Data Processing Agreement

Last updated: 12 January 2026


Parties and Execution

Processor

BOOKSVP Ltd

Company number: 12953465

Registered office address: 30 St Giles, Oxford, OX1 3LE

(referred to as "BOOKSVP" in the Main Agreement and "BOOKSVP" or "Processor" in this DPA)

Controller

The "Customer"

As set out in the Main Agreement

(referred to as "Customer" in the Main Agreement and "Customer" or "Controller" in this DPA)


Variables

Parties' relationship: Controller to Processor
Parties' roles: Customer will act as the Controller (as defined in Section 1 of the Terms)

BOOKSVP will act as the Processor (as defined in Section 1 of the Terms)
Contacts
Controller: As set out in the Notices clause (Clause 16.10) of the Main Agreement.
Processor: As set out in the Notices clause (Clause 16.10) of the Main Agreement.
Main Agreement: The Agreement entered into between BOOKSVP and the Customer in relation to the provision of the Services under and in accordance with the ARTSVP Terms of Service
Term: This DPA will commence on the Effective Date as set out in the Main Agreement and will continue for the Term as set out in the Main Agreement.
Breach Notification Period: Without undue delay after becoming aware of a personal data breach
Sub-processor Notification Period: A reasonable timeframe before the new sub-processor is granted access to Personal Data
Liability Cap: Each party's aggregate liability under this DPA will not exceed the liability caps as per the Main Agreement
Governing Law and Jurisdiction: As per the Main Agreement
Data Protection Laws: All laws, regulations and court orders which apply to the processing of Personal Data in:
  • the European Economic Area (EEA)
  • the United Kingdom (UK)

This includes the European Union Regulation (EU) 2016/679, the UK GDPR and the Data Protection Act 2018, each as amended from time to time.

Services related to processing: As described in the Main Agreement
Duration of processing: For the Term of this DPA
Nature and purpose of processing: Collection, storage, organising, amending/updating and deletion for the purposes of providing the Services under the Main Agreement including to:
  (a) process bookings;
  (b) deliver updates on bookings; and
  (c) provide the Controller with marketing functionality.

Personal Data

In this section:

  • "Client" means the end consumer customers of the Customer attending a Customer event.
  • "Customised Field" means any tailored field requested to be added to the Customer's account on the ARTSVP Platform by the Customer and implemented by BOOKSVP during the Term; this may include, but is not limited to, the collection of Client personal data, such as occupation, dietary preference etc.
  • "Exhibitor" means a business displaying works/hosting a stand at a Customer event.
  • "Partner" means a partner of the Customer relating to a Customer event (such as a vendor).
  • "Sponsor" means a sponsor of a Customer event.

Customer's Clients

  • Identity Data: first name, last name, profile picture (optional)
  • Contact Data: email address, telephone number, billing address (which may be the Client's residential address)
  • Financial Data: payment card details
  • Transaction Data: details about payments to and from the Client
  • Location Data: the Client's current location as disclosed by the QR code check-in process, at the time of check-in

Customer's personnel

  • Identity Data: first name, last name, profile picture (optional)
  • Contact Data: email address (work)

Exhibitor's, Sponsor's and Partner's customers

  • Identity Data: first name, last name
  • Contact Data: email address

Exhibitor's, Sponsor's and Partner's personnel

  • Identity Data: first name, last name, profile picture (optional)
  • Contact Data: email address (work)

plus any other personal data that may be shared:

  • by the Customer, Exhibitor, Partner or Sponsor via the user interface of the ARTSVP Platform (including the "Tags" and "Meta data" features or any Customised Field) which may include special categories of personal data; and
  • by Clients when making a booking using the ARTSVP Platform.

Data Subjects

The individuals whose Personal Data will be processed are:

  • Customer's Clients
  • Customer's personnel
  • Exhibitor's customers
  • Exhibitor's personnel
  • Partner's customers
  • Partner's personnel
  • Sponsor's customers
  • Sponsor's personnel

Special provisions: In relation to amendments to this DPA, clause 16.3 of the Main Agreement shall override clause 5.6 in the Terms below.
Transfer Mechanism: N/A

Annex 1: Security Measures

Technical and organisational measures to ensure the security of Personal Data:

Technical Measures

  • System access controls: Processor employs an identity and access management system integrated with Google, while other platforms follow standardized protocols under CISO direction.
  • Data access controls: access to Customer data is strictly controlled through role-based access control systems that limit Processor employees to only the information necessary for their specific responsibilities.
  • Data encryption: all data is encrypted via SSL/TLS when transmitted from our servers to the browser, and our database backups are also encrypted. Customer information is encrypted both during storage and transmission using industry-standard protocols. Full-disk encryption is enabled across all company devices. No production data is stored locally on individual machines.
  • CDN Layer (Content Delivery Network): ARTSVP uses Cloudflare as a global content delivery network and security layer to improve performance, availability, and resilience of the Services, including protection against distributed denial-of-service (DDoS) attacks, traffic filtering, and web application firewall (WAF) controls.
  • Anti-virus and intrusion prevention devices
  • Multi-factor authentication is mandatory across all platforms where available, complemented by single sign-on capabilities.
  • Privileged customer accounts undergo regular monitoring and auditing to detect any unauthorised access attempts.
  • Secure channels are used for any transmission of sensitive data (specifically Keybase and the password management system 1Password).

Organisational Measures

  • Processor has a designated Chief Information Security Officer who directs the implementation and continuous monitoring of all security initiatives.
  • Building access controls
  • Data Security Awareness Training: for all new joiners and annual refresher for all personnel. Mandatory cybersecurity training programs for all employees.
  • Vendor due diligence process: Risk management is embedded throughout operations, with assessments conducted whenever new vendors or technologies are considered.
  • Personnel background checks and binding confidentiality obligations
  • Security policies, including:
    • Information Security Policy and Charter
    • Disaster Recovery & Security Incident Policy
    • A data classification system that categorises information by sensitivity level, with corresponding handling procedures for each category

    plus regular policy reviews that address incidents and identify areas for improvement.

