Data Processing Agreement

Last Updated: January 23, 2025

This Data Processing Agreement ("DPA") is entered into between dinnerHQ, LLC ("Controller" or "dinnerHQ") and you ("Data Subject") pursuant to the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR.

This DPA supplements our Privacy Policy and provides additional details regarding:

  • Standard Contractual Clauses (SCCs) for international data transfers
  • Sub-processors who process your personal data on our behalf
  • Technical and organizational security measures
  • Your rights under GDPR and our obligations as Data Controller

Important: This DPA is legally binding and forms part of our agreement with you when you use dinnerHQ services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person (you), as defined in GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion, as defined in GDPR Article 4(2).
  • "Processor" means a third-party service provider that processes Personal Data on behalf of dinnerHQ (the Controller), as defined in GDPR Article 4(8).
  • "Sub-Processor" means a Processor engaged by dinnerHQ to assist with specific data processing activities.
  • "Standard Contractual Clauses" (SCCs) means the contractual terms approved by the European Commission (Decision 2021/914) for international data transfers from the EEA to countries without an adequacy decision.
  • "Data Subject" means you, the individual to whom Personal Data relates.
  • "Controller" means dinnerHQ, LLC, the entity that determines the purposes and means of processing your Personal Data.

2. Scope and Purpose of Processing

dinnerHQ processes your Personal Data for the following purposes:

  • Event Management: To register you for networking dinners, assign seating, send event confirmations, and manage attendance.
  • Payment Processing: To process ticket payments via Stripe and issue invoices/receipts.
  • Profile Management: To maintain your user profile, professional information, and networking preferences.
  • Matchmaking Algorithm: To match you with relevant attendees based on industry, seniority, and interests.
  • Sponsor Data Sharing: To share your information with event sponsors (if you opt-in via explicit consent).
  • Email Communications: To send event invitations, reminders, updates, and marketing emails (where you have consented).
  • Analytics and Product Improvement: To analyze usage patterns, improve our platform, and measure event success (using PostHog analytics).
  • Security and Fraud Prevention: To detect fraud, prevent unauthorized access, and enforce our Terms of Use.

Legal Basis: We process your data based on (a) your consent (GDPR Article 6(1)(a)), (b) performance of our contract with you (GDPR Article 6(1)(b)), (c) compliance with legal obligations (GDPR Article 6(1)(c)), and (d) our legitimate interests (GDPR Article 6(1)(f)) where necessary for fraud prevention and service improvement.

3. Categories of Personal Data Processed

We process the following categories of Personal Data about you:

  • Identity Data: First name, last name, email address, password (hashed)
  • Professional Data: Company name, job title, LinkedIn URL, industry/vertical, seniority level, years of experience
  • Contact Data: Email address, phone number (if provided)
  • Event Data: Event registrations, attendance history, seating assignments, dietary preferences
  • Payment Data: Payment method (stored by Stripe), transaction history, invoice/receipt data
  • Technical Data: IP address, browser type, device fingerprint, session logs, cookies
  • Marketing Data: Email open/click tracking, event RSVP behavior, sponsor opt-in status
  • Analytics Data: Usage patterns, feature interactions, A/B test assignments (PostHog)

4. International Data Transfers and Standard Contractual Clauses

dinnerHQ is based in the United States. When you access our services from the European Economic Area (EEA), United Kingdom, or Switzerland, your Personal Data is transferred to the United States. The United States has no general adequacy decision from the European Commission under GDPR Article 45 (the EU-US Data Privacy Framework adequacy decision of July 2023 covers only organizations self-certified under that framework), so we rely on the transfer safeguards described in Section 4.1.

