Data processing addendum.

U.S.-Focused Draft
Status: Draft for business and legal review
Date: March 20, 2026
Related agreement: ConfDay Portal Terms of Service, applicable Order, checkout flow, or other written agreement for organizer/customer use of ConfDay

Drafting note

This addendum is structured for a U.S.-focused service-provider / contractor model. It is not drafted as a standalone GDPR or international transfer addendum, but it can be adapted later if ConfDay expands internationally.

1. Purpose and Scope

This Data Processing and Service Provider Addendum ("Addendum") forms part of the agreement between ConfDay, LLC ("ConfDay") and the organizer, company, or other customer entity that uses the ConfDay service ("Customer"). This Addendum applies when ConfDay processes Customer Data that includes Personal Information on behalf of Customer in connection with the ConfDay portal, related public event pages, related mobile application functionality, and associated organizer-facing services (collectively, the "Services").

This Addendum is intended to support a U.S.-focused service-provider / contractor framework for organizer-customer data handling. It is not drafted as a GDPR-only or international transfer addendum, although it may be adapted later if ConfDay expands internationally.

2. Order of Precedence

If there is a conflict between this Addendum and the ConfDay Portal Terms of Service or another applicable service agreement between the parties (the "Agreement"), this Addendum controls solely with respect to the processing of Personal Information subject to this Addendum. In all other respects, the Agreement remains in effect.

3. Definitions

• Applicable Privacy Law means U.S. federal, state, and local privacy, data protection, data security, breach notification, and consumer protection laws applicable to the Services and the processing of Personal Information under the Agreement, as amended from time to time.
• Business Purpose(s) means the limited and specific purposes for which Customer discloses Personal Information to ConfDay, as described in Section 5 and Exhibit A.
• Customer Data means data, content, records, files, materials, and information submitted to, stored in, or processed through the Services by or for Customer or its Authorized Users, including Personal Information.
• Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with an identified or reasonably identifiable individual, as defined by Applicable Privacy Law.
• Process / Processing means any operation performed on Personal Information, including collection, access, storage, organization, use, disclosure, transmission, deletion, or destruction.
• Sell, Share, Service Provider, Contractor and similar terms have the meanings assigned by Applicable Privacy Law where those laws apply.
• Subprocessor means a third party engaged by ConfDay to process Personal Information on behalf of Customer and ConfDay in connection with providing the Services.

4. Roles of the Parties

1. Customer determines the purposes for which Customer uses the Services, the categories of Personal Information Customer chooses to submit, and which Customer Data is made public or private through the Services.
2. ConfDay processes Personal Information on behalf of Customer as a service provider, contractor, processor, or similar provider role, to the extent such role applies under Applicable Privacy Law, for the limited and specified Business Purposes described in this Addendum and the Agreement.
3. For ConfDay's own independent business functions — such as managing its own company records, financial records, legal compliance, fraud prevention, account administration, and direct relationship with Customer — ConfDay may act in its own capacity with respect to information it collects for those purposes.

5. Limited and Specific Business Purposes

1. Service Provision and Workspace Administration.
2. Event Management and Publishing.
3. Customer-Directed Communications.
4. Support, Maintenance, and Troubleshooting.
5. Security and Abuse Prevention.
6. Billing and Commercial Administration.
7. Service Improvement limited to operating and improving the services provided to Customer and not for advertising, cross-context behavioral advertising, or unrelated commercial data products.

6. ConfDay Restrictions and Certifications

ConfDay certifies that it understands the restrictions in this Addendum and will comply with them.

1. ConfDay shall not Sell or Share Personal Information received from or on behalf of Customer.
2. ConfDay shall not retain, use, or disclose Personal Information for any purpose other than the limited and specified Business Purposes in this Addendum and the Agreement, except as expressly permitted by Applicable Privacy Law.
3. ConfDay shall not retain, use, or disclose Personal Information outside the direct business relationship between ConfDay and Customer.
4. ConfDay shall not combine Personal Information received from or on behalf of Customer with Personal Information received from another person or collected from ConfDay's own interactions with an individual, except as expressly permitted by Applicable Privacy Law and solely to the extent reasonably necessary for the permitted Business Purposes.
5. ConfDay shall not use Personal Information for cross-context behavioral advertising, targeted advertising, sale, independent data brokerage, or unrelated profiling.
6. ConfDay shall not attempt to re-identify data that has been validly deidentified, except where permitted by law for testing or validation and subject to appropriate safeguards.

