Data Processing Addendum
Last updated: May 25, 2026 · Processor: Nyza Creations LLC
1. Introduction
This Data Processing Addendum (the "DPA") supplements and forms part of the agreement between Nyza Creations LLC ("Nyza," the "Processor") and the customer ("Customer," the "Controller") under which Customer uses Nyza Events (the "Agreement"). It applies whenever Nyza processes Personal Data on Customer's behalf in connection with the Service, and is intended to satisfy Article 28 of the EU General Data Protection Regulation (EU) 2016/679 (the "GDPR") and the equivalent provisions of the UK GDPR and Data Protection Act 2018.
Where the DPA conflicts with the Agreement, the DPA prevails as to data-protection matters.
2. Definitions
Capitalized terms not defined here have the meanings given in the GDPR or in the Agreement.
- "Personal Data" means any information relating to an identified or identifiable natural person that Customer uploads, inputs, or otherwise causes Nyza to process via the Service — e.g., guest contact details, vendor contacts, planner-team member details.
- "Processing" means any operation performed on Personal Data as defined in GDPR Art. 4(2).
- "Subprocessor" means any third party engaged by Nyza to process Personal Data on Customer's behalf, as listed in Annex III.
- "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries, set out in Commission Implementing Decision (EU) 2021/914.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.
3. Scope & roles
With respect to Personal Data Customer entrusts to Nyza through the Service, Customer acts as the Controller (or, where Customer is itself a processor of a further controller, a Processor) and Nyza acts as the Processor (or Sub-processor, as the case may be).
Nyza is the Controller of certain account-level data — Customer's contact details, login credentials, billing information, and aggregated usage analytics — which is governed by our Privacy Policy rather than by this DPA.
4. Details of processing (Annex I)
- Subject matter: processing of Personal Data as necessary to provide the Service under the Agreement.
- Duration: for the term of the Agreement and any post-termination retention required by law or set out in Section 13.
- Nature and purpose: hosting, storing, retrieving, displaying, transmitting, generating, and otherwise processing Personal Data to deliver event planning, vendor discovery and booking, AI-assisted design, payment processing, and guest communications.
- Categories of data subjects: Customer's end users, including event hosts, planners, vendors, event guests, and other third parties Customer chooses to add to the Service (e.g., venue contacts).
- Categories of Personal Data: identification data (name, email, phone), event-related data (dates, location, preferences), communications content (chat with vendors, message templates, RSVP responses), guest-list contents, payment metadata (last 4 digits of card, transaction status), and any data Customer chooses to upload (photos, notes, custom fields).
- Special categories: Customer should not upload special categories of Personal Data (Art. 9 GDPR) such as health, religious belief, sexual orientation, or political affiliation, except to the extent strictly necessary for the event (e.g., dietary preferences indicating religious practice). Customer is responsible for any additional legal basis required.
- Frequency: continuous, on demand, for the term of the Agreement.
5. Processing instructions
Nyza will process Personal Data only on documented instructions from Customer, including with regard to transfers to third countries. Customer's use of the Service in accordance with the Agreement and our published documentation constitutes Customer's initial documented instructions. Customer may give further written instructions consistent with the Service's capabilities. Nyza will inform Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.
6. Confidentiality of personnel
Nyza ensures that persons authorized to process Personal Data are bound by appropriate confidentiality obligations (whether by contract or statutory duty) and have received appropriate data-protection training.
7. Security measures (Annex II)
Nyza implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (GDPR Art. 32). These include, at minimum:
- Encryption in transit (TLS 1.2+) and encryption at rest for the application database;
- Hashing of account passwords using a modern adaptive function (e.g., bcrypt, argon2);
- Role-based access control with principle-of-least-privilege scoping;
- Multi-factor authentication for all engineering accounts that can reach production systems;
- Audit logging of administrative actions, with logs retained for at least 90 days;
- Network segmentation between application, database, and worker tiers; databases not directly internet-exposed;
- Automated dependency-vulnerability scanning and routine patching of host systems;
- Backup of the application database with off-site retention and tested restore procedures;
- Documented incident-response process with on-call rotation;
- Rate limiting, abuse detection, and request-level monitoring;
- Subprocessor due-diligence and contractual data-protection commitments.
Nyza may update these measures from time to time provided that the level of protection does not materially decrease.
8. Subprocessors (Annex III)
Customer authorizes Nyza to engage Subprocessors as needed to provide the Service. The current list of Subprocessors is maintained on our Privacy Policy and is incorporated here by reference as Annex III. Each Subprocessor is bound by written data-protection obligations no less protective than those in this DPA.