4.1 Legal Safeguards for International Transfers

To protect your Personal Data during international transfers, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): We have executed SCCs approved by the European Commission (Decision 2021/914) with all Sub-Processors who receive your data. These SCCs are legally binding contracts that require Sub-Processors to provide a level of data protection essentially equivalent to that guaranteed by GDPR.
  • UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA approved by the UK Information Commissioner's Office (ICO).
  • Supplementary Measures: In addition to SCCs, we implement technical safeguards including encryption in transit (TLS 1.3) and at rest, data minimization, and access controls to mitigate the risk of interception or unauthorized access in third countries. Because Sub-Processors must handle your data in readable form to provide their services (for example, to store it in a database or process a payment), these measures reduce the risk of interception and unauthorized access but do not by themselves prevent a Sub-Processor from being compelled to disclose data under the laws of the country where it operates.

4.2 Request a Copy of SCCs

Under GDPR Articles 13(1)(f) and 15(2), you have the right to be informed of the safeguards we rely on for international transfers, including the Standard Contractual Clauses adopted under Article 46(2)(c), and to obtain a copy of them. To request a copy, email [email protected] with the subject line "SCC Request". We will provide a copy within 30 days.

4.3 Objection to International Transfers

If you object to international data transfers, you may choose not to use our services. We cannot provide our services without transferring data to US-based Sub-Processors (see Section 5). However, where technically feasible, we can accommodate requests to store your data on EU servers. Email [email protected] to request EU-based hosting options.

5. Sub-Processors

dinnerHQ engages the following Sub-Processors to process your Personal Data on our behalf. All Sub-Processors have executed Data Processing Agreements (DPAs) with dinnerHQ containing Standard Contractual Clauses (SCCs) for international data transfers.

  • Neon (Neon, Inc.)
    Service: PostgreSQL database hosting (stores all user data, event data, and payment records)
    Data Location: United States (AWS us-east-1)
    SCCs: Yes (EU SCCs)
  • Vercel Inc.
    Service: Web hosting, serverless functions, Blob Storage (caching events/images)
    Data Location: United States (global CDN edge network)
    SCCs: Yes (EU SCCs)
  • Stripe, Inc.
    Service: Payment processing (credit card transactions, invoices, receipts)
    Data Location: United States (Stripe is a PCI DSS Level 1 certified service provider)
    SCCs: Yes (EU SCCs)
  • PostHog Inc.
    Service: Product analytics, feature flags, session recordings (usage tracking)
    Data Location: United States (PostHog Cloud US region)
    SCCs: Yes (EU SCCs)
  • Loops (Loops, Inc.)
    Service: Transactional email delivery (event confirmations, password resets, receipts)
    Data Location: United States (AWS us-east-1)
    SCCs: Yes (EU SCCs)
  • LeadMagic
    Service: Email validation and company enrichment (validates business emails during signup)
    Data Location: United States
    SCCs: Yes (EU SCCs)
  • Cloudflare, Inc.
    Service: CDN, DDoS protection, Cloudflare Stream (video hosting), Cloudflare Images (image optimization)
    Data Location: United States (global edge network)
    SCCs: Yes (EU SCCs)

5.1 Changes to Sub-Processors

We reserve the right to add, replace, or remove Sub-Processors at our discretion. However, we will notify you of any changes to our Sub-Processor list by:

  • Updating this DPA and posting a notice on our website at least 30 days before the change
  • Sending an email notification to your registered email address (if you have opted in to service updates)

Your Right to Object: GDPR Article 28(2) gives a controller the right to object to its processor's appointment of a new sub-processor; we extend an equivalent right to you. You may object to the appointment of a new Sub-Processor on reasonable grounds relating to data protection. If you object, you must email [email protected] within 14 days of receiving notice. If we cannot accommodate your objection, you may terminate your account and request deletion of your data under GDPR Article 17 (Right to Erasure).

5.2 Request Current Sub-Processor List

To request the most current list of Sub-Processors (including any updates since this DPA was published), email [email protected] with the subject line "Sub-Processor List Request". We will respond within 10 business days.

