Data Processing Agreement
Last updated: 29 June 2026
This Data Processing Agreement (the "DPA") governs how Pistio processes personal data on behalf of organisations using Moimio. It restates and supplements the data processing terms in the Moimio Terms agreed at checkout. If there is any conflict between this DPA and the Moimio Terms in relation to the processing of personal data, this DPA prevails. For most customers the version agreed at checkout is sufficient. A countersigned copy is available to organisations whose own compliance requires a separate signed agreement.
This DPA forms part of the agreement between:
(1) the Customer, the organisation that holds a Moimio account (the "Controller"); and
(2) Pistio, a sole trader established in the United Kingdom, of 66 Paul Street, London EC2A 4NA, registered with the UK Information Commissioner's Office under registration reference ZC158582 (the "Processor"),
and governs the Processor's processing of personal data on the Controller's behalf in connection with the Moimio service.
1. Definitions
1.1 The terms "personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in the UK GDPR and the EU GDPR. Where the processing is subject to a law that uses different terms for these concepts, those terms have the corresponding meaning. In particular, "personal data" includes "personal information" as defined under United States state privacy laws, and "controller" and "processor" include "business" and "service provider" or "contractor" as defined under the CCPA.
1.2 "Applicable Data Protection Law" means each data protection law that applies to the processing of personal data under this DPA, which may include: (a) the UK GDPR and the Data Protection Act 2018; (b) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "EU GDPR"); (c) United States state privacy laws that apply to the Controller or the processing, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (the "CCPA"); (d) the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles; and (e) any other data protection law applicable to the processing.
2. Subject matter, nature, and purpose
2.1 The Processor processes personal data on the Controller's behalf solely to provide the Moimio service, namely the registration of event participants and their assignment to rooms, groups, and teams according to the Controller's configuration, and for no other purpose. Processing continues for the duration of the Controller's Moimio account.
3. Categories of data and data subjects
3.1 The categories of personal data and of data subjects are set out in Annex 1.
4. Controller instructions and use limitation
4.1 The Processor processes the personal data only on the Controller's documented instructions, including as set out in this DPA, the Moimio Terms, and the Controller's configuration and use of the software, unless required to process by a law to which the Processor is subject. In that case the Processor informs the Controller of the legal requirement before processing, unless that law prohibits such information.
4.2 The Processor informs the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
4.3 The Processor does not use the personal data for its own purposes. The Processor does not retain, use, or disclose the personal data for any purpose other than providing the Moimio service, or outside the direct business relationship between the parties, and does not "sell" or "share" the personal data, in each case within the meaning of the CCPA where it applies. The Processor does not combine the personal data with personal information that it receives from, or on behalf of, any other person, except as permitted by the CCPA.
4.4 The Processor certifies that it understands the restrictions and obligations set out in clauses 4 and 5 and will comply with them.
4.5 The Controller determines whether any special category data is collected through the service, and is responsible for ensuring a valid condition for processing it (for example, a condition under Article 9(2) of the UK GDPR and EU GDPR and, in the United Kingdom, any additional condition required under the Data Protection Act 2018). For the purposes of this clause, special category data also includes "sensitive personal information" under the CCPA and "sensitive information" under the Australian Privacy Act 1988 (Cth). In the Moimio service this typically arises as data concerning health, for example dietary, allergy, accessibility, or medical needs, and may reveal religious or philosophical beliefs. The Processor does not require or solicit such data.
4.6 The Processor processes special category data only on the Controller's documented instructions and only to provide the service, in accordance with clause 4, and applies to it the technical and organisational measures set out in Annex 2.
4.7 Where special category data is "sensitive personal information" under the CCPA, the Processor's retention, use, and disclosure of it are limited as set out in clauses 4 and 5. Where it is "sensitive information" under the Australian Privacy Act, the Processor handles it in a manner consistent with the Australian Privacy Principles to the extent they apply. In each case the Controller remains responsible for the consent or other condition required to collect it.
