1. Role of the Parties
In respect of Customer Personal Data, the Customer is the Controller and determines the purposes and means of the processing. Novex is the Processor and processes Customer Personal Data only on documented instructions from the Customer. Documented instructions are established by the Customer's use of the Service in accordance with the Service's documented configuration options, the Terms of Service, and this DPA. Additional instructions must be agreed in writing.
2. Scope and Purpose of Processing
- Subject matter: provision of the Novex event management Service.
- Duration: the term of the subscription plus any retention period required by law.
- Nature and purpose: hosting, storing, transmitting, displaying, searching, indexing, backing up, and otherwise processing Customer Personal Data as necessary to deliver the Service features chosen by the Customer.
- Types of Personal Data: identifying information (name, email, phone, organization), professional information (job title, department), event-participation information (registration status, attendance, dietary or accessibility preferences if collected by Customer), financial information (invoice line items, payment status — not card data), communications metadata, and any other Personal Data the Customer chooses to upload.
- Categories of Data Subjects: Customer's authorized users, end users (attendees, registrants), vendors, sponsors, speakers, exhibitors, and any other individuals the Customer chooses to manage in the Service.
- Special categories: none expected. The Customer must not upload special-category data unless explicitly enabled by Customer configuration; the Customer is responsible for the lawful basis for such processing.
3. Processor Obligations
- Process Customer Personal Data only on the Customer's documented instructions, including for international transfers, unless required by law (in which case Novex will inform the Customer before processing, unless prohibited by law).
- Ensure that all personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organizational security measures as set out in the Annex to this DPA.
- Assist the Customer in responding to Data Subject requests by providing self-service tools through the Service and, where insufficient, providing reasonable assistance on request.
- Assist the Customer in meeting its obligations under GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation).
- Notify the Customer of any Personal Data Breach without undue delay, and in any event within seventy-two (72) hours of becoming aware, describing the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed.
- Upon termination, return or delete all Customer Personal Data as set out in Section 9.
- Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
4. Sub-processors
The Customer authorizes Novex to engage the Sub-processors listed below to assist with the processing of Customer Personal Data. Novex remains liable for the performance of its Sub-processors' obligations. Novex will give at least 30 days' prior notice of any addition or replacement of Sub-processors by publishing an updated list at nov3x.com/legal/dpa.
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Contabo GmbH | Hosting infrastructure, virtual machines, network connectivity, primary data storage. | Germany (EU) |
| Resend, Inc. | Transactional email delivery (sign-up confirmations, password resets, invoice notifications). | United States with EU regional option |
| Stripe, Inc. (activated for paid Subscriptions only) | Payment processing for Novex platform Subscriptions. | United States |
| Sentry | Application error monitoring with PII scrubbing. | United States / European Union |
| Anthropic PBC (only when Customer enables BYOK AI) | AI inference for Copilot features using Customer's own API key. | United States |
| OpenAI, LLC (only when Customer enables BYOK AI) | AI inference for Copilot features using Customer's own API key. | United States |
The following components run on Novex-controlled infrastructure within the EU and are not third-party Sub-processors: MinIO (object storage), Ollama (self-hosted AI), PostgreSQL (database), Valkey (cache and queue). Third-party services connected by the Customer (such as WhatsApp Business Platform, calendar systems, third-party analytics, regional payment processors, or invoicing/tax integrations) are not Novex Sub-processors. The Customer is the controller for any data flowing to those services and is responsible for disclosing them to its own Data Subjects.
5. International Data Transfers
Customer Personal Data is primarily stored and processed in the European Union. Where Novex transfers Customer Personal Data outside the EEA, the UK, or, as applicable, Saudi Arabia, the parties will rely on the EU Standard Contractual Clauses (Decision 2021/914) Module 2 or Module 3 as applicable, the UK International Data Transfer Addendum where UK GDPR applies, and PDPL cross-border transfer mechanisms where applicable, all incorporated into this DPA by reference. The information required by the Annexes to the SCCs is consolidated into the single Annex to this DPA.
6. Data Subject Rights and Export Support
Novex provides self-service tools in the Service for the Customer to assist Data Subjects in exercising their rights, including data export in machine-readable form and data deletion with a 30-day grace period. If a Data Subject contacts Novex directly, Novex will redirect them to the Customer and notify the Customer where identifiable. For requests that cannot be handled through self-service tools, Novex will provide reasonable assistance at no additional charge for the Customer's first 5 requests per calendar year; subsequent requests may be subject to a reasonable fee based on time and materials.
7. Audit Rights
The Customer may, at its own cost and no more frequently than once per twelve (12) months (except where required by a supervisory authority or following a Personal Data Breach), audit Novex's compliance with this DPA (a) by reviewing Novex's most recent independent third-party audit reports, security certifications, and policies; (b) by submitting a written questionnaire to be answered within a reasonable time; or (c) where (a) and (b) are insufficient and there is a documented compliance concern, by conducting an on-site audit at Novex's premises, subject to at least 30 days' prior written notice, the audit being conducted during business hours and not unreasonably interfering with operations, the auditor signing reasonable confidentiality undertakings, and Novex's right to redact information unrelated to the Customer's data.
8. Personal Data Breach Notification
Novex will notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay and in any event within seventy-two (72) hours of becoming aware. The Customer remains responsible for any notifications to supervisory authorities or affected Data Subjects required by law. Novex will reasonably assist the Customer in those notifications.
9. Term, Return, and Deletion
This DPA takes effect on the Effective Date and remains in force for the duration of the Service. On termination, for 30 days the Customer may export Customer Data; after the 30-day grace period, Novex will delete or irreversibly anonymize all Customer Personal Data within a further 60 days, except where retention is required by law. Customer Personal Data persisting in encrypted backups will be deleted on the normal backup-rotation cycle (within 30 days). Novex will, on written request, certify in writing that deletion has been completed. Obligations of confidentiality, deletion, and liability survive termination.
Annex — Standard Contractual Clauses: Description of Processing and Security Measures
This single Annex sets out the information required by the Standard Contractual Clauses and applicable Data Protection Laws, consolidating into one annex what the SCCs would otherwise split across separate annexes. The parties and their roles are described in Section 1; the subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Section 2; and the authorized Sub-processors are listed in Section 4. The technical and organizational security measures Novex implements are:
- Access control: role-based access with least-privilege defaults; multi-factor authentication for staff production access; quarterly access reviews; immediate revocation on role change or departure; tenant isolation at the database layer via PostgreSQL row-level security.
- Three-layer tenant isolation: explicit tenant filter in application code, automatic tenant injection at the ORM layer, RLS at the database engine.
- Encryption: TLS 1.2+ for all data in transit; encryption of sensitive fields at rest with AES-256; encrypted backups stored separately from production.
- Network security: production database not exposed to the public internet; access restricted to application servers via private network; strict security headers (HSTS, CSP, COOP, COEP, CORP); web application firewall and rate-limiting at the edge.
- Application security: static analysis (Semgrep) on every release; OWASP ZAP dynamic scanning on a defined cadence; dependency scanning; peer code review prior to release.
- Logging and monitoring: centralized application logs with PII scrubbing; administrative-action audit logs retained for 18 months (tenant-scoped operational), 36 months (platform-scoped), or 84 months / 7 years (security-critical: authentication, role/permission, MFA, tenant lifecycle), with entries past their retention period automatically purged nightly; anomaly detection on authentication and privileged operations; error tracking with PII scrubbing.
- Backup and recovery: daily full database backups with WAL-based point-in-time recovery (5-minute RPO); offsite replication; documented and verified restore drills.
- Personnel: contractual confidentiality; security awareness training mandatory for all staff with system access (initial training within 30 days of hire); access reviewed quarterly.
- Incident response: documented plan including triage, containment, communication, and post-incident review; 72-hour breach notification commitment.
- Vendor risk management: security and data-protection review of new Sub-processors; annual review of existing Sub-processors.
- Physical security: production infrastructure operates from physically secured data centers with restricted access, environmental controls, and 24/7 monitoring.
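As an added illustration, and not part of this DPA or of Novex's actual schema, the following PostgreSQL statements show how the database-engine layer of the tenant isolation described above (row-level security, with the application supplying the tenant per transaction) can be implemented and verified. The table, column, role and setting names (attendees, tenant_id, novex_app, app.tenant_id) and the sample tenant UUID are assumptions chosen for the example.

```sql
-- Added example, not Novex's schema: PostgreSQL row-level security (RLS)
-- as the third layer of tenant isolation. Names below are hypothetical.
CREATE TABLE attendees (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    email      text NOT NULL
);

-- The service connects as a role that does not own the table, so RLS
-- applies to it; FORCE makes RLS apply to the owner as well.
CREATE ROLE novex_app NOLOGIN;  -- hypothetical application role
GRANT SELECT, INSERT, UPDATE, DELETE ON attendees TO novex_app;
GRANT USAGE, SELECT ON SEQUENCE attendees_id_seq TO novex_app;

ALTER TABLE attendees ENABLE ROW LEVEL SECURITY;
ALTER TABLE attendees FORCE ROW LEVEL SECURITY;

-- Policy: a row may be read or written only when its tenant_id equals the
-- tenant the application set for this transaction. current_setting(..., true)
-- yields NULL when the setting was never set, and '' after a SET LOCAL has
-- gone out of scope; NULLIF turns '' into NULL so the comparison is NULL
-- (false) instead of a cast error. Either way, no tenant set = no rows.
CREATE POLICY tenant_isolation ON attendees
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Layer 2 (ORM / connection setup): the application binds the tenant for the
-- duration of one transaction only. Constructed sample tenant id below.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SET LOCAL ROLE novex_app;

INSERT INTO attendees (tenant_id, email)
VALUES ('11111111-1111-1111-1111-111111111111', 'registrant@example.org');

-- Layer 1 (explicit filter): the query still names the tenant. If the
-- application filter and the bound tenant ever disagree, the policy returns
-- zero rows rather than another tenant's data.
SELECT id, email
  FROM attendees
 WHERE tenant_id = '11111111-1111-1111-1111-111111111111';

-- Fail-closed check: writing a row for a different tenant is rejected by
-- WITH CHECK ("new row violates row-level security policy").
-- INSERT INTO attendees (tenant_id, email)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'other@example.org');
COMMIT;

-- Verification outside any tenant context: with no app.tenant_id set, the
-- same role sees nothing at all.
SET ROLE novex_app;
SELECT count(*) FROM attendees;   -- expected: 0
RESET ROLE;
```

The design point is that the database denies by default: the policy only admits rows when a tenant is bound, so a code path that forgets the explicit filter, or an ORM hook that is skipped, degrades to an empty result rather than a cross-tenant disclosure. Using SET LOCAL rather than SET keeps the tenant binding from leaking across transactions on a pooled connection, which is the main way this pattern fails in practice.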