Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Seaty Terms of Service between Seaty Ltd ("Seaty", "Processor", "we") and the organiser using the Seaty platform to host events ("Organiser", "Controller", "you").
This DPA reflects the parties' agreement on the processing of personal data in connection with your use of Seaty, and is designed to meet the requirements of Article 28 of the UK General Data Protection Regulation (as it forms part of UK law by virtue of the Data Protection Act 2018, the "UK GDPR").
If you require an executed copy signed by Seaty for your records, email Support@Seaty.co.uk with your organisation name, ICO registration (if any), and the name of the signatory on your side.
1. Definitions
Terms not defined here have the meanings given to them in the UK GDPR.
- Personal Data — any information relating to an identified or identifiable natural person processed by Seaty on behalf of the Organiser under the Terms of Service.
- Processing — any operation performed on Personal Data, including collection, recording, storage, retrieval, disclosure, and erasure.
- Sub-processor — any third party engaged by Seaty to process Personal Data on the Organiser's behalf in connection with the Services.
- Services — the Seaty platform features the Organiser uses, including event creation, ticket sales, payment collection, attendee communications, mailshots, file sharing, and reporting.
- Data Subject — a natural person whose Personal Data is processed under this DPA, including the Organiser's attendees, members, volunteers, and committee.
- Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Subject matter and duration
Subject matter: the processing of Personal Data by Seaty on behalf of the Organiser, strictly for the purpose of providing the Services described in the Terms of Service.
Duration: for as long as the Organiser maintains an active account on Seaty, plus any retention period required by law (including HMRC retention for transaction records and Gift Aid declarations) and any retention period necessary to defend legal claims.
3. Nature and purpose of processing
Seaty processes Personal Data for the following purposes only:
- Allowing attendees to discover and buy tickets to the Organiser's events
- Allowing the Organiser to administer attendees, seating, payments, refunds, member quotas, and ticket requests
- Sending transactional emails (order confirmations, ticket delivery, balance reminders, account verification)
- Sending mailshots and event-update emails on the Organiser's behalf, subject to the Data Subject's consent under the appropriate lawful basis
- Hosting and serving public event listings and organisation pages
- Generating reports, analytics, and exports for the Organiser
- Supporting integrations the Organiser chooses to enable (for example Stripe for card processing or Dropbox for file storage)
- Complying with Seaty's own legal obligations (for example record retention for taxation and audit purposes)
Seaty will not process Personal Data for any other purpose unless required to do so by UK or EU law, in which case Seaty will inform the Organiser of that legal requirement before processing, unless the law prohibits such notification.
4. Types of Personal Data and categories of Data Subjects
Categories of Data Subjects:
- The Organiser's attendees and ticket buyers
- The Organiser's members, volunteers, and committee
- Donors (where the Organiser is a registered charity)
- Recipients of mailshots and event-update communications sent through Seaty
- Visitors to the Organiser's public event pages
Types of Personal Data:
- Identification and contact data: name, email address, phone number, postal address
- Account credentials: hashed and salted password, single sign-on identifiers
- Ticket and order data: tickets purchased, seats allocated, payment status, balances outstanding
- Payment metadata (not card numbers): Stripe payment reference, payment status, refund records
- Consent and preference data: marketing consent, survey consent, event-update consent, audit trail of changes
- Communication metadata: email opens, link clicks (with IP hashed under SHA-256 + per-environment salt for unauthenticated recipients), bounce and complaint status
- Gift Aid declaration data where applicable: full name, address, postcode, UK taxpayer declaration (retained for 6 years per HMRC)
- Waiting list data where applicable: contact details, number of tickets requested, accessibility requirements
- Custom question answers: any additional fields the Organiser configures on the event registration form (the Organiser is responsible for the lawful basis of any sensitive data they elect to collect this way)
Seaty does not require the Organiser to collect special category data under Article 9. If the Organiser configures custom questions that would collect special category data (for example detailed health information beyond accessibility needs), the Organiser is responsible for the lawful basis under Article 9(2) and should consider whether a DPIA is appropriate.
