Data Processing Agreement
Effective date: 1 May 2026 · Last updated: 14 May 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use between Verdavu ("Processor") and each venue operator who uses the Verdavu platform ("Controller"). By using Verdavu, you agree to this DPA.
1. Definitions
The venue operator who determines the purposes and means of processing personal data using the Verdavu platform.
Verdavu, which processes personal data on behalf of the Controller in accordance with this DPA.
Any information relating to an identified or identifiable natural person, including names, email addresses, phone numbers, and any other data entered into the Verdavu platform that relates to your clients, guests, or staff.
Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
The individual whose Personal Data is being processed — typically your clients, event guests, or staff members.
A third-party service provider engaged by Verdavu to assist in processing Personal Data on the Controller's behalf.
2. Scope and Purpose
This DPA applies to all Personal Data processed by Verdavu on behalf of the Controller in connection with the provision of the Verdavu venue management platform.
Verdavu processes Personal Data solely for the purpose of providing the platform's services as described in the Terms of Use, and only in accordance with the Controller's documented instructions. Verdavu will not process Personal Data for any other purpose, including for Verdavu's own commercial benefit.
3. Details of Processing
| Element | Detail |
|---|---|
| Subject matter | Venue management operations including bookings, client communications, event logistics, and payments |
| Duration | For as long as the Controller uses the platform, plus 90 days following account closure |
| Nature of processing | Storage, retrieval, display, transmission, and deletion of Personal Data as directed by the Controller |
| Purpose | To provide venue management, booking, communication, and operational features to the Controller |
| Types of Personal Data | Names, email addresses, phone numbers, event details, payment reference data, and any other personal information entered by the Controller into the platform |
| Categories of Data Subjects | The Controller's clients, event guests, and staff members |
4. Verdavu's Obligations as Processor
Verdavu agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required by law to do otherwise
- Ensure that all personnel with access to Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorised access
- Assist the Controller in responding to Data Subject requests exercising their rights under applicable data protection law, to the extent technically feasible
- Notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any Personal Data breach affecting the Controller's data
- Provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA
- Delete or return all Personal Data to the Controller upon termination of the platform relationship, and delete existing copies unless retention is required by law
- Not sell, disclose, or use Personal Data for Verdavu's own commercial purposes
5. The Controller's Obligations
The Controller agrees to:
- Ensure there is a valid legal basis for processing Personal Data entered into Verdavu
- Maintain an accurate and up-to-date privacy notice informing Data Subjects of how their data is processed, including use of the Verdavu platform
- Ensure that Personal Data entered into Verdavu is accurate and limited to what is necessary for the stated purpose
- Handle all Data Subject requests (access, erasure, rectification) and notify Verdavu of any requests that require Verdavu's assistance
- Not instruct Verdavu to process Personal Data in a manner that would violate applicable data protection law
6. Sub-processors
The Controller authorises Verdavu to engage Sub-processors to assist in providing the platform's services. Verdavu uses Sub-processors for purposes including cloud infrastructure hosting, email delivery, payment processing, and AI-assisted features.
Verdavu will ensure that all Sub-processors are bound by data protection obligations that are no less protective than those in this DPA. Verdavu remains fully liable to the Controller for the acts and omissions of its Sub-processors.
Verdavu will notify the Controller of any intended changes to Sub-processors that may affect the processing of Personal Data, providing reasonable notice before any change takes effect. The Controller may object to a new Sub-processor on reasonable grounds related to data protection within 14 days of notification.
7. Security Measures
Verdavu implements the following technical and organisational security measures:
- Encryption in transit: All data transmitted between users and the platform is encrypted using TLS/HTTPS
- Access controls: Role-based access controls limit data access to authorised personnel and platform users
- Password security: User passwords are hashed using industry-standard algorithms and are never stored in plain text
- Infrastructure security: Platform infrastructure is hosted on enterprise-grade cloud services with their own security certifications
- Audit logging: All significant actions within the platform are logged for audit and security purposes
- Access management: Verdavu staff access to production systems is restricted and logged
8. Data Breach Notification
In the event of a Personal Data breach affecting the Controller's data, Verdavu will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to meet any reporting obligations the Controller may have under applicable law, including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach
Breach notifications will be sent to the primary email address associated with the Controller's Verdavu account.
9. Data Subject Rights
Where a Data Subject makes a request to exercise their rights (including access, rectification, erasure, portability, or objection), the Controller is responsible for responding to that request. Verdavu will provide reasonable technical assistance to the Controller in fulfilling such requests where the action required is within Verdavu's technical capability.
Verdavu will promptly notify the Controller if it receives any request directly from a Data Subject.
10. International Data Transfers
Personal Data processed through Verdavu may be transferred to and stored in countries outside the Controller's jurisdiction, including countries where data protection laws may differ. Verdavu will ensure that any such transfers are made only to jurisdictions with adequate protections or under appropriate contractual safeguards.
11. Data Retention and Deletion
Verdavu retains Personal Data for as long as the Controller's account is active. Following account termination:
- The Controller may export their data within 30 days of account closure
- Verdavu will delete or anonymise all Personal Data within 90 days of account closure
- Audit logs and anonymised aggregated statistics may be retained for longer periods for platform integrity purposes
- Retention may be extended where required by applicable law
12. Audit Rights
The Controller may request reasonable information from Verdavu to verify compliance with this DPA. Verdavu will provide such information within a reasonable timeframe.
For formal audits, the Controller must provide at least 30 days' written notice. Audits will be conducted at the Controller's expense and in a manner that does not unreasonably disrupt Verdavu's operations.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Use. Where both parties are responsible for a damage caused by processing, liability will be apportioned according to each party's degree of responsibility.
14. Governing Law
This DPA is governed by the laws of the Republic of Trinidad and Tobago and forms part of the agreement between the Controller and Verdavu as set out in the Terms of Use.
15. Contact
For questions about this DPA or data protection matters, please contact us:
- Email: privacy@verdavu.com
- Website: verdavu.com