Evenda

De officiële versie van het document is in het Servisch.

Translations into other languages are provided for convenience only. If there is any discrepancy between a translation and the Serbian version, the Serbian version prevails.

Data Processing Agreement (DPA)

Effective date: 01 March 2026
Last updated: 01 March 2026

This Data Processing Agreement (“DPA”) forms part of and is an integral appendix to the Evenda platform Organizer Agreement and governs the processing of personal data that ZURKA CE BITI DOO carries out on behalf of the Organizer when using the Evenda SaaS platform.

This DPA is entered into between:

ZURKA CE BITI DOO
PIB: 114432064
MB: 22023195
Beograd, Kraljice Natalije 11, Serbia
Email: [email protected]

(“Evenda” or “Processor”)

and

the person who registers an organizer account, accepts this DPA, or uses the Evenda platform as an event organizer
(“Organizer” or “Controller”).

If the parties have concluded a separate written data processing agreement, it takes precedence over this DPA for matters expressly covered by it.

1. Purpose and scope

1.1. This DPA applies only where Evenda processes personal data on behalf of and under the instructions of the Organizer in connection with use of the Evenda platform.

1.2. This DPA does not apply where Evenda acts as an independent controller of personal data, including without limitation:

  • Organizer account and team data;
  • data related to subscription, billing, and SaaS payment;
  • support request data;
  • security, logging, fraud prevention, and Evenda rights protection data;
  • data that Evenda is required to process by law.

1.3. This DPA governs only processing performed by Evenda as Processor. All other matters relating to use of the platform are governed by the Organizer Agreement and other applicable Evenda documents.

2. Definitions

For the purposes of this DPA, the following terms apply:

Controller — the Organizer who determines the purposes of processing and essential parameters of personal data processing through the Evenda platform.
Processor — Evenda, which processes personal data on behalf of the Controller.
Applicable data protection law — applicable personal data protection law, including the GDPR where it applies, and other mandatory rules governing the relevant processing.
Personal Data — any information relating to an identified or identifiable natural person.
Data Subject — the natural person to whom Personal Data relates.
Sub-processor — any processor engaged by Evenda that processes Personal Data on behalf of the Organizer in connection with Evenda’s services.
Personal data breach — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

If a term is used in this DPA and is defined in Applicable data protection law, it is interpreted in accordance with that law.

3. Subject matter, duration, nature, and purposes of processing

3.1. The subject matter of this DPA is Evenda’s processing of Personal Data on behalf of the Organizer when providing Evenda platform SaaS functionality.

3.2. Processing begins when Evenda starts processing Personal Data on behalf of the Organizer and continues for the period of use of the relevant platform features and for any period of retention, deletion, return, or other completion of processing in accordance with this DPA and Applicable data protection law.

3.3. Depending on the platform features used, the nature of processing may include:

  • collection;
  • recording;
  • organisation;
  • structuring;
  • storage;
  • adaptation;
  • retrieval;
  • consultation;
  • use;
  • disclosure by transmission;
  • dissemination or otherwise making available;
  • alignment or combination;
  • restriction;
  • erasure;
  • destruction;
  • other operations necessary to provide Evenda’s services.

3.4. The purposes of processing are determined by the Organizer and may include:

  • publishing and administering events;
  • selling tickets;
  • processing orders and registrations;
  • managing attendees;
  • sending service notifications, tickets, and QR codes;
  • processing forms, fields, and data configured by the Organizer;
  • supporting the Organizer’s operations within use of the platform.

3.5. Categories of Data Subjects, categories of Personal Data, and a description of processing are set out in Appendix 1 to this DPA.

4. Roles of the parties

4.1. The Organizer acts as Controller in respect of Personal Data that it uploads, collects, structures, or otherwise processes through the Evenda platform in connection with its events, orders, tickets, registrations, and communications with buyers and participants.

4.2. Evenda acts as Processor only to the extent that it processes such Personal Data on behalf of and under the documented instructions of the Organizer.

4.3. The Organizer confirms that it independently determines the purposes of processing and essential parameters of processing, including:

  • what data is collected;
  • in respect of which persons;
  • how long data is used for the Organizer’s purposes;
  • who is granted access to data within the Organizer’s account;
  • which forms, fields, notifications, and scenarios are used.

