Data Processing Addendum (DPA)
Raflia — Contest Platform
Last updated: July 7, 2026
1. Introduction and scope
1.1. This Data Processing Addendum (“DPA”) forms part of the Terms and Conditions (“Agreement”) between VeroMotion s.r.o., a company registered in the Czech Republic under registration number 27170730, with its registered address at Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic (“VeroMotion”, “Processor”) and the Customer (the “Controller”) for the Raflia platform (the “Service”).
1.2. This DPA applies to the processing of Personal Data by VeroMotion on behalf of the Customer in connection with the provision of the Service. It does not apply to Personal Data that VeroMotion processes as a Data Controller for its own operational purposes (such as account management, billing, and direct communication with the Customer), which is described in our Privacy Policy.
1.3. This DPA is incorporated into the Agreement by reference and takes effect when the Customer accepts the Agreement. No separate signature is required.
1.4. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
2. Definitions
Terms not defined in this DPA have the meanings given in the Agreement. In addition:
“Data Protection Laws” means all applicable data protection and privacy laws, including: the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); the UK GDPR and the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection (“FADP”); and any other applicable national implementing or equivalent legislation, each as updated or replaced from time to time.
“Personal Data”, “Data Controller”, “Data Processor”, “Data Subject”, “processing”, and “Personal Data breach” have the meanings given in the GDPR.
“Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses for the transfer of personal data to third countries, as set out in the Annex to Commission Implementing Decision (EU) 2021/914.
“Sub-processor” means a third party engaged by VeroMotion to process Personal Data on behalf of the Customer.
“Contest” means any contest, promotion, giveaway, raffle, sweepstake, or winner-selection activity conducted by the Customer through the Service.
“Drawing” means any random or weighted selection of winners conducted by the Customer through the Service.
“Entry” means a record submitted to a Contest by or on behalf of a Participant, including any Personal Data contained in that record.
“Participant” means a natural person whose Personal Data is included in an Entry.
3. Roles of the parties
3.1. The Customer (the contest organizer) acts as the Data Controller and VeroMotion acts as the Data Processor with respect to Personal Data submitted to or processed through the Service — whether the Customer uploads Participant data itself or Participants submit Entries directly through a form provided by the Service. In both cases the Customer determines the purposes and means of processing, and VeroMotion processes on the Customer’s behalf.
3.2. Where the Customer itself acts as a Data Processor on behalf of a third party (for example, an agency running a Contest for its own client), VeroMotion acts as a Sub-processor. The Customer warrants that it has obtained all necessary authorizations from the relevant Data Controller to engage VeroMotion as a Sub-processor.
3.3. VeroMotion acts as an independent Data Controller for Personal Data it processes for its own purposes, such as Customer account management, billing, security, fraud prevention, and service improvement. Such processing is described in our Privacy Policy and is not subject to this DPA.
4. Processing instructions
4.1. VeroMotion shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Agreement, this DPA, and the Customer’s use of the Service through its standard configuration options (including the design of any entry form and the Contest settings the Customer chooses) constitute the Customer’s initial instructions. Additional instructions may be agreed in writing.
4.2. VeroMotion shall inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. VeroMotion is not obligated to independently assess the legality of the Customer’s instructions.
4.3. The details of processing (subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects) are described in Annex A.
4.4. Records of processing. VeroMotion shall maintain a record of the categories of processing carried out on behalf of the Customer as required by Article 30(2) GDPR, and shall make it available to the Customer or the relevant supervisory authority on request.
5. Customer obligations
5.1. The Customer is responsible for:
(a) ensuring it has a lawful basis under Data Protection Laws for processing Personal Data and for any instructions given to VeroMotion;
(b) providing all required notices to, and obtaining all necessary consents from, Participants before their Personal Data is submitted to the Service (including where Participants enter via a form);
(c) the accuracy, quality, and legality of Personal Data provided to the Service, including Entries;
(d) ensuring that any Contest or Drawing conducted via the Service complies with applicable laws (including those relating to lotteries, raffles, gambling, sweepstakes, and promotional contests);
(e) configuring the Service appropriately for its use case, including the public visibility level applied to winners and Entries, whether to publish an identifiable list of Participants, retention and archive settings, and Participant communications — each of which constitutes the Customer’s documented processing instruction under Section 4.1;
(f) complying with all applicable Data Protection Laws in connection with its use of the Service.
6. Confidentiality
6.1. VeroMotion shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Security measures
7.1. VeroMotion shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects.
7.2. A description of the key security measures is set out in Annex B. VeroMotion may update these measures from time to time, provided that the overall level of security is not materially reduced.
