
BACKGROUND

(A) RSVPify and the counterparty to this DPA (“Customer”) are a party to the Terms of Service (defined below) for RSVPify’s provision of Services (as defined in the Terms of Service).

(B) In order to supply all or part of the Services, RSVPify may be required to Process certain Personal Data on behalf of Customer.

(C) Where the Customer is a Business & Non-Profit Customer or an Enterprise Customer and is subject to the GDPR and/or UK GDPR (defined below), the parties are entering into this DPA to comply with data privacy laws and to set out their respective rights and obligations in respect of such processing.

DEFINITIONS AND INTERPRETATION

1.1. Unless otherwise defined in this DPA, capitalized terms and expressions used in this DPA shall have the meanings given to those terms in the Terms of Service.

1.2. In this DPA, the following terms shall have the following meanings:

“Terms of Service” means the agreement between RSVPify and the Customer at https://rsvpify.com/tos that incorporates this DPA;

“Business & Non-Profit Customer” means a Customer who has purchased the Business & Non-Profit Service which entails a non-profit discount for premium plans;

“Customer Personal Data” shall mean any Personal Data: (a) supplied to RSVPify by or on behalf of Customer for the purposes of delivery of the Services to the Customer; and/or (b) obtained by, or created by, RSVPify on behalf of Customer in the course of delivery of Services to the Customer;

“Data Privacy Laws” shall mean the following as amended, extended, re-enacted or replaced from time to time:

(a) UK Data Protection Act 2018 and the UK GDPR;

(b) EC Regulation 2016/679 (the “GDPR”) on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data;

(c) EC Directive 2002/58/EC on Privacy and Electronic Communications;

(d) all local laws or regulations implementing or supplementing the EU legislation mentioned in (b)-(c) above (including the UK Privacy and Electronic Communications Regulations 2003);

(e) all codes of practice and guidance issued by national supervisory authorities, regulators or EU or UK institutions relating to the laws, regulations and EU legislation mentioned in (a)–(d) above;

“EEA” means the European Economic Area;

“Enterprise Customer” means a Customer who has purchased the Enterprise Service which entails a full suite of tools for marquee events;

“European Law” means any law in force in the EEA or the United Kingdom, including the Data Privacy Laws;

“International Transfer Requirements” means the requirements of Chapter V of the GDPR (Transfers of Personal Data to third countries or international organisations);

“Restricted Country” means a country, territory or jurisdiction which is not considered by the EU Commission (or in respect of personal data transfers caught by the requirements of UK GDPR, the relevant UK governmental or regulatory body) to offer an adequate level of protection in respect of the processing of personal data pursuant to Article 45(1) of the GDPR;

“Restricted Transfer” means a transfer of Personal Data from an entity who is established in the United Kingdom and/or the European Union (as applicable) and/or whose processing of Personal Data under the Terms of Service is caught by the requirements of the GDPR and/or Data Protection Act 2018, to an entity that processes the relevant Personal Data in a Restricted Country;

“Relevant Transfer Mechanism” means: a) in respect of a Restricted Transfer subject to the GDPR, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“EU SCCs”); or b) in respect of a Restricted Transfer subject to UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the ICO under or pursuant to section 119A(1) of the Data Protection Act 2018 (as may be amended by the ICO from time to time pursuant to its terms) (“UK Addendum”);

“UK” means the United Kingdom; and

“UK GDPR” has the meaning given to it in the Data Protection Act 2018 (as amended from time to time).

1.3. In this DPA a reference to the GDPR and/or an Article or Chapter of the GDPR shall, where the context so requires and insofar as the Data Privacy Law(s) is that of the UK, be construed as a reference to the equivalent Data Privacy Law(s) of the UK and/or the corresponding provision of such Data Privacy Law(s).

1.4. Unless the context otherwise requires, a reference to a clause shall be a reference to a clause of this DPA.

1.5. The terms “Processor”, “Controller”, “Sub-processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.

1.6. In the case of any conflict:

(a) between the Terms of Service and this DPA, this DPA will take precedence; and

(b) between the EU SCCs and/or the UK Addendum and the main body of this DPA, the former shall prevail.

