Data Processing Agreement (DPA)

Last Updated: March 2025

1. Introduction

This Data Processing Agreement ("Agreement") forms part of the Terms & Conditions and Privacy Policy between TicketRoot, a product of Root ID Private Limited ("Processor"), and the event organizer or client ("Controller"). This Agreement ensures compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

TicketRoot acts as a Data Processor, processing personal data on behalf of event organizers (the Data Controllers) who use our services, including ticketing, registration, check-in, networking, lead scanning, managed services, cashless payments, and event-based transactions.

2. Scope & Applicability

This Agreement applies when TicketRoot processes personal data on behalf of the Controller. This includes:
- Event Ticketing & Registration: Name, email, phone, company details, attendee preferences.
- Check-in & Badge Printing: Attendee authentication, access control logs.
- Networking & Lead Scanning: Attendee connections, business exchanges, notes.
- Cashless Payments & Event Wallets: Transactions within an event, spend tracking at merchant stalls (primarily F&B), and top-up data limited to the event duration.
- Managed Services & Analytics: Live engagement, polling, and event participation tracking.

3. Roles & Responsibilities

3.1 Controller Responsibilities
The event organizer (Controller) is responsible for:
- Ensuring lawful collection of personal data.
- Obtaining attendee consent for processing beyond core event services.
- Defining data retention periods for event-specific processing.
- Ensuring any third-party vendors comply with data protection laws.

3.2 Processor Responsibilities (TicketRoot)
TicketRoot, as a Data Processor, shall:
- Process personal data only on documented instructions from the Controller.
- Implement appropriate technical and organizational measures to protect personal data.
- Ensure encryption and access controls for data security.
- Assist the Controller in fulfilling GDPR obligations (data access, correction, deletion requests).
- Delete or return personal data after event completion, as per retention policies.
- Ensure that subprocessors (e.g., Razorpay for payments, Premagic for engagement tools) adhere to GDPR compliance.

4. Data Retention & Deletion

- Personal data related to ticketing, check-in, and networking is stored on active servers for 2 weeks post-event.
- After 2 weeks, data is moved to passive storage for up to 1 year before permanent deletion.
- Cashless payment data (transaction records, spend tracking) is deleted within 30 days post-event, unless required by the Controller for reconciliation.
- The Controller can request data deletion at any time via written request to av@ticketroot.com.

5. Subprocessors & Third-Party Integrations

TicketRoot engages the following subprocessors, who comply with GDPR:
- Payment Processing: Razorpay for cashless payments & wallet top-ups.
- Event Engagement Tools: Premagic for event gamification, photo distribution.
- Infrastructure & Hosting: AWS India for secure data storage.

TicketRoot ensures all subprocessors enter into Data Processing Agreements (DPAs) before handling user data.

6. Data Subject Rights & Assistance

TicketRoot assists the Controller in fulfilling user rights under GDPR:
- Access Requests: Users can request access to their event data.
- Rectification: Users can correct personal details within the platform.
- Erasure (Right to be Forgotten): Users may request deletion of their data post-event.
- Restriction of Processing: Users can opt out of non-essential processing, such as networking.

7. Security & Breach Notification

- TicketRoot employs encryption, role-based access control, and regular security audits to protect user data.
- In the event of a data breach, TicketRoot will notify the Controller within 72 hours, providing details of affected data and mitigation measures.

8. Data Transfers Outside the EEA

- TicketRoot stores data on AWS India servers to comply with Indian IT laws and GDPR.
- If data is transferred outside the EEA, TicketRoot ensures compliance through Standard Contractual Clauses (SCCs) or equivalent safeguards.

9. Liability & Indemnification

- TicketRoot shall not be liable for compliance failures caused by the Controller’s actions or third-party breaches.
- The Controller shall indemnify TicketRoot against claims arising from improper data collection or processing beyond agreed purposes.

10. Term & Termination

- This Agreement remains in effect for the duration of the Controller’s use of TicketRoot’s services.
- Upon termination, all event data is deleted per the retention policy, unless legally required to be retained.

11. Governing Law & Dispute Resolution

- This Agreement is governed by Indian law.
- Any disputes shall be resolved through arbitration in Mumbai, India, before any court proceedings

12. Contact Information

For GDPR compliance or data processing inquiries, contact

Root ID Private Limited
Registered Address: 5th Floor, 52, Prem Bhavan, Jamshedbaug Compound, SBS Road, Colaba, Mumbai City, Maharashtra, 400005
Email: av@ticketroot.com

Let’s Get Started

Access all the data you need for events of all kinds and sizes. Enjoy the flexibility to build nuancing, with low-cost fees and personalised support

Get Your Branded Event Page

FAQs

What services does TicketRoot provide?

Do you support both paid and unpaid registrations?

How do attendees check in at events?

Can you pre-print badges in eco-friendly materials?

What solutions do you offer for onsite badge printing?

What is cashless payments, in contect to F&B spends at an event?

Do you provide event analytics?