Legal · B2B

Data Processing Agreement

Template version: 1.0 · Effective: 7 May 2026 · Last updated: 7 May 2026

Plain-English summary: This is the standard Data Processing Agreement (DPA) GayOut offers to business partners (venue chains, integrators, resellers, ticketing systems, white-label clients) when GayOut acts as a processor of personal data on the partner's behalf — or when GayOut shares data with a third party that processes it for us. It mirrors Article 28 of the GDPR and incorporates the EU Standard Contractual Clauses (SCCs) where international transfers occur. To execute it, complete the Order Form in Annex 3 and email it to dpo@gayout.com.

Important — this is a template. The text below is a template offered for transparency and to streamline negotiations. It does not constitute legal advice and is not, by itself, a signed contract. A binding DPA exists only once both parties have countersigned an executed version (electronic or wet-ink) and the Annexes have been completed for the specific engagement. Material deviations from this template require GayOut's prior written approval. Please consult your own legal counsel before signing.

This Data Processing Agreement ("DPA") forms part of the underlying commercial agreement, order form, integration contract, partnership agreement, or terms of service (the "Principal Agreement") between ACTV-TEC Ltd., doing business as GayOut ("GayOut"), and the counterparty identified in the Order Form (the "Customer"). Each is a "Party" and together the "Parties". This DPA governs the Processing of Personal Data carried out by GayOut on behalf of Customer in connection with the services described in the Principal Agreement (the "Services").

Where Customer is the Controller of Personal Data and GayOut acts as Processor, this DPA applies in the form set out below. Where the roles are reversed (e.g. GayOut shares Personal Data with the Customer for the Customer to process on GayOut's behalf), the same terms apply mutatis mutandis with the Parties' roles reversed, as expressly noted in the Order Form.

Contents

Definitions
Subject matter, duration, nature & purpose
Categories of Personal Data & Data Subjects
Obligations of GayOut as Processor
Customer instructions & lawfulness
Confidentiality
Security of processing (Article 32)
Sub-processors
Assistance with Data Subject requests
Assistance with DPIA & prior consultation
Personal Data breach notification
Return or deletion of Personal Data
Audit rights
International transfers & SCCs
Term & termination
Liability
Governing law & dispute resolution
General & order of precedence
Annex 1 — Description of Processing
Annex 2 — Technical & Organisational Measures
Annex 3 — Order Form / Execution

1. Definitions

Capitalised terms not defined in this DPA have the meanings set out in the Principal Agreement or, failing that, in Regulation (EU) 2016/679 ("GDPR"). The following definitions apply:

Applicable Data Protection Law means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the Brazilian LGPD, the Israeli Privacy Protection Law, 5741-1981, and any successor or equivalent legislation.
Controller means the natural or legal person which determines the purposes and means of the Processing of Personal Data.
Processor means the natural or legal person which Processes Personal Data on behalf of the Controller.
Personal Data means any information relating to an identified or identifiable natural person ("Data Subject") that is Processed by GayOut on behalf of Customer under the Principal Agreement.
Processing means any operation performed on Personal Data, whether or not by automated means, including collection, recording, storage, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.
Data Subject means an identified or identifiable natural person to whom the Personal Data relates.
Sub-processor means any third party engaged by GayOut to Process Personal Data on behalf of Customer.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data Processed under this DPA.
Standard Contractual Clauses or "SCCs" means (i) for transfers from the EEA, the standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021; (ii) for transfers from the UK, the UK International Data Transfer Addendum issued by the ICO; (iii) for transfers from Switzerland, the SCCs as recognised by the Swiss Federal Data Protection and Information Commissioner.
Supervisory Authority means an independent public authority established under Applicable Data Protection Law.

2. Subject matter, duration, nature & purpose

The subject matter of the Processing is the provision of the Services described in the Principal Agreement. The nature and purpose of the Processing are set out in Annex 1 and typically include: ingesting venue or event data shared by Customer, displaying that data on GayOut surfaces, syncing user-generated content (reviews, ratings, photos), routing booking or ticket-purchase intents, generating analytics reports, and supporting the Customer in responding to its end users. The duration of the Processing matches the term of the Principal Agreement plus any wind-down period set out in Section 12.

