Data Processing Addendum

Parties

This Data Processing Addendum (the “Addendum”) forms part of the services agreement between the entity receiving the Services (the “Customer” or “Controller”) and SUMMITWARE BV — the data processor providing the Services (the “Company” or “Processor”). The Customer determines the purposes and means of processing, and SUMMITWARE BV processes personal data on behalf of the Customer in accordance with this Addendum.

The SUMMITWARE BV’s designated data protection officer (the “Officer”) coordinates privacy and security matters for the Services and may be contacted at privacy@summitware.be.

1. Subject Matter and Duration

This Addendum governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the services listed in Annex I (the “Services”). It remains in force for the term of the underlying services agreement between the Parties and until deletion of personal data by the Processor in accordance with this Addendum.

This Addendum also governs any processing carried out through AI-powered assistance or automation features integrated into the Services, which process text-based user inputs to generate contextual responses or perform actions on behalf of the Controller.

2. Roles and Instructions

The Controller determines the purposes and means of processing and acts as controller. The Processor acts as processor and will process personal data only on documented instructions from the Controller, unless required by Union or Member State law; in such cases the Processor will inform the Controller prior to processing, unless prohibited by law.

The Processor shall assist the Controller in conducting Data Protection Impact Assessments (DPIAs) as required under Article 35 of the GDPR. This assistance shall include providing necessary information and support to evaluate the impact of the processing operations on the protection of personal data.

3. Categories of Data and Data Subjects

As described in Annex I.

4. Processor Obligations

  • Ensure personnel are bound by confidentiality and receive appropriate data protection training.
  • Implement and maintain the technical and organizational measures in Annex III.
  • Assist the Controller with data subject requests and GDPR compliance (Arts. 32–36), taking into account the nature of processing.
  • Notify the Controller without undue delay after becoming aware of a personal data breach.
  • Maintain records of processing as required by Art. 30(2) GDPR.
  • Provide information necessary to demonstrate compliance and allow for audits (upon reasonable notice, during business hours, without disrupting operations).

5. Sub-Processors (General Authorisation)

The Controller grants the Processor general written authorisation to engage sub-processors to support delivery of the Services. The current list of sub-processors is maintained at: subprocessors.

The Processor will notify the Controller at least 30 days in advance of any intended addition or replacement of a sub-processor, giving the Controller the opportunity to object on reasonable data protection grounds before engagement. Absent a reasonable objection within the notice period, the change is deemed approved. If the Controller reasonably objects, the Parties will work in good faith to find a workaround; if none is available, the Controller may terminate the affected Services with a pro-rata refund of prepaid, unused fees.

The Processor will impose on all sub-processors data protection obligations no less protective than those in this Addendum.

6. Representative Appointment clause

The sub-processor shall, when located outside the European Union (EU) and European Economic Area (EEA), appoint a representative within the EU/EEA in accordance with Article 27 of the General Data Protection Regulation (GDPR).

The appointed representative shall be authorized to act on behalf of the sub-processor with regard to its obligations under the GDPR, including but not limited to, responding to inquiries or requests from data subjects or supervisory authorities concerning the processing of personal data.

The sub-processor shall provide the Processor / Controller with the contact details of the appointed representative, including the representative’s name, address, and email address, and shall ensure that this information is kept up-to-date.

7. International Data Transfers

Where the Processor engages in international data transfers, it shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. This may include the use of Standard Contractual Clauses, Binding Corporate Rules (BCRs), or obtaining specific approvals from supervisory authorities. Details are provided in the sub-processor list referenced in Annex II.

8. Retention, Return, and Deletion

  • Retention During Active Services: The Processor shall retain personal data for as long as the Services remain active and the Controller continues to rely on such data for recurring or scheduled events, in accordance with Article 5(1)(e) of the GDPR.
  • Deletion Upon Data Subject Request: Upon receipt of a valid request from a data subject (participant) to exercise their right to erasure under Article 17 of the GDPR, the Processor shall promptly delete or anonymize the relevant personal data, unless retention is required under Union or Member State law.
  • Deletion Due to Inactivity: In the event of inactivity—defined as no access to the personal data and no upcoming events—for a continuous period of twelve (12) months, the Processor shall delete or anonymize the personal data. The Processor shall notify the Controller at least fourteen (14) calendar days in advance of such deletion. The Controller may request a postponement of the deletion for a legitimate reason, which must be documented and communicated to the Processor prior to the scheduled deletion date.
  • Termination of Services: Upon termination of the Services, the Processor shall, at the Controller’s written instruction, either delete or return all personal data within thirty (30) calendar days, unless Union or Member State law requires continued storage. Any backups containing personal data shall be securely deleted or anonymized within three (3) months following the initial deletion, subject to technical feasibility and in accordance with Article 32 of the GDPR.
  • Data Export: The Controller shall have the right to export personal data at any time prior to deletion, using the tools or procedures made available by the Processor.
  • Audit and Logging: The Processor shall maintain detailed logs of all deletion and anonymization actions performed under this Section. These logs shall be retained for audit purposes and made available to the Controller upon request, to demonstrate compliance with Articles 5(2), 17, 28(3)(g), and 30 of the GDPR. Conversation logs generated by AI assistant features are retained by the Processor for up to thirty (30) days for audit and abuse-prevention purposes, then automatically deleted unless required for security or legal reasons.