8. Personal Data breach notification
8.1. VeroMotion shall notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA, to enable the Customer to comply with its own notification obligations under applicable Data Protection Laws.
8.2. The notification shall include reasonable details about the nature of the breach to the extent known at the time, including the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
8.3. VeroMotion’s obligation to notify does not constitute an acknowledgment of fault or liability.
9. Sub-processors
9.1. The Customer provides general written authorization for VeroMotion to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is available at https://raflia.com/subprocessors.
9.2. VeroMotion shall notify the Customer of any intended changes to its Sub-processors at least 30 days in advance by email to the address associated with the Customer’s Account, or by another reasonable means of notification.
9.3. The Customer may object to a new Sub-processor by notifying VeroMotion in writing within 30 days of receiving the notification, on reasonable data protection grounds. Following an objection, VeroMotion shall use commercially reasonable efforts to provide an alternative arrangement. If VeroMotion cannot reasonably accommodate the objection, the Customer may terminate the affected part of the Service upon written notice. Previously accrued rights and obligations survive such termination.
9.4. VeroMotion shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA.
9.5. For the avoidance of doubt, cloud infrastructure and service providers used to host the Service and process Customer Data (for example, hosting and storage, email delivery, error monitoring, and payment processing) are considered Sub-processors and are subject to this Section 9.
9.6. VeroMotion remains liable for the acts and omissions of its Sub-processors to the same extent VeroMotion would be liable if it performed those services directly under this DPA.
10. International transfers
10.1. Personal Data is primarily stored within the European Union.
10.2. Where Personal Data is transferred outside the European Economic Area (“EEA”) — including transfers by VeroMotion to a Sub-processor outside the EEA, or transfers where the Customer is established outside the EEA, the UK, or Switzerland — the transfer shall be protected by appropriate safeguards under GDPR Chapter V, including:
(a) an adequacy decision covering the recipient country;
(b) the EU-US Data Privacy Framework (where applicable); or
(c) the Standard Contractual Clauses.
10.3. SCC modules. Where the SCCs apply: (a) where the Customer is a controller and VeroMotion a processor, Module Two (Controller to Processor) applies; (b) where the Customer is a processor and VeroMotion a sub-processor, Module Three (Processor to Sub-processor) applies. The optional docking clause (Clause 7) applies. Annex A and Annex B of this DPA serve as the SCC annexes; VeroMotion is the “data importer” and the Customer the “data exporter.” The supplementary safeguards in Annex D apply.
10.4. UK transfers. For Personal Data subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (issued by the ICO under s.119A of the Data Protection Act 2018) is incorporated by reference and completed using the information in Annex A and Annex B. The UK Addendum prevails for UK-origin data to the extent of any conflict.
10.5. Swiss transfers. For Personal Data subject to the FADP, the SCCs apply with the adjustments required under the FADP: references to the GDPR are read as references to the FADP; the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority; and data subjects in Switzerland may enforce their rights as third-party beneficiaries.
10.6. Alternative mechanism. If the Customer adopts an alternative lawful transfer mechanism recognised under Data Protection Laws, the parties shall cooperate to implement it, and it shall apply instead to the extent it covers the relevant transfers.
11. Data Subject rights
11.1. VeroMotion shall, to the extent technically feasible, assist the Customer in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including access, rectification, erasure, portability, restriction, and objection).
11.2. The Service provides self-service features that allow the Customer to access, correct, export, and delete Personal Data, including individual Entries and entire Contest records. The Customer shall use these features as the primary means of responding to Data Subject requests.
11.3. If the Customer is unable to fulfill a Data Subject request through the Service, the Customer may contact VeroMotion at info@raflia.com for additional assistance.
11.4. If a Data Subject request is made directly to VeroMotion concerning a Contest run by a Customer, VeroMotion shall promptly inform the Customer and direct the Data Subject to contact the Customer.
11.5. Erasure against public records and archives. Where a Participant seeks erasure from a published Contest record, the Participant’s details are removed from the public page and from search, while a sealed cryptographic token that evidences the Drawing was not altered is retained (that token is not publicly reversible to the Participant’s identity). Where the relevant Entries have been archived (Section 13.2(a)), the Participant’s record is located and removed from the archive on request; because archived data is held outside the live system, this is carried out manually and within the response time required by applicable Data Protection Laws.
