Data Processing Agreement

Last updated: June 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller", "you") and nGage.band, established at Burgtstraat 1, 6701 DA Wageningen, The Netherlands, KvK 09213052 ("Processor", "we", "us"). It governs the processing of personal data by us on your behalf when you use the nGage.band service (the "Service").

Where you enter personal data about other individuals (such as band members, contacts and relations) into the Service, you act as Controller and we act as Processor. This DPA applies to that processing. It does not apply to data for which we are the controller (for example your account and billing data), which is covered by our Privacy Policy.

1. Definitions

Terms such as "personal data", "processing", "data subject", "controller", "processor", "sub-processor" and "personal data breach" have the meaning given in the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

2. Scope and roles

You determine the purposes and means of the processing of personal data you enter into the Service and are the Controller. We process that personal data only as your Processor, on your behalf, to provide the Service. The subject matter, nature, purpose and duration of the processing, the categories of data subjects and the types of personal data are set out in Annex I.

3. Our obligations

We will:

a. process personal data only on your documented instructions, including with regard to transfers, unless required to do otherwise by EU or Member State law, in which case we will inform you unless that law prohibits it. Your use of the Service and this DPA constitute your documented instructions;

b. ensure that persons authorised to process the personal data are bound by confidentiality;

c. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II;

d. respect the conditions for engaging sub-processors set out in Clause 5;

e. taking into account the nature of the processing, assist you by appropriate measures, insofar as possible, in responding to requests from data subjects exercising their rights;

f. assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments and prior consultation, taking into account the nature of processing and the information available to us;

g. at your choice, delete or return all personal data after the end of the provision of the Service, and delete existing copies unless EU or Member State law requires storage (such as the 7-year retention of financial records under Dutch tax law);

h. make available to you the information necessary to demonstrate compliance with this Clause and the GDPR, and allow for and contribute to audits as set out in Clause 6.

4. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting personal data processed on your behalf, and provide the information reasonably available to us to help you meet your notification obligations.

5. Sub-processors

You give us general authorisation to engage sub-processors to provide the Service. We maintain a list of current sub-processors in Annex III. We will inform you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object on reasonable grounds within 14 days. We impose on each sub-processor, by contract, data protection obligations equivalent to those in this DPA, and remain responsible for their performance.

6. Audits

We will make available information needed to demonstrate compliance with this DPA. Where you reasonably require an audit, it may be satisfied by our providing relevant documentation, certifications or third-party audit reports. Any on-site audit will be at your cost, agreed in advance, conducted during business hours and in a manner that does not disrupt our operations or the data of other customers.

7. International transfers

We store personal data within the EU. Where a transfer of personal data to a country outside the EEA is necessary (for example through a third-party integration you enable), we will ensure an appropriate transfer mechanism under the GDPR is in place, such as the European Commission's Standard Contractual Clauses.

8. Liability and term

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA takes effect when you accept the Terms of Service and remains in force for as long as we process personal data on your behalf.

9. Governing law

This DPA is governed by the laws of the Netherlands. In the event of any conflict between this DPA and the Terms of Service regarding the processing of personal data on your behalf, this DPA prevails.

Annex I — Details of processing

Subject matter: provision of the nGage.band band-management service.

Duration: for the term of the Terms of Service and for as long as we process personal data on your behalf.

Nature and purpose: hosting, storage, organisation, retrieval and display of data you enter, to provide the features of the Service (band, members, songs, setlists, gigs, rehearsals, riders, newsletters, calendar, invoicing, relations and similar).

Categories of data subjects: the band members, contacts, relations, clients and other individuals whose data you enter into the Service.

Categories of personal data: names, contact details (such as email address, phone number, address), role within the band, availability and scheduling data, calendar data, and invoicing and financial data relating to your contacts.

Special categories of personal data: none are required or requested. You should not enter special category data; if you do, you do so as Controller and at your own responsibility.

Annex II — Technical and organisational security measures

 

  • Access to systems is restricted to authorised personnel and protected by authentication.
  • Data in transit is protected using encryption (TLS/HTTPS).
  • Logical separation of customer data within the application.
  • Regular backups to support recovery of data.
  • Hosting on infrastructure within the EU with physical security provided by the hosting provider.
  • Logging and monitoring to detect and respond to security events.
  • Procedures to identify, assess and report personal data breaches.

Annex III — Sub-processors

 

  • Hetzner Online GmbH — hosting and infrastructure — Germany (EU).
  • Mollie B.V. — payment processing — The Netherlands (EU).