3. Categories of Personal Data & Data Subjects

The categories of Personal Data, the categories of Data Subjects, and any special categories (Article 9 GDPR) are described in Annex 1. Typical categories include:

Identifiers and contact data: name, email address, phone number, business address.
Account data: account identifiers, authentication tokens, sign-in timestamps, IP address.
Usage data: pages viewed, search queries, items saved, transaction history, device and browser metadata.
User-generated content: reviews, ratings, photos, tips submitted in connection with Customer venues or events.
Limited financial metadata: subscription status, transaction identifiers (full payment-card data is not stored — see Annex 1).

Typical categories of Data Subjects include Customer's end-users (e.g. visitors to a venue chain, attendees of an event), Customer's employees who administer the integration, and prospective customers who interact with Customer surfaces routed through GayOut. Special categories of data are not Processed under this DPA unless expressly listed in Annex 1.

4. Obligations of GayOut as Processor

GayOut shall:

Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data outside the EEA, the UK, or Switzerland, unless required to do so by EU, Member State or other Applicable Data Protection Law to which GayOut is subject; in that case, GayOut shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
take all measures required pursuant to Article 32 GDPR (Section 7);
respect the conditions for engaging Sub-processors set out in Section 8;
taking into account the nature of the Processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests for exercising Data Subject rights (Section 9);
assist Customer in ensuring compliance with Articles 32 to 36 GDPR taking into account the nature of Processing and the information available to GayOut (Sections 7, 10 and 11);
at the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of Services and delete existing copies, unless retention is required by law (Section 12);
make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (Section 13).

5. Customer instructions & lawfulness

This DPA, the Principal Agreement, and any subsequent written instructions issued by Customer in accordance with the Principal Agreement constitute Customer's complete and final instructions to GayOut regarding the Processing of Personal Data. Additional or alternate instructions must be agreed by the Parties in writing and may be subject to additional fees if they fall outside the scope of the Services.

GayOut shall promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. GayOut is entitled to suspend execution of an instruction it reasonably believes to be unlawful until the matter is clarified.

Customer represents and warrants that it has a valid lawful basis under Applicable Data Protection Law for the Processing of Personal Data it instructs GayOut to perform, that it has provided all required notices to Data Subjects, and that it has obtained any consents required for the Processing contemplated by the Principal Agreement.

6. Confidentiality

GayOut shall ensure that any person it authorises to Process Personal Data is subject to a binding contractual or statutory duty of confidentiality. Access to Personal Data is limited to personnel who require access in order to perform the Services. GayOut maintains role-based access controls and reviews access rights on at least a quarterly basis.

7. Security of processing (Article 32)

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, GayOut implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures in force as of the effective date are described in Annex 2. GayOut may update the measures from time to time provided the level of security is not materially diminished.

8. Sub-processors

8.1 General authorisation

Customer grants GayOut general written authorisation to engage Sub-processors for the Processing of Personal Data, subject to the conditions in this Section 8. The current list of Sub-processors is set out in Section 8.4 and is also published, in updated form, at https://gayout.com/privacy (Section 6) and at https://gayout.com/dpa.

8.2 Notification & right to object

GayOut shall notify Customer in writing (by email to the address on the Order Form, or by posting an updated list at the URL above with at least 30 days' advance notice) of any intended addition or replacement of a Sub-processor. Customer may object on reasonable data-protection grounds within 30 days of notification. If the objection cannot be resolved between the Parties in good faith, Customer's exclusive remedy is to terminate the affected portion of the Services without penalty by giving written notice within a further 30 days; pre-paid fees for the unused portion will be refunded on a pro-rata basis.

8.3 Flow-down obligations

GayOut shall enter into a written agreement with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA. GayOut remains fully liable to Customer for the performance of each Sub-processor's obligations.