5. Controller instructions

5.1. Evenda processes Personal Data only on the basis of the Organizer’s documented instructions, unless Applicable data protection law requires otherwise.

5.2. This DPA, the Organizer Agreement, Organizer account settings, selected platform functionality, event configuration, forms, fields, access rights, and other Organizer actions in the Evenda interface are treated as documented instructions of the Controller.

5.3. The Organizer may issue reasonable additional written instructions where they:

  • relate to use of the service;
  • do not conflict with the Organizer Agreement, this DPA, or Applicable data protection law;
  • are technically feasible;
  • do not require disproportionate platform changes.

5.4. If Evenda considers that an Organizer instruction violates Applicable data protection law, Evenda may notify the Organizer and suspend execution of that instruction until clarifications or a lawful basis are provided.

6. Organizer obligations as Controller

The Organizer undertakes and warrants that:

6.1. it has a lawful basis for processing Personal Data and for instructing Evenda to process such data;

6.2. it provides appropriate information to Data Subjects where required by law;

6.3. it independently determines what Personal Data is collected through the platform and does not instruct Evenda to process data unlawfully;

6.4. it does not use the Evenda platform to process special categories of personal data, criminal offence data, or other sensitive data unless such processing is lawful, necessary, and properly regulated;

6.5. it is responsible for the lawfulness of its events, forms, fields, descriptions, notifications, communication scenarios, its team’s access rights, and other settings affecting Personal Data processing;

6.6. it is responsible for handling buyers’ and participants’ requests to the extent it acts as Controller.

7. Evenda obligations as Processor

Evenda undertakes to:

7.1. process Personal Data only in accordance with the Organizer’s documented instructions;

7.2. not use Personal Data for its own purposes incompatible with the Processor role;

7.3. ensure that persons authorised to process Personal Data are bound by confidentiality obligations or an appropriate statutory duty of confidentiality;

7.4. implement appropriate technical and organisational security measures in accordance with Section 10 of this DPA and Applicable data protection law;

7.5. comply with the Sub-processor engagement terms set out in Section 8;

7.6. assist the Organizer, as far as reasonably possible, in fulfilling its obligations to respond to Data Subject requests;

7.7. assist the Organizer, as far as reasonably possible, in fulfilling its obligations regarding security, breach notification, data protection impact assessment, and prior consultation with a supervisory authority where required by law;

7.8. at the end of processing, delete or return Personal Data as provided in this DPA, unless retention is required by law;

7.9. provide the Organizer with information necessary to demonstrate compliance with this DPA and cooperate with audits as provided in this DPA.

8. Sub-processors

8.1. The Organizer grants Evenda general written authorisation to engage Sub-processors to provide Evenda’s services.

8.2. Evenda will maintain an up-to-date list of Sub-processors and, on request, provide it to the Organizer or publish it in a place accessible to the Organizer on the website or in the account area.

8.3. Where Evenda intends to add a new Sub-processor or replace an existing one, Evenda will notify the Organizer in advance by reasonable means if the change is material for Personal Data processing.

8.4. The Organizer may raise a reasoned objection to a new Sub-processor within a reasonable time after notification if it has documented grounds to believe the change creates a material risk of breach of Applicable data protection law.

8.5. If the parties cannot reasonably resolve such objection, Evenda may discontinue the relevant part of processing or propose that the Organizer stop using the affected functionality.

8.6. Evenda will enter into a written agreement with each Sub-processor imposing data protection obligations not materially lower than those under this DPA, insofar as they apply to the services provided.

8.7. Evenda remains liable for the actions of its Sub-processors within the limits set by Applicable data protection law and the parties’ agreements.

9. International transfers

9.1. Evenda does not carry out international transfers of Personal Data outside the applicable jurisdiction without an appropriate legal basis where such a basis is required by Applicable data protection law.

9.2. If providing Evenda’s services or using Sub-processors requires international transfer of Personal Data, Evenda will apply an appropriate transfer mechanism, including where applicable:

  • an adequacy decision;
  • standard contractual clauses;
  • other lawful mechanisms permitted by Applicable data protection law.

9.3. On reasonable request from the Organizer, Evenda provides general information about transfer mechanisms used, where such transfers occur.

10. Security of processing

10.1. Taking into account the state of the art, implementation costs, nature, scope, context, and purposes of processing, and the risks to individuals’ rights and freedoms, Evenda implements appropriate technical and organisational security measures.

