Janix Data Processing Addendum

v2026-06-24 · Effective Date: June 24, 2026

This Data Processing Addendum (“DPA”) forms part of the Janix Terms of Service (the “Agreement”) between Janix, Inc. (“Janix,” the “Processor”) and the event organizer that uses the Services (the “Organizer,” the “Controller”). It governs Janix’s processing of Personal Data on the Organizer’s behalf in connection with the Services, is incorporated into the Agreement by reference, and applies automatically to every Organizer. If this DPA and the rest of the Agreement conflict on a data-protection matter, this DPA controls.

1. Definitions

“Applicable Data Protection Law” means all data-protection and privacy laws applicable to the processing, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the Swiss FADP, and U.S. state privacy laws including the California Consumer Privacy Act as amended (“CCPA/CPRA”) and the Texas Data Privacy and Security Act (“TDPSA”). “SCCs” means the EU Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914. “Organizer Personal Data” means Personal Data that Janix processes on the Organizer’s behalf under the Agreement. The terms “controller,” “processor,” “personal data,” “data subject,” “processing,” “sub-processor,” “personal data breach,” “service provider,” “sale,” and “share” have the meanings given in Applicable Data Protection Law.

2. Roles and Scope of Processing

The Organizer is the controller (or, where it acts on another controller’s behalf, a processor) and Janix is the processor of Organizer Personal Data. For purposes of the CCPA/CPRA, the Organizer is the business and Janix is a service provider. Janix processes Organizer Personal Data only to provide the Services and on the Organizer’s documented instructions (which include the Agreement and the Organizer’s configuration and use of the Services), unless required by law—in which case Janix will notify the Organizer first unless the law prohibits it. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of data subjects are described in Annex I.

3. Organizer Obligations

The Organizer is responsible for the lawfulness of its instructions and of its own collection and use of Organizer Personal Data, including giving any required notices and obtaining any required consents—for example, for marketing email sent through the autonomous Marketing Assistant, and for any advertising or conversion tags it enables using its own advertising accounts. The Organizer will not instruct Janix to process Organizer Personal Data in violation of Applicable Data Protection Law.

4. Confidentiality

Janix ensures that personnel authorized to process Organizer Personal Data are bound by appropriate confidentiality obligations.

5. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and risks of the processing, Janix implements appropriate technical and organizational measures to protect Organizer Personal Data, as described in Annex II.

6. Sub-processors

The Organizer gives Janix a general authorization to engage sub-processors to process Organizer Personal Data. The current sub-processors are listed in Annex III. Janix imposes on each sub-processor data-protection obligations no less protective than those in this DPA and remains responsible for its sub-processors’ performance. Janix will give the Organizer notice of any intended addition or replacement of a sub-processor (by email or by posting an updated list), and the Organizer may object on reasonable data-protection grounds within 30 days. If the parties cannot resolve the objection, the Organizer may terminate the affected Services.

7. Data Subject Requests

Taking into account the nature of the processing, Janix will assist the Organizer, by appropriate technical and organizational measures and insofar as possible, to respond to data subjects exercising their rights under Applicable Data Protection Law. If Janix receives a request directly from a data subject relating to Organizer Personal Data, it will refer the data subject to the Organizer.

8. Personal Data Breach

Janix will notify the Organizer without undue delay after becoming aware of a personal data breach affecting Organizer Personal Data, and will provide information reasonably available to it to help the Organizer meet its own breach-notification obligations, including under the GDPR and U.S. state breach-notification laws such as Texas Business & Commerce Code § 521.053.

9. Data Protection Impact Assessments

Janix will provide reasonable assistance to the Organizer with data protection impact assessments and any prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Janix.

10. Return or Deletion of Data

On termination or expiry of the Services, Janix will, at the Organizer’s choice, delete or return Organizer Personal Data and delete existing copies, unless retention is required by law. Janix deletes customer content on request.

11. Audits

Janix will make available to the Organizer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including by providing available third-party certifications or reports. Any on-site audit will be on reasonable prior notice, during business hours, no more than once per year (absent a regulator requirement or a breach), and subject to confidentiality.