5. Processor obligations
5.1 The Processor shall:
(a) process the personal data only as set out in clause 4 (Controller instructions and use limitation), and not for its own purposes;
(b) ensure that persons authorised to process the personal data are subject to an appropriate duty of confidentiality, whether contractual or statutory, that continues after their engagement ends, and limit access to the personal data to those persons who need it to provide the service;
(c) implement and maintain the technical and organisational security measures set out in Annex 2, appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing;
(d) respect the conditions in clause 6 for engaging subprocessors;
(e) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, so far as possible, in responding to requests from individuals exercising their rights under Applicable Data Protection Law, including rights of access, rectification or correction, erasure or deletion, restriction, and portability, and, under United States state privacy law, the right to opt out of the sale or sharing of personal information and to limit the use of sensitive personal information; the Processor shall not respond directly to such a request, other than to acknowledge it and direct the individual to the Controller, but shall promptly inform the Controller and assist it in responding;
(f) assist the Controller in ensuring compliance with its obligations relating to security of processing, notification of personal data breaches to supervisory authorities and to affected individuals (including under the UK GDPR and EU GDPR, the Australian Notifiable Data Breaches scheme, and applicable United States state breach-notification laws), data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of the processing and the information available to the Processor, and within the time limits the Controller is required to meet;
(g) at the Controller's choice, delete or return the personal data at the end of the provision of the services, and delete existing copies, as described in clause 8;
(h) make available to the Controller the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in clause 9;
(i) maintain a record of the categories of processing carried out on behalf of the Controller, as required by Article 30(2) of the UK GDPR and EU GDPR;
(j) provide a level of protection for the personal data at least equivalent to that required of the Controller under Applicable Data Protection Law; in particular, the Processor shall provide the same level of privacy protection for personal information as the CCPA requires of a business, shall handle personal data in a manner consistent with the Australian Privacy Principles to the extent they apply, and shall not act in a way that causes the Controller to breach Applicable Data Protection Law;
(k) notify the Controller without undue delay if the Processor determines that it can no longer meet its obligations under this DPA or under Applicable Data Protection Law; and
(l) on reasonable notice from the Controller, permit and reasonably cooperate with steps the Controller takes to stop and remediate any unauthorised or non-compliant processing of the personal data.
6. Subprocessors
6.1 The Controller grants the Processor general authorisation to engage the subprocessors listed in Annex 3. The Processor keeps Annex 3, or an equivalent list that it makes available to the Controller, up to date.
6.2 The Processor engages only subprocessors that provide sufficient guarantees to implement appropriate technical and organisational measures meeting the requirements of Applicable Data Protection Law.
6.3 The Processor imposes on each subprocessor, by a written contract, data-protection obligations equivalent to those in this DPA, in particular the obligation to implement appropriate technical and organisational measures. Where the personal data is subject to the CCPA, that contract includes the service-provider terms the CCPA requires. Where a subprocessor processes personal data outside the United Kingdom or the EEA, the Processor ensures that an appropriate transfer safeguard is in place as described in clause 10. Where the personal data is subject to the Australian Privacy Act, the Processor takes reasonable steps to ensure the subprocessor handles it consistently with the Australian Privacy Principles.
6.4 The Processor remains fully liable to the Controller for the performance of each subprocessor's data-protection obligations.
6.5 The Processor informs the Controller of any intended addition or replacement of a subprocessor at least 30 days before that subprocessor begins processing the Controller's personal data, by email to the Controller's account contact or by updating the list referred to in clause 6.1, or both.
6.6 The Controller may object to the change on reasonable data-protection grounds within 30 days of being informed. The parties will discuss the objection in good faith. If the Processor cannot reasonably accommodate the objection, for example by offering an alternative, the Controller may terminate the affected part of the service.
7. Personal data breach
7.1 The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data.
7.2 The notification includes, to the extent known to the Processor: the nature of the breach, including where possible the categories and approximate number of data subjects and of records affected; the likely consequences of the breach; and the measures the Processor has taken or proposes to take to address it. Where the Processor cannot provide all of this information at once, it provides it in phases as it becomes available.
7.3 The Processor takes reasonable steps to mitigate the breach, and cooperates with and assists the Controller so that the Controller can meet its own obligations to notify supervisory authorities and affected individuals under Applicable Data Protection Law.
7.4 The Processor does not notify any supervisory authority or data subject about a breach affecting the Controller's personal data in a way that identifies the Controller, without the Controller's prior agreement, unless required to do so by law.
8. Deletion and return
8.1 During the term, the Controller may export or delete its personal data at any time using the features of the service.
8.2 On closure of the account, the Processor makes the Controller's participant data available to the Controller for export for 30 days, through a secure, time-limited link sent to the Controller's account contact. This is the return of the personal data for the purposes of clause 5.1(g).
8.3 If the account is not reactivated, the workspace and all personal data in it are permanently erased within 44 days of closure. This erasure includes the live database, the export bundle, and the entire backup repository for that workspace.
8.4 Where the Controller deletes an individual event rather than closing the account, the live copy is removed promptly, and any copy remaining in routine backups is overwritten as those backups roll off the backup retention window, which is approximately the most recent five weeks (currently seven daily and four weekly snapshots).
8.5 Where a refund is taken in the circumstances described in the Moimio Refund Policy, the account and its personal data are erased immediately rather than after the period in clause 8.3.
