This Data Processing Agreement (“DPA”) forms part of the agreement between Treffio ApS, CVR 42 02 16 79, Niels Ebbesens Vej 16, 1911 Frederiksberg C, Denmark (“Treffio”, the “Processor”) and the Customer (the “Controller”) for the use of the Treffio platform (“Service”). It is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (the “GDPR”).
This DPA applies whenever Treffio processes Personal Data on behalf of the Controller. It does not apply to Personal Data for which Treffio is itself the controller (such as data about the Controller’s own admin users in their capacity as Treffio account holders, or website-visitor data of treffio.com); that data is governed by Treffio’s Privacy Policy.
By creating an account on the admin dashboard and accepting the License Terms, the Customer enters into this DPA on behalf of itself and its affiliates.
Terms not defined in this DPA have the meanings given in the GDPR or, where applicable, the Terms and Conditions and the License Terms.
The Controller is the controller of the Personal Data and Treffio is the processor. Treffio processes Personal Data only on documented instructions from the Controller, including those embedded in the configuration and use of the Service.
The subject-matter of the processing is the operation of the Service to enable the Controller to plan, execute, communicate about, and analyze its events. Details are set out in Annex I.
This DPA applies for as long as Treffio processes Personal Data on behalf of the Controller, namely from the start of the Controller’s subscription until completion of the deletion or return obligation in Section 11.
The Controller warrants and undertakes that:
Treffio will:
Process Personal Data only on the Controller’s documented instructions, which include the Service configuration, the License Terms, this DPA, and any specific instructions given via the support channels. Treffio will inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law, before complying.
Treffio will not process Personal Data for any purpose other than to provide the Service to the Controller, except where required to do so by EU or Member-State law to which Treffio is subject (in which case Treffio will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest).
Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing. Current measures are summarized in Annex II. Treffio may update these measures at any time provided the level of security is not materially reduced.
Engage Subprocessors only as set out in Section 5.
Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, to fulfil the Controller’s obligation to respond to requests for exercising Data Subject rights under Articles 15 to 22 GDPR. Most rights can be fulfilled by the Controller directly via the admin dashboard; for requests that require Treffio’s assistance, the Controller may contact [email protected].
Assist the Controller, insofar as possible and taking into account the nature of the processing and the information available to Treffio, in ensuring compliance with the Controller’s obligations under Articles 32 to 36 GDPR (security, breach notification, data-protection impact assessments, prior consultation).
Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller’s data. The notification will, to the extent then available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach. Treffio will not notify supervisory authorities or Data Subjects on behalf of the Controller unless explicitly instructed to do so.
Maintain records of all categories of processing activities carried out on behalf of the Controller and make them available to the Controller and to supervisory authorities on request.
Make available to the Controller all information necessary to demonstrate compliance with the obligations of Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as further set out in Section 6.
The Controller grants Treffio a general authorization to engage Subprocessors. The current list is maintained in the Subprocessor List.
Treffio will provide at least 30 days’ prior notice of the addition or replacement of any Subprocessor by updating the Subprocessor List and notifying the Controller’s billing or admin contact by email or in-app message.
The Controller may object to a new Subprocessor on reasonable, documented data-protection grounds within 30 days of the notice. If Treffio cannot, with reasonable effort, accommodate the objection (for example by offering an alternative Subprocessor), the Controller may terminate the parts of the subscription that cannot be provided without the new Subprocessor by written notice within 30 days, with a pro-rata refund of any prepaid fees attributable to the period after termination.
Treffio will impose data-protection terms on each Subprocessor that are no less protective than those in this DPA, including obligations regarding security, confidentiality, and assistance with Data Subject rights. Treffio remains fully liable to the Controller for the performance of its Subprocessors’ obligations.
