DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the Terms of Use (or other similarly titled written or electronic agreement addressing the same subject matter) (“Agreement”) between the entity identified as Customer in the applicable Order Form (“Customer” or “Controller”) and TurnoutNow LLC, a limited liability company (“TurnoutNow” or “Processor”) under which the Processor provides the Controller with the AI-powered event intelligence platform and related services (the “Services”). The Controller and the Processor are individually referred to as a “Party” and collectively as the “Parties”.

RECITALS

WHEREAS, the Parties seek to implement this DPA to comply with the requirements of the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws in relation to Processor’s processing of Personal Data as part of its obligations under the Agreement;

WHEREAS, this DPA shall apply to Processor’s processing of Personal Data provided by the Controller as part of Processor’s obligations under the Agreement;

NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1. DEFINITIONS

Terms not otherwise defined herein shall have the meaning given to them in the GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:
  1. “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy, including without limitation the GDPR, the California Consumer Privacy Act (“CCPA”), and any applicable national implementing laws, regulations and secondary legislation.
  2. “Data Transfer” means a transfer of Personal Data from the Controller to the Processor, or between two establishments of the Processor, or from the Processor to a Sub-processor.
  3. “EU GDPR” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  4. “Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws, which is processed by the Processor on behalf of the Controller pursuant to or in connection with the Agreement.
  5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  6. “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses attached hereto as Schedule 1, as approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, used here for transfers to processors established in third countries that do not ensure an adequate level of data protection.
  7. “Sub-processor” means any processor engaged by the Processor or any of its Sub-processors to process Personal Data on behalf of the Controller in connection with the Agreement.

2. PURPOSE AND SCOPE

2.1 Purpose

This DPA sets out the obligations of the Processor in relation to the Processing of Personal Data and shall be limited to the Processor’s obligations under the Agreement.

2.2 Hierarchy

If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail with respect to matters of data protection and privacy.

2.3 Scope

This DPA applies to all Personal Data processed by the Processor on behalf of the Controller in the course of providing the Services.

3. PROCESSING OF PERSONAL DATA

3.1 Categories of Personal Data and Data Subjects

The Controller authorizes the Processor to process Personal Data to the extent determined and regulated by the Controller. The types of Personal Data and categories of Data Subjects are specified in Annex I to Schedule 1 of this DPA.

3.2 Purpose of Processing

The Processor shall process Personal Data solely for the purpose of providing the Services to the Controller pursuant to the Agreement and in accordance with the Controller’s documented instructions.

3.3 Duration of Processing

The Processor will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the Controller or as required by applicable law.

4. DATA CONTROLLER’S OBLIGATIONS

The Data Controller shall:

4.1 Legal Basis

Warrant that it has all necessary rights and legal bases to provide Personal Data to the Processor for processing in relation to the Services, including obtaining any necessary consents from Data Subjects.

4.2 Privacy Notices

Provide all Data Subjects from whom it collects Personal Data with appropriate privacy notices in compliance with Data Protection Laws.

4.3 Instructions for Deletion

Request the Processor to delete or return Personal Data when required by the Controller or any Data Subject, unless the Processor is required to retain the Personal Data by applicable law.

4.4 Incident Notification

Immediately advise the Processor in writing if it receives or learns of any:
  • Complaint or allegation indicating a violation of Data Protection Laws regarding Personal Data;
  • Request from individuals seeking to exercise their rights under Data Protection Laws;
  • Inquiry or complaint from individuals relating to the processing of Personal Data;
  • Regulatory request, search warrant, or other legal process seeking Personal Data.

4.5 Accuracy

Ensure the accuracy of Personal Data provided to the Processor and promptly notify the Processor of any changes or corrections required.

5. DATA PROCESSOR’S OBLIGATIONS

The Data Processor shall:

5.1 Instructions

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.

5.2 Confidentiality

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set out in Annex II of Schedule 1.

5.4 Sub-processors

Not engage another processor without prior specific or general written authorization of the Controller, and in case of general written authorization, inform the Controller of any intended changes concerning the addition or replacement of other processors.