6. Technical and Organizational Security Measures

In accordance with GDPR Article 32, dinnerHQ implements the following technical and organizational measures to protect your Personal Data:

6.1 Technical Measures

  • Encryption: TLS 1.3 for data in transit; AES-256 encryption at rest (Neon PostgreSQL)
  • Access Controls: Database row-level security (RLS), multi-factor authentication (MFA) for all admin accounts, role-based access controls (RBAC)
  • Network Security: Database access through a transaction pooler with connection limits (caps concurrent database connections), IP allowlisting for admin access, DDoS protection via Cloudflare and the Vercel Edge Network
  • Security Testing: Annual penetration testing, quarterly external vulnerability scans, automated dependency scanning
  • Patch Management: Automated security patching within 7 days of critical vulnerability disclosure
  • Logging & Monitoring: Access logs retained 90 days in hot storage (archival periods are set out in Section 9.1), real-time intrusion detection, automated alerting for suspicious activity
  • Backups: Nightly encrypted database backups with 30-day retention, tested quarterly
  • Pseudonymization and Identifier Hygiene: User IDs are UUIDs rather than sequential integers, so accounts cannot be enumerated by incrementing an ID; session tokens are stored as SHA-256 hashes, so a compromise of the stored values does not yield usable sessions

6.2 Organizational Measures

  • Staff Training: Annual security and data protection training for all personnel with access to Personal Data
  • Incident Response: Written incident response plan tested quarterly; 72-hour breach notification procedure (GDPR Article 33)
  • Data Minimization: Unverified accounts deleted after 30 days; inactive accounts reviewed annually
  • Vendor Management: All Sub-Processors undergo risk assessment and execute Data Processing Agreements (DPAs) with Standard Contractual Clauses
  • Confidentiality: All employees and contractors sign confidentiality agreements (NDAs)
  • Access Reviews: Quarterly review and revocation of unnecessary access permissions
  • Data Protection Officer (DPO): Designated DPO available at [email protected]

6.3 Physical Security

dinnerHQ does not operate physical data centers. All data is hosted by certified Sub-Processors (Neon, Vercel, Stripe) who maintain independent certifications such as SOC 2 Type II and ISO 27001, and, for payment card data, PCI DSS Level 1. These Sub-Processors provide:

  • 24/7 physical security at data centers (biometric access, video surveillance)
  • Redundant power and network infrastructure
  • Geographic data replication for disaster recovery
  • Annual third-party security audits

7. Your Rights Under GDPR

As a Data Subject under GDPR, you have the following rights regarding your Personal Data:

7.1 Right of Access (GDPR Article 15)

You have the right to request a copy of all Personal Data we hold about you. To exercise this right, email [email protected] with the subject line "Data Access Request". We will respond within 30 days and provide your data in a structured, commonly used, machine-readable format (JSON or CSV).

7.2 Right to Rectification (GDPR Article 16)

You have the right to correct inaccurate or incomplete Personal Data. You can update most information directly in your profile settings. For data you cannot edit yourself, email [email protected].

7.3 Right to Erasure ("Right to Be Forgotten") (GDPR Article 17)

You have the right to request deletion of your Personal Data. To exercise this right, email [email protected] with the subject line "Deletion Request". We will delete your data within 30 days, except where retention is required by law (e.g., tax records, fraud investigations).

Exceptions: We may refuse deletion requests if we need to retain your data to:

  • Comply with legal obligations (e.g., 7-year tax record retention)
  • Establish, exercise, or defend legal claims (e.g., ongoing litigation)
  • Detect and prevent fraud or security threats

7.4 Right to Restriction of Processing (GDPR Article 18)

You have the right to request that we temporarily stop processing your Personal Data (without deleting it) if:

  • You contest the accuracy of your data (we will restrict processing until accuracy is verified)
  • Processing is unlawful and you prefer restriction over deletion
  • You need the data for a legal claim but we no longer need it

To request restriction, email [email protected] with the subject line "Restriction Request".

