Evenda

Official version of the document — in Serbian.

Translations into other languages are provided for convenience only. If there is any discrepancy between a translation and the Serbian version, the Serbian version prevails.

Data Processing Agreement (DPA)

Effective date: 01.03.2026
Last updated: 01.03.2026

This Data Processing Agreement (“DPA”) forms part of and is an integral annex to the Evenda Platform Organizer Agreement and governs the processing of personal data carried out by ZURKA CE BITI DOO on behalf of the Organizer when using the Evenda SaaS platform.

This DPA is entered into between:

ZURKA CE BITI DOO
Tax ID: 114432064
Mobile: 22023195
Belgrade, Kraljice Natalije 11, Serbia
Email: [email protected]

(hereinafter referred to as “Evenda” or “the Processor”)

and

the person who registers an organizer account, accepts this DPA, or uses the Evenda platform as an event organizer
(hereinafter referred to as the “Organizer” or “Operator”).

If the parties have entered into a separate written data processing agreement, that agreement shall take precedence over this DPA with respect to matters expressly addressed therein.

1. Purpose and Scope

1.1. This DPA applies only in cases where Evenda processes personal data on behalf of and at the request of the Organizer in connection with the use of the Evenda platform.

1.2. This DPA does not apply to instances where Evenda acts as an independent data controller, including, but not limited to:

  • Organizer and team account data;
  • data related to subscriptions, billing, and SaaS payments;
  • support request data;
  • security, logging, fraud prevention, and Evenda rights protection data;
  • data that Evenda is required to process by law.

1.3. This DPA governs only the processing of data performed by Evenda as a Processor. All other matters regarding the use of the platform are governed by the Organizer Agreement and other applicable Evenda documents.

2. Definitions

For the purposes of this DPA, the following terms are used:

Controller — The Organizer that determines the purposes and essential parameters of the processing of personal data via the Evenda platform.
Processor — Evenda, which processes personal data on behalf of the Controller.
Applicable Data Protection Laws — applicable laws governing the protection of personal data, including the GDPR where applicable, as well as other mandatory regulations governing the relevant processing.
Personal Data — any information relating to an identified or identifiable natural person.
Data Subject — a natural person to whom Personal Data relates.
Subprocessor — any processor engaged by Evenda that processes Personal Data on behalf of the Operator in connection with the provision of Evenda’s services.
Personal data breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

If a term is used in this DPA and defined in the applicable data protection laws, it shall be interpreted in accordance with the meaning established by such laws.

3. Subject matter, duration, nature, and purpose of processing

3.1. The subject matter of this DPA is Evenda’s processing of Personal Data on behalf of the Organizer in connection with the provision of the Evenda platform’s SaaS functionality.

3.2. The processing period begins when Evenda starts processing Personal Data on behalf of the Organizer and continues for the duration of the use of the relevant platform features, as well as for the duration of storage, deletion, return, or other termination of processing in accordance with this DPA and applicable data protection laws.

3.3. Depending on the platform features used, the nature of the processing may include:

  • collection;
  • recording;
  • organization;
  • structuring;
  • storage;
  • adaptation;
  • retrieval;
  • viewing;
  • use;
  • transmission;
  • disclosure;
  • comparison;
  • restriction;
  • erasure;
  • destruction;
  • other actions necessary for the provision of Evenda services.

3.4. The purposes of processing are determined by the Organizer and may include:

  • publishing and managing events;
  • ticket sales;
  • processing orders and registrations;
  • participant management;
  • sending service notifications, tickets, and QR codes;
  • processing forms, fields, and data configured by the Organizer;
  • supporting the Organizer’s operational activities in connection with the use of the platform.

3.5. The categories of Data Subjects, categories of Personal Data, and a description of the processing are set forth in Appendix 1 to this DPA.

4. Roles of the Parties

4.1. The Organizer acts as a Data Controller with respect to Personal Data that it uploads, collects, structures, or otherwise processes through the Evenda platform in connection with its events, orders, tickets, registrations, and communications with customers and participants.

4.2. Evenda acts as a Processor only to the extent that it processes such Personal Data on behalf of and in accordance with the documented instructions of the Controller.

4.3. The Organizer confirms that it independently determines the purposes of processing and the essential parameters of processing, including:

  • What data is collected;
  • Regarding which individuals;
  • How long the data is used for the Organizer’s purposes;
  • Who has access to the data within the Organizer’s account;
  • What forms, fields, notifications, and workflows are used.

5. Operator Instructions

5.1. Evenda processes Personal Data solely on the basis of the Organizer’s documented instructions, unless otherwise required by applicable data protection laws.

