Data Processing Agreement (DPA)
Last updated: 2026-05-15. Pending review by a Swiss data-protection lawyer before launch.
This DPA is concluded between the festival organiser using Festinato (the Controller) and Festinato (the Processor), and forms an integral part of the Terms of Service. It implements GDPR Art. 28 and the equivalent requirements of the revised Swiss FADP.
1. Subject matter, duration and nature
The Processor processes Personal Data on the Controller's documented instructions to provide the SaaS Service (back-office + mobile app + APIs). Duration: the term of the subscription plus the 90-day retention window.
2. Categories of data subjects + personal data
Data subjects: festival attendees, artists, volunteers, sponsors, the Controller's own staff.
Personal data: names, contact details, push device tokens, scheduled performance / shift times, optional payment details for fundraising — anything the Controller puts into the back-office or that arrives via the public API.
3. Processor's obligations
The Processor shall:
- process Personal Data only on documented instructions from the Controller (instructions = the configured use of the Service);
- ensure that personnel authorised to process Personal Data are bound by confidentiality;
- take the technical and organisational measures listed in docs/security;
- not engage another processor without the Controller's prior general written authorisation (see §5);
- assist the Controller in responding to data-subject requests via the standard export / deletion endpoints described in §6;
- notify the Controller of a Personal Data breach within 72 hours of becoming aware of it;
- at the choice of the Controller, delete or return all Personal Data after the end of the provision of services (see §7).
4. Security measures
See the consolidated technical & organisational measures at docs.festinato.app/security. They include encryption in transit (TLS 1.2+), encryption at rest (LUKS on hosts, server-side-encrypted S3 backups), per-tenant database isolation (database-per-tenant), 2FA on all administrative access, daily backups with 30-day retention, and quarterly access reviews.
5. Sub-processors
The Controller hereby authorises the use of the sub-processors listed in the Privacy notice. The Processor will inform the Controller at least 30 days in advance of any intended additions or replacements; the Controller may object on reasonable data-protection grounds and terminate the Service if the objection cannot be resolved.
6. Data-subject requests
The Controller can satisfy access / portability requests
using GET /api/v1/export (see the
API
reference). For deletion, the Processor offers
POST /tenants/{id}/suspend followed by
DELETE /tenants/{id} after the retention
window has elapsed.
7. Return + deletion
On termination, the Processor will retain the Controller's data for 90 days to allow recovery in case of accidental cancellation. After that window, the Postgres database, on-disk filestore and S3 backups are irreversibly deleted by a daily cron. The Controller may also request immediate deletion by mail to privacy@festinato.app.
8. Audits
The Controller (or an independent auditor under NDA) may audit the Processor's compliance with this DPA once per year with 30 days' notice, at the Controller's expense.
9. Governing law
This DPA is governed by the laws of Switzerland; jurisdiction is Solothurn. For Controllers established in the EU, GDPR Art. 28(3)(h) audit rights apply.