PROCESSING OF CUSTOMER PERSONAL DATA

2.1. Roles of the parties and processing activities

(a) In relation to all Customer Personal Data, the parties acknowledge and agree that to the extent RSVPify Processes Customer Personal Data on behalf of the Customer in connection with the provision of the Services, the Customer shall be considered a Controller and RSVPify shall be considered a Processor.

(b) Each of the parties acknowledges and agrees that the subject-matter and duration of the Processing carried out by RSVPify on behalf of Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are accurately documented in Appendix 1 to this DPA (which may from time to time be updated by the written agreement of the parties).

(c) If at any time either party considers that the relationship between the parties and/or the scope of Processing carried out by RSVPify no longer corresponds with clause 1(a) or (b), that party shall promptly notify the other and the parties shall discuss and agree in good faith such steps that may be required to reflect the true status and/or the scope of Processing undertaken by RSVPify.

(d) The parties acknowledge and agree that RSVPify collects aggregated analytics data for all visitors to RSVPify properties, including guests registering for events on the platform. This data is used in aggregate to help assess core business metrics and indicators, understand user growth trends, and to help improve the usability of the platform. This aggregated information does not constitute Customer Personal Data and RSVPify is not a Processor in relation to this information.

2.2. General obligations of the parties

Each party shall comply with the obligations imposed on it by applicable Data Privacy Laws with regard to Customer Personal Data Processed by it in connection with Services. Customer acknowledges and agrees that RSVPify’s compliance with applicable Data Privacy Laws may be dependent on Customer’s compliance with applicable Data Privacy Laws and accordingly RSVPify will not be liable for failure to comply with applicable Data Privacy Laws where such failure results from a failure of Customer to comply with applicable Data Privacy Laws (including any failure to comply with clause 2.4).

2.3. Obligations of RSVPify

(a) RSVPify shall only Process Customer Personal Data in accordance with the documented instructions of Customer (including those in Appendix 1, as updated), unless required to do so by European Law to which RSVPify is subject, in which event RSVPify shall inform Customer of such legal requirement unless prohibited from doing so by European Law on important grounds of public interest.

(b) RSVPify shall inform Customer if, in RSVPify’s opinion, an instruction given by Customer to RSVPify under clause 3(a) infringes the Data Privacy Laws.

(c) RSVPify shall ensure that any persons authorized by it to Process Customer Personal Data are subject to an obligation of confidentiality.

(d) RSVPify shall implement appropriate technical and organizational measures to ensure that Customer Personal Data is subject to a level of security appropriate to the risks arising from its Processing by RSVPify or its sub-processors, taking into account the factors and measures stated in Article 32 of the GDPR. The parties agree that the measures set out in Appendix 3 are sufficient to meet this obligation.

(e) RSVPify shall notify Customer without undue delay after becoming aware of a Personal Data Breach.

(f) Taking into account the nature of the Processing, RSVPify shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising a Data Subject’s rights under Chapter III of the GDPR. For the avoidance of doubt, such assistance may be provided by RSVPify providing, as part of the Services, the Customer with functionality to fulfill such requests on a self-service basis and, where RSVPify does so, RSVPify shall not be obliged to provide any further assistance unless and to the extent that such functionality cannot be used to fulfill the relevant request.

(g) Taking into account the nature of the Processing and the information available to RSVPify, RSVPify shall assist Customer with regard to Customer’s compliance with its obligations under the following Articles of the GDPR:

i. Article 32 (Security of Processing);

ii. Articles 33 and 34 (Notification and communication of a Personal Data Breach);

iii. Article 35 (Data protection impact assessment); and

iv. Article 36 (Prior consultation by Customer with the Supervisory Authority).

(h) Upon termination of Services that required the Processing of Customer Personal Data (in whole or in part) RSVPify shall, within 30 business days of the date of cessation of the Services, at the election of Customer, in the form of the select and specific data deletion capability available in the RSVPify Service or by request for account deletion, delete and procure the deletion of all copies of those Customer Personal Data unless European Law requires RSVPify to store such Customer Personal Data.

