Appendix C - Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into by and between Swapcard Corporation SAS (hereinafter, for the purpose of this DPA, “Swapcard”) and Organizer and forms part of the Agreement. This DPA is effective starting from the Effective Date and prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
I. Definitions
Capitalized terms in this DPA that are not defined herein shall have the meaning given to them in Appendix A of the Agreement or other parts of the Agreement.
- Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Data Processor: the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
- Data Sub-processor: the natural or legal person hired by the Data Processor to Process Personal Data.
- Event Data: any Members’ Personal Data that is Processed in relation to an Event Profile and/or a specific Event and/or Community organized on Organizer Area, to the exclusion of Member Account Data.
- Event Profile: online profile created by Organizer, accessible from Member Account and specific to an Event and/or Community organized on the Organizer Area.
- Governmental Authority: any governmental entity with the power to exercise any regulatory, enforcement, investigative, or other supervisory authority over the Processing of Personal Data under Data Protection Law.
- International Data Transfer: any transfer of Event Data from the European Economic Area (EEA) and Switzerland to an international organization or to a country outside of the EEA and Switzerland.
- Member Account: online master profile created by Swapcard and accessible through the Event/Community Application enabling Member i) to access one or several Organizer Area(s) on the Platform and attend the Events and Communities organized in such Organizer Area(s) and ii) to use a private messaging system to communicate with other Members.
- Member Account Data: Member’s Personal Data that is Processed in relation to their Member Account.
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- Process/Processed/Processing: any action, active or passive, taken in connection with Personal Data.
II. Roles of the Parties
Swapcard and Organizer agree to always abide by Data Protection Law in connection with the Agreement. The Parties further agree that their respective Affiliates are bound by the terms of this DPA and that each Party will be fully responsible for their respective Affiliate’s failure to comply with the terms of this DPA.
1. Roles of Swapcard
The Parties acknowledge and agree that Swapcard holds two distinct roles while Processing Personal Data in connection with the Agreement depending on the Processing and purposes involved:
- When Processing Event Data, Swapcard is acting as a Data Processor on behalf of Organizer as described in section III.
- When Processing Member Account Data, Swapcard is acting as a distinct Data Controller as described in section IV.
2. Role of the Organizer
In connection with the Agreement, the Parties acknowledge and agree that Organizer is acting as a Data Controller and Swapcard as a Data Processor for the Processing of Event Data as further described in EXHIBIT 1.
In the event that Organizer is a Data Processor on behalf of other Data Controller(s), Swapcard shall act as a Data Sub-processor. When acting as a Data Processor on behalf of other Data Controller(s), Organizer shall act as the single point of contact for Swapcard, must obtain all necessary authorizations from such other Data Controller(s), undertakes to promptly issue all instructions and exercise all rights on behalf of such other Data Controller(s), and is responsible for compliance with the requirements of Data Protection Law applicable to Data Processors.
III. Obligations of Swapcard when acting as Data Processor
1. Instructions
Swapcard shall process Event Data in accordance with Organizer’s documented instructions which are reflected in the Agreement, including this DPA and any Subscription Form, and through the use of the Platform by Organizer.
Swapcard shall not be authorized to process Event Data for any purpose other than the purposes specified in EXHIBIT 1 of this DPA unless otherwise agreed by the Parties or required by Data Protection Law. Swapcard will inform Organizer in the event Swapcard is legally required to Process Event Data outside of Organizer’s documented instructions, unless such notification is forbidden under Data Protection Law.
The Parties agree that Organizer may reasonably issue additional instructions if required to do so to comply with Data Protection Law and that Swapcard will be authorized to charge a reasonable fee to comply with any additional instructions.
Swapcard shall notify Organizer of any instruction which, in Swapcard’s opinion, infringes Applicable Law and/or Data Protection Law, it being specified that in such a case, Swapcard is allowed to refuse to comply with such instructions without compensation or indemnity to Organizer.
2. Assistance
2.1 Impact assessment and regulatory consultation
Given the nature and purpose of Personal Data Processing and the information available to Swapcard, Swapcard agrees to provide reasonable assistance to Organizer to conduct any data protection impact assessment or regulatory consultation that Organizer is required to make under Data Protection Law.
Swapcard may charge a reasonable fee for assistance under the present section. If Swapcard is at fault in relation to Organizer’s request for assistance, Swapcard and Organizer shall each bear their own costs related to assistance.