5.2. This DPA, the Organizer Agreement, the Organizer’s account settings, the selected platform features, event configurations, forms, fields, access rights, and other actions taken by the Organizer within the Evenda interface shall be considered documented instructions from the Operator.

5.3. The Organizer reserves the right to issue reasonable additional written instructions if they:

  • are related to the use of the service;
  • do not conflict with the Organizer Agreement, this DPA, and applicable data protection laws;
  • are technically feasible;
  • do not require disproportionate modifications to the platform.

5.4. If Evenda believes that the Organizer’s instruction violates applicable data protection laws, Evenda has the right to notify the Organizer of this and suspend the execution of the relevant instruction until clarifications or a legal basis are provided.

6. The Organizer’s Obligations as the Operator

The organizer undertakes and guarantees that:

6.1. has a legal basis for processing Personal Data and for entrusting such processing to Evenda;

6.2. duly informs Data Subjects when required by law;

6.3. independently determines what Personal Data is collected through the platform and does not instruct Evenda to process data in violation of the law;

6.4. does not use the Evenda platform to process special categories of personal data, criminal records, or other sensitive data unless such processing is lawful, necessary, and properly regulated;

6.5. is responsible for the legality of its activities, forms, fields, descriptions, notifications, communication scripts, its team’s access rights, and other settings that affect the processing of Personal Data;

6.6. is responsible for processing requests from customers and participants to the extent that it acts as the Operator.

7. Evenda’s Obligations as a Processor

Evenda undertakes to:

7.1. shall process Personal Data only in accordance with the Organizer’s documented instructions;

7.2. shall not use Personal Data for its own purposes that are incompatible with its role as a Processor;

7.3. shall ensure that persons authorized to process Personal Data are bound by a confidentiality obligation or an appropriate legal duty of confidentiality;

7.4. shall implement appropriate technical and organizational security measures in accordance with Section 10 of this DPA and the requirements of Applicable Data Protection Laws;

7.5. comply with the terms and conditions for engaging Subprocessors set forth in Section 8;

7.6. shall assist the Organizer, to the extent possible, in fulfilling its obligations regarding responses to requests from Data Subjects;

7.7. to assist the Organizer, to the extent possible, in fulfilling its obligations regarding security, breach notifications, data protection impact assessments, and prior consultations, if required by law;

7.8. Upon completion of processing, delete or return the Personal Data in accordance with the procedures set forth in this DPA, unless otherwise required by law;

7.9. shall provide the Organizer with the information necessary to demonstrate compliance with this DPA and shall cooperate with audits in accordance with the procedures set forth in this DPA.

8. Subcontractors

8.1. The Organizer grants Evenda general written permission to engage Subprocessors to provide services to Evenda.

8.2. Evenda undertakes to maintain an up-to-date list of Subcontractors and, upon request, to provide it to the Organizer or post it in a location on the website or in the personal account that is accessible to the Organizer.

8.3. If Evenda intends to add a new Subprocessor or replace an existing one, it shall notify the Organizer in advance by reasonable means, provided that such change is material to the processing of Personal Data.

8.4. The Controller has the right to raise a reasoned objection to a new Subprocessor within a reasonable period of time after receiving notice, if it has documented grounds to believe that such a change poses a substantial risk of a breach of applicable data protection laws.

8.5. If the parties are unable to reasonably resolve such an objection, Evenda reserves the right to suspend the relevant part of the processing or to request that the Organizer cease using the affected functionality.

8.6. Evenda undertakes to enter into a written agreement with each Subprocessor, imposing data protection obligations on the Subprocessor that are no less stringent in substance than those set forth in this DPA, to the extent that they apply to the services provided.

8.7. Evenda is liable for the actions of its Subprocessors to the extent provided for by applicable data protection laws and the agreements between the parties.

9. International data transfer

9.1. Evenda does not transfer Personal Data internationally outside the applicable jurisdiction without a valid legal basis, if such a basis is required by applicable data protection laws.

9.2. If the provision of Evenda’s services or the use of Subprocessors requires the international transfer of Personal Data, Evenda undertakes to use an appropriate transfer mechanism, including, where applicable:

  • a decision on an adequate level of protection;
  • standard contractual clauses;
  • other legal mechanisms permitted by applicable data protection laws.

9.3. Upon reasonable request from the Organizer, Evenda will provide general information about the mechanisms used for international data transfers, if such transfers take place.

10. Data Security

10.1. Taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of the processing, as well as the risk to the rights and freedoms of natural persons, Evenda implements appropriate technical and organizational security measures.