(i) RSVPify shall be generally entitled to appoint further processors to process the Customer Personal Data in accordance with clause 6.

(j) RSVPify shall, at the request of Customer, provide Customer with all information necessary to demonstrate RSVPify’s compliance with its obligations under this clause 3 and, if and to the extent that such provision of information does not demonstrate RSVPify’s compliance with its obligations under this clause 2.3, RSVPify shall allow for and contribute to audits and inspections conducted by or on behalf of Customer subject to the following:

i. the Customer may perform such audits no more than once per year save that further audits may be performed if an audit reveals any material non-compliance by RSVPify with its obligations in this clause 2.3 (the scope of such further audits being limited to auditing RSVPify’s compliance with those obligations that were not complied with);

ii. the Customer shall, and shall procure that any third party auditor will, enter into a confidentiality agreement in such form as is reasonably requested by RSVPify prior to the conduct of such audit;

iii. audits must be conducted during regular business hours (i.e. 9am to 5pm UK time) and must not unreasonably interfere with RSVPify’s business;

iv. nothing in this clause shall require RSVPify to breach any duties of confidentiality owed to any of its clients, employees or other third parties;

v. notwithstanding anything else in this DPA and/or the Terms of Service, all audits are at the Customer’s sole cost and expense.

2.4. Obligations of Customer

(a) Without prejudice to the generality of clause 2.2, Customer shall ensure that:

i. the supply to RSVPify of Customer Personal Data by or on behalf of the Customer for the purposes of Processing undertaken by RSVPify and its permitted sub-processors where such Processing is authorized by Customer shall comply with the Data Privacy Laws;

ii. there is a lawful basis in respect of RSVPify’s Processing of the Customer Personal Data and Data Subjects have been provided with a privacy policy or notice that complies with the requirements of Article 13/14 of the GDPR in respect of such Processing; and

iii. the instructions given by Customer to RSVPify by operation of clause 2.3(a) shall comply with the Data Privacy Laws.

Without limiting the foregoing responsibilities of the User, RSVPify may monitor use of the Website to determine compliance with this agreement. RSVPify may remove or refuse your Content for any reason.

2.5. Costs of compliance

The Customer acknowledges and agrees that the remuneration in respect of the Services does not take into account costs that may be incurred by RSVPify in providing assistance under this DPA, including clauses 2.3(f), (g) and (j). Accordingly, Customer will pay RSVPify in respect of any material costs that are (or are to be) reasonably incurred by RSVPify in respect of such assistance, except where such performance is required as a result of a breach by RSVPify of its obligations under this DPA. Where practicable to do so, RSVPify will seek Customer’s written approval prior to incurring such costs.

2.6. RSVPify’s appointment of sub-processors

(a) Notwithstanding any other provision of the Terms of Service (including this DPA), RSVPify shall be entitled to appoint further Processors to Process Customer Personal Data (“Sub-processor”). The following terms apply in respect of the appointment of Sub-processors:

i. the Customer approves the appointment of the Sub-processors identified in Appendix 1;

ii. RSVPify shall notify Customer in writing of its intention to engage any additional Sub-processor. Such notice shall give details of the identity of such Sub-processor and the services to be supplied by it;

iii. RSVPify shall only use a Sub-processor that has provided sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Privacy Laws and ensures the protection of the rights of data subjects;

iv. RSVPify shall impose through a legally binding contract between RSVPify and the Sub-processor, data protection obligations on the Sub-processor that are in all material respects equivalent to those set out in this DPA and which in any event meet the requirements set out in the Data Privacy Laws;

v. the Client shall be entitled to object to the appointment of the Sub-processor where it considers that such appointment will not comply with the requirements of this clause 2.6. Customer shall be deemed to have approved the engagement of the Sub-processor if it has not served a notice in writing on RSVPify objecting (in accordance with this clause 2.6(a)(v)) to such appointment within 10 days of the date that the notice is deemed to be received by Customer in accordance with clause 2.6(a)(ii);

vi. where the Customer objects to the proposed appointment, RSVPify will use commercially reasonable efforts to provide the Services without the use of the relevant Sub-processor. Where RSVPify is unable to provide the Services notwithstanding its use of such commercially reasonable efforts, RSVPify shall have no liability for any failure to provide the relevant Services in accordance with the Terms of Service; and

vii. RSVPify shall remain fully liable for all acts or omissions of the Sub-processors as if they were acts or omissions of RSVPify.

