
Data Processing Agreement (DPA)

Last updated: 11 March 2026

Preamble

This Data Processing Agreement (hereinafter "DPA") is entered into between the customer of the SaaS platform Konvio (hereinafter "Controller") and

Ing. Philipp Zöchner, Sackstraße 26, 8010 Graz, Austria (hereinafter "Processor").

This DPA supplements the General Terms and Conditions (GTC) of the Konvio platform and governs the data protection obligations of the parties pursuant to Art. 28 of Regulation (EU) 2016/679 (GDPR) and § 12 of the Austrian Data Protection Act (DSG).

§ 1 Subject Matter and Duration of Processing

The Processor processes personal data on behalf of the Controller in the context of providing the Konvio SaaS platform for event management and CRM.

The duration of processing corresponds to the term of the service agreement between the Controller and the Processor as defined in the GTC.

§ 2 Nature and Purpose of Processing

The processing includes the following activities in the context of platform usage:

  • Storage and management of event data
  • Processing of registration data for events
  • Management of contact and company data in the CRM
  • Sending email notifications and messages
  • Creation and management of invoices
  • Provision of data collection forms
  • Management of exhibitor data and booth bookings
  • Provision of event catalogs and public pages

The purpose of processing is the provision of the contractually agreed SaaS services.

§ 3 Types of Personal Data and Categories of Data Subjects

Types of personal data processed:

  • Contact data (name, email address, phone number, address)
  • Company data (company name, VAT ID, business address)
  • Registration data (username, hashed password)
  • Event-related data (registrations, booth bookings, attendee lists)
  • Communication data (messages, email content)
  • Billing data (billing addresses, amounts)
  • Usage data (page views within the platform, activity log)
  • Data collected by customers via forms (defined by the Controller)

Categories of data subjects:

  • Employees and representatives of the Controller
  • Event participants and registrants
  • Exhibitors and their contact persons
  • Contacts in the Controller's CRM
  • Recipients of emails and messages

§ 4 Obligations and Rights of the Controller

  • The Controller is responsible for the lawfulness of data processing and ensures that a valid legal basis for processing exists.
  • The Controller issues instructions to the Processor regarding the processing of personal data. Instructions are generally issued through the use of platform features.
  • The Controller has the right to verify compliance with data protection regulations and this DPA (see § 9).
  • The Controller shall inform the Processor immediately if it detects errors or irregularities in the processing.

§ 5 Obligations of the Processor

  • The Processor processes personal data solely on the basis of documented instructions from the Controller, unless processing is required by Union or Member State law (Art. 28(3)(a) GDPR).
  • The Processor ensures that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of secrecy (Art. 28(3)(b) GDPR).
  • The Processor takes all measures required pursuant to Art. 32 GDPR regarding the security of processing (see Annex 1).
  • The Processor assists the Controller in fulfilling data subject rights under Art. 15–22 GDPR (Art. 28(3)(e) GDPR).
  • The Processor assists the Controller in complying with obligations under Art. 32–36 GDPR, in particular regarding data protection impact assessments and breach notifications (Art. 28(3)(f) GDPR).
  • The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other data protection provisions (Art. 28(3) sentence 3 GDPR).

§ 6 Sub-processors

The Controller grants the Processor general authorization to engage sub-processors pursuant to Art. 28(2) GDPR.

At the time of concluding this DPA, the Processor engages the following sub-processors:

  • Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) — Hosting and infrastructure
  • Scaleway SAS (8 rue de la Ville-l'Évêque, 75008 Paris, France) — Email delivery and data backup
  • Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) — Authentication (Social Login via Google OAuth)

All sub-processors are located in the European Union. No data transfers to third countries take place.

The Processor shall inform the Controller in advance of any intended changes regarding the addition or replacement of sub-processors. The Controller has the right to object to the change within 30 days of notification. In the event of a justified objection, the Processor shall either not proceed with the change or provide the Controller with the option to terminate the agreement without penalty.

The Processor ensures that sub-processors comply with the same data protection obligations as set out in this DPA (Art. 28(4) GDPR).

§ 7 Data Breach Notification

The Processor shall notify the Controller of any personal data breach without undue delay, and no later than 24 hours after becoming aware of it (Art. 33(2) GDPR).

The notification shall include at least:

  • A description of the nature of the breach, including the categories and approximate number of affected data subjects and data records
  • The name and contact details of the responsible contact person
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to remedy the breach

§ 8 Deletion and Return of Data

Upon termination of the service agreement, the Processor shall delete all personal data processed on behalf of the Controller within 30 days, unless a statutory retention obligation exists (Art. 28(3)(g) GDPR).

The Controller has the option to export their data via the platform before the 30-day period expires.

Upon request, the Processor shall confirm the complete deletion of data in writing.

§ 9 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and shall allow for and contribute to audits, including inspections (Art. 28(3)(h) GDPR).

Audits are subject to the following conditions:

  • Advance notice of at least 30 days
  • Conducted during regular business hours
  • Maintaining confidentiality and protection of trade secrets
  • The costs of the audit shall be borne by the Controller

Annex 1: Technical and Organizational Measures (TOMs)

The Processor implements the following measures pursuant to Art. 32 GDPR:

1. Encryption and Pseudonymization

  • TLS/SSL encryption for all data transfers (HTTPS)
  • Encryption of data at rest on servers
  • Password hashing with industry-standard algorithms (bcrypt)

2. Confidentiality

  • Access control via role-based permission systems
  • Multi-tenant architecture with strict data separation per organization
  • Authentication via secure session management and optional two-factor authentication

3. Integrity

  • Automated input validation and data sanitization
  • Logging of data changes (audit trail)
  • Regular security reviews and updates of software dependencies

4. Availability and Resilience

  • Daily automated backups with geographically separated storage
  • Hosting in EU data centers with high availability (Hetzner, Germany)
  • System availability monitoring and automatic notifications

5. Recoverability

  • Documented procedures for recovery after system failures
  • Regular testing of backup restoration

6. Regular Review

  • Regular review and adjustment of technical and organizational measures
  • Consideration of the state of the art when selecting and implementing security measures

Annex 2: List of Sub-processors

Last updated: 11 March 2026

Sub-processor          | Location              | Processing Purpose
-----------------------|-----------------------|--------------------------------------------------------------
Hetzner Online GmbH    | Gunzenhausen, Germany | Hosting, server infrastructure, databases
Scaleway SAS           | Paris, France         | Email delivery (transactional email), data backup
Google Ireland Limited | Dublin, Ireland       | Authentication (Social Login via Google OAuth) — Data: name, email address, profile picture

Note: This DPA has been created as a standard template. For legally binding adaptations, we recommend review by an attorney specializing in data protection law.