5. Obligations of Seaty as Processor
In addition to the obligations set out elsewhere in this DPA and the Terms of Service, Seaty will:
5.1 Process only on documented instructions. Process Personal Data only on the Organiser's documented instructions, which are reflected in the Terms of Service, the Organiser's configuration of the platform, and any further written instructions the Organiser provides. If Seaty is required by UK or EU law to process Personal Data for any other purpose, Seaty will inform the Organiser of that legal requirement before processing, unless the law prohibits such notification.
5.2 Confidentiality. Ensure that everyone authorised to process Personal Data under this DPA, including employees and contractors, has committed to confidentiality or is under an appropriate statutory obligation of confidentiality.
5.3 Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the UK GDPR. The current measures are summarised in Annex 2 of this DPA and described in plain English at our Security and Compliance page. Seaty will regularly review these measures and may update them; updates will be communicated through the Privacy Policy and the Security page.
5.4 Sub-processors. Engage Sub-processors only on terms that impose substantially the same data protection obligations as set out in this DPA. The current list of Sub-processors is maintained in our Privacy Policy and reproduced in Annex 3 of this DPA. Seaty will give the Organiser notice of any intended changes concerning the addition or replacement of Sub-processors by updating the Privacy Policy. The Organiser may object to a new Sub-processor on reasonable data-protection grounds by emailing Support@Seaty.co.uk within 14 days of the update; if Seaty is unable to address the objection, the Organiser may terminate the affected portion of the Services.
5.5 Data subject rights. Taking into account the nature of the processing, assist the Organiser by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Organiser's obligation to respond to requests for exercising the data subject's rights under Chapter III of the UK GDPR. In practice this means Seaty will, on the Organiser's request, provide attendee data exports, delete or anonymise attendee records, and rectify inaccurate data, subject to legal retention obligations.
5.6 Article 32–36 assistance. Assist the Organiser in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of processing and the information available to Seaty. This includes assistance with security, breach notification, DPIAs, and prior consultation with the ICO.
5.7 Return and deletion. At the choice of the Organiser, delete or return all Personal Data to the Organiser after the end of the provision of Services relating to processing, and delete existing copies, unless UK or EU law requires storage of the Personal Data. Statutory retention obligations affecting Seaty include HMRC retention for transaction records (7 years) and Gift Aid declarations (6 years).
5.8 Information and audits. Make available to the Organiser all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Organiser or an auditor mandated by the Organiser. Audits must be:
- requested in writing with at least 30 days' notice;
- conducted during normal business hours;
- limited to one audit per 12-month period unless a Personal Data Breach gives reasonable cause for a further audit;
- conducted under appropriate confidentiality undertakings;
- carried out in a manner that does not unreasonably disrupt Seaty's operations or other customers' use of the Services.
Seaty may satisfy this obligation by providing existing third-party audit reports, certifications, or written responses to a reasonable security questionnaire, where these adequately address the matters the Organiser would otherwise audit.
5.9 Notification of unlawful instructions. Immediately inform the Organiser if, in Seaty's opinion, an instruction infringes the UK GDPR or other UK or EU data protection provisions.
6. Sub-processors
The current list of Sub-processors is maintained in the Privacy Policy and reproduced in Annex 3.
Seaty has entered into written agreements with each Sub-processor that impose obligations on the Sub-processor substantially equivalent to those imposed on Seaty under this DPA. Seaty remains fully liable to the Organiser for the performance of each Sub-processor's data protection obligations.
7. International transfers
Personal Data is hosted on Microsoft Azure in the UK South region and does not leave the United Kingdom for routine processing.
Where a Sub-processor processes Personal Data outside the UK (for example Stripe, Postmark, Dropbox, or the SSO identity providers), the transfer is made under that Sub-processor's documented UK GDPR transfer mechanism, which may include the UK Addendum to the EU Standard Contractual Clauses, a UK adequacy decision, or the UK International Data Transfer Agreement, as appropriate. Seaty is satisfied that each Sub-processor has implemented appropriate safeguards under Chapter V of the UK GDPR.
8. Personal Data Breach notification
Seaty will notify the Organiser without undue delay, and in any event within 48 hours of becoming aware of a confirmed Personal Data Breach affecting the Organiser's Personal Data. The notification will, to the extent reasonably available at the time, include:
- a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;
- the name and contact details of Seaty's point of contact for further information;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and mitigate its effects.