10.2. Such measures may include, where applicable:

  • access segregation;
  • authentication and account management;
  • role management within the platform;
  • logging of actions and events;
  • backups;
  • protection of data in transit;
  • protection of infrastructure and network environment;
  • incident detection and handling procedures;
  • internal access rules for staff and contractors;
  • testing, evaluation, and improvement of security measures;
  • measures to reduce the risk of unauthorised access, loss, alteration, or disclosure of data.

10.3. The Organizer acknowledges that no method of transmission or storage can guarantee absolute security.

10.4. The Organizer is also responsible for security on its side, including:

  • managing access for its team;
  • security of its own devices, browsers, mailboxes, and integrations;
  • lawfulness and security of payment methods and other third-party services it connects.

11. Data Subject requests

11.1. Given the nature of processing, Evenda provides the Organizer with reasonable assistance, as far as possible, in fulfilling its obligations to respond to Data Subject requests.

11.2. If Evenda receives a Data Subject request relating to processing for which the Organizer is Controller, Evenda may:

  • forward the request to the Organizer;
  • inform the Data Subject that the relevant Controller is the Organizer;
  • provide reasonable assistance to the Organizer in handling the request.

11.3. Unless required by law, Evenda is not obliged to substantively respond to such a request on the Organizer’s behalf without the Organizer’s instructions.

12. Assistance with legal compliance

12.1. Given the nature of processing and information available to Evenda, Evenda provides the Organizer with reasonable assistance in complying with obligations relating to:

  • security of processing;
  • notification of personal data breaches;
  • data protection impact assessment;
  • prior consultation with a supervisory authority where required.

12.2. If required assistance goes beyond standard functionality and ordinary Evenda support, the parties may separately agree timing, format, and reasonable remuneration for such assistance where permitted by law.

13. Personal data breach

13.1. Evenda notifies the Organizer without undue delay after becoming aware of a confirmed personal data breach affecting Personal Data that Evenda processes on behalf of the Organizer.

13.2. That notification shall, to the extent possible at the time it is sent, include:

  • a description of the nature of the incident;
  • known or likely categories of data affected;
  • known or likely categories of Data Subjects affected;
  • known or likely consequences;
  • measures already taken or proposed to address the incident and mitigate its effects.

13.3. Evenda may provide information in phases if the full detail is not available at the time of the first notification.

13.4. The Organizer independently determines whether notification to a supervisory authority or Data Subjects is required, unless otherwise provided by applicable law.

14. Audits and right to information

14.1. On reasonable written request from the Organizer, Evenda provides information necessary to demonstrate compliance with this DPA.

14.2. The Organizer may audit compliance with this DPA no more than once per calendar year, unless more frequent audit is required:

  • due to a personal data security breach;
  • by requirement of a competent authority;
  • where there are reasonable indications of a material breach of this DPA.

14.3. To the maximum extent possible, audits shall be conducted in a way that minimises burden on Evenda and security risks, for example:

  • written responses;
  • provision of documents;
  • provision of reports;
  • remote review;
  • review of certificates or descriptions of control measures, where applicable.

14.4. On-site audits are permitted only if:

  • other reasonable means are insufficient;
  • the Organizer has notified Evenda in advance;
  • the audit does not create disproportionate risks to security, confidentiality, and platform operations;
  • the auditor is bound by confidentiality obligations.

14.5. The Organizer bears its own audit costs unless the parties agree otherwise.

15. Return and deletion of data

15.1. On termination of the relevant processing or on reasonable request from the Organizer, Evenda shall, at the Organizer’s choice:

  • return Personal Data to the Organizer; or
  • delete Personal Data, unless Applicable data protection law requires otherwise.

15.2. If return in a reasonable format is technically impossible within standard platform functionality, Evenda may provide data in a commonly used format available in the service or delete it in accordance with standard procedures.

15.3. Evenda may retain Personal Data after processing ends to the extent required:

  • by law;
  • for backups within a limited retention cycle;
  • to establish, exercise, or defend legal claims;
  • for security, logging, and evidentiary purposes;
  • subject to appropriate access restrictions and confidentiality.

16. Confidentiality

16.1. Evenda ensures that persons authorised to process Personal Data are properly instructed and bound by confidentiality obligations.