  • Password security is maintained through an organisation-wide password manager, and automated provisioning processes ensure access rights are promptly updated when personnel changes occur.

Annex 2: Sub-processors

Current sub-processors:

Name of Sub-processor | Location of Processing | Transfer Mechanism
Stripe (payment processor) | EU/UK | N/A
Twilio (notifications) | EU/UK | N/A
Mailgun (transactional emails) | EU/UK | N/A

Terms

1. What is this agreement about?

1.1 Purpose. The parties are entering into this Data Processing Agreement (DPA) for the purpose of processing Personal Data (as defined above).

1.2 Definitions. Under this DPA:

  (a) adequate country means a country or territory that is recognised under Data Protection Laws from time to time as providing adequate protection for processing Personal Data, and
  (b) Controller, data subject, personal data breach, process/processing, Processor and supervisory authority have the same meanings as in the Data Protection Laws.

2. What are each party's obligations?

2.1 Controller obligations. Controller instructs Processor to process Personal Data in accordance with this DPA, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Processor to process Personal Data.

2.2 Processor obligations. Processor will:

  (a) only process Personal Data in accordance with this DPA and Controller's instructions (unless legally required to do otherwise),
  (b) not sell, retain or use any Personal Data for any purpose other than as permitted by this DPA and the Main Agreement,
  (c) inform Controller immediately if (in its opinion) any instructions infringe Data Protection Laws,
  (d) use the technical and organisational measures described in Annex 1 when processing Personal Data to ensure a level of security appropriate to the risk involved,
  (e) notify Controller of a personal data breach within the Breach Notification Period and provide assistance to Controller as required under Data Protection Laws in responding to it,
  (f) ensure that anyone authorised to process Personal Data is committed to confidentiality obligations,
  (g) without undue delay, provide Controller with reasonable assistance with:
    (i) data protection impact assessments,
    (ii) responses to data subjects' requests to exercise their rights under Data Protection Laws, and
    (iii) engagement with supervisory authorities,
  (h) if requested, provide Controller with information necessary to demonstrate its compliance with obligations under Data Protection Laws and this DPA,
  (i) allow for audits at Controller's reasonable request, provided that audits are limited to once a year and during business hours except in the event of a personal data breach, and
  (j) return Personal Data upon Controller's written request or delete Personal Data by the end of the Term, unless retention is legally required.

2.3 Warranties. The parties warrant that they and any staff and/or subcontractors will comply with their respective obligations under Data Protection Laws for the Term.

3. Sub-processing

3.1 Use of sub-processors. Controller authorises Processor to engage other processors (referred to in this section as sub-processors) when processing Personal Data. Processor's existing sub-processors are listed in Annex 2.

3.2 Sub-processor requirements. Processor will:

  (a) require its sub-processors to comply with equivalent terms as Processor's obligations in this DPA,
  (b) ensure appropriate safeguards are in place before internationally transferring Personal Data to its sub-processor, and
  (c) be liable for any acts, errors or omissions of its sub-processors as if they were a party to this DPA.

3.3 Approvals. Processor may appoint new sub-processors provided that they notify Controller in writing in accordance with the Sub-processor Notification Period.

3.4 Objections. Controller may reasonably object in writing to any future sub-processor. If the parties cannot agree on a solution within a reasonable time, either party may terminate this DPA.

4. International personal data transfers

4.1 Instructions. Processor will transfer Personal Data outside the UK, the EEA or an adequate country only on documented instructions from Controller, unless otherwise required by law.

4.2 Transfer mechanism. Where a party is located outside the UK, the EEA or an adequate country and receives Personal Data:

  (a) that party will act as the data importer,
  (b) the other party is the data exporter, and
  (c) the relevant Transfer Mechanism will apply.

4.3 Additional measures. If the Transfer Mechanism is insufficient to safeguard the transferred Personal Data, the data importer will promptly implement supplementary measures to ensure Personal Data is protected to the same standard as required under Data Protection Laws.

4.4 Disclosures. Subject to terms of the relevant Transfer Mechanism, if the data importer receives a request from a public authority to access Personal Data, it will (if legally allowed):

  (a) challenge the request and promptly notify the data exporter about it, and
  (b) only disclose to the public authority the minimum amount of Personal Data required and keep a record of the disclosure.

5. Other important information

5.1 Survival. Any provision of this DPA which is intended to survive the Term will remain in full force.

5.2 Order of precedence. In case of a conflict between this DPA and other relevant agreements, they will take priority in this order:

  (a) Transfer Mechanism,
  (b) DPA,
  (c) Main Agreement.

5.3 Notices. Formal notices under this DPA must be in writing and sent to the Contact on the DPA's front page as may be updated by a party to the other in writing.

5.4 Third parties. Except for affiliates, no one other than a party to this DPA has the right to enforce any of its terms.

5.5 Entire agreement. This DPA supersedes all prior discussions and agreements and constitutes the entire agreement between the parties with respect to its subject matter and neither party has relied on any statement or representation of any person in entering into this DPA.

5.6 Amendments. Any amendments to this DPA must be agreed in writing.

5.7 Assignment. Neither party can assign this DPA to anyone else without the other party's consent.

5.8 Waiver. If a party fails to enforce a right under this DPA, that is not a waiver of that right at any time.

5.9 Governing law and jurisdiction. The Governing Law applies to this DPA and all disputes will only be litigated in the courts of the Jurisdiction.