5.5 Data Subject Rights

Assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights.

5.6 Compliance Assistance

Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

5.7 Deletion or Return

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.

5.8 Audit and Inspection

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5.9 Notification of Infringement

Immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other Data Protection Laws.

6. PERSONNEL AND TRAINING

6.1 Reliability

The Processor shall ensure that its personnel engaged in processing Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed appropriate confidentiality agreements.

6.2 Access Control

The Processor shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services in accordance with the Agreement.

6.3 Training

The Processor shall provide regular data protection and security training to personnel having access to Personal Data.

7. SECURITY OF PROCESSING

7.1 Technical and Organizational Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures as described in Annex II of Schedule 1.

7.2 Security Standards

The Processor maintains information security management systems aligned with industry standards including ISO 27001 and SOC 2 Type II.

7.3 Regular Testing

The Processor shall regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing.

8. PERSONAL DATA BREACH

8.1 Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach, unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons.

8.2 Information to be Provided

The notification shall at least:
  • Describe the nature of the Personal Data Breach including the categories and approximate number of Data Subjects and Personal Data records concerned;
  • Communicate the name and contact details of the data protection officer or other contact point;
  • Describe the likely consequences of the Personal Data Breach;
  • Describe the measures taken or proposed to address the Personal Data Breach.

8.3 Assistance

The Processor shall cooperate with and assist the Controller to enable the Controller to comply with its obligations under Data Protection Laws with respect to Personal Data Breaches.

8.4 No Acknowledgment of Fault

The Processor’s notification of or response to a Personal Data Breach under this DPA will not be construed as an acknowledgment by the Processor of any fault or liability with respect to the Personal Data Breach.

9. SUB-PROCESSORS

9.1 General Authorization

The Controller provides general authorization for the Processor to engage Sub-processors listed in Annex III of Schedule 1.

9.2 Notification of Changes

The Processor shall notify the Controller at least thirty (30) days in advance of any intended changes concerning the addition or replacement of Sub-processors by emailing notice to the Customer’s designated contact.

9.3 Right to Object

The Controller may object to the Processor’s use of a new Sub-processor if the Controller reasonably believes that such Sub-processor’s processing of Personal Data would cause the Controller to breach its data protection obligations. The Parties shall confer in good faith to address such concerns.

9.4 Liability

The Processor shall remain fully liable to the Controller for the performance of any Sub-processor’s obligations in relation to the processing of Personal Data.

9.5 Flow-Down Requirements

The Processor shall ensure that any Sub-processor agreement imposes the same data protection obligations as set out in this DPA.

10. INTERNATIONAL DATA TRANSFERS

10.1 Transfer Mechanisms

Any Data Transfer to a country outside the European Economic Area (“EEA”) shall only take place:
  • To a country subject to an adequacy decision by the European Commission;
  • Subject to appropriate safeguards as described in Article 46 of the GDPR, including the Standard Contractual Clauses; or
  • Pursuant to a derogation under Article 49 of the GDPR.

10.2 Standard Contractual Clauses

Where Personal Data is transferred outside the EEA to countries not subject to an adequacy decision, the Parties agree to execute and comply with the Standard Contractual Clauses (Module 2: Controller to Processor) as set out in Schedule 1.

10.3 Supplementary Measures

The Processor shall implement supplementary measures where necessary to ensure that Personal Data is afforded a level of protection substantially equivalent to that guaranteed within the EEA.

11. DATA SUBJECT RIGHTS

11.1 Assistance with Requests

The Processor shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond to such request directly without the Controller’s prior written authorization.

11.2 Facilitation of Rights

The Processor shall provide reasonable assistance to the Controller to enable the Controller to respond to Data Subject requests to exercise their rights under Data Protection Laws, including:
  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making and profiling

12. AUDIT RIGHTS

12.1 Information and Audit

Upon reasonable request, the Processor shall make available to the Controller information necessary to demonstrate compliance with its obligations under this DPA and allow for and contribute to audits.

12.2 Notice and Scheduling

The Controller shall provide at least fifteen (15) business days’ prior written notice of any audit and shall conduct such audit during regular business hours, with minimal disruption to the Processor’s business operations.