2.2 Member’s data rights requests
Organizer grants authority to Swapcard to i) directly answer Members’ requests under Data Protection Law relating to the Processing of their Event Data through the Platform and ii) decide the appropriate measures to implement in order to comply with Members’ requests. Swapcard shall reasonably inform Organizer about such Members’ requests, the response provided by Swapcard to Members and the measures implemented to comply with such requests.
Organizer shall be solely responsible for complying with Members’ requests relating to their Personal Data Processed outside of the Platform or through Third-Party Products.
3. Authorized Personnel and confidentiality
Swapcard shall limit access to Event Data to its Personnel only and ensure that such Personnel are subject to the same obligation of confidentiality as included in the Agreement.
Swapcard shall not disclose Event Data to any third parties except where consistent with the performance of the Agreement and in response to law enforcement enquiries or as otherwise authorized by Data Protection Law. In no event shall Swapcard sell, rent, make available or transfer by any means Event Data for monetary or other valuable consideration unless otherwise authorized by Organizer in writing.
4. Sub-processing
Organizer authorizes Swapcard to engage Data Sub-processors to Process Event Data, provided that Swapcard enters into written agreements with such Data Sub-processors that impose obligations that are at least as protective as those binding upon Swapcard under this DPA.
The list of Data Sub-processors engaged by Swapcard is indicated in EXHIBIT 2 TO DPA: LIST OF SUB-PROCESSORS, which is available on Swapcard’s website. Swapcard shall update this EXHIBIT 2 no less than 30 days after engaging a new Data Sub-processor. Organizer understands and agrees that:
- EXHIBIT 2 update will be performed on Swapcard’s website;
- Swapcard’s website update of EXHIBIT 2 constitutes Swapcard’s sole and due notification to Organizer of the engagement of any new Data Sub-processor; and
- Organizer shall be responsible for implementing technical measures to be informed about any update of the webpage hosting EXHIBIT 2.
Within fifteen (15) days of any addition to the list of Data Sub-processors indicated in EXHIBIT 2, Organizer may object to the addition of a new Data Sub-processor based on reasonable grounds relating to a violation of Data Protection Law by providing a written notice to legal@swapcard.com detailing the grounds of such objection. Swapcard and Organizer agree to work in good faith to address Organizer’s objection. Swapcard may choose to: (i) not pursue its relationship with the new Data Sub-processor or (ii) take the corrective steps requested by Organizer in its objection in order to use the new Data Sub-processor. If none of these options are reasonably possible and Organizer continues to object based on reasonable grounds, Organizer may terminate the Agreement and this DPA within thirty (30) days, without Organizer being able to claim any compensation, refund or reimbursement of any kind as a consequence of termination.
5. International Data Transfer
For the purpose of this DPA, any transfer of Event Data from the United Kingdom (UK) to an international organization or to a country outside of the UK shall be deemed an International Data Transfer.
Organizer authorizes Swapcard to perform International Data Transfers to any country or recipient that has been recognized by the EU Commission as offering an adequate level of protection of Personal Data.
To the extent that the provision of the Swapcard Solutions involves International Data Transfers to any country or recipient that has not been recognized by the EU Commission as offering an adequate level of protection of Personal Data, Swapcard agrees to implement safeguards recognized by Data Protection Law before proceeding to such International Data Transfers including, but not limited to, signing standard contractual clauses with the Personal Data recipient, as set out by the EU Commission Implementing Decision 2021/914 of 4 June 2021 (“SCCs”). In the event of an International Data Transfer, the SCCs shall be incorporated by reference and form an integral part of this DPA with Organizer acting as exporter and Swapcard as importer. For the purposes of the SCCs: (i) only module 2 shall apply and modules 1, 3 and 4 shall be deemed deleted entirely; (ii) clause 7 “docking clause” shall be maintained in the SCCs; (iii) in clause 9, option 2 shall apply; (iv) in clause 11, the optional language shall be deleted; (v) in clause 17, option 1 shall apply and the SCCs shall be governed by French Law; (vi) in clause 18, disputes shall be settled by the competent courts of France; (vii) the appendices of the SCCs shall be populated with the information provided herein under Exhibits 1 to 3 of this DPA; (viii) in the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
If Swapcard’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Swapcard’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, Organizer and Swapcard will work together in good faith to reasonably resolve such non-compliance.
