Data Processing Agreement (GDPR Article 28)

Customer acts as controller and StageReady Web as processor under this DPA.

Processing is limited to hosting, maintenance, support, analytics implementation, and contact form operations.

Name, email, phone, IP address, form submissions, and CMS-related customer data may be processed.

Website visitors, customer end-users, and where relevant employee contacts.

Processing continues during the main agreement term and ends upon deletion/return at termination.

StageReady Web processes data on documented instructions, ensures confidentiality, applies security measures, assists with rights requests and incidents, and supports audit documentation.

Sub-processors may be used for hosting, email, and analytics. StageReady Web ensures equivalent contractual data protection obligations.

Transfers outside EU/EEA may occur depending on services used and rely on valid transfer mechanisms, including SCCs where relevant.

Security includes access controls, limited access, relevant encryption, and regular system updates.

On termination, personal data is deleted or returned per instruction unless legal retention applies.

Each party is responsible for its GDPR role. Liability follows the main agreement.