12.3 Frequency

Audits shall be conducted no more than once per twelve (12) month period, unless required by a competent data protection authority or following a Personal Data Breach.

12.4 Costs

The Controller shall bear its own costs of any audit, including any costs for external auditors.

12.5 Third-Party Certifications

The Processor may, at its option, provide relevant third-party certifications or audit reports (such as ISO 27001 or SOC 2 Type II reports) to satisfy audit requirements.

13. RETURN AND DELETION OF PERSONAL DATA

13.1 End of Services

Upon termination of the Agreement or completion of the Services, the Processor shall, at the Controller’s option:
  • Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
  • Delete all Personal Data and certify such deletion in writing.

13.2 Timeline

Deletion or return shall be completed within thirty (30) days of the end of the Agreement, unless applicable law requires continued storage.

13.3 Existing Copies

The Processor shall delete existing copies unless applicable law requires storage of the Personal Data.

13.4 Certification

Upon request, the Processor shall provide written certification of deletion signed by an authorized representative.

14. LIMITATION OF LIABILITY

14.1 Application of Agreement

Each Party’s liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.

14.2 Regulatory Fines

Nothing in this DPA shall be construed to limit either Party’s liability for regulatory penalties or fines imposed directly on that Party by a competent authority.

15. GENERAL PROVISIONS

15.1 Governing Law

This DPA shall be governed by the laws specified in the Agreement.

15.2 Amendments

No modification of this DPA shall be valid unless made in writing and signed by authorized representatives of both Parties.

15.3 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.4 Entire Agreement

This DPA, together with the Agreement and its Schedules and Annexes, constitutes the entire agreement between the Parties relating to the processing of Personal Data.

15.5 Survival

The obligations of the Parties under this DPA shall survive termination or expiration of the Agreement to the extent necessary to fulfill the purposes described herein.

SCHEDULE 1 – STANDARD CONTRACTUAL CLAUSES

MODULE TWO: Controller to Processor

[Note: The full text of the Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 should be inserted here or attached as a separate document. These are available from the European Commission website.]

ANNEX I – DETAILS OF PROCESSING

A. LIST OF PARTIES

Data exporter(s):

  • Name: Customer (as identified in the applicable Order Form)
  • Address: As set forth in the applicable Order Form
  • Contact person’s name, position and contact details: As set forth in the applicable Order Form
  • Activities relevant to the data transferred: Recipient of the Services provided by TurnoutNow LLC in accordance with the Agreement
  • Signature and date: As set forth in the Agreement
  • Role: Controller

Data importer(s):

  • Name: TurnoutNow LLC
  • Address: 1390 Columbia Ave, Suite 212, Lancaster, PA 17603, United States
  • Contact person’s name, position and contact details: Harpreet Chatha, Founder & CEO ([email protected])
  • Activities relevant to the data transferred: Provision of the AI-powered event intelligence platform and Services to the Customer in accordance with the Agreement
  • Signature and date: As set forth in the Agreement
  • Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

  • Customer’s authorized users (event organizers, administrators)
  • Event attendees and participants
  • Exhibitors and sponsors
  • Speakers and presenters
  • Visitor contacts engaging with Customer’s events

Categories of personal data transferred:

Standard Event Data:
  • Identification Data: First Name, Last Name, UserID
  • Contact Data: Email Address, Phone Number
  • Professional Data: Job Title, Company, Department
  • Event Data: Attendee Type, Registration Status
  • Location Data: Country, City (if applicable)
Behavioral Event Data (when beacon technology is enabled):
  • Session attendance records
  • Booth visit logs
  • Networking interaction data
  • Content engagement metrics
Technical Data:
  • IP addresses
  • Device identifiers
  • Authentication tokens
Sensitive data transferred: No special categories of personal data under Article 9 of the GDPR are collected or processed.

