law. In the event of conflict between this DPA and the Agreement, this DPA controls with respect to Processing of Personal Data.

15. Term & Governing Law

This DPA remains in force for as long as WeVite processes Personal Data on behalf of Customer under the Agreement and is governed by the same law and venue as the Agreement, unless Applicable Data Protection Laws require otherwise.


Annex 1 — Details of Processing

  • Subject Matter: Provision of SaaS event ticketing and community services.
  • Duration: Term of Agreement and up to 90 days thereafter (retention window).
  • Nature & Purpose: Hosting, storage, transmission, and management of Organizer and Attendee data; diagnostics; security; support.
  • Types of Personal Data: Names, emails, contact details, ticket and check-in info, custom form responses, IP addresses, device/browser data, limited payment instrument metadata (payment credentials handled by Stripe).
  • Categories of Data Subjects: Organizers and their Attendees; authorized users of Customer.

Annex 2 — Technical & Organizational Measures

  • Encryption: TLS in transit; encryption at rest for primary datastores where supported.
  • Access Controls: role-based access, least privilege, MFA for privileged accounts, regular access reviews.
  • Secure SDLC: code review, dependency scanning, vulnerability management, change control.
  • Monitoring & Logging: centralized logging, anomaly detection, security alerts, incident response runbooks.
  • Availability & DR: regular backups, restore testing, redundancy appropriate to tier, RPO/RTO targets.
  • Personnel: confidentiality agreements, security/privacy training, off-boarding access revocation.
  • Physical Security: secured data centers via vetted cloud providers.
  • Pen Tests: periodic external testing and remediation tracking.

Annex 3 — Subprocessors

WeVite may use the following categories of Subprocessors (current list and updates at /legal/subprocessors):

  • Payments: Payment processors for payment processing and payouts.
  • Hosting & CDN: Cloud infrastructure providers and content delivery networks.
  • Analytics & Monitoring: Analytics tools and error monitoring services.
  • CRM & Support: Platforms used for customer support and communications.

Note: As of the effective date of this DPA, WeVite does not currently engage any third-party subprocessors. This annex describes the categories of services for which subprocessors may be engaged in the future.


Contact & Notices

WeVite Inc.
Attn: Privacy & Security
Email: support@wevite.io • Security: security@wevite.io


DPA FAQ

WeVite acts as a processor for Organizer-uploaded Attendee data and as an independent controller for WeVite's own account, billing, security, and marketing data.
Yes. Cross-border transfers from the EEA/UK/Switzerland are supported by the 2021/EU SCCs (Module 2: Controller to Processor) and any applicable UK/Swiss addenda.
Yes. WeVite provides advance notice of new subprocessors on /legal/subprocessors. Organizers have 30 days to reasonably object.
WeVite deletes or returns Personal Data within 90 days after termination, subject to legal retention requirements (e.g., tax and anti-fraud obligations).

Execution: This DPA is incorporated by reference into the Agreement. If your procurement requires a countersigned copy, contact support@wevite.io.