Data processing
addendum.

This DPA applies between you ("Controller") — typically an event host, organisation, or wedding planner using Vowly Event to manage guest data — and CKR Technology Group Ltd ("Processor"). The Controller determines the purposes and means of processing personal data; the Processor processes personal data only on documented instructions from the Controller.

The Processor will process personal data on behalf of the Controller to provide the Vowly Event service, including but not limited to event creation, invitation distribution, RSVP collection, guest list management, payment processing for events, and platform analytics.

• Categories of data subjects: event guests, plus-ones, vendors, and Controller staff
• Categories of personal data: names, contact details, dietary requirements, RSVP responses, photographs (where uploaded by guests)
• Duration: for the lifetime of the Controller's subscription and any data retention period agreed in writing

In accordance with Article 28(3) of the UK/EU GDPR, the Processor commits to the following obligations regarding personal data processed on behalf of the Controller.

• Process personal data only on documented instructions from the Controller
• Ensure that all personnel authorised to process personal data are bound by confidentiality
• Implement appropriate technical and organisational measures (TOMs) — detailed in our Security page
• Assist the Controller with data-subject rights requests, DPIAs, and prior consultations with supervisory authorities
• Notify the Controller without undue delay of any personal data breach affecting their data
• Make available all information necessary to demonstrate compliance with Article 28

The Processor uses a curated list of sub-processors to deliver the service. By signing this DPA, you grant general authorisation for the use of sub-processors, subject to a 30-day prior notice of any changes giving you the right to object.

• Google Ireland Limited — cloud infrastructure (EU/EEA)
• Stripe Payments Europe Ltd — payment processing (Ireland)
• Resend Inc. — transactional email delivery (SCCs where applicable)
• Cloudflare Inc. — DDoS protection and CDN (EU/US with SCCs)
• Updated list maintained at vowly.co/subprocessors (planned)

Where personal data is transferred outside the UK or EEA, the Processor relies on appropriate safeguards as required by Chapter V of the UK/EU GDPR. The primary mechanisms are the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), supplemented by additional technical and organisational measures where necessary.

The Processor will, upon reasonable written notice, allow for and contribute to audits conducted by the Controller or a mandated third-party auditor (subject to confidentiality undertakings). To minimise disruption, the Processor will first offer industry-standard audit reports (e.g., SOC 2 Type II reports from infrastructure providers) and security questionnaires.

Upon termination of the Controller's subscription, the Processor will, at the choice of the Controller, return or delete all personal data within 30 days, unless retention is required by applicable law. Backup data will be purged from rotation within 35 days of deletion in primary systems.

The Processor's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for failures to comply with the UK GDPR or EU GDPR where such liability cannot be excluded by law.