12. Audit
12.1. VeroMotion shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
12.2. To minimise disruption and protect the confidentiality of other customers’ data, audits and inspections are subject to the following reasonable conditions: (a) no more than once per calendar year, except where required by applicable law or following a Personal Data breach; (b) at least 30 days’ written notice; (c) conducted during normal business hours; (d) auditors bound by appropriate confidentiality obligations; and (e) the Customer bears its own audit costs.
12.3. VeroMotion may satisfy its obligations under this Section 12 by responding to the Customer’s reasonable written questions or industry-standard security questionnaires, where this provides sufficient assurance of compliance.
13. Data retention and deletion
13.1. VeroMotion shall process Personal Data for the duration of the Agreement and as necessary to provide the Service.
13.2. Specific retention periods applicable to Personal Data include:
(a) Entries and Contest data: kept in the live system for an active period after the Contest ends — 12 months on paid plans, 3 months on free accounts. The Customer may request an extension for its Account (for example, for audit or grant records). After the active period the project is archived: Entries are removed from the live database and held as an encrypted archive file in secure storage, not accessible through the Service and not searchable, for 5 years by default (extendable to a maximum of 10 years per Account where the Customer has an audit or legal reason), after which they are deleted;
(b) Submission forensics (Entry IP address and user-agent): retained for up to 12 months for fairness, fraud-prevention, and dispute purposes, then removed or nulled;
(c) Consent records: retained as proof of consent and not pruned;
(d) Activity / audit logs: dashboard activity logs retained for 90 days; durable audit records retained longer as a proof-of-selection trail that Customers and Participants may rely on after a Drawing concludes;
(e) Draw verification record: the basic details of a completed Drawing (Contest name, dates, winners at the Customer’s chosen visibility, prizes) and a sealed cryptographic proof are retained as a permanent, tamper-evident public verification record. Full raw Entry identifiers are not part of this record.
13.3. Upon termination or expiration of the Agreement, the Customer may export its data through the Service’s standard export functionality. After the periods above, VeroMotion shall delete Personal Data from its systems, except where retention is required by applicable law.
13.4. VeroMotion may retain Personal Data in backup systems for a reasonable period following deletion from production systems. Such backup data remains subject to this DPA until permanently deleted in accordance with VeroMotion’s backup rotation schedule.
13.5. Public result pages. The Service publishes a public result / verification page for completed Contests. By default this page shows the winners (at the visibility level the Customer selects), aggregate figures about the Drawing (such as the total number of Entries and an anonymized breakdown of entry counts using non-identifying labels), and a sealed cryptographic proof; an identifiable list of Participants is shown only if the Customer chooses to publish it. The Customer determines the visibility level and is responsible for the lawful basis for, and for informing Participants about, any identifiable data it chooses to publish. The verification record is retained as described in Section 13.2(e); erasure against it is handled under Section 11.5.
14. Liability
14.1. The liability of each party under this DPA is subject to the limitations and exclusions set out in the Agreement.
14.2. Nothing in this DPA or the Agreement excludes or limits liability where such exclusion or limitation is not permitted under applicable Data Protection Laws, including liability arising under Article 82 GDPR.
15. Governing law
15.1. This DPA is governed by the laws of the Czech Republic, consistent with the governing law provisions of the Agreement.
15.2. Where Standard Contractual Clauses apply, the SCCs shall be governed by the law of the EU Member State in which the data exporter is established, or if the data exporter is not established in the EU, by Czech law.
16. Term and termination
16.1. This DPA takes effect when the Customer accepts the Agreement and terminates automatically upon termination or expiration of the Agreement.
16.2. Obligations relating to confidentiality, data deletion, and ongoing data protection survive termination of this DPA.