10.2. Such measures may include, as applicable:

  • access rights management;
  • authentication and account management;
  • role management within the platform;
  • logging of actions and events;
  • backup;
  • data transmission security;
  • infrastructure and network environment security;
  • incident detection and response procedures;
  • internal access policies for employees and contractors;
  • testing, evaluation, and improvement of security measures;
  • measures to minimize the risk of unauthorized access, loss, alteration, or disclosure of data.

10.3. The Organizer acknowledges that no method of data transmission or storage can guarantee absolute security.

10.4. The organizer is also responsible for security measures on its end, including:

  • managing your team's access;
  • the security of your devices, browsers, email accounts, and integrations;
  • the legitimacy and security of the payment methods and other third-party services you connect;

11. Requests from Data Subjects

11.1. Taking into account the nature of the processing, Evenda shall, to the extent possible, provide reasonable assistance to the Organizer in fulfilling its obligations to respond to requests from Data Subjects.

11.2. If Evenda receives a request from a Data Subject regarding processing for which the Organizer is the Controller, Evenda has the right to:

  • Forward such a request to the Organizer;
  • Notify the Data Subject that the Organizer is the relevant Controller;
  • Provide reasonable assistance to the Organizer in processing the request.

11.3. Unless otherwise required by law, Evenda is not obligated to respond to such a request on its own behalf on behalf of the Organizer without the Organizer’s instructions.

12. Assistance in complying with legal requirements

12.1. Taking into account the nature of the processing and the information available to Evenda, Evenda shall provide the Organizer with reasonable assistance in ensuring compliance with the obligations related to:

  • data processing security;
  • personal data breach notification;
  • data protection impact assessment;
  • prior consultation with the supervisory authority, where required.

12.2. If the requested assistance goes beyond Evenda’s standard functionality and regular support, the parties may separately agree on the timing, format, and reasonable compensation for such assistance, to the extent permitted by law.

13. Personal Data Breach

13.1. Evenda shall notify the Organizer without undue delay after becoming aware of a confirmed personal data breach affecting the Personal Data that Evenda processes on behalf of the Organizer.

13.2. Such notice shall, to the extent possible at the time it is sent, include:

  • a description of the nature of the incident;
  • known or likely categories of affected data;
  • known or likely categories of affected data subjects;
  • known or likely consequences;
  • measures already taken or proposed to address the incident and mitigate its consequences.

13.3. Evenda may provide information in stages if the full set of data is not available at the time of the initial notification.

13.4. The Organizer shall determine at its sole discretion whether notification of the supervisory authority or Data Subjects is required, unless otherwise provided by applicable law.

14. Inspections and the Right to Information

14.1. Upon reasonable written request from the Organizer, Evenda shall provide the information necessary to demonstrate compliance with this DPA.

14.2. The Organizer may conduct an audit of compliance with this DPA no more than once per calendar year, unless otherwise required:

  • in connection with a personal data breach;
  • upon request by a competent authority;
  • if there are reasonable grounds to believe that there has been a material breach of this DPA.

14.3. To the greatest extent possible, verification should be conducted in a manner that minimizes the load on Evenda and security risks, for example:

  • through written responses;
  • submission of documents;
  • submission of reports;
  • remote verification;
  • review of certificates or descriptions of control measures, if applicable.

14.4. On-site verification is permitted only if:

  • other reasonable measures are insufficient;
  • the organizer has notified Evenda in advance;
  • the verification does not pose disproportionate risks to security, privacy, or the platform’s operation;
  • the verifying party is bound by confidentiality obligations.

14.5. The organizer shall bear its own costs for verification, unless the parties have agreed otherwise.

15. Data Retrieval and Deletion

15.1. Upon termination of the relevant processing or upon a reasonable request from the Evenda Organizer, at the Organizer’s discretion:

  • returns the Personal Data to the Organizer; or
  • deletes the Personal Data, unless otherwise required by applicable data protection laws.

15.2. If it is technically impossible to return the data in a reasonable format within the scope of the platform’s standard functionality, Evenda reserves the right to provide the data in a commonly used format available on the service, or to delete it in accordance with standard procedures.

15.3. Evenda has the right to retain Personal Data after processing has ceased to the extent required:

  • as required by law;
  • for backup purposes within a limited retention period;
  • to establish, exercise, or defend legal claims;
  • for security, logging, and evidentiary purposes;
  • provided that applicable access and confidentiality restrictions are observed.

16. Privacy

16.1. Evenda ensures that persons authorized to process Personal Data are properly instructed and bound by a confidentiality obligation.