16.2. Evenda does not disclose Personal Data to third parties except where:

  • necessary to provide Evenda’s services in accordance with this DPA;
  • disclosure is required by Applicable data protection law;
  • disclosure is necessary to protect the rights of Evenda, the Organizer, Data Subjects, or others within the limits of the law.

17. Demonstration of compliance

17.1. Evenda maintains measures, policies, and processes reasonably necessary to comply with its obligations as Processor.

17.2. On reasonable request from the Organizer, Evenda provides information available to it sufficient to confirm that it fulfils its Processor obligations under this DPA.

18. Liability

18.1. Unless expressly provided otherwise in this DPA, liability of the parties is governed by the Organizer Agreement.

18.2. Nothing in this DPA excludes or limits either party’s liability that cannot be excluded or limited under Applicable data protection law.

19. Priority

19.1. In case of conflict between this DPA and the Organizer Agreement, the provisions of this DPA prevail with respect to Evenda’s processing of Personal Data on behalf of the Organizer.

19.2. In case of conflict between this DPA and a separate written data protection agreement signed by the parties, that separate agreement prevails for matters expressly covered by it.

20. Changes to the DPA

20.1. Evenda may amend this DPA from time to time where necessary to:

  • align the document with changes in legislation;
  • reflect changes in the service, infrastructure, or Sub-processors;
  • clarify processes and data protection measures.

20.2. The current version of the DPA is published on the website. If changes are material, Evenda will endeavour to notify the Organizer by reasonable means, for example via the website, email, or account area.

20.3. Continued use of Evenda after a new version takes effect constitutes acceptance of the updated DPA, unless prohibited by Applicable data protection law.

21. Governing law and disputes

21.1. This DPA is governed by and construed in accordance with the laws of the Republic of Serbia, unless Applicable data protection law requires otherwise.

21.2. Any dispute, disagreement, or claim arising out of or in connection with this DPA shall be subject to the competent courts in Belgrade, Republic of Serbia, unless mandatory provisions of applicable law provide otherwise.

22. Contact

If you have questions about this DPA, you can contact us:

ZURKA CE BITI DOO
PIB: 114432064
MB: 22023195
Beograd, Kraljice Natalije 11, Serbia
[email protected]

Appendix 1. Description of processing

1. Subject matter of processing

Processing of Personal Data by Evenda on behalf of the Organizer in connection with use of the Evenda platform to publish events, manage orders, tickets, registrations, attendees, and communications related to the Organizer’s events.

2. Duration of processing

For the period during which the Organizer uses the relevant Evenda platform features and thereafter for the period necessary for return, deletion, backup retention, legal compliance, and protection of Evenda’s or the Organizer’s rights, to the extent permitted by Applicable data protection law.

3. Nature of processing

Collecting, recording, storing, organizing, structuring, viewing, using, transmitting, providing access, deleting, destroying and other actions necessary to provide Evenda services.

4. Purposes of processing

  • creation and publication of events;
  • ticket sales and order processing;
  • registration of participants;
  • generating and sending tickets, confirmations and QR codes;
  • manage orders, participant lists and related communications;
  • providing platform functionality according to the Organizer’s instructions.

5. Categories of Data Subjects

Depending on the platform configuration and the Organizer’s actions:

  • ticket buyers;
  • event participants;
  • persons completing registration or order forms;
  • ticket recipients;
  • contact persons added by the Organizer as part of the event;
  • other persons whose data the Organizer uploads or collects through the platform in connection with its events.

6. Categories of Personal Data

Depending on the Organizer settings and the functions used:

  • first and last name;
  • email;
  • phone number;
  • order details;
  • ticket details;
  • information about the event, date, session, category, place;
  • additional fields created by the Organizer;
  • history of order and ticket statuses;
  • data required to send service notifications;
  • other Personal Data that the Organizer independently decides to collect through the platform.

7. Special categories of data

Unless otherwise expressly agreed by the parties in writing, Evenda does not undertake to process special categories of personal data on behalf of the Organizer. The Organizer must not use the platform for such processing without a lawful basis and sufficient protective measures.

8. Processing operations

Providing hosting, interfaces, storage, administration, search, structuring, export, sending service notifications and other operations necessary for the functioning of the Evenda platform in accordance with the Organizer’s instructions.