Data Processing Agreement

Last updated: April 2026. This document is provided for transparency and does not constitute legal advice. Mécène recommends all clients seek independent legal counsel before signing.

This Data Processing Agreement ("Agreement") forms part of the subscription agreement between the organising entity accessing the Mécène platform ("Controller") and [COMPANY NAME TBC], a company registered in England and Wales ("Processor"). It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Mécène platform at mecene.art.

Scope and Subject Matter

The Processor provides a white-label event management platform through which the Controller manages guest lists, invitations, seating arrangements, check-in operations, and related workflows for private and public art events. In doing so, the Processor processes personal data on behalf of the Controller as a data processor within the meaning of the UK GDPR and, where applicable, EU GDPR.

The subject matter of processing is the operation of the Mécène platform as subscribed to by the Controller. The duration of processing corresponds to the active subscription period and any retention period agreed under this Agreement. The nature of processing includes collection, storage, organisation, retrieval, disclosure by transmission to sub-processors, and erasure of personal data. The purpose of processing is to enable the Controller to manage art events and their associated guest relationships. The categories of personal data processed include names, email addresses, dietary requirements and allergy information, relationship notes and guest tier classifications, attendance history, and platform access credentials. The data subjects are the Controller's guests, invitees, staff, and any individuals whose details the Controller enters into the platform.

Processor Obligations

The Processor shall process personal data only on documented instructions from the Controller, including those set out in this Agreement and in the platform's operational settings. The Processor shall not process personal data for any purpose other than the delivery of the contracted services.

All personnel engaged by the Processor who have access to personal data are bound by appropriate confidentiality obligations. The Processor maintains technical and organisational security measures appropriate to the risk presented by the categories of data processed, including encryption in transit and at rest, access controls, and audit logging.

The Processor shall not engage a new sub-processor or materially change the role of an existing sub-processor without giving the Controller at least fourteen days' written notice. The Controller may object to a proposed change within that period; where no resolution is reached, the Controller may terminate the subscription without penalty on this ground. The current list of sub-processors, covering hosting infrastructure, database services (EU-region), email delivery, and payment processing, is available on request.

Where the Processor receives a data subject access request, erasure request, or other rights exercise directed at data processed on the Controller's behalf, the Processor shall forward it to the Controller promptly and shall provide reasonable technical assistance to enable the Controller to respond within the statutory timeframe. The Mécène platform includes built-in tooling for DSAR export and right-to-erasure workflows to support this obligation.

On expiry or termination of the subscription, the Processor shall, at the Controller's election, return all personal data in a machine-readable format or securely delete it within thirty days, and shall certify deletion in writing on request. Anonymised audit log records required for platform integrity may be retained in non-identifiable form.

The Processor shall make available to the Controller such information as is reasonably necessary to demonstrate compliance with this Agreement and shall permit and contribute to audits or inspections conducted by the Controller or a mandated third party, subject to reasonable notice and cost allocation.

Controller Obligations

The Controller warrants that it has a lawful basis for processing the personal data it enters into the platform, and that it has provided appropriate notices to data subjects explaining how their data will be used in connection with the event. The Controller is responsible for the accuracy of the personal data it provides and for updating it as necessary. The Controller shall ensure that dietary and allergy information entered into the platform is communicated directly to catering suppliers; this operational responsibility does not transfer to the Processor.

International Transfers

Where personal data is transferred outside the UK or European Economic Area in connection with sub-processor services, the Processor shall ensure that appropriate safeguards are in place, including reliance on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses as applicable. The Processor shall provide details of transfer mechanisms on request.

Governing Law

This Agreement is governed by the laws of England and Wales. Any disputes arising under it shall be subject to the exclusive jurisdiction of the courts of England and Wales.

To request a signed copy of this agreement, write to hello@mecene.art.