2.7. Restricted Transfers

Between the parties

(a) The parties acknowledge and agree that to the extent the transfer of personal data from the Customer to RSVPify is considered a Restricted Transfer, as at the date of the Terms of Service, the parties shall rely on the applicable Relevant Transfer Mechanism to transfer the personal data from the data exporter to the data importer.

(b) Accordingly each party agrees that by entering into the Terms of Service, the Relevant Transfer Mechanism shall be deemed agreed, incorporated by reference into the Terms of Service and executed by each of the parties acting on their own behalf and on behalf of their affiliates (where applicable) without the need for any further signature from either party, with Customer being the data exporter (and any relevant affiliates) and RSVPify (and any relevant affiliates) being the data importer.

(c) For the purpose of the EU SCCs, the following provisions shall apply:

i. the Controller to Processor module (module 2) of the EU SCCs shall apply in respect of Restricted Transfers and the elections in respect of those modules are as follows:

ii. Clause 7 (Docking Clause) shall not apply;

iii. Clause 9 shall reflect the General Authorisation option and the data importer shall be required to submit the notification at least 10 days prior to the engagement of the sub-processor;

iv. Clause 11 – Optional clause shall not apply;

v. Clause 17, Option 1 applied and the EU SCCs are governed by [Irish] law;

vi. Clause 18(b), disputes will be resolved before the courts of [Ireland];

vii. Annex 1.A, the details of the parties are deemed populated with the relevant information set out at Annex 1.A of Appendix 2 to this DPA;

viii. Annex 1.B, the details of the transfer are deemed populated with the information set out at Annex I.B of Appendix 2 to this DPA;

ix. Clause 13(a) and Annex 1.C, the [Irish Data Protection Commissioner] will act as competent supervisory authority;

x. Annex 2, the description of the technical and organizational security measures shall be in accordance with Annex 2; and

xi. Annex 3, the list of sub-processors shall be in accordance with Appendix 1.

(d) For the purpose of the UK Addendum, the following provisions shall apply:

i. the Controller to Processor module (module 2) of the EU SCCs shall apply in respect of Restricted Transfers and the elections in respect of those modules are as follows:

ii. Clause 7 (Docking Clause) shall apply;

iii. Clause 9 shall reflect the General Authorization option and the data importer shall be required to submit the notification at least 10 days prior to the engagement of the sub-processor;

iv. Clause 11 – Optional clause shall not apply;

v. The information required for Table 1 of the UK Addendum shall be set out in Annex 1.A of Appendix 2 to this DPA;

vi. The Appendix Information required for Table 3 of the UK Addendum is as described in clauses 2.7(c)vii, 2.7(c)viii(c), 2.7(c)x and 2.7(c)xi; and

vii. For the purpose of Table 4 of the UK Addendum, the parties agree that only the data importer may end the UK Addendum as set out in Section 19 of the UK Addendum.

(e) The Relevant Transfer Mechanism shall cease to apply to the processing of personal data under the Terms of Service if and to the extent that the relevant transfer of the personal data ceases to be a Restricted Transfer.

(f) For the avoidance of doubt, nothing in this DPA is intended to vary, modify or contradict the provisions of the EU SCCs and/or the UK Addendum.

(g) The parties acknowledge and agree that the Relevant Transfer Mechanism may not, in isolation, ensure that the data importer’s Processing complies with the International Transfer Requirements. Accordingly, the data importer may implement and maintain such supplementary measures in respect of the Restricted Transfer to ensure the Restricted Transfer complies with the International Transfer Requirements (including applicable technical, contractual and organizational supplementary measures recommended by the European Data Protection Board as set out in its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of Personal Data adopted on 18 June 2021 as may be updated, amended or replaced from time to time), or such other measures or safeguards as may be agreed between the parties (“Supplementary Measures”).

