Data Processing Addendum

Last Updated: March 15, 2026

This Data Processing Addendum ("Addendum") forms part of the PaySeats Terms and Conditions (the "Main Agreement") between:

  1. PaySeats Europe SL ("PaySeats" or "Data Processor"), a company incorporated in Spain.
  2. The Organizer ("Client" or "Data Controller"), as defined in the Main Agreement.

This Addendum applies to the extent that PaySeats processes Personal Data on behalf of the Client in the course of providing the Service, and to the extent that the General Data Protection Regulation (EU) 2016/679 ("GDPR") or other applicable data protection laws govern such processing.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Main Agreement.

  • "Data Protection Laws" means all applicable data protection and privacy laws and regulations, including the GDPR.
  • "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" have the meanings given to them in the GDPR.
  • "Sub-processor" means any third party engaged by PaySeats to process Personal Data on behalf of the Client.

2. Processing of Personal Data

2.1. Roles and Responsibilities

The parties acknowledge and agree that with regard to the Processing of Personal Data, the Client is the Data Controller and PaySeats is the Data Processor.

2.2. Controller's Instructions

PaySeats shall only process Personal Data on behalf of and in accordance with the Client's documented, lawful instructions. The provision of the Service in accordance with the Main Agreement is considered a documented instruction.

2.3. Details of Processing

The details of the Processing of Personal Data are specified in Annex 1 of this Addendum.

3. Confidentiality and Security

3.1. Confidentiality

PaySeats shall ensure that all personnel authorized to process Personal Data are subject to strict confidentiality obligations.

3.2. Security Measures

PaySeats shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Such measures are described in Annex 2.

4. Sub-processors

4.1. General Authorization

The Client grants PaySeats a general authorization to engage Sub-processors to provide the Service.

4.2. List and Notification

PaySeats shall maintain an up-to-date list of its Sub-processors, as detailed in Annex 3. PaySeats shall notify the Client of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Client the opportunity to object to such changes.

4.3. Liability

PaySeats shall impose on its Sub-processors data protection obligations equivalent to those set out in this Addendum. PaySeats remains fully liable to the Client for the acts and omissions of its Sub-processors.

5. Data Subject Rights

PaySeats shall, to the extent legally permitted, promptly notify the Client of any requests from a Data Subject to exercise their rights (such as rights of access, rectification, erasure, etc.). PaySeats shall provide the Client with reasonable cooperation and assistance in relation to handling a Data Subject's request.

6. Personal Data Breach Notification

PaySeats shall notify the Client without undue delay after becoming aware of a Personal Data Breach. PaySeats shall provide the Client with necessary information to allow the Client to meet its obligations to notify supervisory authorities and Data Subjects.

7. Data Protection Impact Assessments (DPIAs)

PaySeats shall provide reasonable assistance to the Client with any Data Protection Impact Assessments and prior consultations with supervisory authorities, as required under Data Protection Laws.

8. Deletion or Return of Data

Upon termination of the Main Agreement, PaySeats shall, at the Client's choice, delete or return all Personal Data to the Client, and delete existing copies unless Union or Member State law requires storage of the data.

9. Audits

PaySeats shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client, subject to reasonable advance notice and confidentiality obligations.

10. General Provisions

10.1. Precedence

In the event of a conflict between this Addendum and the Main Agreement, the provisions of this Addendum shall prevail with regard to data protection matters.

10.2. Governing Law

This Addendum shall be governed by the laws of Spain.

Annex 1: Details of Processing

A. Subject Matter and Duration of Processing

Subject Matter: PaySeats processes Personal Data to provide the platform and related services to the Client, as described in the Main Agreement.

Duration: Processing lasts for the term of the Main Agreement and any legally required retention.

B. Nature and Purpose of Processing

  • Providing the Client with tools to publish and manage events, classes, bookings, memberships, customer-facing pages, domain or redirect settings, hosted mailboxes, and onsite terminal operations.
  • Processing orders, registrations, guest checkouts, subscriptions, ticket or reservation artifacts, and box-office or in-person sales workflows on behalf of the Client.
  • Managing attendee, customer, CRM-profile, transaction, terminal-device, and operator-session records related to the Client's services, including segments, follow-up tasks, customer conversations, campaign workflows, communication preferences, suppression controls, and privacy request queues.
  • Managing domain registration contacts, DNS or redirect records, SSL lifecycle data, hosted mailbox provisioning, mailbox status or quota settings, catch-all routing, and related provider-reference records requested by the Client.
  • Facilitating transactional communications, support workflows, organizer-initiated customer messages, consent or suppression changes, privacy-rights workflows, and terminal device recovery or operator-authentication workflows.
  • Preventing fraud, securing the Service, and troubleshooting operational issues.

C. Types of Personal Data Processed

Client and customer data may include names, email addresses, phone numbers or billing details if provided, domain registration contact records (including registrant, admin, or technical contact details), DNS, redirect, or SSL lifecycle configuration, hosted mailbox addresses, local-part identifiers, mailbox status, quota or catch-all settings, mailbox credential inputs submitted by the Client for provisioning or password updates, ticket, booking, subscription, payment-status, attendance, ticket-scan and check-in records, terminal device metadata (such as device name, platform, model, app/OS version, status, scopes, approval and last-seen data), operator identifiers and session records, support messages and attachments, CRM notes, tags, segment memberships, follow-up tasks, campaign send or performance records linked to a customer, communication preference or suppression ledger entries, customer privacy request records, and any custom fields or notes configured by the Client. Card and bank account details are processed by the Payment Partner rather than stored by PaySeats, except for limited status or reference data needed to operate the Service.

D. Categories of Data Subjects

Organizers and their authorized staff, including terminal operators or other onsite personnel; attendees, students, members, buyers, guests, and other individuals whose data the Client submits to the Service; and people who contact the Client or PaySeats through Service workflows.

Annex 2: Technical and Organizational Security Measures

PaySeats implements, at a minimum, the following security measures:

  • Access Control: Strong password policies, role-based access controls, additional authentication controls for privileged access where applicable, and principles of least privilege.
  • Encryption: Encryption of data in transit (TLS/SSL) and use of encrypted storage or provider-managed protections for stored data where supported.
  • System Resilience: Infrastructure hosted on top-tier cloud providers with high availability, redundancy, and disaster recovery plans.
  • Network Security: Managed network protections, logging, and restricted administrative access to help protect the infrastructure.
  • Incident Management: An incident response plan to detect, manage, and report Personal Data Breaches promptly and effectively.
  • Personnel Training: Regular security and data protection training for all personnel with access to Personal Data.
  • Secure Development: Secure Software Development Lifecycle (SDLC) practices to minimize application vulnerabilities.

Annex 3: List of Sub-processors

The Client authorizes PaySeats to use the types of Sub-processors listed below to provide the Service. A specific, up-to-date list of all Sub-processors is maintained at payseats.com/subprocessors.

Service Category | Purpose | Primary Location
Cloud Infrastructure | Hosting of the platform and databases | EU / USA (based on data localization)
Payment Processing | Secure handling of card transactions and payouts | Global
Email Delivery (Transactional) | Sending transactional emails (tickets, confirmations, operational notices) | USA / EU
Domain Registration & Hosted Email | Domain registration, DNS or email routing, and hosted mailbox provisioning or management | Canada / USA
Email Delivery (Marketing) | Opt-in marketing and launch communications via API | UK / EU / USA (depends on account)