16.2. Evenda does not disclose Personal Data to third parties, except in the following cases:

  • when necessary to provide Evenda’s services in accordance with this DPA;
  • when such disclosure is required by applicable data protection laws;
  • when disclosure is necessary to protect the rights of Evenda, the Organizer, Data Subjects, or other individuals within the limits of the law.

17. Confirmation of Compliance

17.1. Evenda implements and maintains the measures, policies, and processes reasonably necessary to fulfill its obligations as a Processor.

17.2. Upon reasonable request by the Organizer, Evenda shall provide the information available to it that is sufficient to confirm that it is fulfilling its obligations as a Processor under this DPA.

18. Liability

18.1. Unless otherwise expressly provided in this DPA, matters of liability between the parties shall be governed by the Organizer Agreement.

18.2. Nothing in this DPA shall relieve either party of any liability that cannot be excluded or limited under applicable data protection laws.

19. Priority

19.1. In the event of any conflict between this DPA and the Organizer Agreement, the provisions of this DPA shall prevail with respect to the processing of Evenda’s Personal Data on behalf of the Organizer.

19.2. In the event of any conflict between this DPA and a separate written data protection agreement signed by the parties, such separate agreement shall prevail with respect to matters expressly governed by it.

20. Amendment to the DPA

20.1. Evenda reserves the right to periodically amend this DPA if necessary to:

  • updating the document to reflect changes in legislation;
  • reflecting changes in the service, infrastructure, or subprocessors;
  • refining data protection processes and measures.

20.2. The current version of the DPA is published on the website. If the changes are material, Evenda will endeavor to notify the Organizer in a reasonable manner, such as via the website, email, or the personal account.

20.3. Continued use of Evenda after the new version takes effect constitutes acceptance of the updated DPA, unless otherwise prohibited by applicable data protection laws.

21. Governing Law and Disputes

21.1. This DPA shall be governed by and construed in accordance with the laws of the Republic of Serbia, unless otherwise required by applicable data protection laws.

21.2. Any dispute, controversy, or claim arising out of or in connection with this DPA shall be subject to the jurisdiction of the competent court in Belgrade, Republic of Serbia, unless otherwise required by mandatory provisions of applicable law.

22. Contact Information

If you have any questions about this DPA, please contact us at:

ZURKA CE BITI DOO
Tax ID: 114432064
Mobile: 22023195
Belgrade, Kraljice Natalije 11, Serbia
[email protected]

Appendix 1. Description of the Processing

1. Subject of processing

Evenda processes Personal Data on behalf of the Organizer in connection with the use of the Evenda platform for publishing events, managing orders, tickets, registrations, participants, and communications related to the Organizer’s events.

2. Processing time

For the duration of the Organizer’s use of the relevant features of the Evenda platform, and thereafter for the period necessary for refunds, deletion, backup storage, compliance with the law, and the protection of Evenda’s or the Organizer’s rights, to the extent permitted by applicable data protection laws.

3. Type of processing

Collection, recording, storage, organization, structuring, viewing, use, transfer, provision of access, deletion, destruction, and other actions necessary for the provision of Evenda services.

4. Purposes of processing

  • creating and publishing events;
  • ticket sales and order processing;
  • participant registration;
  • generating and sending tickets, confirmations, and QR codes;
  • managing orders, participant lists, and related communications;
  • providing platform functionality in accordance with the Organizer’s instructions.

5. Categories of Data Subjects

Depending on the platform configuration and the Organizer's actions:

  • ticket purchasers;
  • event participants;
  • individuals filling out registration or order forms;
  • ticket recipients;
  • contact persons added by the Organizer in connection with the event;
  • other individuals whose data the Organizer uploads or collects via the platform in connection with its events.

6. Categories of Personal Data

Depending on the Organizer's settings and the features used:

  • First and last name;
  • Email;
  • Phone number;
  • Order details;
  • Ticket details;
  • Information about the event, date, session, category, and venue;
  • Additional fields created by the Organizer;
  • Order and ticket status history;
  • Data required to send service notifications;
  • Other Personal Data that the Organizer independently decides to collect via the platform.

7. Special categories of data

Unless otherwise expressly agreed in writing by the parties, Evenda is not obligated to process special categories of personal data on behalf of the Organizer. The Organizer must not use the platform for such processing without a legal basis and adequate safeguards.

8. Processing operations

Providing hosting, interfaces, storage, administration, search, structuring, export, sending service notifications, and other operations necessary for the operation of the Evenda platform in accordance with the Organizer’s instructions.