Data Processing Addendum

Our standard DPA for venue, brand, and enterprise customers whose engagement involves JazzNode processing personal data on their behalf.

Effective date: April 14, 2026·Version 1.0

How to execute this DPA

This page is the current standard DPA text. By entering into a paid subscription with JazzNode, you agree to this DPA in its current form where it applies to your engagement. For a signed counterpart, a redlined version, or an enterprise-specific variant, email security@jazznode.com with subject line "DPA execution" and include your legal entity name, jurisdiction, and any modifications you're requesting.

Draft version — legal review recommended before countersigning

1. Definitions

Terms used in this DPA have the meanings assigned in the GDPR, UK GDPR, or equivalent local data-protection law. For clarity:

Controller — you, the JazzNode customer, who determines the purposes and means of processing personal data.
Processor — JazzNode Inc. (Delaware, USA) and 娛興喂有限公司 (Taiwan), processing personal data on your behalf.
Personal data — as defined in GDPR Art. 4(1); covers data relating to an identified or identifiable natural person.
Processing — any operation performed on personal data (collection, storage, use, transmission, deletion, etc.).
Sub-processor — a third party engaged by JazzNode to process personal data on behalf of the Controller, listed in §5.
Services — the JazzNode platform, including artist/venue/brand profiles, event discovery, ticketing, messaging, and related features.

2. Subject matter, duration, nature and purpose

Subject matter: JazzNode's processing of personal data in connection with providing the Services to the Controller.

Duration: For the term of the Controller's JazzNode subscription, plus any retention period required by law (e.g., tax records for ticket revenue).

Nature and purpose: Hosting, authenticating, displaying, delivering, and supporting the Controller's use of the JazzNode platform. Includes ticket issuance, payment settlement via Stripe, transactional email via Resend, and analytics on platform usage.

3. Categories of data subjects & personal data

Categories of data subjects: End users of the Services, including fans/ticket buyers, musicians/artist profile owners, venue operators, brand operators, and their invited staff.

Categories of personal data:

Identification: name, display name, email, profile image.
Authentication: hashed passwords (Supabase Auth), OAuth tokens (Google).
Commerce: ticket purchase records, order totals, payout destinations (for venues/brands). JazzNode does not store raw card numbers — those are held by Stripe as a separate controller under PCI DSS.
Communications: messages sent through the platform, shoutouts, reviews.
Usage: anonymized analytics, referrer sources, general geographic region.
Device (mobile app only): push notification tokens, device name, OS/app version.

JazzNode does not intentionally process special categories of personal data (GDPR Art. 9). Controllers must not submit such data through the Services.

4. Obligations of JazzNode as Processor

JazzNode will:

Process personal data only on documented instructions from the Controller (the subscription agreement, these terms, and any written instructions the Controller provides).
Ensure that persons authorized to process personal data are under a contractual duty of confidentiality.
Implement appropriate technical and organizational security measures (see §7).
Assist the Controller with responding to data-subject requests and meeting its obligations under GDPR Articles 32 through 36, taking into account the nature of processing.
Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28.
At the Controller's choice, delete or return all personal data after the end of the Services (see §11).

5. Sub-processors

The Controller authorizes JazzNode to engage the following sub-processors, each of whom has signed a written agreement imposing data-protection terms at least as protective as this DPA:

Supabase, Inc.: Database, authentication, object storage. SOC 2 Type 2, ISO 27001. Data primarily hosted in AWS regions selected to match JazzNode's operating regions.
Vercel Inc.: Application hosting, edge network, build pipeline. SOC 2 Type 2, ISO 27001.
Stripe, Inc.: Payment processing. Stripe acts as an independent controller for card data under PCI DSS Level 1.
Resend, Inc.: Transactional email delivery. SOC 2 Type 2. Tokyo region for APAC.
Amazon Web Services, Inc.: Underlying cloud infrastructure used via Supabase and for selected file storage. SOC 2, ISO 27001.
Google LLC: OAuth identity provider for sign-in with Google; Google Workspace as internal identity provider.