8.6 After erasure, the Processor retains only: (a) an opaque record that the workspace existed and has been erased, consisting of its internal identifier and subdomain with personal data removed, kept for integrity and audit; and (b) payment and tax records, which are held by Paddle as Merchant of Record under its own legal obligations and are outside the scope of this clause. The Processor does not otherwise retain the Controller's personal data after erasure except to the extent required by law.
9. Audit
9.1 The Processor makes available to the Controller the information necessary to demonstrate compliance with this DPA.
9.2 The Processor allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller to verify the Processor's compliance with this DPA. Such audits are subject to the following: the Controller gives at least 30 days' written notice, except where an audit is required by a supervisory authority or follows a personal data breach; audits take place during normal business hours and must not unreasonably disrupt the Processor's operations; audits take place no more than once in any 12-month period, except where required by a supervisory authority or following a personal data breach; the Controller and its auditor are bound by confidentiality; and the audit is conducted so as not to access, or compromise the security of, the personal data or systems of any other customer of the Processor.
9.3 The Processor may satisfy an audit request, in whole or in part, by providing its own compliance documentation together with any relevant certifications or independent third-party audit reports held by the Processor or its subprocessors, where these reasonably address the matters the Controller wishes to verify. For personal information subject to the CCPA, any assessment may be carried out at least once in any 12-month period, consistent with the CCPA.
9.4 The Controller bears the reasonable costs of any on-site audit it requests under clause 9.2.
10. International transfers
10.1 Participant data is hosted and processed within the European Union (Germany). The Processor is established in the United Kingdom and accesses the personal data from there to operate and support the service. Personal data therefore moves between the United Kingdom and the European Economic Area. For so long as the European Commission's adequacy decision for the United Kingdom and the United Kingdom's recognition of the EEA remain in force, those flows require no additional safeguard. If either ceases to apply, the parties will put in place an appropriate safeguard permitted by Applicable Data Protection Law, such as the Standard Contractual Clauses or the United Kingdom International Data Transfer Addendum.
10.2 Certain subprocessors listed in Annex 3 process limited personal data outside the United Kingdom and the EEA: Paddle processes billing data in connection with payment (United Kingdom, with processing also in the United States), and Cloudflare provides DNS for the service and hosting for the public website (United States). Participant data is not routed through Cloudflare: the application is not proxied, so participant data in transit passes directly between the user's browser and the European Union host. Where a subprocessor processes personal data outside the United Kingdom or the EEA, that processing is covered by an appropriate transfer safeguard permitted by Applicable Data Protection Law, such as the Standard Contractual Clauses, the United Kingdom International Data Transfer Addendum, or an adequacy or data-privacy-framework mechanism.
10.3 Where the Controller is established outside the United Kingdom and the EEA, for example in the United States or Australia, the Controller's participant data is still hosted in the European Union and accessed from the United Kingdom as set out above, and the Processor processes it under this DPA. For a Controller subject to the Australian Privacy Act, this DPA is the Processor's binding commitment to handle the personal data in a manner consistent with the Australian Privacy Principles to the extent they apply, on which the Controller may rely for the purposes of Australian Privacy Principle 8.
10.4 The Processor does not transfer the personal data to any country that does not ensure an adequate level of protection except under a safeguard permitted by Applicable Data Protection Law.
11. EU and UK representatives
11.1 The Processor is established in the United Kingdom. It is therefore not required to appoint a representative under Article 27 of the UK GDPR.
11.2 Where the Processor is required to designate a representative in the European Union under Article 27 of the EU GDPR, it has appointed the following representative, who may be contacted on any matter relating to the processing of personal data of data subjects in the European Union:
Prighter Group, with its local partners. Data subjects and supervisory authorities may contact the representative via the Trust Center at https://app.prighter.com/portal/12350102426.
11.3 For any other data-protection matter in connection with this agreement, the Controller may contact the Processor at [email protected].
12. Liability
12.1 Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Moimio Terms.
12.2 Nothing in this DPA limits or excludes either party's liability to the extent that it cannot be limited or excluded under Applicable Data Protection Law or other applicable law.
13. Controller indemnity
13.1 The Controller indemnifies the Processor against: (i) claims made by a third party, including a data subject; (ii) reasonable costs and expenses (including reasonable legal fees) of dealing with such claims or with any investigation or enforcement action by a supervisory authority; and (iii) to the extent permitted by law, fines and penalties imposed on the Processor by a supervisory authority, in each case to the extent they arise out of or in connection with:
(a) the absence of, or a defect in, a lawful basis or, where required, a valid condition or consent on which the Controller relies for the personal data or its processing through the service;
(b) personal data uploaded to, or otherwise made available through, the service by or on behalf of the Controller in breach of Applicable Data Protection Law or in infringement of a third party's rights;
(c) an instruction given by the Controller that, when carried out by the Processor, causes the Processor to breach Applicable Data Protection Law, except where the Processor had formed the opinion that the instruction infringed and failed to inform the Controller under clause 4.2; and
(d) the Controller's breach of its own obligations relating to safeguarding or child protection, or to its employment or volunteer relationships, to the extent connected with the personal data or the Controller's use of the service.
