Data Processing Agreement

Standard DPA · Version 1.0 · Effective on Studio account creation

This DPA forms part of the Terms of Service between Event Super OS Pvt Ltd ("Processor") and the Studio account holder ("Controller"). It is automatically deemed accepted on Studio sign-up. Enterprise and white-label customers may execute a counter-signed version on request — email legal@eventsuperos.com.

1. Roles

The Studio is the Data Controller of all event, guest, vendor, and crew data uploaded to the Platform. Event Super OS is the Data Processor. We process personal data only on documented instructions from the Studio.

2. Categories of data

Data subject	Categories
Event guests	Name, contact, RSVP, dietary, accommodation, photographs at event
Vendors / crew	Name, contact, role, payment terms
End clients (couples)	Name, contact, event preferences, payment status
Studio staff	Name, email, role, activity

3. Sub-processors

Current sub-processors:

Name	Purpose	Region
Supabase Inc.	Database, auth, realtime	India (ap-south-1)
Cloudflare	CDN, edge delivery, DDoS protection	Global edge
Stripe	Card payments	USA / Ireland
Razorpay	India payments & UPI	India
Resend	Transactional email	USA

We will give you 30 days' notice before adding a new sub-processor. You can object in writing; if we cannot accommodate the objection we will work with you on a transition plan.

4. Security measures

TLS 1.3 in transit, AES-256 at rest
Row-level security per studio at the database
Daily encrypted backups, point-in-time recovery (Pro+ on Supabase tier)
Access controls: SSO/MFA for our own staff, audit log of all admin actions
Incident response: 24-hour notification to Controllers of any confirmed breach affecting their data
Annual security review

5. Data subject rights assistance

We help you respond to data-subject requests:

Access / portability: built-in JSON/CSV export in Settings → Privacy
Erasure: built-in account-deletion flow with 30-day grace period
Correction: you can correct any data via the studio app directly
Other requests: contact dpo@eventsuperos.com

6. International transfers

Primary storage is in India. Where data must transit outside India for delivery (CDN, email), we rely on Standard Contractual Clauses or equivalent safeguards under the DPDP Act.

7. Audit rights

Once per year, with 30 days' notice, an Enterprise Controller may request an audit of our security and processing practices. We will respond with our latest SOC 2 / ISO 27001 evidence (when those certifications are in place — currently planned for Q4 2026) or, in the interim, a written attestation.

8. Termination & deletion

On termination, we delete or return your data within 90 days, except where retention is required by law (audit logs 7y, payment records 8y). You can request immediate deletion in writing — we honour it within 30 days, except for legally-mandated retention.

9. Liability

Our liability for breaches of this DPA is governed by Section 10 of the Terms of Service.

10. White-label addendum

If you operate the Platform under your own brand for downstream studios:

You are the Controller for your own studio data and a separate Processor for your downstream clients' data
You must execute equivalent DPAs with each downstream client
You remain responsible to those clients for compliance, breach notification, and data-subject rights
We support you with deletion, export, and audit tooling — see your white-label contract

11. Contact

Data Protection Officer: dpo@eventsuperos.com
India grievance officer: grievance@eventsuperos.com
Security incidents: security@eventsuperos.com