JazzNode will notify Controllers of any intended additions or replacements of sub-processors with at least 30 days' notice via /trust and email. Controllers may object on reasonable data-protection grounds; if the objection cannot be resolved, either party may terminate the subscription.

6. International data transfers

JazzNode operates across multiple jurisdictions. When personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, JazzNode relies on the EU Standard Contractual Clauses (2021/914) and equivalent UK IDTA/Addendum as incorporated by reference.

Sub-processors that operate outside the EEA self-certify to SCC-equivalent protections or operate under adequacy frameworks. Current jurisdictions: United States (JazzNode Inc., Vercel, Stripe, AWS, Google), Taiwan (娛興喂), Japan (Resend Tokyo region where elected).

7. Security measures

JazzNode implements and maintains technical and organizational measures appropriate to the risk, as described at /trust and /legal/security. These include, at minimum:

Encryption in transit (TLS 1.2+, HSTS on all domains) and at rest (AES-256 via infrastructure providers).
Row Level Security enforced at the database layer for per-user, per-role access control.
Least-privilege internal roles (Owner / Admin / Editor) with elevated permissions required for sensitive operations.
Encrypted secrets management via Vercel environment variables; OIDC for cloud-to-cloud auth; no long-lived credentials in source control.
Supabase point-in-time backups and independently stored ticket records.
Published vulnerability disclosure program at /trust with security@jazznode.com as the contact channel.

Measures are reviewed annually and updated as the platform evolves. Material changes are reflected at /trust.

8. Assistance with data-subject rights

JazzNode will provide reasonable assistance, at the Controller's cost where such assistance is disproportionate, to help the Controller respond to data-subject requests under Chapter III of GDPR (access, rectification, erasure, restriction, portability, objection).

Where data subjects contact JazzNode directly about data originating from a Controller (for example, a fan emailing about their profile on a venue's event page), JazzNode will inform the data subject of the relevant Controller and, where appropriate, notify the Controller.

9. Personal-data breach notification

JazzNode will notify the Controller without undue delay, and in any event within 72 hours of confirmation, of any personal-data breach affecting the Controller's data.

Notifications will include, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach and mitigate adverse effects.

JazzNode will document all personal-data breaches and make records available to the Controller on request.

10. Audits and inspections

The Controller may verify JazzNode's compliance with this DPA by reviewing:

Current third-party audit reports of JazzNode's sub-processors (SOC 2, ISO 27001), made available on NDA request via security@jazznode.com.
JazzNode's responses to a reasonable security questionnaire (limit one per 12 months; responded to within 30 business days).

On-site inspections are reserved for cases where the above is demonstrably insufficient, or where required by a supervisory authority. In such cases the Controller gives 30 days' written notice, bears its own costs, and conducts the audit under mutually agreed scope and confidentiality terms during normal business hours.

11. Return and deletion

On termination of the Controller's subscription, JazzNode will, at the Controller's written choice within 30 days of termination: (a) delete all personal data processed on the Controller's behalf, or (b) return such data in a structured, commonly used, machine-readable format.

Absent a timely choice, JazzNode will delete the Controller's personal data after 90 days, subject to retention required by law (for example, tax records of ticket transactions under US and Taiwan tax law). Data in backup systems will be overwritten in the normal backup rotation.

12. Liability, governing law, and order of precedence

Liability arising under this DPA is subject to the liability caps and exclusions of the underlying JazzNode subscription agreement. Nothing in this DPA excludes liability that cannot lawfully be excluded.

This DPA is governed by the law of the JazzNode subscription agreement that incorporates it.

In case of conflict between this DPA and the underlying subscription agreement with respect to data-protection obligations, this DPA prevails. The EU Standard Contractual Clauses, where applicable, prevail over this DPA.

13. Contact

Data-protection and DPA questions: security@jazznode.com.

General contact through JazzNode HQ: .

JazzNode operating entities: JazzNode Inc. (Delaware, USA) and 娛興喂有限公司 (Taiwan, R.O.C.).