8.4 Current Sub-processors

The following Sub-processors are engaged as of the effective date. The list is illustrative and may be updated from time to time as described above:

Sub-processor	Purpose	Location
PayPal (Europe) S.à r.l.	Payments and subscription billing	EU / US
Resend, Inc.	Transactional and notification email delivery	US
Anthropic, PBC	AI processing (Trip Planner, translations, content moderation)	US
Google LLC / Google Ireland Ltd.	Maps and Places APIs, optional Sign-In, Google Analytics, Google Cloud services	US / EU
Hosting provider (current: managed PHP/MySQL host)	Application hosting, database, backups	EU / Israel
OpenStreetMap Foundation	Map tiles for the world map	UK
hCaptcha (Intuition Machines, Inc.)	Bot protection on submission forms	US
TripAdvisor LLC	Public venue data and reviews via API	US
fonts.bunny.net	Privacy-friendly web fonts (no user tracking)	EU

9. Assistance with Data Subject requests

Taking into account the nature of the Processing, GayOut shall assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

If GayOut receives a Data Subject request relating to Personal Data Processed under this DPA, GayOut shall, without undue delay and unless prohibited by law, forward the request to Customer and shall not respond directly except as instructed by Customer or as required by law.

10. Assistance with DPIA & prior consultation

GayOut shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities required of Customer under Articles 35 and 36 GDPR or equivalent provisions of Applicable Data Protection Law, in each case solely in relation to the Processing of Personal Data by GayOut on behalf of Customer and taking into account the nature of the Processing and information available to GayOut.

11. Personal Data breach notification

GayOut shall notify Customer without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. The notification shall include, to the extent known and as it becomes available:

a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
the name and contact details of the Data Protection Officer or other point of contact;
a description of the likely consequences of the breach;
a description of the measures taken or proposed to address the breach and to mitigate its possible adverse effects.

GayOut shall cooperate with Customer and provide reasonable assistance to enable Customer to comply with its own breach-notification obligations to Data Subjects and Supervisory Authorities. GayOut's notification of, or response to, a Personal Data Breach under this Section is not an acknowledgement by GayOut of any fault or liability with respect to the breach.

12. Return or deletion of Personal Data

Upon termination or expiry of the Principal Agreement, or on Customer's earlier written request, GayOut shall, at Customer's choice, delete or return to Customer all Personal Data Processed on Customer's behalf, and delete existing copies, within 90 days of the termination date, unless EU, Member State, or other Applicable Data Protection Law to which GayOut is subject requires storage of the Personal Data. Aggregated or anonymised data that no longer constitutes Personal Data may be retained.

Backup copies will be deleted in accordance with GayOut's standard backup-rotation cycle (typically 90 days). During any such residual retention, the Personal Data remains subject to the obligations of this DPA.

13. Audit rights

GayOut shall make available to Customer, on reasonable written request, the information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, including any current third-party certifications, penetration-test summaries, or SOC-style attestations that GayOut may hold.

Where the information made available is, in Customer's reasonable opinion, insufficient to demonstrate compliance, Customer (or an independent auditor mandated by Customer who is not a competitor of GayOut) may, on at least 30 days' prior written notice and not more than once per twelve-month period (except in the event of a Personal Data Breach or pursuant to a Supervisory Authority's instruction), conduct an on-site audit during regular business hours, in a manner that does not unreasonably interfere with GayOut's business. Customer bears the cost of the audit unless it reveals a material breach of this DPA, in which case GayOut bears its own costs of remediation. The auditor must execute appropriate confidentiality undertakings.

14. International transfers & SCCs

To the extent the Processing involves the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that is not the subject of an adequacy decision under Applicable Data Protection Law, the Parties agree that the relevant Standard Contractual Clauses are hereby incorporated into this DPA by reference, with the following selections:

EU SCCs (2021/914): Module Two (Controller-to-Processor) applies where Customer is the Controller and GayOut is the Processor. Module Three (Processor-to-Processor) applies where Customer is itself a Processor. The optional docking clause (Clause 7) applies. The general written authorisation option in Clause 9(a) applies, with a notice period of 30 days. Option 1 of Clause 17 applies and the governing law is the law of Ireland. Clause 18(b): the courts of Ireland have jurisdiction. Annexes I, II and III of the SCCs are completed by reference to Annex 1, Annex 2, and Section 8 of this DPA, respectively.
UK Addendum: the UK International Data Transfer Addendum issued by the ICO is incorporated and supplements the EU SCCs for transfers subject to UK data-protection law.
Swiss transfers: the EU SCCs apply with the modifications recognised by the Swiss Federal Data Protection and Information Commissioner (e.g., references to the GDPR are read as references to the Swiss FADP, references to EU Member State courts include Swiss courts).
Adequacy and other mechanisms: where an adequacy decision applies (notably for transfers to Israel, which benefits from a partial adequacy decision), the Parties may rely on it. Other lawful transfer mechanisms (such as a recipient's certification under a recognised data privacy framework) may be relied upon where applicable.