7.5 Right to Data Portability (GDPR Article 20)

You have the right to receive your Personal Data in a structured, machine-readable format (JSON or CSV) and transmit it to another controller. To request a data export, email [email protected] with the subject line "Data Portability Request". We will provide your data within 30 days.

7.6 Right to Object (GDPR Article 21)

You have the right to object to processing of your Personal Data where we rely on legitimate interests (GDPR Article 6(1)(f)) as our legal basis. This includes:

  • Direct Marketing: You can opt out of marketing emails at any time by clicking "Unsubscribe" in any email or updating your preferences in profile settings.
  • Analytics and Profiling: You can opt out of PostHog analytics by enabling "Do Not Track" in your browser or emailing [email protected].

7.7 Right to Withdraw Consent (GDPR Article 7(3))

Where we process your data based on consent (e.g., sponsor data sharing, marketing emails), you have the right to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing before withdrawal.

To withdraw consent:

  • Sponsor Data Sharing: Update your consent preferences in profile settings
  • Marketing Emails: Click "Unsubscribe" in any email
  • All Consents: Email [email protected] to revoke all consents at once

7.8 Right to Lodge a Complaint (GDPR Article 77)

You have the right to lodge a complaint with a supervisory authority (Data Protection Authority) in your country if you believe we have violated GDPR. Contact details for EU/EEA supervisory authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

8. Data Breach Notification

In the event of a personal data breach, dinnerHQ will comply with GDPR Articles 33 and 34:

8.1 Notification to Supervisory Authority (GDPR Article 33)

We will notify the relevant supervisory authority (Data Protection Authority) within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to your rights and freedoms.

8.2 Notification to Data Subjects (GDPR Article 34)

If a data breach is likely to result in a high risk to your rights and freedoms (e.g., identity theft, financial loss, discrimination), we will notify you without undue delay via email to your registered email address. Our notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures we have taken or propose to take to mitigate the breach
  • Contact details of our Data Protection Officer (DPO)

8.3 Your Right to Compensation (GDPR Article 82)

Under GDPR Article 82, you have the right to receive compensation from dinnerHQ if you suffer material or non-material damage as a result of a data breach caused by our violation of GDPR. This right cannot be contractually limited (see Section 13 of our Terms of Use for liability limitations that do not apply to GDPR violations).

9. Data Retention and Deletion

We retain your Personal Data only as long as necessary for the purposes described in Section 2 or as required by law (GDPR Article 5(1)(e) - storage limitation principle).

9.1 Retention Periods

  • Active Accounts: Retained indefinitely while your account is active
  • Unverified Accounts: Deleted after 30 days if email address is not verified
  • Inactive Accounts: Reviewed annually; deleted after 3 years of inactivity (no logins, no event registrations)
  • Payment Records: Retained for 7 years to comply with tax laws (IRS, HMRC)
  • Access Logs: Retained for 90 days (hot storage), then archived for 2 years (cold storage)
  • Marketing Data: Deleted immediately upon opt-out (email unsubscribe)
  • Legal Claims: Retained until the statute of limitations expires (varies by jurisdiction)

9.2 Deletion Procedure

When data is deleted, we use a secure deletion process:

  • Database Records: Deleted from the production database with SQL DELETE; once the backup retention window below has elapsed, the records are not recoverable from production or from any backup
  • Backups: Backups containing the data expire within 30 days (our maximum backup retention period), after which the data no longer exists in any backup
  • Third-Party Processors: We instruct Sub-Processors to delete your data from their systems within 30 days
  • Cache: Cached data (Vercel Blob, Cloudflare CDN) is purged within 24 hours

10. Audits and Compliance Verification

GDPR Article 28(3)(h) requires a processor to make available to its controller the information necessary to demonstrate compliance; we extend an equivalent right to you with respect to our compliance with GDPR and this DPA. Upon written request, we will provide:

  • Copies of security certifications (SOC 2, ISO 27001) from our Sub-Processors
  • Annual penetration test reports (redacted for security)
  • Data Processing Agreements (DPAs) with Sub-Processors (redacted for confidentiality)
  • Standard Contractual Clauses (SCCs) for international transfers

To request compliance documentation, email [email protected] with the subject line "Compliance Documentation Request". We will respond within 30 days.

