Data Processing Agreement

TixEvery Data Processing Agreement (DPA) – Organisers Effective date: 24 February 2026 Version: 1.0

This Data Processing Agreement (“DPA”) applies where TixEvery processes Personal Data on behalf of an Organiser in connection with the Platform and the Organiser is a Data Controller and TixEvery is a Data Processor for that processing.

Where TixEvery acts as a Data Controller for its own purposes such as platform security, fraud prevention, analytics, service improvement and account administration, those activities are governed by the Privacy Policy.

Definitions "Controller", "Processor", "Personal Data", "Processing" have the meanings set out in UK GDPR. "Customer Data" means Personal Data relating to Buyers/Customers processed via the Platform for Orders/Events. "Services" means the Platform services provided by TixEvery.

Subject matter, duration, nature and purpose Subject matter: Customer Data processed to facilitate Orders and administer Events, deliver e-tickets, provide support tooling and enable organiser reporting. Duration: For the term of the Organiser’s use of the Platform and thereafter only as necessary for legal obligations, fraud prevention, disputes/chargebacks, and backup/retention policies. Nature: Collection, storage, retrieval, transmission, delivery, reporting and deletion where applicable. Purpose: Providing Services to the Organiser and administering Orders/Events.

Categories of data and data subjects Data subjects: Customers/Buyers, organiser users, event attendees where different. Data categories: identity/contact, order/ticket details, communications, technical logs, delivery status.

Processor obligations TixEvery will process Customer Data only on documented instructions from the Organiser including as necessary to provide the Services, ensure personnel are bound by confidentiality, implement appropriate technical and organisational security measures, assist with data subject requests where applicable taking into account the nature of processing, notify the Organiser of personal data breaches affecting Customer Data without undue delay where required, delete or return Customer Data at end of Services where applicable subject to legal retention, and make available information reasonably necessary to demonstrate compliance with this DPA.

Controller obligations (Organiser) The Organiser will ensure a lawful basis for processing and sharing Customer Data with TixEvery, provide required privacy information to Customers, comply with UK GDPR and PECR for marketing, maintain suppression lists and honour opt-outs, respond to Customer requests and complaints, and ensure accuracy of Customer Data provided.

Sub-processing The Organiser authorises TixEvery to appoint sub-processors to provide the Services such as hosting, email delivery, payment and fraud tooling. The list of sub-processors is provided in /terms/sub-processors. TixEvery will impose contractual obligations on sub-processors that are no less protective than this DPA.

International transfers Where sub-processors process data outside the UK, TixEvery will implement appropriate safeguards as required.

Security measures Measures may include access controls, encryption in transit, monitoring/logging, secure backups, vulnerability management, and least-privilege policies.

Data subject requests If TixEvery receives a request directly from a Customer relating to Customer Data processed on behalf of the Organiser, TixEvery may direct the Customer to the Organiser or notify the Organiser to respond.

Liability Liability is governed by the Organiser Terms, except where this DPA requires otherwise by law.

Order of precedence If there is a conflict between this DPA and the Organiser Terms regarding processing as Processor, this DPA prevails.

Contact privacy@tixevery.com

Annex: processing details and safeguards

The processing may include account, organiser user, customer, attendee, order, ticket, product, payment reference, refund, support, audit, communications, analytics and security data needed to provide TixEvery services. Processing purposes include ticketing, checkout, fulfilment, reporting, customer support, fraud prevention, platform security, legal compliance and agreed organiser instructions.

TixEvery maintains technical and organisational measures appropriate to the service, which may include access controls, least-privilege permissions, encryption in transit, backup controls, logging, monitoring, vulnerability management, staff confidentiality, incident response and supplier review. The current sub-processor schedule is available at /terms/sub-processors. TixEvery will provide reasonable notice of material sub-processor changes and will use appropriate transfer safeguards for restricted international transfers.

TixEvery will provide reasonable assistance with data subject requests, DPIAs, incidents and audits within the bounds of the service, available information, confidentiality, security and proportionate cost. If TixEvery believes an instruction is unlawful or outside the agreed service, it may pause the instruction and request clarification. After termination, TixEvery will delete or return personal data in line with the agreement, legal retention duties, backup cycles and payment or dispute record requirements.