This DPA forms part of the agreement between you (a "Customer", acting as data controller) and ENTRRO (acting as data processor). It applies whenever ENTRRO processes personal data on your behalf — for example, when promoters deliver guests to your venue and we relay the attribution.
"Personal Data", "Data Subject", "Controller", "Processor", "Sub-processor" have the meanings given in Regulation (EU) 2016/679 (GDPR). "CCPA" means the California Consumer Privacy Act. References to GDPR include the UK GDPR where you operate in the UK.
ENTRRO processes Personal Data only on Customer's documented instructions, for the purpose of delivering the platform services described in the Business Terms: managing campaigns, attributing arrivals, processing payments, fraud prevention, support, and reporting.
Current list at /subprocessors/. We notify Customer at least 30 days before adding a new sub-processor; Customer may object on reasonable grounds.
Encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access, least-privilege defaults, audit logs, mandatory MFA on staff accounts, annual penetration testing, ISO 27001-aligned controls. Detailed security overview available on request under NDA.
For transfers outside the EEA/UK, we rely on the EU Standard Contractual Clauses (2021/914) and the UK IDTA / UK Addendum where applicable. Transfer impact assessments are available on request.
ENTRRO assists Customer in responding to data subject access, rectification, erasure, restriction, portability, and objection requests within statutory timelines. Customer is the primary point of contact for data subjects whose data flows through Customer's brief.
ENTRRO notifies Customer without undue delay (target: 24 hours) of any confirmed personal data breach affecting Customer's data, including details required under Article 33 GDPR.
Once per year on reasonable notice, Customer may audit ENTRRO's processing of their data, either by reviewing third-party audit reports (e.g., SOC 2 once obtained) or — for material risk — on-site by mutual agreement.
Upon termination, ENTRRO returns or deletes Customer's personal data within 90 days, except where retention is required by law (e.g., payment records for 7 years for tax compliance).
Liability under this DPA is subject to the limitations in the underlying agreement, except where law prohibits limitation (e.g., regulatory fines arising from the processor's specific breach).
For enterprise customers requiring an executed DPA with signatures, contact legal@entrro.com. This online version applies by default to all customers from the effective date.
Questions? legal@entrro.com. This is a plain-language version of the legal document; the formal text is available on request and prevails in any conflict.
Tell us a little about you and we'll be in touch.