Notice of new Subprocessors. Nyza will give Customer at least 30 days' prior notice of any new or replacement Subprocessor by updating the list and (for Customers who have countersigned this DPA via email) sending an email notice. Customer may, on reasonable grounds relating to data protection, object in writing within that notice period. The parties will work in good faith to resolve the objection; if no resolution is possible, Customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund of pre-paid fees attributable to the unprovided portion.
9. Data-subject rights
Taking into account the nature of the processing, Nyza will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). The Service includes self-serve features (account export, account deletion, profile editing) that Customer can use to fulfill most such requests directly. Where additional assistance is required, Customer may contact legal@nyzaevents.com.
Where Nyza receives a request directly from a data subject relating to Customer's Personal Data, Nyza will, without undue delay, forward the request to Customer and not respond to the request itself except as directed by Customer or required by law.
10. Personal data breach notification
Nyza will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting Customer's Personal Data. The notification will, to the extent then known, describe:
- The nature of the breach, categories and approximate number of data subjects and records concerned;
- The likely consequences;
- Measures taken or proposed to address the breach and mitigate its possible adverse effects;
- The name and contact details of a Nyza point of contact.
Nyza will cooperate with Customer and provide reasonable information requested by Customer to enable Customer to fulfill any notification obligation under GDPR Arts. 33–34 or equivalent law.
11. Audits & information rights
Nyza makes available to Customer all information necessary to demonstrate compliance with this DPA and GDPR Art. 28 obligations, including via the Privacy Policy, this page, and the Subprocessor list. To the extent Customer reasonably requires additional audit information that is not addressed in those documents, Customer may request it by written notice to legal@nyzaevents.com with at least 30 days' advance notice. Audits, where contractually agreed, will be conducted no more than once per 12-month period (unless required by a supervisory authority or in response to a Personal Data Breach), during normal business hours, without unreasonable disruption, and at Customer's expense (except in the case of material non-compliance attributable to Nyza).
12. International transfers & SCCs
Nyza is established in the United States and may process Personal Data in the United States and other jurisdictions in which its Subprocessors operate. Where Customer transfers Personal Data subject to GDPR or UK GDPR to Nyza in a country that has not received an adequacy decision under Art. 45 GDPR (or its UK equivalent):
- The parties incorporate by reference Module Two (controller-to-processor) of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), with the following choices: clause 7 (docking clause) — included; clause 9(a) — Option 2 (general written authorization), with the notice period specified in Section 8 above; clause 11(a) — independent dispute resolution option not selected; clause 17 — Option 1, with the supervisory authority of the EU member state in which the relevant data subject is established as competent; clause 18 — forum and jurisdiction of that member state.
- For UK transfers, the parties incorporate the UK Addendum, treating the EU SCCs above as the "Approved EU SCCs" and selecting the standard options under Part 1.
- For Swiss transfers, the EU SCCs apply as modified to refer to the Swiss Federal Data Protection Act and to recognize the Swiss Federal Data Protection and Information Commissioner as the relevant supervisory authority.
- Annexes I, II, and III of the SCCs are populated by Sections 4, 7, and 8 of this DPA respectively.
By accepting this DPA, both parties are deemed to have signed the SCCs and UK Addendum where they apply.
13. Return or deletion at end of term
Within 30 days after termination or expiration of the Agreement, Nyza will, at Customer's choice, return or delete the Personal Data, except to the extent applicable law requires continued storage. Backups containing Personal Data are overwritten on a rolling cycle and reach full deletion within 90 days. Customer may export its data at any time via Account → Data export.
14. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability to data subjects under GDPR Art. 82 or any liability that cannot be excluded under applicable law.
15. Governing law
This DPA is governed by the law specified in the Agreement (State of Washington, USA), except that the SCCs and UK Addendum are governed by the laws specified in those instruments.
16. How to put this DPA in force
This DPA takes effect when Customer (a) accepts the Terms of Service while logged into a paid plan, or (b) emails legal@nyzaevents.com with the subject "DPA acceptance", including the legal entity name, country, account email, and (optionally) the name and contact details of the Customer's data-protection contact. Nyza will confirm by reply email, which constitutes execution by both parties.
Customers requiring a countersigned PDF copy on Nyza letterhead may request one at the same address.
17. Contact
Nyza Creations LLC
701 NE Normandy Dr
Bremerton, WA 98310, USA
Attn: Legal (DPA)
Phone: +1 (360) 919-4060
Email: legal@nyzaevents.com