By RSVPify

(h) Customer acknowledges and agrees that Customer Personal Data may be transferred by RSVPify to Sub-processors located in a Restricted Country, which may be considered a Restricted Transfer. In the event of the transfer being considered a Restricted Transfer, RSVPify shall enter into a transfer mechanism to ensure that the Restricted Transfer meets the International Transfer Requirements, and RSVPify shall provide details of the relevant transfer mechanism on request.

Failure of transfer mechanism

(i) The parties acknowledge and agree that to the extent either party considers the use of the relevant lawful transfer mechanism relied on in respect of a Restricted Transfer is no longer an appropriate lawful transfer mechanism to legitimize the relevant Restricted Transfer pursuant to the International Transfer Requirements, the Restricted Transfer shall be suspended and the parties shall work together in good faith to agree and put in place an alternative lawful transfer mechanism or such other Supplementary Measures to enable the Restricted Transfer to continue. To the extent the parties agree that certain supplementary measures are required to legitimize the relevant Restricted Transfer, the parties shall, acting reasonably and in good faith, allocate the costs between the parties accordingly.

(j) In addition to clause 7(h), the parties will each use commercially reasonable efforts to ensure that the Services can continue to be provided in all material respects in accordance with the Terms of Service despite the suspension of the Restricted Transfer.

(k) RSVPify shall have no liability under the Terms of Service or otherwise for any inability to provide the relevant Services in accordance with the Terms of Service as a result of the suspension of such Restricted Transfer pursuant to clause 2.7(i).

2.8. Limitation of Liability

The total liability of each party (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Terms of Service.

APPENDIX 1 TO THE DPA

Subject matter of processing:

The context for the processing of Customer Personal Data is RSVPify’s provision of the Services under the Terms of Service, which shall involve performance on behalf of Customer of the tasks and activities set out in the Terms of Service for the purpose of providing those Services.

Duration of the processing:

The period for which RSVPify will be providing the Services to the Customer.

Nature and purpose of the processing:

RSVPify may be required to access, receive, generate, store or otherwise process Customer Personal Data in order to provide the Services.

Categories of data subject: 

Guests who RSVPify contacts on behalf of the Customer as part of the Services.

Other third parties whose details are included in the Customer’s invitations.

Type of personal data:

The data is determined by the Customer when they create their specific invitation but this would typically include:

  • Name;
  • Email address;
  • RSVP response (can / cannot attend);
  • Dietary preferences;
  • Free text fields.

Location of processing by RSVPify:

The United States

Sensitive personal data (if relevant):

It is not envisaged that sensitive or special personal data would be processed although this is determined by the Customer.

Frequency of the transfer (in the case of international data transfers):

For the duration of the Services

Period of retention of data (in the case of international data transfers):

For the duration of the Services

Permitted Sub-processors and location of processing

  1. Name and contact details: Amazon Web Services (AWS)
    Services: Web hosting, data storage and security.
    Location: 410 Terry Avenue, North Seattle, WA 98109, USA

  2. Name and contact details: Stripe
    Services: Payment processing and invoicing.
    Location: 345 Oyster Point BLVD, South San Francisco, CA 94080, USA

  3. Name and contact details: Intercom
    Services: Chat-based support and email communications management.
    Location: 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA

  4. Name and contact details: Zendesk
    Services: Email-based support.
    Location: 1019 Market Street, San Francisco, CA 94103, USA

  5. Name and contact details: Twilio Sendgrid
    Services: Email delivery and tracking.
    Location: 375 Beale Street, Suite 300, San Francisco, CA 94105, USA

  6. Name and contact details: MailGun
    Services: Email delivery and tracking.
    Location: 112 E Pecan St, #1135, San Antonio, TX 78205, USA

  7. Name and contact details: Heap
    Services: Data analytics and reporting.
    Location: 460 Bryant Street, 3rd Floor, San Francisco, CA 94107, USA

  8. Name and contact details: Pipedrive
    Services: Sales CRM
    Location: 530 5th Ave Suite 802, New York, NY 10036, USA

