Data Processing Addendum
Last updated: 2026-05-18
This Data Processing Addendum (“DPA”) supplements the VenueFuze Terms of Use and applies where an Organizer (the “Controller”) processes personal data of EU/EEA, UK, or Swiss data subjects through the VenueFuze platform (operated by Zafronix LLC, the “Processor”).
1. Roles
- Controller: the Organizer, which determines the purpose and means of processing attendee data.
- Processor: VenueFuze, which processes that data on the Controller's documented instructions.
2. Scope of processing
VenueFuze processes the following categories of personal data on the Controller's behalf: name, email address, phone number, payment metadata (no card numbers), ticket/order history, scan logs, bid history, and event-related communications.
Processing is carried out for the purposes described in our Privacy Policy and as instructed by the Controller through use of the platform.
3. Sub-processors
The Controller authorizes VenueFuze to engage the following sub-processors:
- Stripe, Inc. (payment processing — USA)
- Resend (transactional email — USA)
- ip-api.com (IP geolocation — Germany)
We will notify Controllers of any intended addition or replacement of sub-processors at least 30 days in advance. Controllers may object on reasonable grounds.
4. International transfers
Where personal data is transferred from the EU/EEA, UK, or Switzerland to the United States, the parties rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum as appropriate. VenueFuze will maintain transfer safeguards consistent with applicable law.
5. Security
VenueFuze implements technical and organizational measures appropriate to the risk, including TLS in transit, encrypted backups, audit-logged production access, and role-scoped application authorization. Material details are available on request.
6. Data subject rights
VenueFuze will, taking into account the nature of the processing, assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection). Requests should be routed through the Controller; VenueFuze acts on the Controller's instructions.
7. Incident notification
VenueFuze will notify the Controller without undue delay (and within 72 hours where feasible) of a personal data breach affecting the Controller's data. Notice will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remediation steps taken.
8. Return or deletion on termination
On termination of the Controller's account, VenueFuze will, at the Controller's election, return or delete all personal data in its possession, except where retention is required by law (e.g. tax recordkeeping).
9. Audits
VenueFuze will make available the information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits conducted by the Controller or a mandated third-party auditor on reasonable notice. Audit costs are borne by the Controller except where the audit reveals a material breach by VenueFuze.
10. Term
This DPA enters into force on the date the Controller accepts it (by signed copy or by continued use of the service after publication) and remains in effect for the duration of the Controller's account.
11. Signing
Organizers needing a counter-signed copy of this DPA on company letterhead should email legal@venuefuze.com with the Organizer's legal entity name and address.
