Skip to main content

Draft for review by your legal counsel. Update controller details in lib/legal/controller.ts before production B2B use.

Data Processing Agreement

Last updated: 2026-06-25

This Data Processing Agreement (DPA) applies when you (the Customer / Controller) use Conference Scheduler to process personal data about your event participants. By uploading participant data or enabling self-service forms, you accept this DPA.

1. Roles

Customer (you) is the data controller for participant personal data.

Operator of scheduler-app.org (https://scheduler-app.org) is the data processor, contact: privacy@scheduler-app.org.

2. Subject matter and duration

Processing is limited to providing scheduling, storage, optimization, PDF generation, and email delivery features for the duration of your subscription/account and until you delete the data or your account.

3. Nature and purpose of processing

  • Storage of names, emails, availability grids, meeting requests, rankings, schedules.
  • Running the optimization engine and generating exports.
  • Sending transactional emails on your instruction.
  • Hosting self-service data-entry forms via tokenized links.

4. Categories of data subjects and personal data

  • Event participants (clients, company representatives) — contact details, scheduling preferences.
  • Your account users — email addresses for authentication.

5. Processor obligations

  • Process only on documented instructions (your use of the service).
  • Ensure confidentiality of personnel with access.
  • Implement appropriate technical and organizational measures (encryption, access control, EU hosting).
  • Assist with data subject requests via privacy@scheduler-app.org within reasonable time.
  • Notify you without undue delay of personal data breaches affecting your data.
  • Delete or return data on termination (account deletion cascades cloud projects).
  • Make available information necessary to demonstrate compliance.

6. Subprocessors

You authorize the following subprocessors (EU/EEA where noted):

  • Google Cloud Platform — hosting, database, KMS, logging (EU regions).
  • Resend — transactional email (EU region).
  • Cloudflare — DNS and email routing.

7. International transfers

Primary processing occurs in the EU/EEA. Where a subprocessor operates globally, we rely on appropriate safeguards (e.g. SCCs) offered by that provider.

8. Audits

Upon reasonable written request, we will provide summaries of security measures. On-site audits require mutual agreement and may be subject to confidentiality and cost allocation.

9. Customer obligations

  • Ensure lawful basis for processing participant data.
  • Provide privacy notices to participants where required.
  • Configure retention by deleting projects when no longer needed.
  • Not instruct us to process unlawful data.