Data Processing Agreement (DPA)
Owners Club Events
Valid in the EU / Finland
Last updated: March 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between:
- Organizer (“Controller”) - the entity using the Service to manage communities, memberships, and events
- Owners Club Events (“Processor”) - the provider of the platform when processing personal data on behalf of the Controller
This DPA ensures compliance with the EU General Data Protection Regulation (GDPR) and applicable Finnish data protection laws.
1. Subject Matter and Purpose
The Processor processes personal data on behalf of the Controller solely to provide the Owners Club Events platform, including:
- membership management
- event registration and participation
- payment facilitation
- communication between participants and organizers
Processing is limited to what is necessary to deliver the Service.
2. Roles of the Parties
- The Controller determines the purposes and means of processing personal data
- The Processor processes personal data only on behalf of the Controller
- The Controller is responsible for ensuring a lawful basis for processing
2A. Role Clarification and Scope
Owners Club Events acts in dual roles depending on the processing context.
- As a Data Processor when processing personal data on behalf of Organizers (for example, event participant and membership management data).
- As an Independent Data Controller for user accounts and authentication, platform operation, security and analytics, and legal or regulatory obligations.
This DPA applies only to processing where Owners Club Events acts as a Processor.
3. Duration
This DPA remains in force for as long as the Processor processes personal data on behalf of the Controller.
4. Nature and Purpose of Processing
Processing includes:
- collection
- storage
- organization
- retrieval
- transmission
- deletion
All processing is performed solely to provide the Service.
5. Categories of Data Subjects
Personal data may relate to:
- event participants
- community members
- organizers and administrators
- website users
6. Types of Personal Data
The Processor may process:
Identification Data
- name
- email address
Profile Data
- profile details (e.g., bio, vehicle/garage info, social links)
- visibility preferences
Membership Data
- club memberships
- roles and permissions
Event Data
- registrations
- attendance
- event-specific preferences (e.g., dietary info, passenger details)
Payment Data
- transaction metadata (status, amount, timestamps)
- no payment card data is stored
Payment processing is handled by Stripe as an independent controller.
Technical Data
- IP address
- device and usage logs
The Service is not intended for processing special categories of personal data under Article 9 GDPR.
7. Processing Instructions
The Processor shall:
- process personal data only on documented instructions from the Controller
- not process data for its own purposes
- inform the Controller if an instruction violates applicable law
The Processor shall comply with Article 28(3) GDPR and process personal data only in accordance with documented instructions from the Controller, unless required to do so by Union or Member State law.
Instructions provided by the Controller through use of the Service (including configuration and user actions) are considered documented instructions.
8. Confidentiality
The Processor ensures that:
- all personnel with access to personal data are bound by confidentiality obligations
- access to personal data is limited to authorized personnel only
9. Security Measures
The Processor implements appropriate technical and organizational measures, taking into account the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of individuals, including:
- encryption of data in transit and at rest
- role-based access control
- row-level security (RLS)
- logging and monitoring
- secure infrastructure (via Supabase)
- regular security practices aligned with industry standards
10. Subprocessors
The Controller authorizes the use of the following subprocessors:
- Supabase - hosting, database, authentication
- Vercel - frontend hosting and delivery
The Processor ensures that all subprocessors are bound by GDPR-compliant obligations.
The Processor will inform the Controller in advance of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Controller the opportunity to object to such changes.
Stripe acts as an independent data controller for payment processing and is not a subprocessor of the Processor.
11. International Data Transfers
Personal data is primarily processed within the EU/EEA.
If data is transferred outside the EU/EEA, the Processor ensures appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs)
- equivalent legal mechanisms
12. Assistance to the Controller
The Processor shall assist the Controller in fulfilling GDPR obligations, including:
- responding to data subject requests
- ensuring security of processing
- conducting data protection impact assessments (where applicable)
13. Data Breach Notification
The Processor shall notify the Controller without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach affecting Controller data.
The notification will include relevant details to enable compliance with GDPR reporting obligations.
14. Data Subject Rights
The Processor shall assist the Controller in enabling data subjects to exercise their rights, including:
- access
- rectification
- erasure
- restriction
- portability
- objection
15. Deletion and Return of Data
Upon termination of the Service:
- personal data will be deleted or returned to the Controller
- where applicable, returned data will be provided in a structured, commonly used, and machine-readable format
The above applies unless retention is required by law (e.g., accounting obligations under Finnish law).
16. Audit and Compliance
The Processor shall:
- make available information necessary to demonstrate compliance
- allow reasonable audits or inspections by the Controller
Audits must:
- be reasonable and proportionate
- be conducted no more than once annually, unless required by law or in case of a verified security incident
- be conducted at the Controller's expense
- not disrupt normal operations
- respect confidentiality and security requirements
17. Liability
Each party is responsible for its own compliance with GDPR.
Liability is subject to the limitations set out in the main Terms of Service, to the extent permitted by law.
18. Governing Law
This DPA is governed by the laws of Finland.
19. Contact
For data protection matters:
Owners Club Events
Email: support@ownersclubevents.com
Annex I - Processing Details
This annex describes the Processor activities carried out on behalf of the Controller.
- Subject matter: Provision of the Owners Club Events platform for membership and event operations.
- Duration: For the duration of the service relationship and any statutory retention period where applicable.
- Nature of processing: Collection, storage, organization, retrieval, transmission, and deletion.
- Purpose: Event management, membership administration, participant communications, and related platform operations requested by the Controller.
- Categories of data subjects: Event participants, community members, organizers, administrators, and website users.
- Categories of personal data: Identification, profile, membership, event, payment metadata, and technical data as described in this DPA.
Annex II - Security Measures
The Processor applies technical and organizational security controls appropriate to risk, including:
- encryption in transit and at rest
- role-based access controls and least-privilege access
- row-level security where supported
- audit logging and monitoring
- secure hosting infrastructure and operational safeguards
- periodic review and improvement of security practices