Where the full information is not available within 48 hours, Seaty will provide an initial notification within that period and follow up with further information as it becomes available, in phases.
This timing is designed to give the Organiser, as Controller, sufficient time to meet its own 72-hour notification deadline to the ICO under Article 33 of the UK GDPR.
9. Liability and indemnity
The parties' aggregate liability under this DPA is subject to the liability provisions of the Terms of Service, save that nothing in this DPA limits liability that cannot be limited under applicable law.
10. Term and termination
This DPA continues for as long as the Organiser maintains an active account on Seaty. On termination of the Organiser's account, the obligations in clause 5.7 (return and deletion) apply. Provisions of this DPA that are intended by their nature to survive termination, including confidentiality and liability provisions, will survive.
11. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails to the extent of the conflict and only in respect of the processing of Personal Data.
12. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for any disputes arising out of or in connection with this DPA.
Annex 1 — Details of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Seaty event ticketing platform |
| Duration | Term of the Organiser's account plus statutory retention |
| Nature and purpose | As set out in clause 3 |
| Types of Personal Data | As set out in clause 4 |
| Categories of Data Subjects | As set out in clause 4 |
| Controller | The Organiser |
| Processor | Seaty Ltd, 11 Brindley Place, Birmingham, B1 2LP. Company number 08960314. ICO registration ZA543843 |
| Processor contact | Support@Seaty.co.uk |
Annex 2 — Technical and organisational security measures
A non-exhaustive summary of the security measures Seaty has in place. The plain-English version of the same measures is at our Security and Compliance page.
Card data
- Card numbers, expiry dates, and security codes are entered into Stripe-hosted fields and never reach Seaty's servers
- Stripe is certified to PCI DSS Level 1
Authentication
- Passwords are salted and hashed before storage; plaintext passwords are never written to disk or logged
- Two-factor authentication via single-use email codes is required on every email-and-password login; SSO flows rely on the identity provider for the second factor
- Door-scanning devices use a separate organisation-passcode flow distinct from admin sign-in
Access control
- Over thirty distinct granular permissions across event, organisation, tour, and order management
- Custom roles configurable by the Organiser
- Device accounts carry a platform-level marker restricting them from admin functions
- All admin actions are attributed to the acting user with timestamps
Encryption
- Azure SQL Transparent Data Encryption at rest, platform-wide
- Application-layer AES encryption on email values embedded in unsubscribe and preference URLs
- HTTPS / TLS in transit for all client connections
Architecture
- Public pages served from a read-only Azure Blob Storage cache, isolated from the live database
- Live database accessible only to authenticated admin sessions
- Per-endpoint rate limiting with brute-force-resistant limits on authentication surfaces
Monitoring
- Error fingerprinting (SHA-256 of normalised error type, message, and path) for incident triage; no customer data in fingerprints
- Application logging in Azure Application Insights
- 72-hour ICO breach notification commitment in the Privacy Policy; 48-hour processor-to-controller notification under clause 8 of this DPA
Hosting
- Microsoft Azure UK South
- Azure SQL with platform-level backups and point-in-time restore
- Azure Blob Storage with provider-level redundancy
Personnel
- Confidentiality undertakings for all staff and contractors
- Support access to organiser data is the subject of ongoing internal audit improvements
Annex 3 — Sub-processors
The authoritative list is maintained in the Privacy Policy. As at the last-updated date of this document:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Application hosting, SQL database, blob storage | UK South |
| Stripe | Card payment processing, SCA, refunds, payouts | UK / EU / US (under Stripe's UK GDPR transfer mechanism) |
| Postmark | Transactional and mailshot email delivery | US (under Postmark's UK GDPR transfer mechanism) |
| Apple, Google, Microsoft | Optional single sign-on for organiser accounts | Globally distributed; second factor handled by the identity provider |
| Dropbox | Optional file storage integration where enabled by the Organiser | US (under Dropbox's UK GDPR transfer mechanism) |
Contact
For any questions about this DPA, or to request a signed copy for your records:
Email: Support@Seaty.co.uk
Post: Seaty Ltd, 11 Brindley Place, Birmingham, B1 2LP, United Kingdom
ICO Registration: ZA543843