13.2 The indemnity in clause 13.1 does not apply to the extent that the relevant loss arises from the Processor's own breach of this DPA or its own negligence.
13.3 As a condition of the indemnity, the Processor shall: (a) notify the Controller promptly on becoming aware of a relevant claim; (b) not admit liability for, settle, or compromise the claim without the Controller's prior written consent, such consent not to be unreasonably withheld or delayed; (c) give the Controller reasonable information and cooperation in relation to the claim, at the Controller's reasonable expense; and (d) take reasonable steps to mitigate its loss. The Controller may, by written notice, assume conduct of the defence and settlement of the claim, provided it does not settle in a manner that imposes any non-indemnified liability or admission on the Processor without the Processor's consent.
14. Governing law and severability
14.1 This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with it, subject to any different provision in the Moimio Terms.
14.2 If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions continue in full effect.
Annex 1: Categories of data and data subjects
Data subjects. The personal data processed under this DPA relates to:
(a) the controller's organising team, namely the account holder and the staff users it authorises to use the workspace;
(b) participants in events organised by the controller, for example attendees of retreats, conferences, or camps; and
(c) other individuals named by a participant during registration, for example a person a participant asks to be grouped with, who may not themselves be registered.
Categories of personal data.
For participants: name; a participant number and a group code linking related registrations; contact details such as email address; gender, where the controller uses it for room or group allocation; language preference; registration status; room, group, team, session, and similar allocation assignments; responses to any custom registration fields the controller defines; colour-coded tags and free-text notes recorded about a participant by the organising team; stated preferences to be grouped with named other people; check-in records; and any other information the controller chooses to enter about a participant.
For the organising team: name; email address; role and permissions; and interface preferences such as language, date format, and timezone.
Special-category and sensitive data. Through custom registration fields, dietary, allergy, accessibility, or medical information, staff tags, and free-text notes, the controller may enter data that is special-category data within the meaning of Article 9 of the UK GDPR and the EU GDPR, in particular data concerning health. Given the nature of the organisations that use Moimio, information entered may also reveal religious or philosophical beliefs. The same information may be "sensitive personal information" under United States state privacy laws such as the CCPA. Moimio does not require or request such data. Whether to collect it, and the lawful basis and any explicit consent or other condition required for it, are the responsibility of the controller.
Annex 2: Security measures
The processor applies the following technical and organisational measures:
- Hosting within the European Union (Germany).
- Per-tenant isolation: each controller's workspace runs in its own container with its own separate database, so one controller's data is logically separated from every other controller's data.
- Encryption of personal data in transit using TLS (HTTPS).
- Encrypted backups, stored in the European Union (Germany), subject to a defined retention window and to permanent erasure when an account is erased.
- Restricted administrative access: access to the hosting infrastructure and to the operator console is limited to authorised personnel, protected by two-factor authentication, and reachable only over a private administrative network. Operator actions are recorded in an audit log.
- Passwordless sign-in: account sign-in uses single-use, time-limited email links, and only a hashed form of each link is stored, never the link itself.
- Data minimisation in logs: application logs do not contain participant names, postal addresses, dates of birth, or telephone numbers; a small number of operational log entries may contain an email address.
Annex 3: Subprocessors
| Subprocessor | Role | Location |
| Hetzner Online GmbH | Hosting, infrastructure, and encrypted backups | Germany (EU) |
| Scaleway SAS | Transactional email delivery | France (EU) |
| Zoho Corporation Limited (United Kingdom) | Customer support email inbox | European Union |
| Cloudflare, Inc. | DNS for the service; hosting and edge functions for the public website | United States (global) |
Independent controllers
The company named below processes personal data as an independent controller and therefore does not act as a subprocessor under this DPA.
| Company | Function |
| Paddle.com Market Ltd | Merchant of Record for payment processing and invoicing; an independent controller for payment and tax data, which it retains under its own legal obligations. Such data is not erased under clause 8. |
Processing by this company is governed by its own privacy terms and falls outside the scope of this DPA.
Notes:
- The Moimio application is not proxied through Cloudflare. Participant data in transit passes directly between the user's browser and the European Union host and does not traverse Cloudflare.
- The following support the operation of the service but do not process participant personal data: a private administrative network (Tailscale) and uptime monitoring (Healthchecks.io).
A countersigned PDF copy of this agreement is available to customers on request. Write to [email protected].