Amego Data Processing Addendum

Last Updated: January 1, 2026

This Data Processing Addendum (“DPA”) forms part of the Amego Terms & Conditions or other agreement governing the use of the Amego platform and services (the “Agreement”) between Amego, Inc. (“Amego”) and the entity agreeing to the Agreement (“Customer”).

This DPA governs the processing of Personal Data by Amego in connection with the Services.

If there is any conflict between this DPA and the Agreement relating to data protection or processing of Personal Data, this DPA shall prevail.

Index

Definitions
Roles of the Parties
Purpose Limitation
Compliance with Data Protection Laws
Processing of Personal Data
Confidentiality
Sub-processors
Data Subject Rights
Data Protection Impact Assessments
Personal Data Breaches
Security Measures
Audits and Compliance
International Data Transfers
Data Retention and Deletion
Cooperation and Third-Party Requests
Liability
Governing Law
Artificial Intelligence Processing
AI Model Training Restrictions
Miscellaneous

Schedule 1 – Details of Processing
Schedule 2 – Technical and Organizational Security Measures
Schedule 3 – Cross Border Transfer Mechanisms

1. Definitions

For purposes of this DPA:

“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA), and any implementing regulations or successor legislation.

‍“Controller” means the natural or legal person that determines the purposes and means of processing Personal Data.

‍“Processor” means an entity that processes Personal Data on behalf of the Controller.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation performed on Personal Data including collection, storage, use, disclosure, transmission, or deletion.

“Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Sub-processor” means a third party engaged by Amego to process Personal Data on behalf of Customer.

“Standard Contractual Clauses” means the standard contractual clauses adopted by the European Commission for transfers of Personal Data to third countries.

2. Roles of the Parties

2.1 Controller and Processor Relationship

Where Customer provides Personal Data to Amego through the Services, Customer acts as the Controller and Amego acts as the Processor.

2.2 Independent Controllers

In certain circumstances each party may act as an independent controller with respect to Personal Data it processes in connection with its own business operations, including employee data, account administration data, or contractual relationship management.

2.3 Customer Responsibilities

‍Customer is responsible for ensuring that it has obtained all necessary rights, consents, and permissions to provide Personal Data to Amego and to allow Amego to process that Personal Data in accordance with the Agreement and this DPA.

3. Purpose Limitation

Amego shall process Personal Data only for the purposes of providing the Services under the Agreement and in accordance with Customer’s documented instructions.

Amego will not sell Personal Data or use Personal Data for advertising or unrelated commercial purposes.

4. Compliance with Data Protection Laws

Each party shall comply with its obligations under Applicable Data Protection Law.

To the extent the California Consumer Privacy Act applies, Amego will:

act as a “Service Provider” under the CCPA
process Personal Data solely to provide the Services
not retain, use, or disclose Personal Data outside the direct business relationship between the parties.

5. Processing of Personal Data

Amego shall:

(a) process Personal Data only on documented instructions from Customer;

(b) ensure personnel authorized to process Personal Data are subject to confidentiality obligations;

(d) notify Customer if Amego believes a Customer instruction violates Applicable Data Protection Law.

6. Confidentiality

6.1 Confidential Processing

All personnel authorized to process Personal Data must be bound by confidentiality obligations.

6.2 Third-Party Requests

If Amego receives a request, inquiry, or complaint from a Data Subject or regulatory authority relating to Customer Personal Data, Amego will promptly notify Customer and will not respond without Customer’s instructions unless legally required.

7. Sub-processors

Customer provides general authorization for Amego to engage Sub-processors.

Amego shall:

(a) maintain an up-to-date list of Sub-processors in its Trust Center;

(b) ensure Sub-processors are bound by contractual obligations equivalent to those in this DPA;

Customer may object to a new Sub-processor on reasonable data protection grounds.

8. Data Subject Rights

Taking into account the nature of the processing, Amego shall assist Customer in responding to Data Subject requests, including requests for:

access
rectification
deletion
portability
restriction or objection to processing.

If Amego receives a request directly from a Data Subject relating to Customer Personal Data, Amego shall promptly notify Customer.

9. Data Protection Impact Assessments

Amego shall provide reasonable assistance to Customer in connection with:

Data Protection Impact Assessments
consultations with supervisory authorities

where such obligations relate to processing performed by Amego.

10. Personal Data Breaches

10.1 Breach Notification

Amego shall notify Customer of a Security Incident involving Customer Personal Data without undue delay and within the timeframe required by Applicable Data Protection Law.

10.2 Incident Details

Where available, such notification will include:

the nature of the Security Incident
categories of Personal Data involved
likely consequences
measures taken or proposed to mitigate the incident.

