Data Processing Agreement
This DPA governs Standwyse's processing of personal data on the event organiser's behalf and reflects UK GDPR Article 28. It forms part of the Standwyse Pilot Agreement.
Effective 2026-06-23.
1. Roles
This DPA forms part of the Standwyse Pilot Agreement between Standwyse ("Processor") and the Customer ("Controller"). It governs the Processor's processing of personal data on the Controller's behalf.
- The Controller (the event organiser) determines the purposes and means of processing Customer Data.
- Standwyse is the Processor, processing Customer Data only on the Controller's documented instructions, which include this DPA and the Controller's use of the Service.
2. Subject matter, duration, nature and purpose
- Subject matter: provision of the Standwyse exhibitor-readiness platform.
- Duration: for the term of the Pilot Agreement plus the deletion window in Section 8.
- Nature and purpose: hosting, storing, displaying, transmitting, and AI-assisted processing of Customer Data to operate exhibitor onboarding, document review, communications, and readiness workflows.
3. Categories of data subject and personal data
- Data subjects: the Controller's staff, exhibitor account contacts and their staff, and individuals named within uploaded documents or free-text fields.
- Categories of personal data: names, email addresses, phone numbers, account/role associations, exhibitor profile content, document file contents (which may contain identity, insurance, and compliance information), support and AI free-text content, and audit/activity metadata.
- Special-category data is not intentionally processed. The Controller must not upload special-category data (Article 9) except where unavoidable in compliance documents, in which case the Controller confirms it has a lawful basis.
4. Processor obligations
Standwyse will:
- Process Customer Data only on the Controller's documented instructions, including for international transfers, unless required by law (and will notify the Controller of any such legal requirement unless prohibited).
- Ensure persons authorised to process Customer Data are bound by confidentiality.
- Implement the technical and organisational measures in Section 6.
- Respect the conditions in Section 5 for engaging sub-processors.
- Assist the Controller, taking into account the nature of processing, in responding to data-subject rights requests (access, rectification, erasure, portability, objection).
- Assist the Controller with security, breach notification, and data-protection impact assessments under Articles 32–36.
- Notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal-data breach affecting Customer Data.
- At the Controller's choice, delete or return Customer Data at the end of the engagement (Section 8).
- Make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (Section 7).
5. Sub-processors
The Controller provides general authorisation for Standwyse to engage the sub-processors listed below. Standwyse will impose data-protection obligations equivalent to this DPA on each sub-processor and remains liable for their performance. Standwyse will give the Controller reasonable notice of any intended addition or replacement, allowing the Controller to object on reasonable data-protection grounds. The current list is also published at standwyse.com/legal/sub-processors.
| Sub-processor | Purpose | Processing location | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, authentication, and document storage (our primary data store). | United Kingdom (London) | Within UK/EEA |
| Vercel | Application hosting; processes request data and server logs. | United Kingdom (London) | Within UK/EEA |
| Anthropic | AI document extraction and assistance; receives document content and AI conversation context. Not used to train models. | United States | SCCs + UK IDTA |
| OpenAI | AI assistance features; receives the context sent to the model for AI-assisted responses. Not used to train models. | United States | SCCs + UK IDTA |
| Inngest | Background job orchestration (such as document review runs and data-export jobs); receives job identifiers and event payloads. | United States | SCCs + UK IDTA |
| Resend | Transactional email delivery; receives recipient address and message content. | United States | SCCs + UK IDTA |
| Stripe | Payment processing; receives billing contact and payment details. Card data is collected by Stripe directly and never touches Standwyse servers. | United States / global | SCCs + UK IDTA |
| Sentry | Error monitoring; receives diagnostic data with a PII redaction filter applied. | European Union | Within UK/EEA |
| PostHog | Product analytics; server-side events keyed by identifiers, with client-side capture only after cookie consent. | European Union | Within UK/EEA |
| HubSpot | CRM integration (optional, organiser-enabled); when an organiser connects HubSpot, we exchange OAuth tokens with HubSpot and receive their exhibitor company and contact records to import into Standwyse. | United States | SCCs + UK IDTA |
6. Security measures (Article 32)
Standwyse maintains, at a level appropriate to the risk:
- Access control: Row-Level Security on all tenant-scoped tables; role-based access; least-privilege service credentials; documents served only via short-lived signed URLs.
- Encryption: TLS in transit; encryption at rest for database and storage (Supabase-managed).
- Secret management: secrets stored in platform secret stores, never in the repository, rotated on a defined cadence.
- Tenant isolation: every domain table is scoped by organisation and event identifiers and enforced by RLS helper functions.
- Resilience: Point-in-Time Recovery and a tested restore runbook with a 4-hour RTO / 24-hour RPO.
- Monitoring: error tracking and audit/activity logging of security-relevant actions.
7. Audit
Standwyse will make available, on reasonable written request and no more than once per year (or after a breach), the information reasonably necessary to demonstrate compliance with this DPA. At pilot scale, this is satisfied by Standwyse's written security documentation rather than on-site audits.
8. Return and deletion
On termination or expiry of the Pilot Agreement, the Controller may instruct Standwyse to return Customer Data in a portable format and/or delete it. Standwyse will delete Customer Data within 30 days of the instruction (or of expiry absent instruction), subject to retention required by law. Personal data persisting in backups is deleted when those backups age out of their retention window; restored data is re-deleted.
9. International transfers
Where Customer Data is transferred outside the UK/EEA (e.g. to US-based sub-processors), the transfer relies on the EU Standard Contractual Clauses and, for UK data, the UK International Data Transfer Addendum, together with the sub-processor's supplementary measures. The Controller and Processor agree to the SCCs being incorporated by reference for such transfers.
10. Liability and precedence
Liability under this DPA is subject to the limitations in the Pilot Agreement. If this DPA conflicts with the Pilot Agreement on data-protection matters, this DPA prevails. Governing law is England and Wales. A countersigned copy incorporated into the Pilot Agreement is available via privacy@standwyse.com.