Selfish Software Ltd. - Data Processing Agreement (DPA)

Last updated: January 24, 2026

SELFISH SOFTWARE LTD. - DATA PROCESSING AGREEMENT

Last Updated: January 24, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Selfish Software Ltd. ("Processor") and the Event Host ("Controller").

---

1. SCOPE

1.1 Application

This DPA applies to Processor's processing of personal data on behalf of Controller, including photos, biometric identifiers, and associated metadata.

1.2 Roles

  • Controller determines purposes and means of processing
  • Processor processes data only on Controller's documented instructions

    • ---

    2. CONTROLLER OBLIGATIONS

    2.1 Lawful Basis

    Controller represents and warrants that:

  • It has valid lawful basis for all processing, including explicit consent for biometric data
  • It has obtained all required consents and releases (including BIPA written releases)
  • It has provided appropriate privacy notices to data subjects
  • It will use Processor's deletion tools to manage data lifecycle

    • 2.2 Instructions

    Controller instructs Processor to process personal data as necessary to provide the Service, including storing photos, creating and storing biometric identifiers, matching, and deletion.

    ---

    3. PROCESSOR OBLIGATIONS

    3.1 Processing Limitations

    Processor shall:

  • Process personal data only on documented instructions
  • Not process for any other purpose
  • Not sell personal data

    • 3.2 Confidentiality

    Persons authorized to process data are subject to confidentiality obligations.

    3.3 Security

    Processor implements appropriate technical and organizational measures including encryption, access controls, and secure infrastructure.

    3.4 Sub-processors

    Controller authorizes use of sub-processors for cloud infrastructure and related services. Sub-processors are bound by equivalent data protection obligations. Processor will notify Controller of new sub-processors with 14 days' notice.

    3.5 Data Subject Rights

    Processor assists Controller in responding to data subject requests.

    3.6 Security Incidents

    Processor notifies Controller of security incidents without undue delay and no later than 72 hours after becoming aware.

    3.7 Audits

    Processor makes available information to demonstrate compliance and permits audits upon reasonable notice.

    ---

    4. INTERNATIONAL TRANSFERS

    For transfers outside EEA/UK, Processor relies on Standard Contractual Clauses and supplementary measures including encryption.

    ---

    5. RETENTION AND DELETION

    5.1 Retention

    Per Privacy Policy: Guest data deleted immediately; Event data retained until Host deletion or 1 year maximum.

    5.2 Termination

    Upon termination, Controller may export data before closure. Processor deletes all personal data within 30 days except as required by law.

    ---

    6. CCPA ADDENDUM

    If CCPA applies, Processor certifies it:

  • Shall not sell or share personal information
  • Shall not retain, use, or disclose except to provide the Service
  • Complies with applicable CCPA requirements

    • ---

    7. BIPA ADDENDUM

    If BIPA applies:

  • Controller warrants it has obtained written releases per 740 ILCS 14/15(b)
  • Processor protects biometric data using reasonable standard of care
  • Processor does not sell, lease, or trade biometric data
  • Processor destroys biometric data per retention schedule

    • ---

    8. GENERAL

    8.1 Liability

    Subject to limitations in Terms of Service. Controller indemnifies Processor for claims arising from Controller's failure to comply with applicable law.

    8.2 Governing Law

    Same as Terms of Service.

    8.3 Conflict

    This DPA prevails over Terms of Service for data processing matters.

    ---

    9. CONTACT

    Email: info@selfish-events.com

    Selfish Software Ltd.

    Israel

    Go back to the homepage