10.3 Incident Cooperation

Amego shall cooperate with Customer in investigating and mitigating any Security Incident.

11. Security Measures

Amego maintains a risk-based information security program designed to protect Personal Data.

Security safeguards include administrative, technical, and organizational measures appropriate to the nature of the Services and consistent with industry standards.

Additional details regarding Amego’s security program are available through the Amego Trust Center.

12. Audits and Compliance

Upon reasonable request, Amego shall make available information necessary to demonstrate compliance with this DPA.

Amego may satisfy audit requests by providing documentation such as:

SOC 2 Type II reports
independent security certifications
security program documentation.

If such documentation does not reasonably demonstrate compliance, Customer may conduct an audit of Amego’s relevant data protection practices no more than once annually, subject to reasonable notice, confidentiality obligations, and minimal operational disruption.

13. International Data Transfers

Personal Data may be transferred internationally where necessary to provide the Services.

Where Personal Data is transferred outside the European Economic Area, United Kingdom, or Switzerland, Amego will implement appropriate safeguards including:

Standard Contractual Clauses
UK International Data Transfer Addendum
other lawful transfer mechanisms.

14. Data Retention and Deletion

Amego will retain Personal Data only for as long as necessary to provide the Services or comply with legal obligations.

Upon termination of the Agreement and at Customer’s request, Amego will return or securely delete Customer Personal Data unless retention is required by law.

15. Cooperation and Third-Party Requests

If either party receives a request from a Data Subject, regulator, or third party relating to Personal Data processed by the other party, the receiving party shall promptly notify the other party and cooperate in responding to the request.

16. Liability

Each party’s liability arising under this DPA shall be subject to the limitations of liability set out in the Agreement unless prohibited by Applicable Data Protection Law.

17. Governing Law

This DPA shall be governed by the law specified in the Agreement unless otherwise required by Applicable Data Protection Law.

18. Artificial Intelligence Processing

18.1 Use of AI Features

The Services may include artificial intelligence or machine learning features designed to provide recommendations, automation, or conversational assistance within the platform.

18.2 Data Minimization and Anonymization

Where AI features are used in connection with the Services, Amego implements technical safeguards designed to prevent the transmission of identifiable Personal Data to external AI or large language model providers.

Where data is processed by such systems, Amego uses anonymization, aggregation, or other privacy-preserving techniques designed to ensure that Personal Data is not disclosed to external AI providers.

18.3 Customer Control

Customer controls the Personal Data submitted to the Services and remains responsible for determining whether and how AI-powered features are used within the Customer’s deployment of the platform.

19. AI Model Training Restrictions

19.1 No Training on Customer Personal Data

Amego will not use Customer Personal Data to train artificial intelligence models or machine learning systems.

19.2 No Cross-Customer Data Training

Customer data will not be used to train or improve models for the benefit of other customers, and customer datasets are logically isolated within the platform.

19.3 AI Provider Restrictions

Where Amego utilizes third-party AI providers in connection with the Services, Amego implements contractual and technical controls designed to ensure that such providers:

(a) do not retain or use Customer data to train their models;
(b) do not combine Customer data with data from other sources for training purposes;
(c) process data only to generate responses required by the Services.

20. Miscellaneous

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

This DPA supersedes all prior agreements relating to the processing of Personal Data between the parties.

Schedule 1 – Details of Processing

Nature and Purpose of Processing

Personal Data is processed as necessary to provide the Amego platform and related services.

Categories of Data Subjects

event attendees
platform users and administrators
speakers, sponsors, and event participants
employees or representatives of the Customer.

Categories of Personal Data

Personal Data processed may include contact information, account information, event registration data, and platform usage data.

Duration of Processing

Personal Data will be processed for the duration of the Agreement unless earlier deletion is requested by Customer.

Schedule 2 – Technical and Organizational Security Measures

Amego maintains technical and organizational measures designed to protect Personal Data consistent with industry standards and its security program.

These measures include safeguards addressing:

data encryption
access control
system monitoring and logging
vulnerability management
secure software development practices
incident response and disaster recovery procedures.

Additional information about Amego’s security program is available through the Amego Trust Center.

Schedule 3 – Cross Border Transfer Mechanisms

Where required under Applicable Data Protection Law:

the 2021 EU Standard Contractual Clauses apply to transfers of Personal Data originating in the European Economic Area or Switzerland
the UK International Data Transfer Addendum applies to transfers originating in the United Kingdom.
‍

The relevant SCC modules apply depending on the controller–processor relationship between the parties.