7. Customer Obligations

1. Customer has provided all required notices and obtained all required rights, permissions, and consents.
2. Customer is responsible for the legality, accuracy, quality, and appropriateness of Customer Data and public event content.
3. Customer will not submit prohibited sensitive regulated data unless ConfDay expressly enables it in writing.
4. Customer remains responsible for its own compliance obligations under Applicable Privacy Law.

8. Personnel Confidentiality and Training

ConfDay shall ensure that persons authorized to process Personal Information are subject to appropriate confidentiality obligations and receive appropriate training or guidance regarding secure and lawful handling.

9. Security Measures

ConfDay shall implement and maintain reasonable and appropriate administrative, technical, and organizational safeguards designed to protect Personal Information against unauthorized or illegal access, acquisition, use, disclosure, alteration, destruction, or loss. Baseline commitments are summarized in Exhibit B.

10. Security Incidents

ConfDay shall notify Customer without unreasonable delay after confirming a Security Incident involving Personal Information subject to this Addendum and provide reasonably available information needed to support Customer's response obligations.

11. Assistance with Consumer and Data Rights Requests

To the extent required by Applicable Privacy Law, ConfDay shall provide reasonable assistance to enable Customer to respond to valid requests from individuals concerning Personal Information processed by ConfDay on Customer's behalf.

12. Assistance with Compliance, Audits, and Assessments

To the extent required by Applicable Privacy Law and reasonably requested by Customer, ConfDay shall provide information reasonably necessary for Customer to assess ConfDay's processing of Personal Information under this Addendum. Audit and assessment rights are limited to reasonable and appropriate steps and generally no more than once in any twelve-month period absent a material issue.

13. Notice of Inability to Comply; Remediation Rights

ConfDay shall notify Customer if ConfDay determines that it can no longer meet its obligations under Applicable Privacy Law or this Addendum with respect to Personal Information processed on Customer's behalf.

14. Subprocessors

Customer authorizes ConfDay to engage Subprocessors as reasonably necessary to provide the Services. ConfDay shall ensure each relevant Subprocessor is bound by a written agreement imposing materially consistent confidentiality, security, and restricted-use obligations.

15. Return, Deletion, and Retention

ConfDay's intended default model is:

1. access through the end of the paid term;
2. a 30-day read-only export or retrieval window where feasible; and
3. deletion or deidentification from active systems within approximately 60 days after that window, subject to technical limitations, legal holds, dispute preservation, fraud or security needs, backup systems, and ordinary business records retention.

16. Deidentified and Aggregated Information

Nothing in this Addendum prohibits ConfDay from creating or using deidentified or aggregated information to the extent permitted by Applicable Privacy Law, provided that such information does not identify Customer or any individual.

17. Government and Legal Requests

If ConfDay receives a compulsory legal demand seeking Personal Information processed on Customer's behalf, ConfDay shall, to the extent legally permitted and reasonably practicable, provide prompt notice to Customer.

18. No Sale / No Share / No Targeted Advertising Position

For Personal Information processed by ConfDay on Customer's behalf under this Addendum, ConfDay shall not treat that Personal Information as sold or shared for cross-context behavioral advertising purposes.

19. Limitation of Liability

This Addendum is subject to the liability allocation, disclaimers, exclusions, and limitations of liability set forth in the Agreement.

20. Term and Survival

This Addendum remains in effect for as long as ConfDay processes Personal Information on Customer's behalf under the Agreement.

21. Contact Information

ConfDay, LLC
PO Box 612
Hatboro, PA 19040
privacy@confday.com
legal@confday.com

Exhibit A — Processing Details

Organizer-facing conference and event management processing, including organizer account administration, event management and publishing, customer-directed operational notifications, support and maintenance, security and abuse prevention, billing administration, and internal service quality improvement for the services provided to Customer.

Exhibit B — Baseline Security Commitments Summary

Access controls, authentication and credential protection, encryption and secure transmission, logging and monitoring, vulnerability and patch management, backup and recovery, incident response, subprocessor management, confidentiality, and data minimization by design direction.