Data Processing Agreement
Updated 2026-07-05
This Data Processing Agreement (DPA) applies when an organization uses SHOWUPAT to coordinate activities and SHOWUPAT processes personal data on the organization's behalf as a processor under GDPR Article 28.
Roles
The organization (Customer) is the data controller for participant and staff personal data collected through its activities.
SHOWUPAT acts as data processor, processing data only on documented instructions from the Customer and for the coordination services described in the Terms of Service.
Subject matter & duration
Processing covers phone numbers, names, activity participation, attendance facts, and optional profile fields submitted by participants to activities organized by the Customer.
Processing lasts for the term of the Customer's use of SHOWUPAT and as required for attendance records, unless earlier deletion is requested.
Sub-processors
SHOWUPAT uses managed cloud infrastructure (hosting, database, SMS delivery) under written agreements requiring equivalent data protection.
Customers may request the current sub-processor list via privacy@showupat.com.
Security measures
HTTPS transport, access controls, OTP authentication, rotating QR codes, and audit logging for check-in actions.
See the Security page for vulnerability reporting.
Data subject rights
SHOWUPAT assists the Customer in responding to data subject requests (access, rectification, erasure, portability) when technically feasible.
Participants may also contact privacy@showupat.com directly; SHOWUPAT will notify the relevant organizer when appropriate.
Personal data breach
SHOWUPAT notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer data, with information required under GDPR Article 33.
DPA requests
For a signed DPA or enterprise data protection questions: privacy@showupat.com.