Version 2026-06-06 · Effective 2026-06-06 · Hash ee48fcf66264d4d6
Microstage — Data Processing Agreement (DPA)
Last updated: 6 June 2026 · Effective date: 6 June 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Microstage (microstage.io) ("Microstage", "Processor") and the Customer ("Controller"). It applies to Processing of Personal Data by Microstage on the Controller's behalf in connection with the Service. Capitalised terms not defined here have the meaning given in the Terms or in the GDPR.
1. Definitions and order of precedence
"GDPR", "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings in Regulation (EU) 2016/679 ("GDPR"). "Data Protection Laws" means the GDPR and the Dutch Implementation Act (Uitvoeringswet AVG), together with all other applicable national data-protection laws and the ePrivacy Directive (2002/58/EC) as implemented in the EU Member States.
Order of precedence (data-protection matters only). Where there is a conflict, the documents control in this order: (i) the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two), where incorporated for an international transfer; (ii) this DPA; (iii) the Terms. Nothing in this DPA limits any party's obligations or any Data Subject's rights under the GDPR.
2. Roles and scope
The Controller is the controller of, and Microstage is the processor of, the Personal Data described in Annex 1 ("Customer Personal Data"), being principally Visitor email addresses and engagement data captured through the Service. Microstage Processes Customer Personal Data only to provide the Service and only on the Controller's documented instructions, including those in the Terms, this DPA, and the Service configuration. If Microstage believes an instruction infringes Data Protection Laws, it will inform the Controller. Microstage will not Process Customer Personal Data for its own purposes; doing so would make it a controller and is outside this DPA. In particular, Microstage will not sell, rent, license, profile, or otherwise commercialise Customer Personal Data, and will not use Customer Personal Data, Visitor audio, or AI-translated text to train, fine-tune, or evaluate any AI or machine-learning model — either its own or a third party's.
3. Controller's obligations
The Controller warrants that it has a valid legal basis for the collection and use of Customer Personal Data and for any follow-up communications; that it provides Data Subjects with a compliant privacy notice at the point of collection (including a link to the Controller's own privacy policy configured in the Service); that its instructions comply with Data Protection Laws; and that it will respond to Data Subjects and Supervisory Authorities as the controller.
4. Microstage's obligations
Microstage will: (a) Process only on documented instructions; (b) ensure persons authorised to Process are bound by confidentiality; (c) implement the technical and organisational measures in Annex 2 (Article 32); (d) assist the Controller, by appropriate measures and taking into account the nature of Processing, in responding to Data Subject requests and in meeting its obligations under Articles 32–36 (security, breach notification, impact assessments, and prior consultation), insofar as possible; (e) at the Controller's choice, delete or return Customer Personal Data at the end of the Service and delete existing copies, except where retention is required by law (see Section 10); and (f) make available information necessary to demonstrate compliance with Article 28 and allow for audits as set out in Section 8.
5. Confidentiality
Microstage ensures that personnel with access to Customer Personal Data are subject to a duty of confidentiality and are trained appropriately.
6. Sub-processors
The Controller provides a general authorisation for Microstage to engage Sub-processors to deliver the Service (e.g., hosting, telephony/voice, translation/transcription, email delivery, analytics). A current list is published at microstage.io/legal/subprocessors. Microstage imposes data-protection obligations on Sub-processors no less protective than this DPA and remains liable for their performance. Microstage will give notice of intended additions or replacements (e.g., by updating the list with email notification to the change-notification list) and allow the Controller a reasonable period of 30 days to object on reasonable data-protection grounds; if an objection cannot be resolved, the Controller may terminate the affected part of the Service.
7. International transfers
Where Processing involves transfer of Customer Personal Data outside the EEA, the parties rely on an appropriate Article 46 safeguard. The parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: controller-to-processor) are incorporated by reference and completed by the information in the Annexes. Where a recipient is certified under the EU–US Data Privacy Framework, that adequacy mechanism may also be relied upon. Following Schrems II (C-311/18), Microstage has performed and documented a transfer impact assessment for each ongoing transfer, implements the supplementary technical and contractual measures summarised in Annex 2, and will share its TIA on request. If a transfer mechanism is invalidated or becomes unreliable, the parties will cooperate in good faith to put an alternative safeguard in place or to suspend the affected transfer.
8. Audits
Microstage will make available information reasonably necessary to demonstrate compliance and will contribute to audits conducted by the Controller or an independent auditor on at least 30 days' prior written notice and no more than once per calendar year (except following a Personal Data Breach or a binding regulator request), subject to confidentiality, professional conduct of the auditor, and to minimising disruption to the Service. Microstage may satisfy audit requests by providing relevant certifications, summary penetration-test reports, or third-party audit reports where they reasonably answer the Controller's questions. The Controller bears the costs of any on-site audit it commissions, except where the audit reveals material non-compliance attributable to Microstage, in which case Microstage bears its own reasonable cooperation costs.
9. Data Subject requests and breaches
Data Subject requests: If a Data Subject contacts Microstage directly about Customer Personal Data, Microstage will refer them to the Controller and assist the Controller in responding as required.
Personal Data Breach: Microstage will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, with the information reasonably available to assist the Controller's own obligations under Articles 33–34.
10. Deletion and return
On expiry or termination of the Service, Microstage will, at the Controller's choice, delete or return Customer Personal Data within 30 days and delete remaining copies, unless legally required to retain it, in which case it will continue to protect it and Process it only as required by law.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms (in particular Section 15), except where Data Protection Laws require otherwise. Nothing in this DPA limits (i) a Data Subject's rights under the GDPR or the SCCs, or (ii) either party's liability under Article 82 GDPR.
Article 82 GDPR — allocation between the parties. Where a Data Subject brings a claim under Article 82 against either party for damage caused by Processing under this DPA, the parties shall bear the liability between themselves in proportion to their respective responsibility for the damage. A party that has paid compensation to a Data Subject in excess of its proportionate responsibility may claim back the excess from the other party. Each party will reasonably cooperate in the defence of any such claim and will pass on documents and information needed to determine the proportionate allocation.
Annex 1 — Description of Processing
- Subject matter: provision of the Microstage Service to the Controller.
- Duration: for the term of the Service plus the deletion period in Section 10.
- Nature and purpose: capturing Visitor email addresses and engagement data; delivering automated follow-up communications on the Controller's behalf; hosting, transmission, translation/transcription, storage, analytics, and export.
- Types of Personal Data: Visitor email address; engagement data (channel selected, language, listen duration, timestamps); device/technical data (IP address, browser/device); any additional fields the Controller configures; live audio content of presenters and Visitors as applicable.
- Special categories: none intended; the Controller must not configure the Service to collect special-category data without separate agreement and safeguards.
- Categories of Data Subjects: event Visitors who interact with the Controller's listener pages; the Controller's presenters and Authorized Users.
- Frequency: continuous during events; otherwise as the Controller uses the Service.
Annex 2 — Technical and organisational measures (Article 32)
The following measures are implemented by Microstage today:
- Encryption in transit. All public traffic to microstage.io and the listener pages is served over TLS 1.2+ (HTTPS). WebRTC audio is encrypted with DTLS-SRTP between the listener's browser and the Twilio media edge; because the Twilio media edge terminates that DTLS-SRTP session, this is transport (hop-by-hop) encryption rather than end-to-end encryption, and Twilio handles the media as a Sub-processor under Section 6.
- Encryption at rest. The PostgreSQL data volume and the email-attachment storage on the hosting provider are encrypted at rest using the provider's default disk encryption (AES-256).
- Access control. Production database and host access is limited to named operator accounts with unique SSH keys; password authentication is disabled. Customer-side access to the dashboard is gated by single-use, time-limited magic links (no shared passwords).
- Session security. Customer sessions are stored in iron-session first-party cookies, signed and encrypted with a high-entropy server secret. Session cookies are HttpOnly, Secure, and SameSite=Lax.
- Audit logging. Every consent action (sign-up clickwrap, listener notice acknowledgement, email opt-in, unsubscribe) is written to an append-only consent_events table that captures the document version and content hash, IP address, and user agent. The table has no update or delete API.
- Suppression list. Per-exhibitor email suppression list with idempotent inserts; the capture mailer checks the suppression list before every send and refuses to send if the recipient is on it.
- Rate limiting. Per-IP and per-resource token-bucket rate limits on the magic-link, capture, consent, and unsubscribe endpoints to absorb brute-force and credential-stuffing-style automated requests and bot fan-out.
- Backups. Daily managed PostgreSQL snapshots retained for 7 days; restoration tested on every release that touches a migration.
- Sub-processor due diligence. Each sub-processor is contracted under a written DPA with EU Standard Contractual Clauses or an adequacy mechanism, and listed publicly at microstage.io/legal/subprocessors.
- Supplementary measures for international transfers (Schrems II). For every transfer outside the EEA we (a) document a transfer impact assessment for the destination country, (b) require strong encryption in transit (TLS 1.2+ / DTLS-SRTP) and at rest for the data leaving the EEA, (c) restrict transferred data to what is strictly necessary for the sub-processor's role (e.g., audio in transit only, no retention), (d) instruct the sub-processor to challenge disproportionate government access requests and to publish transparency reports where lawful, and (e) re-evaluate the assessment when the destination country's law materially changes.
- Personnel. Operating personnel are bound by written confidentiality obligations and receive periodic security and privacy training.
- Incident response. Documented breach-detection and notification procedure aligned with the 48-hour customer-notification commitment in Section 9 and the 72-hour supervisory-authority notification under GDPR Article 33.
- Data minimisation and retention. The Service collects only what the Visitor explicitly submits (email plus selected materials) and the engagement metadata required to deliver the follow-up; Visitor Data is deleted on request or at end of Service per Section 10. Live pitch audio is processed transiently — never recorded or stored.
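The audit-logging and suppression-list measures above describe an append-only consent ledger and a pre-send suppression check. The following PostgreSQL DDL is an added illustration of how those two controls can be enforced at the database layer rather than only in application code; it is example schema, not Microstage's own, and every name other than consent_events (the suppression table, its columns, the role, the trigger and function names, and the sample rows) is an assumption made for the example.

```sql
-- Added example (not Microstage's schema). Names other than consent_events are
-- assumptions; the sample version/hash values are taken from this document's header.

-- 1. Append-only consent ledger.
CREATE TABLE consent_events (
    id            bigserial   PRIMARY KEY,
    exhibitor_id  bigint      NOT NULL,
    subject_email text        NOT NULL,
    action        text        NOT NULL
        CHECK (action IN ('signup_clickwrap', 'listener_notice_ack', 'email_opt_in', 'unsubscribe')),
    doc_version   text        NOT NULL,   -- version of the document the subject saw
    doc_hash      text        NOT NULL,   -- content hash of that document, binds the version to its text
    ip_address    inet,
    user_agent    text,
    occurred_at   timestamptz NOT NULL DEFAULT now()
);

-- The application role may only append and read; it never receives UPDATE, DELETE or TRUNCATE.
CREATE ROLE microstage_app NOLOGIN;            -- assumed role name
GRANT SELECT, INSERT ON consent_events TO microstage_app;
GRANT USAGE ON SEQUENCE consent_events_id_seq TO microstage_app;

-- Belt and braces: even a session running as the table owner cannot rewrite history
-- without first dropping this trigger, which leaves a trace in the DDL audit trail.
CREATE OR REPLACE FUNCTION consent_events_no_rewrite() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'consent_events is append-only (% rejected)', TG_OP;
END;
$$;

CREATE TRIGGER consent_events_append_only
    BEFORE UPDATE OR DELETE OR TRUNCATE ON consent_events
    FOR EACH STATEMENT EXECUTE FUNCTION consent_events_no_rewrite();

-- 2. Per-exhibitor suppression list with idempotent inserts.
-- Email is stored lower-cased so that case variants cannot bypass the check.
CREATE TABLE email_suppressions (
    exhibitor_id bigint      NOT NULL,
    email        text        NOT NULL CHECK (email = lower(email)),
    reason       text        NOT NULL,   -- e.g. 'unsubscribe', 'bounce', 'complaint'
    created_at   timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (exhibitor_id, email)
);
GRANT SELECT, INSERT ON email_suppressions TO microstage_app;

-- The check the mailer runs before every send: true means "do not send".
CREATE OR REPLACE FUNCTION is_suppressed(p_exhibitor_id bigint, p_email text) RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1 FROM email_suppressions
         WHERE exhibitor_id = p_exhibitor_id AND email = lower(p_email)
    );
$$;

-- 3. An unsubscribe, recorded as one transaction: the consent event and the
-- suppression entry either both land or neither does. Repeating the same
-- request adds a second ledger row but leaves the suppression list unchanged.
BEGIN;
INSERT INTO consent_events
    (exhibitor_id, subject_email, action, doc_version, doc_hash, ip_address, user_agent)
VALUES
    (42, 'visitor@example.com', 'unsubscribe', '2026-06-06', 'ee48fcf66264d4d6',
     '203.0.113.7', 'Mozilla/5.0 (constructed sample)');   -- constructed sample row
INSERT INTO email_suppressions (exhibitor_id, email, reason)
VALUES (42, lower('Visitor@Example.com'), 'unsubscribe')
ON CONFLICT (exhibitor_id, email) DO NOTHING;              -- idempotent
COMMIT;

-- Pre-send check for the same visitor under a different letter case: returns true.
SELECT is_suppressed(42, 'VISITOR@example.com');

-- Any attempt to tidy the ledger fails with "consent_events is append-only (DELETE rejected)".
DELETE FROM consent_events WHERE exhibitor_id = 42;
```

Two points a reviewer would raise against this pattern: a superuser or the table owner can still drop or disable the trigger, so the application credentials must not carry ownership of the ledger and DDL changes should themselves be logged; and the ledger's doc_hash column only proves which text the subject saw if the hash is computed over the document as served, which is why the header of this DPA publishes the hash alongside the version.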
Annex 3 — Sub-processors
The current sub-processor list is maintained at microstage.io/legal/subprocessors.