Frequency of the transfer: Continuous basis during the term of the Agreement

Nature of the processing:

The processing activities include:
  1. Event Intelligence Processing:
    • Collection of attendee registration data via API integration
    • Real-time tracking of attendee movements using beacon technology
    • Analysis of behavioral patterns for event insights
    • Creation of anonymized aggregate analytics
  2. AI-Powered Personalization:
    • Processing profiles through machine learning algorithms
    • Automated attendee matching for networking (PeerConnect)
    • Content recommendations via Prescriptive Recommendation Engine (PRE™)
    • Natural language processing for Event Copilot AI
  3. Lead Management:
    • Lead qualification and scoring
    • Lead routing to stakeholders
    • ROI tracking and analysis
  4. Platform Operations:
    • Authentication and access control
    • Data storage and retrieval
    • CRM/marketing automation integration
    • Analytics dashboard generation
  5. Data Management:
    • Data cleansing and standardization
    • Profile enrichment
    • Metrics aggregation
    • Secure deletion per retention policies
Purpose(s) of the data transfer and further processing: To facilitate the performance of TurnoutNow’s AI-powered event intelligence platform and Services as described in the Agreement, including event analytics, attendee engagement, lead generation, and ROI measurement.

Period for which personal data will be retained:
  • Active event data: Duration of the event plus 90 days
  • Backup data: Removed within 6 months of event completion
  • Aggregate analytics: Retained for 24 months
  • As otherwise specified in the Agreement or required by law
For transfers to (sub-) processors: Subject matter, nature, and duration of processing are as described in the Agreement and this Annex.

C. COMPETENT SUPERVISORY AUTHORITY

For data exporters established in the EEA: As determined by application of Clause 13 of the SCCs based on the Member State of establishment. For other situations: The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses.

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES

TurnoutNow LLC implements and maintains the following technical and organizational measures to ensure appropriate security of Personal Data:

1. INFORMATION SECURITY MANAGEMENT

1.1 Security Framework

  • ISO 27001:2022 certified Information Security Management System
  • SOC 2 Type II compliance for security, availability, and confidentiality
  • Regular third-party security assessments and penetration testing
  • Formal risk assessment and treatment program

1.2 Policies and Procedures

  • Comprehensive information security policies reviewed annually
  • Data protection and privacy policies aligned with GDPR requirements
  • Incident response and breach notification procedures
  • Business continuity and disaster recovery plans

1.3 Security Governance

  • Designated Data Protection Officer (DPO)
  • Qualified security team responsible for security program
  • Regular management review of security controls
  • Continuous security monitoring and improvement

2. ACCESS CONTROL

2.1 Identity and Access Management

  • Multi-factor authentication (MFA) for all administrative access
  • Role-based access control (RBAC) with principle of least privilege
  • Regular access reviews and recertification (quarterly)
  • Automated provisioning and de-provisioning processes
  • Strong password policies and account lockout mechanisms

2.2 Privileged Access Management

  • Separate administrative accounts
  • Just-in-time access for privileged operations
  • Session recording for high-privilege activities
  • Regular rotation of service account credentials

3. DATA PROTECTION

3.1 Encryption

  • AES-256 encryption for data at rest
  • TLS 1.2+ for data in transit
  • Key management using industry-standard practices
  • Encrypted backups and archives

3.2 Data Segregation

  • Logical separation of customer data in multi-tenant architecture
  • Database-level isolation
  • Application-level access controls
  • Separate encryption keys per customer

3.3 Data Minimization

  • Collection limited to necessary data
  • Automated data retention and deletion policies
  • Regular data purging processes
  • Anonymization for analytics

4. INFRASTRUCTURE SECURITY

4.1 Network Security

  • Web Application Firewall (WAF)
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • Network segmentation and micro-segmentation
  • DDoS protection
  • Regular vulnerability scanning

4.2 Endpoint Security

  • Endpoint Detection and Response (EDR)
  • Anti-malware protection
  • Host-based firewalls
  • Patch management program
  • Mobile Device Management (MDM) for corporate devices

4.3 Cloud Security (AWS)

  • Virtual Private Cloud (VPC) implementation
  • Security Groups and Network ACLs
  • AWS CloudTrail for audit logging
  • AWS Config for compliance monitoring
  • Multi-Availability Zone deployment for resilience