The full text of the SCCs is not reproduced in this DPA but is incorporated by reference and is available from the European Commission, the UK ICO, or the Swiss FDPIC. In the event of any conflict between this DPA and the SCCs, the SCCs prevail in respect of restricted transfers.

15. Term & termination

This DPA takes effect on the effective date of the Order Form (or, if no Order Form is signed but Customer has commenced use of the Services that involve Processing of Personal Data, on the date such use commenced) and remains in force for as long as GayOut Processes Personal Data on behalf of Customer under the Principal Agreement.

Termination of this DPA without simultaneous termination of the Principal Agreement is permitted only where required by Applicable Data Protection Law or to remedy a material breach of this DPA that has not been cured within 30 days of written notice. The provisions of this DPA that by their nature should survive termination (including Sections 11, 12, 13, 16 and 17) survive termination.

16. Liability

Each Party's liability arising out of or in connection with this DPA, whether in contract, tort, or under any other theory of liability, is subject to the aggregate liability cap and the exclusions of indirect, consequential, and similar damages set out in the Principal Agreement. If the Principal Agreement does not contain such limitations, each Party's aggregate liability under this DPA is capped at the fees paid or payable by Customer to GayOut in the twelve months preceding the event giving rise to liability. Nothing in this Section limits liability that cannot lawfully be excluded under Applicable Data Protection Law (for example, liability to Data Subjects under Article 82 GDPR).

17. Governing law & dispute resolution

Except where the SCCs require otherwise (in which case the SCCs' governing-law and forum clauses prevail in respect of the relevant restricted transfer), this DPA is governed by the laws of the State of Israel, without regard to its conflict-of-laws principles. The competent courts of Tel Aviv-Yafo, Israel, have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, subject to any mandatory venue rules in favour of consumers or Data Subjects.

18. General & order of precedence

If there is a conflict between this DPA and the Principal Agreement, this DPA prevails in respect of the Processing of Personal Data. If there is a conflict between this DPA and the SCCs (where applicable), the SCCs prevail. No modification to this DPA is binding unless made in writing and signed by authorised representatives of both Parties. If any provision of this DPA is found to be unenforceable, the remaining provisions remain in full force and effect.

This DPA may be executed in counterparts and by electronic signature. Notices to GayOut concerning this DPA must be sent to dpo@gayout.com with a copy to legal@gayout.com.

Annex 1 — Description of Processing

A. List of Parties

Data exporter (Controller): The Customer identified in the Order Form. Contact details, role, and signatory as stated there.

Data importer (Processor): ACTV-TEC Ltd., trading as GayOut, a company organised under the laws of Israel. Contact: dpo@gayout.com.

B. Description of transfer / Processing

Categories of Data Subjects: Customer's end-users (e.g. visitors to a venue chain or attendees of an event), Customer's administrative personnel, and prospective end-users routed through Customer integrations.
Categories of Personal Data: identifiers (name, email), contact data (phone, address), account and session data (IP address, browser metadata, authentication tokens), usage data (page views, search queries, items saved, transaction identifiers), and user-generated content (reviews, photos, ratings). Limited financial metadata only — full payment-card data is processed directly by PayPal and is not stored by GayOut.
Special categories of data: none Processed under this DPA unless expressly added in the Order Form. Customer acknowledges that information about LGBTQ+ orientation may, in some jurisdictions, be inferred from use of GayOut surfaces; both Parties shall handle such inferences with heightened care.
Frequency of transfer: continuous, on a per-request basis, for the duration of the Services.
Nature of the Processing: hosting, storage, retrieval, display, transformation, indexing, search, analytics, transmission to Sub-processors, and (on Customer's instruction) deletion.
Purpose of the Processing: provision of the Services described in the Principal Agreement, including listing of venues and events, routing of bookings or ticket-purchase intents, display of user-generated content, generation of reports for Customer, and security and fraud prevention.
Period of retention: for the duration of the Principal Agreement plus the wind-down period in Section 12, except where applicable law requires longer retention (e.g. tax records).
Sub-processors: as listed in Section 8.4 of this DPA, with purpose and location.

