Data processing addendum
This DPA augments SaaS contracts where Trade Fair Wala processes personal data on behalf of enterprise organizers activating workspace controls, HIPAA-sensitive clinics, and promoter loyalty programs bridging multiple jurisdictions.
Exhibit DP-EMEA-SEA-ROW
Parties, roles & workspace configuration truth
Unless order forms specify a promoter-as-controller arrangement bridging multiple child venues, organizers remain the primary controllers and configure consent strings, lawful bases, and attendee notice templates. Trade Fair Wala processes strictly under documented instructions, honoring restriction flags even when product friction arises.
Subprocessor governance & objection windows
- Quarterly catalogs detail each subprocessor's name, residence, subprocessed activities, and transferable regions.
- Objection clocks default to 21 days, with good-faith negotiations before mandatory exit clauses engage.
- Emergency subprocessors aiding zero-day patching may onboard with 72-hour retrospective notices referencing CVSS severity tiers.
- Downstream venues supplying CCTV ingest must attest to retention caps matching hall agreements.
- Finance processors bridging FX windows document PCI scope boundaries.
- Bare-metal disaster recovery clones remain offline until invoked, logged in failover ledgers.
Technical & organizational controls snapshot
Encryption in transit requires TLS 1.2 or later, ideally TLS 1.3; disks use AES-256 with envelope keys held in HSMs. Workforce access is subject to quarterly access reviews; customer success overrides expire after incident closure. Pseudonymisation jobs obfuscate exhibitor SKU labels in analytics clones.
Assistance with data subject workflows
Upon receipt of verifiable SAR/DSAR payloads, processors acknowledge within SLA hours and retrieve ticket histories, kiosk logs respecting legal holds, and attendee communications bridging organizer mail bridges. Automated deletion propagates while respecting the immutable finance logs that statutes demand.
Breach notification interplay
We notify controllers within regulatory windows (including 72-hour GDPR presumptions) with severity scoring, tentative root causes, provisional counts, and mitigation steps; controllers remain responsible for regulator and attendee escalation unless contractually shifted with mutual signatures.
Return or deletion-of-data post-termination choreography
Snapshots are exported encrypted to organizer buckets unless legal holds freeze subsets. Sandbox tenants are purged after 35 days, once it is verified that no outstanding AML investigations are anchored to IP ranges referencing soon-to-delete clusters.
Liability interplay & SCC anchoring
Indirect-damages disclaimers interact with mandatory privacy statutes; carve-outs exist for supervisory fines attributed solely to processors breaching mandates. SCC Module Two (controller-to-processor) is the default, with optional Module Four for onward transfers dictated by promoters.