Data Processing Addendum

Effective date: July 1, 2026

This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Terms of Service (the “Terms”) between Companion App LLC (“Companion,” “we,” “us,” or “our”) and the customer organization that accepts the Terms and uses the Services (“Customer,” “you”). It applies where you process the personal data of other individuals through the Services. Capitalized terms not defined here have the meaning given in the Terms.

Parties and roles

Processor / Service Provider: Companion App LLC, a Florida limited liability company. Controller / Business: the Customer.

For personal data you submit or generate through the Services about your own people and your guests or talent, you are the controller/business and Companion is the processor/service provider. For account-administration and security data Companion determines (for example, sign-in security records and billing), Companion may act as a controller; that processing is governed by our Privacy Policy.

1. Definitions

Terms such as “personal data,” “processing,” “controller,” “processor,” “data subject,” “personal data breach,” “sub-processor,” “business,” “service provider,” and “sell” or “share” have the meanings given in applicable data protection law, including the EU and UK GDPR and the CCPA/CPRA. “Applicable Data Protection Law” means all privacy and data-protection laws applicable to the processing under this DPA. “Customer Personal Data” means personal data Companion processes on your behalf under this DPA.

2. Scope, subject matter, and duration

This DPA applies to Companion's processing of Customer Personal Data on your behalf in connection with the Services. It is effective for as long as Companion processes Customer Personal Data and survives termination until such data is deleted or returned (Section 9).

3. Processing details (Annex A)

  • Nature and purpose: providing the Services — a coordination platform for live event production (account management, messaging, itineraries and tasks, talent and guest intake, calendar feeds, push notifications, and an opt-in live location feature), plus billing and security.
  • Duration: the term of your subscription plus the deletion windows in Section 9 and the Privacy Policy.
  • Categories of data subjects: your organization's members and administrators; guests, talent, and attendees whose information you enter; and, where you choose to use the Services for youth or family events, potentially minors (see Section 10).
  • Types of personal data: identifiers (name, email, phone, account ID); profile and intake details (emergency contacts, dietary, travel, and logistics preferences); authentication and security data (two-factor material, sign-in and IP records); precise geolocation of opted-in members during active events; file attachments and photos; usage and device metadata; and billing contact and payment metadata (card brand and last four digits, invoice history).
  • Special or sensitive categories: precise geolocation (sensitive personal information under the CPRA) and potentially children's data entered by you. Companion does not request special-category data and instructs you not to submit health, biometric, or other special-category data except the geolocation inherent to the tracking feature.

4. Processing only on documented instructions

Companion will process Customer Personal Data only (a) to provide the Services per the Terms, (b) as further documented in writing by you, and (c) as required by law (with notice to you unless legally prohibited). Companion will inform you if, in its opinion, an instruction infringes Applicable Data Protection Law.

5. Confidentiality

Companion ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and access it only as needed to provide the Services.

6. Security (Annex B)

Companion maintains the following technical and organizational measures, and regularly reviews them and may update them provided protection is not materially reduced:

  • Encryption in transit. All traffic is served over HTTPS/TLS with HSTS enforced; database and cache/queue connections use TLS, and session cookies are HttpOnly and Secure.
  • Encryption at rest. The production database and uploaded files are encrypted at rest (AES-256, provider-managed); two-factor secrets are additionally encrypted at the application layer, and passwords and 2FA backup codes are stored only as bcrypt hashes.
  • Access control and least privilege. Role-based access control across the Organization, Company, Event, and Group hierarchy, with tenant isolation between organizations; internal administrative tools and production infrastructure access are restricted to authorized personnel on a least-privilege basis.
  • Authentication. Email/password with bcrypt and automatic lockout after repeated failures, plus federated sign-in (Google, Microsoft, Apple). TOTP two-factor authentication is available to all users and can be required organization-wide by an administrator.
  • Session security. Signed-token sessions over HttpOnly/Secure cookies, with server-side session records that allow immediate revocation and expire after 30 days.
  • Audit logging. Customer-facing and internal administrative actions are recorded with actor, timestamp, and (for administrative actions) before-and-after snapshots.
  • Rate limiting. Sliding-window rate limits on authentication, password-reset, signup, guest-intake, and general API mutation endpoints, applied per IP and per account.
  • Error monitoring. Errors are monitored with session replay disabled and personal-data collection off by default; no message, file, or profile content is captured.
  • Automated retention and deletion. Scheduled jobs delete location and tracking data on event completion or cancellation and within 30 days of an event ending; delete archived companies, events, and chats 30 days after archival; and permanently delete account data 30 days after a deletion request, with support-record personal data redacted beforehand.
  • Backups. Provider-managed, encrypted at rest and in transit, with point-in-time restore.
  • Vulnerability and dependency management. Automated dependency-vulnerability scanning on every change and on a weekly schedule, and automated secret scanning that blocks credentials from being committed to source control.
  • Platform, network, and environment isolation. Hosting with edge TLS and platform-level DDoS protection and standard security response headers; application secrets are stored as managed environment variables, never in source control; production and non-production environments are isolated, and non-production has no access to production data.