6. Personal Data Breach
Swapcard shall notify Organizer in writing about any actual Personal Data Breach involving Event Data without undue delay and in any case no less than seventy-two (72) hours after Swapcard becomes aware of the Personal Data Breach.
Such notification shall contain information allowing Organizer to comply with its notification obligation with the Governmental Authority and/or any other competent authorities, in accordance with the provisions of Data Protection Law.
7. Audit
Organizer acknowledges that Swapcard is regularly audited against the ISO 27001 and SOC 2 Type II standards by independent third-party auditors. Upon written request, Swapcard shall supply a summary copy of its audit report(s) to Organizer, which reports shall be subject to the confidentiality provisions of the Agreement.
Swapcard shall also respond to any written audit questions submitted by Organizer, provided that Organizer shall not exercise this right more than once per year during the Term of this DPA.
In the event Organizer has reasonable grounds to further audit Swapcard, it shall provide Swapcard with an audit request and contemplated agenda thirty (30) days prior to the intended start of the audit. The audit shall be: (i) at Organizer’s exclusive expense; (ii) no more than eight (8) consecutive hours a year; (iii) during normal business hours and in a manner that causes minimal disruption to Swapcard’s and Swapcard Affiliates’ business; (iv) conducted by an independent auditor jointly selected by Organizer and Swapcard; (v) subject to the independent auditor being bound by confidentiality undertakings and not being a competitor of Swapcard; (vi) limited to what is strictly necessary and excluding Swapcard’s business secrets, strategic information or information that Swapcard has undertaken to keep confidential. Swapcard may oppose any measure of control that would be likely to give the independent auditor access to such information without Organizer being able to make any claim in this respect.
A copy of the audit report prepared by the auditor shall be provided to each Party and shall be jointly examined by the Parties who undertake to meet for this purpose.
8. Data retention
Swapcard will retain Event Data throughout the Term of the Agreement, including any renewal Term. Organizer understands and agrees that its access to the Platform enables Organizer to delete or mask Event Data and that Organizer is responsible for implementing any deletion of Event Data it deems appropriate. In the event Organizer is unable to delete Event Data through the Platform, Swapcard will, upon Organizer’s reasonable written request, delete the Event Data within ninety (90) days of receiving such request from Organizer unless prevented from doing so by Applicable Law.
Upon termination of the Agreement for any reason, Swapcard will retain Event Data on the Swapcard Platform unless Organizer requests the deletion of such Event Data. Swapcard will provide a copy of such Event Data to Organizer via CSV file and/or an API and will delete Event Data from the Swapcard Platform within ninety (90) days of Organizer’s request.
Notwithstanding the foregoing, Swapcard is authorized to retain an archived copy of the Event Data for backup and evidence purposes and as strictly authorized by Data Protection Law. Swapcard shall apply the same safeguards to such archived copy as it does to the Personal Data it processes and retain such backup copy in accordance with Data Protection Law.
IV. Obligations of Swapcard when acting as a Data Controller
Swapcard shall Process Member Account Data as a Data Controller in compliance with Data Protection Law. The Parties acknowledge and agree that Organizer is not a joint Controller regarding the Processing of Member Account Data.
Swapcard will process Member Account Data for its own purposes as follows:
- Management of Member Account including creation, hosting, maintenance, update and deletion.
- Provision of a private messaging system to Members.
- Management of a matchmaking system including development, maintenance, improvement, correction.
- Provision of support to Members in connection with their Member Account or the messaging system.
- Technical maintenance and improvement of the Platform.
- Communication and marketing of the Platform’s capabilities and features to Members.
- Management of Platform’s performance, including but not limited to technical and/or commercial performances, usage, adoption, feedback, metrics and analytics.
- Maintenance of the Platform security and integrity.
Organizer understands and agrees that Swapcard can communicate directly with Members in relation to the Processing where Swapcard is acting as a Data Controller and can directly promote Swapcard’s products to Members.
When acting as a Data Controller, Swapcard will transfer Personal Data only to its Personnel and Data Sub-processors as necessary for the purposes described in the present section. Swapcard will ensure that the level of security and contractual protection applied to such recipient is as protective as those applied to the Data Sub-processors listed in EXHIBIT 2 TO DPA: LIST OF SUB-PROCESSORS.