  9. Name and contact details: Feedback by Userfeed
    Services: Product feedback documentation.

APPENDIX 2 TO THE DPA

COMPLETED ANNEXES TO THE STANDARD CONTRACTUAL CLAUSES


ANNEX 1

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

  1. Name: Customer
    Address: As specified in the Terms of Service
    Contact person’s name, position and contact details: As specified in the Terms of Service
    Activities relevant to the data transferred under these Clauses: As specified in the DPA
    Signature and date: As specified in the DPA
    Role (controller/processor): As specified in the DPA

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

  1. Name: RSVPify LLC
    Address: 4803 N Milwaukee Ave, Suite B #325, Chicago, IL 60630
    Contact person’s name, position and contact details: As specified in the DPA
    Activities relevant to the data transferred under these Clauses: As specified in the DPA
    Signature and date: As specified in the DPA
    Role (controller/processor): As specified in the DPA

B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred

See Appendix 1 for details

Categories of personal data transferred

See Appendix 1 for details

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

See Appendix 1 for details

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

See Appendix 1 for details

Nature of the processing

See Appendix 1 for details

Purpose(s) of the data transfer and further processing

See Appendix 1 for details

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

See Appendix 1 for details

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

See Appendix 1 for details

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

See DPA for details

ANNEX 2 

Technical and Organisational Measures including Technical and Organisational Measures to ensure the Security of the Data

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Please see measures set out at Appendix 3.

ANNEX 3

List of Sub-Processors

See Appendix 1 for details

APPENDIX 3 TO THE DPA

RSVPify Security Standards

As a leading private event management and scheduling platform, the safety and security of all of our users’ data — and that of their guests and patients — is of paramount importance to us. We’ve compiled a set of frequently asked questions to address RSVPify’s procedures, controls and handling of data.

Does RSVPify operate its own data centers?

No, RSVPify contracts with Amazon Web Services (AWS), and all data centers, physical data center security protocols, and server and network-level security operations are under the purview of Amazon Web Services.

What data center security precautions are taken to ensure the safe handling of my data?

You can learn more about the controls and physical security operations of AWS here.

Is my data encrypted?

All data associated with your account, including guest and patient data and registrations, is encrypted at rest. All information sent or received is encrypted during transit using contemporary military-grade TLS/SSL standards. All data within our system layers is encrypted at rest using AES-256 encryption with keys rotated regularly. All requests must be performed over HTTPS to RSVPify systems including internal requests. Any user who attempts to connect over HTTP will be redirected to HTTPS. All internal communications between our servers use encrypted communication.

Is my data backed up? Does RSVPify have a disaster recovery plan in place?

In the unlikely event of system failure and data loss, RSVPify can leverage auxiliary systems and data backups to allow for the timely execution of our disaster recovery plans.

Does RSVPify limit access to systems and data on an “as-needed” or “minimum-necessary” basis?

RSVPify limits staff and contractor access to systems and data sets required in the execution of individual job roles and responsibilities. In order to support your account and your use of RSVPify services, you agree to grant RSVPify Support Staff access to your account and data on an as-needed basis.

Are RSVPify staff required to complete a security and confidentiality agreement? What IT security training must RSVPify staff undergo?

All RSVPify staff and contractors must certify their agreement to respect the security and confidentiality of all RSVPify data and any data associated with client accounts. RSVPify staff agree to access only information required to satisfy their job role or the needs of a given request. All RSVPify staff and contractors must undergo basic security and awareness training.

Does RSVPify employ malware and virus detection?

Servers: RSVPify 3 isn’t hosted on “servers” in the traditional sense of the word. To provide scalability and security, we deploy “images” to Lambda instances. These images are immutable — and as such, unless locally compromised, don’t allow for the possibility of remote malware installation or virus infection.

Database: RSVPify leverages AWS Relational Database Service. Malware and virus detection is managed by AWS.

Software Dependencies: RSVPify regularly scans its software dependencies for known security issues and applies patches as needed.

Can RSVPify share additional technical details regarding its security operations and infrastructure?

RSVPify may share additional technical, operational, and penetration testing details on a case-by-case basis to verified customers or potential customers during the Enterprise license procurement process.