7. Sub-processors

You provide general authorization for Companion to engage sub-processors to provide the Services. The current list of sub-processors is provided to you on request and is attached to this DPA as Annex C. Companion imposes data-protection obligations on each sub-processor substantially as protective as this DPA and remains responsible for their performance. Companion will give you prior notice by email before adding or replacing a sub-processor, giving you a reasonable opportunity to object on reasonable data-protection grounds; if the objection is unresolved, you may terminate the affected Services.

8. Data subject requests and assistance

Taking into account the nature of the processing, Companion will assist you — by appropriate technical and organizational measures, insofar as possible — to respond to data subject requests (access, deletion, correction, portability, objection, and restriction).

Third-party data subjects. Because guests and talent are typically not Companion account holders, Companion will refer any request it receives directly from such individuals to you as the relevant controller and assist you in responding. Self-service tools in the dashboard (export, deletion, and the 30-day deletion grace) support this. Companion will also assist you with data protection impact assessments and regulator consultations where required (Articles 35–36 GDPR), to the extent applicable to the Services.

9. Deletion and return

On termination or expiry, or on your request, Companion will delete or return Customer Personal Data and delete existing copies, except where retention is required by law (for example, billing and tax records) or exists transiently in routine backups that cycle out. Location records are deleted automatically per Privacy Policy Section 12 (on event completion or cancellation, and in any case for events that ended more than 30 days prior). Account data is deleted or anonymized after the 30-day deletion grace (Privacy Policy Sections 9–10).

10. Minors and user age

Users must be adults. Account holders and all individuals you authorize to use the Services — including any person you assign to an operator or other location-tracked role — must be 18 years of age or older. The Services are directed at professionals coordinating live events and are not directed at children. Companion does not, and is not technically able to, verify the age of any user; ensuring every authorized user meets the 18+ requirement is your and your administrators' sole responsibility. You represent and warrant that each individual you grant access to, or assign a tracked role within, the Services is 18 or older.

Minors as Content. You may enter information about event participants — including minors — as Content (for example, guest or talent contact and emergency-contact details). Guests and attendees are not users and are never location-tracked. For any such minor's personal data, you are solely responsible for (a) determining the lawful basis for, and obtaining any required parental or guardian consent for, the data you enter; (b) ensuring you have the authority to provide that data; and (c) complying with the Children's Online Privacy Protection Act (COPPA) and any applicable children's or student-privacy laws as the controller.

Location tracking attaches to event roles, not to individuals. Only members you designate with a tracked operator or team role can share location, and under the 18+ requirement above those members must be adults. You are solely responsible for which individuals you assign to tracked roles. Companion's opt-in consent prompt does not substitute for, and does not verify, any consent or any user's age.

11. International transfers

Companion operates from the United States and currently processes data in the United States. Where Applicable Data Protection Law requires a transfer mechanism (for example, for an EU or UK customer), the parties incorporate the EU Standard Contractual Clauses (and the UK Addendum) by reference, with Companion as importer/processor; the relevant Annex details are completed at that time.

12. CCPA / CPRA service-provider terms

Companion is a service provider. Companion will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than performing the Services or as permitted by the CCPA; (c) retain, use, or disclose it outside the direct business relationship; or (d) combine it with personal data from other sources except as permitted by the CCPA. Companion certifies that it understands and will comply with these restrictions.

13. Personal data breach

Companion will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information then available to help you meet your own notification obligations, and will take reasonable steps to investigate and mitigate the breach.

14. Audits

Companion will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including by providing relevant third-party reports or certifications where available. On-site audits are reserved for negotiated enterprise agreements.

15. Liability and precedence

This DPA forms part of the Terms. The limitations of liability in the Terms (Section 14) apply to claims under this DPA. In case of conflict on the subject matter of data processing, this DPA controls over the Terms.

Annexes

  • Annex A — Processing details. As described in Section 3.
  • Annex B — Technical and organizational measures. As described in Section 6.
  • Annex C — Sub-processors. The current list of Companion's sub-processors is available to you on request, with advance notice of changes as described in Section 7.
  • Annex D — Standard Contractual Clauses. Incorporated by reference per Section 11 when an international transfer requires them; modules and annexes are completed at that time.

Contact

Questions about this DPA, or a request to receive the current sub-processor list, can be sent to contact@yourcompanion.io.

Companion App LLC
Florida, United States