Treffio will respond to reasonable written requests for information from the Controller about Treffio’s compliance with this DPA. Where the information made available is insufficient, the Controller may, at its expense and on reasonable notice (not less than 30 days, except in emergencies or where required by a supervisory authority), conduct an audit of Treffio’s processing activities relevant to this DPA, no more than once per calendar year, except where:
Audits must be carried out during normal business hours, must not unreasonably interfere with Treffio’s operations, and must be subject to confidentiality obligations. The auditor must not be a competitor of Treffio. Where appropriate, Treffio may satisfy audit obligations by providing security overviews, summaries of internal reviews, and any third-party certifications, attestations, or audit reports covering the relevant controls — typically those held by Treffio’s Subprocessors (such as ISO 27001 or SOC 2 Type II reports issued in respect of Subprocessors). Treffio does not currently hold its own SOC 2 or ISO 27001 certification; if and when Treffio obtains such certifications, they will be made available to Customers under the same audit-rights process.
The Controller’s Personal Data is primarily stored within the European Economic Area (EEA). Where Treffio or a Subprocessor processes Personal Data outside the EEA in a country that is not subject to an adequacy decision of the European Commission, the transfer will be made on the basis of:
By entering into this DPA, the parties (and, where the Subprocessor in question requires, the relevant Subprocessor) are deemed to have entered into the SCCs in respect of any in-scope international transfer, with Treffio acting as data importer or data exporter as appropriate.
If Treffio receives a request directly from a Data Subject who has interacted with the Service in connection with the Controller (for example a Guest at the Controller’s event), Treffio will not respond to the request itself unless authorized by the Controller, except to acknowledge receipt and direct the Data Subject to the Controller. Treffio will promptly forward the request to the Controller using the contact information on file.
If Treffio receives a binding legal request from a government, court, or regulator for access to Personal Data processed on behalf of the Controller, Treffio will, except where prohibited by law:
Each party’s liability arising out of or related to this DPA is governed by the limitation-of-liability provisions in the Terms and Conditions and the License Terms. Nothing in this DPA limits a Data Subject’s rights against either party under Article 82 GDPR.
On expiry or termination of the subscription, Treffio will, at the Controller’s choice notified in writing within 30 days after termination:
If no choice is communicated within 30 days, Treffio will delete the Personal Data from the live Service. Personal Data held in standard, non-targeted backups is retained for the standard backup-rotation period and then deleted on rotation. Treffio may retain Personal Data to the extent (and only for as long as) required by EU or Member-State law, or for the establishment, exercise, or defense of legal claims.
In the event of conflict between this DPA and the Terms and Conditions or License Terms, this DPA prevails with respect to the matters it covers. This DPA is governed by Danish law and disputes are subject to the City Court of Copenhagen (Københavns Byret), as set out in the Terms and Conditions.
Treffio’s data-protection contact:
Treffio ApS — Data Protection
Niels Ebbesens Vej 16
1911 Frederiksberg C
Denmark
Email: [email protected]
Hosting, processing, transmitting, and displaying Personal Data through the Treffio platform to enable the Controller to plan, execute, and analyze its events.
The Service is not designed to process special-category data within the meaning of Article 9 GDPR. Where Guests voluntarily disclose special-category data (for example, dietary restrictions or accessibility needs that imply health information), the Controller is responsible for ensuring an appropriate Article 9 condition. Treffio applies the same security measures to all Personal Data and does not differentiate based on the substance of free-text responses.
Continuous, for the duration of the subscription.
For the duration of the Controller’s subscription, plus a tail period of 60 days after the relevant event has concluded (default), as further described in the Privacy Policy, unless the Controller adjusts retention or deletion is required earlier by law.
Treffio personnel acting under appropriate confidentiality obligations, and the Subprocessors listed in the Subprocessor List. Note that OpenAI is engaged as a conditional sub-processor only when the Controller’s authorized users explicitly invoke the optional AI translation feature in the admin dashboard, and only with the free-text content they submit at that time. If the feature is not used, no data is shared with OpenAI.
This Annex summarizes the technical and organizational measures implemented by Treffio. The list is non-exhaustive and may be updated to reflect changes in the state of the art and risk landscape, provided the overall level of security is not materially reduced.
auth_id and event identifiers, enforced both at the application layer and via row-level security in the database