General Data Protection Regulation (GDPR)


Bevy takes privacy seriously and is committed to complying with privacy and data protection laws. This page provides an overview of the steps Bevy has taken to address compliance with the General Data Protection Regulation (GDPR).

Please reach out to for further information.


The GDPR is a comprehensive data protection law that governs the processing of personal data from the EU. Personal data, as defined under the GDPR, includes any information relating to an identified or identifiable living individual, which includes information like names, email addresses and phone numbers.

Bevy's Role under the GDPR

The GDPR distinguishes between "controllers" and "processors". The difference between these roles is important, because each has different responsibilities. In simple terms, a "controller" makes decisions about personal data – it decides "how" and "why" data is processed. By contrast, a "processor" only processes personal data on behalf of a controller – it is a service provider and only uses the data as instructed by its controller.

In some situations, Bevy may act as a controller under the GDPR. For example, if you sign up to attend an event via the CMX Website, we may be a controller with respect to the personal data you share with us.

In other situations, Bevy may act as a processor. For example, if a customer contracts with Bevy for access to the Bevy Service and shares personal data with Bevy, the company may be the controller with respect to such data and Bevy may be a processor. This means that Bevy, in addition to complying with its customers' processing instructions, needs to comply with the legal obligations that apply to processors under the GDPR.


The GDPR mandates that personal data must be processed in a transparent manner and, accordingly, imposes some specific disclosure requirements.
Where we act as a controller, our privacy policy explains how we collect and process personal data and includes the necessary GDPR disclosures. You can read our privacy policy here.

Individual's Rights

Individuals are entitled to certain rights under the GDPR. These include, for example, the rights to access, correct and delete their personal data, and to restrict or object to processing of their personal data.

As a matter of law, these rights can only be exercised against controllers rather than processors. Accordingly, we have an approach in place to handle data subject rights requests made to Bevy, whether in its capacity as a controller (where we handle the requests directly) or a processor (where we will refer the request back to our customer, the controller).


The GDPR requires that controllers and processors implement appropriate technical and organisational measures to protect personal data. These measures must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to individuals.

Bevy has put in place a number of robust security measures to protect personal data. These include:

  • Encrypting data in transit and at rest and implementing strong access controls.
  • Developing our platform using best practices from security industry frameworks and adhering to rigorous security standards (SOC 2 and ISO 27001:2013 certification).

You can read more about our security practices here.

Customer Data Processing Addendum

Where we process personal data on behalf of our customers and we act as a processor, we make a Data Processing Addendum (DPA) available as part of the contracting process. Our DPA contains provisions to assist us, and our customers, with compliance with the GDPR.


Where we act as a processor, we choose our sub-processors deliberately and require appropriate security due diligence to ensure that our customers' information remains protected. As such, sub-processors are part of our overall risk management process and vendor risk assessments occur at a minimum prior to vendor selection, upon relevant changes (such as our own requirements or noteworthy changes in their security posture) or annually.

You can find a list of our sub-processors in our DPA.

EU-U.S. and Swiss-U.S. Privacy Shield

Bevy self-certifies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from the European Union and Switzerland. We apply the principles of the Privacy Shield to all personal data that we receive from individuals and companies in the European Union and Switzerland.

You can learn more about the Privacy Shield program and view our certification.

International Data Transfers

The GDPR places restrictions on the transfer of personal data outside the European Economic Area (EEA) to non-EEA recipients unless appropriate transfer mechanisms are in place. This requirement may apply where, for example, we receive information from a customer based in the EEA and the customer's information is stored on our US servers.

Historically, we relied on the EU-U.S. Privacy Shield and Swiss-U.S. framework to receive and process personal data from the EEA and Switzerland. However, on July 16, 2020, the Court of Justice of the European Union declared the EU-U.S. Privacy Shield Framework invalid. Since that time, we have relied on the European Commission's standard contractual clauses (SCCs) to ensure we can receive and process personal data in compliance with the GDPR. The SCCs are automatically incorporated as part of our Customer DPA.

Other measures

We have also taken steps to ensure that our contracts with vendors incorporate the terms required by the GDPR and implemented internal data protection policies to address GDPR requirements.

Further information

Please reach out to with further questions and/or feedback.