5. OPERATIONAL SECURITY

5.1 Change Management

  • Formal change control process
  • Code review and security testing
  • Separation of development, testing, and production
  • Version control and rollback procedures

5.2 Vulnerability Management

  • Regular vulnerability assessments (monthly)
  • Penetration testing (annually)
  • Patch management SLAs: Critical (24 hours), High (7 days), Medium (30 days)
  • Security scanning in CI/CD pipeline

5.3 Logging and Monitoring

  • Centralized log management (SIEM)
  • Real-time security monitoring
  • Automated alerting for security events
  • Log retention for minimum 12 months
  • Regular log reviews

6. INCIDENT MANAGEMENT

6.1 Incident Response

  • 24/7 security operations center (SOC)
  • Defined incident response team and procedures
  • Incident classification and escalation matrix
  • Root cause analysis and lessons learned
  • Regular incident response drills

6.2 Breach Notification

  • Documented breach notification procedures
  • 72-hour notification commitment to Controller
  • Breach response team with defined roles
  • Template communications and workflows
  • Post-incident review process

7. PHYSICAL SECURITY

7.1 Data Center Security (via AWS)

  • 24/7 physical security monitoring
  • Biometric access controls
  • Video surveillance
  • Environmental controls (temperature, humidity, fire suppression)
  • Redundant power and cooling systems

8. PERSONNEL SECURITY

8.1 Background Checks

  • Employment verification
  • Criminal background checks (where legally permitted)
  • Reference checks
  • Education verification for key positions

8.2 Training and Awareness

  • Security awareness training during onboarding
  • Annual data protection and privacy training
  • Role-specific security training
  • Phishing simulation exercises
  • Security policy acknowledgment

8.3 Confidentiality

  • Confidentiality agreements for all personnel
  • Non-disclosure agreements for contractors
  • Data handling guidelines and procedures
  • Clean desk policy

9. BUSINESS CONTINUITY

9.1 Backup and Recovery

  • Daily automated backups
  • Geographically distributed backup storage
  • Regular backup restoration testing
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours

9.2 Disaster Recovery

  • Documented disaster recovery plan
  • Annual DR testing and exercises
  • Alternative processing sites
  • Crisis communication procedures
  • Supply chain continuity planning

10. COMPLIANCE AND AUDIT

10.1 Compliance Monitoring

  • Regular compliance assessments
  • Internal audit program
  • External audits and certifications
  • Regulatory compliance tracking
  • Corrective action management

10.2 Third-Party Management

  • Vendor risk assessment process
  • Security requirements in vendor contracts
  • Regular vendor security reviews
  • Sub-processor due diligence
  • Performance monitoring

ANNEX III – LIST OF SUB-PROCESSORS

The Controller has authorized the use of the following Sub-processors:
  • Amazon Web Services, Inc.: Cloud infrastructure and hosting services; Location: United States; Appropriate safeguards: Standard Contractual Clauses, SOC 2 Type II
  • PostHog, Inc.: Product analytics and click tracking; Location: United States; Appropriate safeguards: Standard Contractual Clauses, GDPR compliant
  • Vercel: Frontend hosting platform; Location: United States; Appropriate safeguards: Standard Contractual Clauses, GDPR compliant
  • Google Cloud Platform: Cloud infrastructure and hosting services; Location: United States; Appropriate safeguards: Standard Contractual Clauses, SOC 2 Type II
Note: This list is subject to change. Please check https://security.turnoutnow.com for updates.

ANNEX IV – DATA SUBJECT RIGHTS PROCEDURES

Procedure for Handling Data Subject Requests

  1. Receipt of Request: All Data Subject requests received by Processor shall be forwarded to Controller within 2 business days to: [Customer’s designated email]
  2. Request Verification: Controller responsible for verifying identity of Data Subject
  3. Response Timeline: Processor shall provide necessary assistance within 10 business days of Controller’s request
  4. Technical Assistance: Processor provides:
    • Data export in JSON or CSV format
    • Deletion confirmation logs
    • Access to self-service portals where available
    • Technical documentation as needed
  5. Documentation: All requests and responses logged and retained for audit purposes