12. International Data Transfers

Janix stores Organizer Personal Data in the United States. Where Organizer Personal Data of data subjects in the EEA, the UK, or Switzerland is transferred to a country without an adequacy decision, the SCCs (together with the UK International Data Transfer Addendum and any Swiss amendments, as applicable) are incorporated into this DPA by reference and apply to that transfer, with the modules and selections set out in Annex IV.

13. CCPA/CPRA Service-Provider Terms

With respect to Organizer Personal Data subject to the CCPA/CPRA, Janix acts as a service provider and will: (a) not sell or share that data; (b) not retain, use, or disclose it except as necessary to provide the Services under the Agreement (the business purpose) or as otherwise permitted by law; (c) not combine it with personal information from other sources except as permitted by the CCPA/CPRA; and (d) comply with the applicable obligations of a service provider. Janix certifies that it understands and will comply with these restrictions.

14. Liability

Each party’s liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Where the SCCs apply, nothing in this DPA limits a data subject’s rights under the SCCs.

15. General

This DPA is governed by the law that governs the Agreement, except where Applicable Data Protection Law requires otherwise. If any provision of the SCCs conflicts with this DPA, the SCCs prevail for the relevant transfer.

Annex I — Details of Processing

• Subject matter: Janix’s provision of the Services to the Organizer.
• Duration: the term of the Agreement, plus any deletion or retention period.
• Nature and purpose: hosting and storage; audience analysis; autonomous email marketing; event pre-production and advancement; contact enrichment; and payment facilitation.
• Categories of data subjects: the Organizer’s attendees, registrants, contacts, leads, and staff.
• Types of Personal Data: name; email; mailing address; optional age range; profile information; event registration and attendance data; contacts; photos; communications; enrichment data (publicly available business information); and usage data.
• Special categories: none are intended; the Organizer must not upload special-category data without a separate written arrangement.

Annex II — Technical and Organizational Security Measures

Janix maintains the following technical and organizational measures to protect Organizer Personal Data:

• Encryption in transit: TLS/HTTPS for data transmitted to and from the Services.
• Encryption at rest: Organizer Personal Data is encrypted at rest in Janix’s Amazon Web Services environment.
• Authentication: passwordless magic-link sign-in; session tokens (JWT) expire after 30 minutes, and magic links are single-use and expire after 60 minutes.
• Access control: role-based, least-privilege access to systems and data.
• Tenant isolation: multi-tenant logical isolation, with organization-level scoping (organization_id) enforced on data records and queries.
• Payment data: card data is handled by Stripe (PCI DSS compliant); Janix does not store full payment-card data.
• Logging and monitoring: logging, monitoring, and alerting via Amazon CloudWatch.
• Resilience: backups, redundancy, and recovery (Amazon RDS).
• Vendor management: security review of sub-processors.
• Incident response: a documented incident-response process for personal data breaches.

Annex III — Sub-processors

• Stripe, Inc. — payment processing.
• Resend — transactional and marketing email delivery.
• Amazon Web Services — hosting and infrastructure.
• Apollo.io — contact enrichment (publicly available business data).
• Exa.ai — contact enrichment (publicly available web data).
• Anthropic, PBC — AI features (Claude models via the Anthropic API); does not train on inputs or outputs under its commercial terms; limited retention (currently up to seven days) per those terms.
• Google LLC (Google Cloud / Vertex AI) — AI features for content generation (Gemini); does not use the data to train its models; brief caching (up to 24 hours) and abuse-monitoring logging (up to 90 days, not used for training) per Google’s Vertex AI data-governance terms.
• Meta and Google — only where the Organizer connects its own advertising accounts, under the Organizer’s control.

Annex IV — Transfer Mechanism and SCC Selections

• EU SCCs: Module Two (controller-to-processor) where the Organizer is a controller; Module Three (processor-to-processor) where the Organizer is itself a processor.
• United Kingdom: the UK International Data Transfer Addendum to the EU SCCs.
• Switzerland: the EU SCCs as amended for the Swiss FADP.
• Docking clause (Clause 7): included. Optional redress clause: the optional independent-dispute-resolution-body election is not made. Governing law (Clause 17): the law of Ireland. Forum (Clause 18): the courts of Ireland. These are conventional defaults for an EU member-state selection and should be confirmed on legal review.