Annex A — Processing details
A.1. List of parties
| Data Exporter (Controller) | Data Importer (Processor) | |
|---|---|---|
| Entity | The Customer, as identified in the Account | VeroMotion s.r.o. |
| Address | As provided during Account registration | Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic |
| Contact | Email address associated with the Account | info@raflia.com |
| Role | Data Controller (or Data Processor, where applicable) | Data Processor (or Sub-processor, where applicable) |
A.2. Description of processing
| Details | |
|---|---|
| Subject matter | Processing of Personal Data in connection with the provision of the Raflia contest and promotion platform |
| Duration | For the term of the Agreement, plus any applicable data retention period (see Section 13) |
| Nature of processing | Collection, storage, retrieval, organization, random and weighted selection, jury scoring, display, transmission, result/certificate generation, and deletion of Contest data and associated Entries; optional features include entry forms, weighted entries, and public result publication |
| Purpose | To provide the Service as described in the Agreement, including collecting Entries, conducting fair and verifiable Drawings, selecting and notifying winners, and supporting Customer–Participant communications where enabled |
| Frequency | Continuous, for the duration of the Agreement |
A.3. Categories of Data Subjects
- The Customer’s employees, staff, and authorized account users
- Participants whose Personal Data is included in Entries
- Invited Users (e.g., judges in jury-scored Contests)
- Winners selected through a Drawing
- Visitors to public result pages or drawing certificates published by the Customer
A.4. Types of Personal Data
Depending on how the Customer configures its Contest and the Entries submitted, Personal Data processed may include:
- Identity data: names, usernames, social media handles
- Contact data: email addresses, and where collected for prize fulfilment, phone numbers and postal addresses
- Authentication data: email addresses and usernames used to access the Service
- Technical / fairness-forensic data: IP addresses, browser/user-agent, access timestamps, submission logs (retained to ensure draw integrity)
- Entry content: any Personal Data contained within Entries, the extent of which is determined by the Customer (including custom fields, ticket numbers, weights, or other Customer-defined attributes)
- Billing data: name, email, billing address, and payment-related identifiers (processed for VeroMotion’s own controller purposes — see Section 3.3)
A.5. Sensitive data
VeroMotion does not require or request special categories of Personal Data (GDPR Article 9). If such data is present in Entries submitted by the Customer, the Customer is solely responsible for ensuring a lawful basis and appropriate safeguards under Article 9.
A.6. Retention
Personal Data is retained in accordance with Section 13 of this DPA: Entry data lives in the system for an active period (12 months paid / 3 months free, extendable per Account), then in an encrypted archive for 5 years by default (up to 10 years on request), after which it is deleted; a minimized draw verification record is retained permanently. The Customer can export or delete data through the Service.
Annex B — Technical and organizational measures
VeroMotion implements and maintains the following categories of security measures, which may be updated provided the overall level of protection is not materially reduced.
B.1. Access control
- Role-based access control for all system components
- Unique user accounts with strong password requirements
- Optional two-factor authentication for Customer accounts
- Automatic session expiry after a period of inactivity
- Principle of least privilege for internal access to Personal Data
B.2. Data encryption
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest where supported by the underlying infrastructure
- Encrypted database connections
B.3. Infrastructure security
- Hosting within European Union data centers (Hetzner, Germany)
- Transactional email via AWS SES (EU, Frankfurt)
- Public static assets served via Bunny CDN (EU company); no database or Participant data passes through the CDN
- Error monitoring via Sentry (EU data-storage region)
- Network firewalls, regular security updates, and patch management
- Automated deployment through CI/CD pipelines with access controls
B.4. Data separation
- Logical separation of Customer Data by Account, team, and project (tenant isolation)
- Authorization checks on every data access operation
B.5. Backup and recovery
- Regular automated backups of databases and stored files
- Backups stored in encrypted form within the EU
- Periodic backup restoration testing
B.6. Logging and monitoring
- Audit logging of access to Personal Data
- Monitoring of system availability and performance
- Alerting for security-relevant events
B.7. Personnel measures
- Confidentiality obligations for all personnel and contractors with access to Personal Data
- Access to production systems limited to authorized personnel only
Annex C — Sub-processor list
The current list of Sub-processors authorized to process Personal Data on behalf of the Customer is published at https://raflia.com/subprocessors. This list may be updated in accordance with Section 9, with at least 30 days’ advance notice.
Annex D — Supplementary safeguards for the Standard Contractual Clauses
This Annex supplements, and is read together with, the Standard Contractual Clauses (and, where applicable, the UK Addendum). References to “the Clauses” mean the SCCs.
- The data subject may enforce paragraphs 1 and 3 of this Annex against the data importer as a third-party beneficiary, in accordance with Clause 3 of the Clauses.
- The data importer shall reasonably assist the data exporter in its ongoing assessment of the adequacy of protection for the Personal Data under applicable Data Protection Laws.
- On receiving a legally binding request from a law-enforcement or other public authority for disclosure of Personal Data, the data importer shall, supplementing Clause 15 of the Clauses:
(a) use reasonable efforts to redirect the authority to obtain the data directly from the data exporter;
(b) promptly notify the data exporter of the request and use reasonable efforts to assist it in opposing the request, where lawful; and
(c) where prohibited by law from notifying the data exporter, use reasonable efforts to challenge that prohibition.
Contact
VeroMotion s.r.o.
Karla Engliše 3208/5
Prague 5, 150 00
Czech Republic
Email: info@raflia.com
Web: https://raflia.com
< Back to Legal Documents