Organizer understands and agrees that Swapcard will retain Member Account Data in accordance with its Privacy Policy and no longer than three (3) years following the Member’s last activity on the Platform. Swapcard will not delete Member Account Data at Organizer’s request.
For the avoidance of doubt, Swapcard undertakes to Organizer that:
- Swapcard will minimize the Member Account Data to only what is strictly necessary to fulfill the purposes listed in the present section.
- Swapcard will not sell or otherwise share Member Account Data with i) any other Organizer using the Platform nor ii) any third party except the Data Sub-processors necessary to implement the purposes listed in the present section.
- Swapcard will logically segregate each Organizer Area from one another on the Platform as follows:
  - Members will only have access via their Member Account to the Organizer Areas they are invited to by the Organizer who controls such Organizer Area.
  - Swapcard will not make accessible to Members via their Member Account any Organizer Area they are not invited to by the Organizer who controls such Organizer Area.
  - Swapcard will not display on the Platform any Organizer’s content or Event Data outside of the Organizer Area they belong to.
V. Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Swapcard will implement all appropriate organizational and technical security measures in order to protect Personal Data against unauthorized or unlawful Processing or disclosure and against accidental loss, destruction or damage, including without limitation the measures related to Event Data specified in EXHIBIT 3 TO DPA: SECURITY MEASURES.
Organizer acknowledges that Swapcard may update and modify its security measures from time to time provided that such updates or modifications of security measures do not result in a degradation of the level of data security provided by Swapcard on the Effective Date. Any change to EXHIBIT 3 TO DPA: SECURITY MEASURES by Swapcard shall be published on Swapcard’s website, which shall constitute Organizer’s notification and be deemed as sufficient information.
VI. Liability
This DPA is subject to the exclusions and limitations of liability included in the Agreement.
In case Swapcard has paid damages or fines in relation to this DPA, Swapcard shall be entitled to claim back from Organizer the part of the damages or fines corresponding to Organizer’s responsibility.
VII. Term and termination
This DPA is effective starting the Effective Date and remains effective until the termination of the Agreement.
If following termination of the Agreement, Organizer retains Event Data inside the Platform, Swapcard agrees to Process such data in accordance with Data Protection Law.
VIII. Applicable law and jurisdiction
Notwithstanding anything contrary in the Agreement, this DPA is governed by the laws of France. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the courts of Paris, France.
IX. Notification
Organizer shall send all notifications and requests under this DPA to Swapcard’s Data Protection Officer via email to legal@swapcard.com. Swapcard shall send all notifications under this DPA to Organizer’s contact as indicated in the Subscription Form.
EXHIBIT 1 TO DPA: DESCRIPTION OF PROCESSING
Categories of Data Subjects
The Event Data Processed may concern, but is not limited to, the following categories of data subjects:
- Attendees or potential Attendees to Organizer’s Events.
- Personnel of Exhibitors or potential Exhibitors to Organizer’s Events, or Exhibitors in their individual capacity.
- Personnel of sponsors or sponsors in their individual capacity.
- Speakers to Organizer’s Events.
- Personnel of Organizer.
Categories of Personal Data
The Event Data may include, but is not limited to, the following categories of personal data:
- Identification information: first name, last name, IP address, device identifiers or similar identifiers specific to the Platform, code, badge, order number, group.
- Contact information: email address, telephone number, postal address, time zone, fax.
- Professional information: job title, employer’s name, profession, sector; Personal Data as populated in the custom fields created on Organizer’s instruction by Swapcard.
- Audio-visual information: photo, video and/or voice recording.
- Browsing information: credentials, cookies, trackers, logs, device and browser information.
- Platform usage data: views, attendance, bookmarks, interactions.
Processing operations
The Event Data processed may concern, but is not limited to, the following processing operations:
- Event Profile management: pre-creation, creation, activation, hosting, modification, customization, access permission, archiving and deletion of Members’ Event Profiles;
- Event management: Event or Community creation, modification and deletion;
- Features management (depending on selected options):
  - Registration: codes or badges generation, scanning, printing, stats management.
  - Integrations and imports: integration of Organizer’s third-party tool or extension, automatic imports management.
  - Event management: settings, attendance tracking, reactions management.
  - Public discussions (live or forum): settings, rules management.
  - Meetings: settings, calendar, notifications management.
  - Polls: settings and results management.