C. Competent Supervisory Authority

The competent Supervisory Authority is determined in accordance with Clause 13 of the EU SCCs and is, by default, the supervisory authority of the EU Member State in which Customer's EU representative is established or, if Customer is itself established in the EU, the supervisory authority of that Member State.

Annex 2 — Technical & Organisational Measures

GayOut maintains the following technical and organisational measures to ensure a level of security appropriate to the risk under Article 32 GDPR. The measures may be updated from time to time provided the level of security is not materially diminished.

1. Pseudonymisation and encryption of Personal Data

TLS 1.2 or higher (preferring TLS 1.3) for all data in transit.
Encryption at rest for sensitive database fields and for backups.
Hashed and salted authentication tokens; magic-link tokens are single-use and time-limited (7 days).
Pseudonymisation of analytics data (anonymised IPs, short retention windows).

2. Confidentiality, integrity, availability and resilience

Role-based access control (RBAC) with least-privilege principle and quarterly access reviews.
Multi-factor authentication enforced on administrative interfaces.
Network segmentation, firewalling, and rate limiting.
Application-level CSRF, XSS, and SQL-injection defences; parameterised queries throughout.
Bot protection (hCaptcha) on submission and authentication forms.
Centralised logging with retention of 30–90 days for security investigations.
Regular dependency scanning and patching for known vulnerabilities.

3. Restoration of availability and access

Automated database backups with 90-day rotation.
Documented disaster-recovery procedure with target RTO/RPO appropriate to the criticality of the Service.
Monitoring and alerting on availability of core services.

4. Process for regularly testing, assessing and evaluating effectiveness

Annual review of this Annex and of GayOut's security baseline.
Periodic vulnerability scanning of public-facing endpoints.
Independent penetration testing on a risk-driven cadence (and, in any event, prior to material architecture changes).
Post-incident reviews following any security event with documented lessons learned.

5. Personnel and organisational measures

Confidentiality undertakings for all personnel and contractors.
Security and privacy training for personnel handling Personal Data.
Documented information-security and incident-response policies.
Privacy-by-design and privacy-by-default in product development.

6. Sub-processor management

Due diligence prior to engaging Sub-processors that Process Personal Data.
Written contracts with Sub-processors imposing equivalent data-protection obligations.
Maintenance of an internal Sub-processor register and the public list referenced in Section 8.4.

Annex 3 — Order Form / Execution

To execute this DPA, complete the following minimum particulars and return a signed copy to dpo@gayout.com. GayOut will counter-sign and return an executed copy. Until both Parties have signed, this DPA is offered as a template only and is not binding.

Customer (legal name & jurisdiction): ___________________________
Customer registered address: ___________________________
Customer DPO / privacy contact (name & email): ___________________________
Principal Agreement reference (title & date): ___________________________
Description of Services / integration: ___________________________
Role allocation: ☐ Customer is Controller, GayOut is Processor ☐ Customer is Processor, GayOut is Sub-processor ☐ GayOut is Controller, Customer is Processor (reversed engagement)
Specific instructions or restrictions (if any): ___________________________
Special categories of data Processed (if any): ___________________________
Effective date: ___________________________

For Customer: Name __________________ Title __________________ Signature __________________ Date __________________

For GayOut (ACTV-TEC Ltd.): Name __________________ Title __________________ Signature __________________ Date __________________

Contact

For all matters relating to this DPA:

Data Protection Officer: dpo@gayout.com
Privacy: privacy@gayout.com
Legal: legal@gayout.com

© 2026 GayOut / ACTV-TEC Ltd. This DPA is provided as a template for transparency and to streamline B2B negotiations. It does not, by itself, constitute a binding contract or legal advice. A binding DPA exists only once both Parties have countersigned an executed version with the Annexes completed for the specific engagement. Please consult qualified legal counsel before signing.