On-Site Audits: You may request an on-site audit of our data processing practices, subject to reasonable notice (30 days) and confidentiality agreements. We reserve the right to charge a fee for audits exceeding one business day. Email [email protected] to request an audit.

11. Liability and Indemnification

Under GDPR Article 82, both dinnerHQ (as Controller) and our Sub-Processors (as Processors) may be held liable for damages resulting from GDPR violations.

11.1 dinnerHQ's Liability

dinnerHQ is liable for damage caused by processing that violates GDPR, unless we can prove we are not responsible for the event giving rise to the damage (GDPR Article 82(3)). The $100 liability cap in our Terms of Use does not apply to GDPR violations (see Section 13 of Terms of Use).

11.2 Sub-Processor Liability

Our Sub-Processors (listed in Section 5) are liable for damage caused by their processing activities only where they have not complied with GDPR obligations specifically directed at Processors or where they have acted outside or contrary to our lawful instructions (GDPR Article 82(2)).

11.3 Claims Against dinnerHQ

If you suffer damage caused by a Sub-Processor's GDPR violation, you may bring a claim against dinnerHQ (as Controller) even if the Sub-Processor was responsible for the damage, because controllers and processors involved in the same processing are jointly and severally liable for the entire damage (GDPR Article 82(4)). We will then seek reimbursement from the Sub-Processor under our Data Processing Agreement with them (GDPR Article 82(5)). This ensures you always have a party to hold accountable.

12. Governing Law and Dispute Resolution

This DPA is governed by:

  • GDPR Compliance: General Data Protection Regulation (EU) 2016/679 and UK GDPR
  • Contract Law: The laws of the State of Florida, United States (consistent with our Terms of Use)

Conflicts Between DPA and Terms of Use: In the event of a conflict between this DPA and our Terms of Use, this DPA prevails solely with respect to data protection and GDPR compliance matters.

Dispute Resolution: Any disputes arising from this DPA shall be resolved in accordance with Section 17 of our Terms of Use (mandatory arbitration in Miami-Dade County, Florida). However, you retain the right to lodge a complaint with your local Data Protection Authority (GDPR Article 77) without affecting your arbitration rights.

13. Updates to This DPA

We may update this DPA from time to time to reflect:

  • Changes to GDPR or other data protection laws
  • Changes to our Sub-Processors or data processing practices
  • New security measures or organizational changes

Notice of Material Changes: If we make material changes to this DPA (e.g., adding a new Sub-Processor in a country without an adequacy decision), we will notify you at least 30 days in advance by:

  • Posting a notice on our website (https://dinnerhq.com)
  • Sending an email notification to your registered email address

Objection to Changes: If you object to material changes, you may terminate your account and request deletion of your data (GDPR Article 17) within 14 days of receiving notice. Continued use of our services after the 30-day notice period constitutes acceptance of the updated DPA.

14. Contact Information

For questions about this DPA, to exercise your GDPR rights, or to request compliance documentation, contact:

Data Controller: dinnerHQ, LLC

Data Protection Officer (DPO): Daniel Perez

Email: [email protected] (Subject: "GDPR Request" or "DPA Inquiry")

Privacy Inquiries: [email protected]

Legal Inquiries: [email protected]

Response Time: We will respond to all GDPR-related inquiries within 30 days of receipt (GDPR Article 12(3)). In complex cases, or where you have made several requests, we may extend this period by up to two further months, and we will inform you of the extension and the reasons for it within the initial 30-day period.

Effective Date

This Data Processing Agreement is effective as of January 23, 2025 and supersedes all prior versions.

Questions about this DPA? Contact our Data Protection Officer at [email protected]