
Data Processing Agreement

Effective Date: March 26, 2026

This Data Processing Agreement (“DPA”) forms part of, and is subject to, the Guest List Terms of Service (“Agreement”) between Guest List (“Processor,” “we,” “us”) and the event organizer, photographer, or agency that uses our platform to upload and manage event photographs (“Controller,” “you”).

This DPA reflects the parties' agreement regarding the processing of Personal Data in accordance with applicable Data Protection Legislation.

1. Definitions

  • “Data Protection Legislation” means all applicable laws relating to the processing of Personal Data, including (where applicable) the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), and any other state, federal, or international data protection laws.
  • “Personal Data” means any information relating to an identified or identifiable individual that is processed by Guest List in connection with the Services, including but not limited to names, email addresses, and photographs.
  • “Controller” means the entity that determines the purposes and means of processing Personal Data (the event organizer or photographer using our platform).
  • “Processor” means the entity that processes Personal Data on behalf of the Controller (Guest List).
  • “Subprocessor” means any third party engaged by Guest List to assist in the processing of Personal Data.
  • “Data Subject” means the identified or identifiable individual to whom Personal Data relates (event attendees / guests).

2. Scope and Roles

When you (the event organizer or photographer) upload event photographs to Guest List, you act as the Controller of the Personal Data contained in those photographs. Guest List acts as the Processor, processing Personal Data only for the purpose of providing the Services described in the Agreement.

With respect to event attendees who create accounts and provide data directly to Guest List, Guest List acts as an independent Controller for that attendee-provided data, governed by our Privacy Policy.

3. Processing Instructions

Guest List will process Personal Data only in accordance with your documented instructions as set forth in the Agreement and this DPA, unless required to do otherwise by applicable law. If we are required by law to process Personal Data for any other purpose, we will inform you of that legal requirement before processing, unless the law prohibits such notification.

4. Data Security

We implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest;
  • Access controls limiting Personal Data access to authorized personnel and systems;
  • Regular security reviews and vulnerability assessments;
  • Secure cloud infrastructure (AWS, Supabase on AWS, Vercel);
  • Audit logging of consent, access, and data-modification events.

5. Subprocessors

You authorize us to engage the following Subprocessors to assist in providing the Services. We ensure that each Subprocessor is bound by data protection obligations no less protective than those in this DPA.

Current Subprocessors

  • Amazon Web Services, Inc. (AWS) — cloud hosting and image storage (S3). Location: United States.
  • Supabase, Inc. — database hosting, authentication services, and file storage (hosted on AWS). Location: United States.
  • Twilio, Inc. — SMS delivery for OTP authentication and photo notifications (where applicable). Location: United States.
  • Resend, Inc. — transactional email delivery for OTP verification codes and gallery notifications. Location: United States.
  • Stripe, Inc. — payment processing for Creator subscription billing. Location: United States.
  • Vercel, Inc. — application hosting and deployment. Location: United States.

We will notify you before engaging any new Subprocessor by updating this page. If you have a reasonable objection to a new Subprocessor, you may notify us in writing within 14 days, and we will work in good faith to address your concerns. If we cannot resolve the objection, you may terminate the affected Services.

6. Data Subject Requests

If we receive a request from a Data Subject to exercise their rights under applicable Data Protection Legislation (e.g., access, correction, deletion, portability), we will promptly notify you and provide reasonable assistance to enable you to respond. Where Guest List is the independent Controller of attendee account data, we will handle such requests directly in accordance with our Privacy Policy.

7. Data Breach Notification

In the event of a Personal Data breach, we will notify you without undue delay (and in any event within 72 hours of becoming aware of the breach) and provide sufficient information to enable you to meet any obligations to notify Data Subjects or supervisory authorities. Our notification will include:

  • A description of the nature of the breach;
  • The categories and approximate number of Data Subjects affected;
  • The likely consequences of the breach;
  • The measures taken or proposed to address and mitigate the breach.

8. International Data Transfers

Personal Data may be transferred to, stored, and processed in the United States. Where Personal Data originates from the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that transfers are conducted in accordance with approved transfer mechanisms, including EU Standard Contractual Clauses (SCCs), to provide an adequate level of data protection.

9. Data Retention and Deletion

We retain Personal Data only for as long as necessary to provide the Services or as required by applicable law. Upon termination of the Agreement, and at your written request, we will delete all Personal Data processed on your behalf within 30 days, unless we are required by applicable law to retain it. Data that we hold as an independent Controller (attendee accounts, consent logs) is governed by our Privacy Policy.

10. Audits and Compliance

Upon your reasonable request (no more than once per calendar year, with at least 30 days' advance notice), we will make available information necessary to demonstrate compliance with this DPA. You may also conduct or commission an audit, provided that the audit does not unreasonably disrupt our operations and that you bear the costs of such audit. Any audit findings will be treated as our confidential information.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not create any additional liability beyond what is stated in the Agreement.

12. Governing Law

This DPA is governed by the laws applicable to the Agreement, as set forth in the Terms of Service.

13. Contact

For questions about this DPA, please contact us at:

Email: ontheguestlistapp@gmail.com

See also: Privacy Policy · Terms of Service