version 1.0 – 2025-11-12
Data Processing Agreement (DPA)
This Data Processing Agreement (“Agreement” or “DPA”) forms an integral part of the Terms and Conditions and the “Main Agreement” between:
(1) The company, event organiser, customer of MeetToMatch (the “Controller”), and
(2) MeetToMatch b.v., having its registered office at Europalaan 400, Utrecht, Netherlands (the “Processor”).
The Controller and the Processor are jointly referred to as the “Parties.”
1. Subject Matter and Duration
1.1 This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the services provided under the Main Agreement.
1.2 The processing shall continue for the duration of the Main Agreement, unless otherwise required by law.
2. Nature and Purpose of Processing
The Processor shall process personal data only for the purpose of performing the services described in the Main Agreement, including:
- data hosting and analytics
- marketing services
3. Categories of Data and Data Subjects
Categories of personal data may include names, email addresses, phone numbers, profile images, account identifiers, direct messages, IP addresses, usage data and transaction information.
Categories of data subjects: event attendees and website users.
4. Processor’s Obligations
The Processor shall:
- process personal data on instructions from the Controller;
- ensure that personnel authorised to process data are bound by confidentiality obligations;
- implement appropriate technical and organisational measures to ensure data security (Article 32 GDPR);
- assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notifications, impact assessments);
- at the Controller’s choice, delete or return all personal data after the end of processing, unless retention is required by law;
- make available all information necessary to demonstrate compliance and allow reasonable audits by the Controller or a designated auditor, provided that such audits do not interfere unreasonably with the Processor’s business operations.
5. Sub-Processing
5.1 The Controller authorises the Processor to engage sub-processors.
5.2 The Processor shall inform the Controller of any intended changes concerning new or replacement sub-processors.
6. International Data Transfers
6.1 The Processor may transfer personal data outside the European Economic Area (“EEA”) while applying appropriate safeguards in accordance with Chapter V GDPR.
6.2 Such safeguards may include Standard Contractual Clauses or an adequacy decision by the European Commission.
7. Security of Processing
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
8. Personal Data Breaches
The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach. The notification shall include all relevant details to enable the Controller to comply with its own GDPR obligations, to the extent reasonably available to the Processor.
9. Assistance to the Controller
9.1 The Processor shall assist the Controller, to the extent reasonably possible, in:
- responding to data subject requests; and
- ensuring compliance with security, breach notification, and data protection impact assessment obligations.
9.2 Cost of Assistance
Any costs incurred by the Processor for assisting the Controller in connection with assistance requests that are not required by applicable data protection law, not initiated by a competent supervisory authority, or not based on a verified data subject request, shall be borne by the Controller.
The Processor shall notify the Controller in advance of any such costs where reasonably practicable.
10. Return or Deletion of Data
Upon termination of the Main Agreement, the Processor shall, at the Controller’s option, delete or return all personal data, unless retention is required by EU or Member State law.
11. Governing Law and Jurisdiction
This DPA shall be governed by the laws governing the Main Agreement. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction agreed upon in the Main Agreement.