Data processing agreement

For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR) Between the data controller and Happenings Group A/S (the data processor) The parties have agreed on the following contractual clauses to meet the requirements of the GDPR and to ensure the protection of the rights of data subjects. These contractual clauses set out the rights and obligations of the data controller and the data processor when processing personal data on behalf of the data controller. The clauses have been designed to ensure compliance with Article 28(3) of Regulation 2016/679 (GDPR). In the context of providing event management, ticketing, membership, and social platform services, Happenings Group A/S will process personal data on behalf of the data controller. These clauses take priority over any similar provisions in other agreements between the parties. Four appendices are attached and form an integral part of this agreement.

The data controller is responsible for ensuring that processing of personal data complies with the GDPR, applicable EU or Member State data protection provisions, and these clauses. The data controller has the right and obligation to make decisions about the purposes and means of processing personal data. The data controller shall ensure that processing has a legal basis.

Happenings Group A/S shall process personal data only on documented instructions from the data controller, unless required by law. Instructions are specified in Appendices A and C. Subsequent instructions shall be documented in writing. Happenings Group A/S shall immediately inform the data controller if instructions appear to contravene the GDPR.

Happenings Group A/S shall grant access to personal data only to authorized personnel who have committed to confidentiality on a need-to-know basis. A list of authorized persons shall be kept under periodic review. Happenings Group A/S shall demonstrate that personnel are subject to confidentiality obligations upon request.

Happenings Group A/S implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: Pseudonymization and encryption; ongoing confidentiality, integrity, availability and resilience; ability to restore data in a timely manner; regular testing and evaluation of security measures. Happenings Group A/S independently evaluates risks and implements mitigation measures. Happenings Group A/S assists the data controller in ensuring compliance with Article 32 GDPR.

Happenings Group A/S may engage sub-processors with general written authorization from the data controller. Data controllers will be informed of any intended changes to sub-processors at least 30 days in advance. The same data protection obligations as in these clauses are imposed on sub-processors. A list of current sub-processors is maintained in Appendix B. Happenings Group A/S remains fully liable for sub-processor obligations.

Any transfer to third countries shall only occur on documented instructions and in compliance with Chapter V GDPR. Transfers required by EU or Member State law shall be communicated to the data controller prior to processing. Primary data storage is located within the EU (Denmark and other EU countries). Appropriate safeguards are in place for any transfers outside the EU.

Happenings Group A/S shall assist the data controller in fulfilling obligations to respond to data subject rights requests, including: Right to be informed, right of access, right to rectification, right to erasure, right to restriction, right to data portability, right to object, and rights related to automated decision-making. Happenings Group A/S shall assist the data controller in: Notifying personal data breaches to supervisory authorities; communicating breaches to data subjects; conducting data protection impact assessments; consulting supervisory authorities when required.

In case of any personal data breach, Happenings Group A/S shall notify the data controller without undue delay. Notification shall occur within 24 hours when possible to enable compliance with Article 33 GDPR. Happenings Group A/S shall assist in obtaining breach information including nature, consequences, and mitigation measures.

On termination of services, Happenings Group A/S shall delete all personal data and certify deletion, unless law requires storage. Data subjects may request deletion of their personal data at any time through the platform. Data controllers may export all data prior to termination.

Happenings Group A/S shall make available all information necessary to demonstrate compliance with Article 28. Happenings Group A/S shall allow for and contribute to audits and inspections. Procedures for audits are specified in Appendix C. Supervisory authorities shall have access to facilities upon presentation of appropriate identification.

The parties may agree on additional clauses that do not contradict these clauses or prejudice data subject rights.

This agreement becomes effective when both parties have agreed to these terms. Either party may require renegotiation if changes to law or circumstances warrant it. This agreement applies for the duration of personal data processing services. Upon termination of services and deletion or return of data, this agreement may be terminated by written notice.

Happenings Group A/S Klostergade 56B, ST., 8000 Aarhus C, Denmark CVR/VAT: 40979956 Email: legal@happenings.dk Phone: +45 31 45 09 14 Data Protection Officer: legal@happenings.dk

Appendix A: Information about the processing Purpose of processing: To provide event management, ticketing, membership management, social networking, payment processing, and related services through the Happenings platform. Nature of processing: Collection, storage, organization, structuring, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, and destruction of personal data. Types of personal data: Name, email address, phone number, profile information, event attendance data, payment information, membership data, social connections, messages, and user-generated content. Categories of data subjects: Event attendees, club/organization members, page administrators, users of the social platform, ticket purchasers. Duration of processing: For the duration of the service agreement and as required by applicable retention obligations. Appendix B: Authorized sub-processors Happenings Group A/S may use the following categories of sub-processors: Cloud Infrastructure Providers: For hosting and data storage (e.g., Google Cloud Platform, Amazon Web Services - EU regions only). Payment Processors: For processing payments (e.g., Reepay, MobilePay, Apple Pay, Google Pay, Stripe). Communication Services: For email and push notifications (e.g., SendGrid, Firebase Cloud Messaging). Analytics Providers: For platform analytics (e.g., Google Analytics with data processing agreement in place). Data controllers will be notified 30 days in advance of any changes to sub-processors. Appendix C: Instructions and security measures Processing instructions: Process personal data to provide the services described in Appendix A, in accordance with applicable law and data controller instructions provided through the platform. Security measures: Encryption in transit (TLS/SSL) and at rest; access controls and authentication; regular security testing and monitoring; incident response procedures; employee training; physical security; regular backups; ISAE 3000 compliance. Assistance obligations: Provide data export functionality; respond to data subject rights requests within 7 days; assist with breach notifications within 24 hours; provide security documentation upon request. Storage and erasure: Data is stored for the duration of the service agreement. Upon termination or request, all data is deleted within 30 days unless retention is required by law. Processing location: Primary processing occurs in Denmark and other EU member states. No transfers to third countries without explicit consent. Audit procedures: Annual ISAE 3000 audit reports are available upon request. Data controllers may request additional audits with 30 days notice. Appendix D: Other terms Liability: Liability is governed by the Terms of Partners and applicable law. Amendments: This agreement may be amended by mutual written consent of both parties.