9. Security

The Processor will implement the technical and organizational measures set out in Annex III and will regularly review and update them to maintain an appropriate level of security.

10. Data Subject Rights

Taking into account the nature of processing, the Processor shall assist the Controller, by appropriate technical and organizational measures, in fulfilling obligations to respond to requests for exercising data subject rights under Chapter III GDPR.

11. Breach Notification

The Processor shall maintain a documented incident response plan to address any personal data breaches. In the event of a data breach, the Processor shall notify the Controller without undue delay and provide all necessary information to support the Controller in meeting its notification obligations under the GDPR. The notification shall include the nature of the breach, the categories and approximate number of data subjects concerned, and the measures taken to address the breach.

12. Liability

Each Party shall be liable for damages caused by processing that infringes the General Data Protection Regulation (GDPR) where it has not complied with its obligations under this Addendum or the GDPR. The Processor’s liability for any claims arising out of or related to this Addendum, whether in contract, tort, or under any other theory of liability, shall be limited to maximum the amount paid by the Controller to the Processor for the Services during the twelve (12) months preceding the event giving rise to the liability.

Nothing in this Addendum shall exclude or limit the Processor’s liability for damages resulting from its willful misconduct or gross negligence, or for any other liability that cannot be excluded or limited under applicable law. Notwithstanding the foregoing, the Processor shall not be liable for any indirect, incidental, consequential, or punitive damages, or for any loss of profits or revenues, whether incurred directly or indirectly, arising from the use of the Services or the processing of personal data.

13. Confidentiality

Both the Controller and the Processor agree to maintain the confidentiality of each other’s confidential information. Each party shall take all reasonable measures to protect the confidentiality of the other party’s information and shall not disclose such information to third parties without prior written consent, except as required by law.

14. Termination responsibilities

Upon termination of this agreement, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller, unless Union or Member State law requires storage of the personal data. The Processor shall certify to the Controller that this has been done.

15. Insurance

The Processor shall maintain appropriate insurance coverage to address potential liabilities arising from data protection risks. This insurance shall cover claims related to data breaches, regulatory fines, and other liabilities associated with the processing of personal data.

16. Governing Law and Jurisdiction

This Addendum is governed by the laws of Belgium. The courts of Ghent, Belgium, have exclusive jurisdiction over any dispute arising out of or in connection with this Addendum.

17. Updates

The Processor may update this Addendum to reflect changes in law, security practices, or operations. Sub-processor changes follow Section 5 and Annex II (notice and objection rights); they do not require re-acceptance of the Addendum. If a change materially degrades protections in a way that adversely affects the Controller’s rights and no resolution is found, the Controller may terminate the affected Services with a pro-rata refund of prepaid, unused fees. The Processor will communicate material updates to the Controller at least 30 days in advance, allowing the Controller to review and object if necessary.

18. Contact

Processor DPO/Contact: Data Protection Officer — privacy@summitware.be

Annex I – Description of Processing

Services

  • Registration Town: attendee registration, ticketing, speaker management, conference agenda, optional publication of presentations/e-posters.
  • Slideshow City: storage and distribution of presentations among client-managed devices during events.
  • AI-powered assistant: optional feature enabling users to edit forms, content, generate queries, or retrieve configuration information through natural language interaction. Inputs are processed transiently via authorized AI sub-processors under stateless, non-training configurations.

Categories of Personal Data

  • Mandatory: first name, surname, email address.
  • Optional (as configured by Controller): country, city, company, job title, address, other event-specific fields.
  • Speaker logistics: flight numbers, hotel accommodations, other conference-related data.
  • Presentation materials, which may contain personal data (biographies, photos, affiliations).
  • Billing details: customer name, billing address. Card details are not stored by the Processor (processed by payment provider).
  • Interaction content submitted to AI assistant (text prompts, commands, and contextual parameters such as filters, queries, commands or view identifiers, but excluding underlying datasets). No participant or registration records are shared with AI sub-processors.

Data Subjects

  • Conference attendees
  • Exhibitors
  • Speakers
  • Event organizers (Controller’s staff)

Nature and Purpose

To provide the Services for the Controller’s events, including registration, content management, agenda publishing, presentation distribution, and related support.

Duration

For the term of the Services and the retention period specified in Section 8.

Annex II – Sub-Processors (External List & Snapshot)

The Processor maintains an up-to-date list of sub-processors at: subprocessors.

Future changes to sub-processors will be notified per Section 5; absence of a reasonable objection within the notice period constitutes approval.

Annex III – Technical and Organizational Measures

  • Encryption: TLS for data in transit; encryption at rest for databases and backups.
  • Access control: role-based access, least privilege, MFA for administrative access.
  • Logging & monitoring: access logs, audit trails, anomaly monitoring.
  • Resilience: regular backups, tested restore, availability and disaster recovery processes.
  • Secure development: code reviews, dependency management, vulnerability scanning and patching.
  • Personnel: confidentiality obligations; security awareness training.
  • Incident response: documented procedures including breach notification to Controller without undue delay.

Related documents: Terms of Service · Privacy Policy · Cookie Policy · Imprint