  - Emailing: campaign, transactional emailing.
  - Lead generation: QR codes generation, scanning.
  - Contacts management: qualification, grouping.
  - Notifications: requests and activities management.
  - Communications: chat and calls with Exhibitors (excluding private chats).
  - Scoring: sessions evaluation, top performance management.
- Support management:
  - Customer success call and email assistance;
  - Online or onsite support depending on subscribed services.
- AI services:
  - Swapcard recommender system: personalized recommendations to Attendees;
  - Smart meeting generator: meeting suggestions to Attendees.
- ROI management:
  - Event analytics and metrics: monitoring and analysis of activity, performance, usage, engagement, networking and sessions;
  - General metrics on attendance, session registration and feedback, video streaming and session views, Exhibitors, items, ads, usage and interactions.
Special categories of data
The Event Data Processed is not intended to contain special categories of data.
Duration of processing
Swapcard will process Event Data for the duration of the Agreement in accordance with section III 8.
EXHIBIT 2 TO DPA: LIST OF SUB-PROCESSORS
The following list of Sub-processors is optional and subject to Organizer’s subscription of additional integrated services from Swapcard’s partners:
EXHIBIT 3 TO DPA: SECURITY MEASURES
Training and awareness
- Swapcard Personnel must complete mandatory annual online training on privacy and on cybersecurity.
- Swapcard implements binding policies relating to security and data.
Physical access control
For the physical security of its servers, Swapcard relies on AWS’ security measures.
Access control
- Swapcard implements user identification and authentication procedures;
- Measures include: MFA and SSO, password and credentials policy, automated locking after several failed attempts, inactivity lockout timing, intrusion detection.
Access rights
- Swapcard implements an Information System Administrator Charter governing the rights, roles and liabilities of administrators;
- Swapcard distinguishes between administrative and user accounts and implements different permission settings depending on each individual’s role, in order to comply with the least privilege principle and with differentiated access rights (by profiles, roles, transactions and objects);
- Swapcard monitors and logs accesses.
Incident management
Swapcard implements a Security Incident Management policy.
Log management
- Swapcard maintains system logs based on residual risk and commensurate with industry expected operating practices (operating system event logs, administrative access logs, user access logs and security event logs);
- Logs are sent to a central SIEM for correlation and alerting and are stored for one year.
Risk management
Swapcard implements a documented risk assessment and management policy and process to identify, rate and treat all identified risks.
Laptops and mobile devices management
Swapcard implements a mobile device management policy ensuring enrollment of devices, verification for security requirements implementation, control of company data on mobile devices and acceptable use guidelines.
Network security
Swapcard implements appropriate network measures to monitor, detect, and prevent malicious network activity and restrict access to authorized users and services.
Business continuity
- Swapcard implements BCP and DRP policies;
- Data back-ups are in a distinct location.
Availability control
Swapcard implements an AWS high-availability architecture spread over multiple availability zones, with load balancers, a CDN and autoscaling to automatically manage load changes and optimise performance.
Secure archiving
Swapcard implements a Data Management policy defining data deletion and secure retention rules and processes.
Data minimization
Swapcard collects and processes data as necessary to provide its products and services in accordance with applicable privacy policies, data processing agreements and written instructions, if any.
Encryption
- Swapcard encrypts data at rest (AES-256) and in transit (TLS 1.2 minimum);
- Passwords are hashed.
Secure development
- Swapcard has a software development lifecycle (“SDLC”) policy that governs the acquisition, development, implementation, configuration, maintenance, modification and management of Swapcard’s infrastructure and software components.
- Swapcard has defined secure coding guidelines and developers are trained on a continuous basis.
Change management
- Swapcard follows a change management policy where changes will undergo review and testing prior to approval for implementation.
- Swapcard maintains separate environments for development, testing, and production.
Threat and vulnerability management
Swapcard has a threat and vulnerability management program that includes ongoing monitoring for vulnerabilities (whether acknowledged by Swapcard, reported by researchers, identified during external audits, discovered internally through vulnerability scans, or identified by Swapcard’s personnel), together with documentation, risk ranking and remediation plans.
Subprocessors management
- Swapcard implements a third-party risk management process for suppliers, including any subprocessor;
- Swapcard’s contracts with subprocessors that have access to personal data contain technical and organizational measures substantially as protective as those outlined herein.