MTRX

Legal / DPA

Data Processing Addendum

Version 1.0 Effective 11 July 2026

This Data Processing Addendum (the “DPA”) forms part of the MTRX Terms of Service or another written agreement governing a customer’s use of the MTRX Service (the “Agreement”). It applies where MTRX processes Customer Personal Data on the customer’s behalf.

The customer entering into the Agreement is the “Customer” and “Controller”. DIVERGENT SOFTWARE LTD, company number 17324678, is “MTRX” and the “Processor”. Each is a “party” and together they are the “parties”.

01Definitions and interpretation

1.1. Applicable Data Protection Law means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other data protection law that applies to processing under the Agreement.

1.2. Customer Personal Data means personal data contained in Customer Data that MTRX processes on the Customer’s behalf in providing the Service.

1.3. Data Subject, personal data, Personal Data Breach, processing, controller, and processor have the meanings given in Applicable Data Protection Law.

1.4. Subprocessor means another processor engaged by MTRX to process Customer Personal Data.

1.5. If this DPA conflicts with the Agreement on the protection or processing of Customer Personal Data, this DPA controls. The Agreement otherwise remains in effect.

02Scope, roles, and instructions

2.1. The parties acknowledge that the Customer is the controller and MTRX is the processor of Customer Personal Data. If the Customer processes personal data on behalf of another controller, the Customer acts as a processor and appoints MTRX as its subprocessor; the obligations in this DPA apply accordingly.

2.2. MTRX will process Customer Personal Data only:

  • on the Customer’s documented instructions, including the Agreement, this DPA, the Customer’s configuration and use of the Service, and support requests;
  • to provide, secure, maintain, and support the Service; or
  • where required by applicable law, in which case MTRX will inform the Customer before processing unless the law prohibits it.

2.3. MTRX will promptly inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. MTRX may suspend the affected processing until the parties agree a lawful instruction.

2.4. The subject matter, duration, nature, purpose, personal data types, and Data Subject categories are set out in Schedule 1.

03Customer responsibilities

3.1. The Customer is responsible for the lawfulness, fairness, accuracy, and quality of Customer Personal Data and for providing all notices and obtaining all rights, permissions, and lawful bases needed for MTRX to process it under the Agreement.

3.2. The Customer will issue lawful instructions, configure access appropriately, protect its account credentials, and avoid supplying personal data that is not necessary for use of the Service.

3.3. The Customer is responsible for responding to Data Subjects and supervisory authorities as controller, with MTRX’s assistance as described below.

04Confidentiality

4.1. MTRX will ensure that each person authorised to process Customer Personal Data is bound by a duty of confidentiality and accesses it only as necessary to perform their duties.

4.2. MTRX will limit access to Customer Personal Data to personnel and contractors who need it to provide or support the Service and will provide appropriate data-protection and security training.

05Security

5.1. Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risks to Data Subjects, MTRX will maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

5.2. The current measures are described in Schedule 2. MTRX may update them as technology and the Service evolve, provided the overall level of protection is not materially reduced.

06Personal Data Breaches

6.1. MTRX will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

6.2. To the extent information is available, the notice will describe the nature of the breach, affected data and Data Subject categories, likely consequences, measures taken or proposed, and a contact point for further information. MTRX may provide information in phases as its investigation progresses.

6.3. MTRX will take reasonable steps to contain, investigate, mitigate, and remediate the breach and will reasonably assist the Customer with any legally required notifications. A notice is not an admission of fault or liability.

07Subprocessors

7.1. The Customer gives MTRX general written authorisation to engage Subprocessors within the categories and subject to the selection requirements described in Schedule 3. MTRX will make its current Subprocessor register available to the Customer through the Service or on request.

7.2. MTRX will provide reasonable advance notice of an intended new or replacement Subprocessor that will process Customer Personal Data. The Customer may object on reasonable data-protection grounds by contacting MTRX before the change takes effect. The parties will work in good faith to address the objection. If no reasonable alternative is available, the Customer may stop using the affected part of the Service and terminate it in accordance with the Agreement.

7.3. MTRX will enter into a written agreement with each Subprocessor imposing data-protection obligations that provide materially equivalent protection to this DPA, as applicable to the services it performs. MTRX remains responsible for each Subprocessor’s performance of those obligations.

08International transfers

8.1. MTRX will not transfer Customer Personal Data outside the United Kingdom unless it complies with Applicable Data Protection Law.

8.2. Where a restricted transfer is not covered by UK adequacy regulations, the parties will use an approved safeguard, such as the ICO’s International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses, together with any required transfer risk assessment and supplementary measures.

8.3. The Customer authorises MTRX to enter into those transfer mechanisms on the Customer’s behalf where MTRX acts as its processor, and to procure equivalent safeguards from relevant Subprocessors.

09Data Subject requests

9.1. Taking into account the nature of processing, MTRX will provide reasonable assistance through appropriate technical and organisational measures so the Customer can fulfil its obligations to respond to Data Subject requests.

9.2. If MTRX receives a request relating to Customer Personal Data directly from a Data Subject, MTRX will not respond on the Customer’s behalf unless authorised or legally required. Where permitted, MTRX will direct the Data Subject to the Customer or promptly forward the request.

10Compliance assistance

10.1. Taking into account the nature of processing and information available to it, MTRX will reasonably assist the Customer with its obligations concerning security, breach notification, data protection impact assessments, and prior consultation with a supervisory authority.

10.2. If assistance requires material work beyond the normal operation of the Service, MTRX may charge reasonable fees agreed in advance, unless the assistance is required because MTRX breached this DPA.

11Deletion and return

11.1. During the term, the Customer may export Customer Data using the Service’s available export features.

11.2. On expiry or termination of the Service, and at the Customer’s choice where technically practicable, MTRX will delete or return Customer Personal Data unless applicable law requires continued storage. Customer Personal Data is deleted from live systems in accordance with the Agreement and is then removed from backups on the normal backup-retention cycle.

11.3. If the Customer instructs MTRX to delete its organisation, deletion may be irreversible. The Customer should export required data before confirming deletion.

12Information and audits

12.1. MTRX will make available information reasonably necessary to demonstrate compliance with Article 28 of the UK GDPR and this DPA.

12.2. The Customer may audit MTRX’s relevant processing once in any 12-month period, and additionally after a confirmed Personal Data Breach or where required by a supervisory authority. Audits must be requested on reasonable written notice, occur during normal business hours, avoid unreasonable disruption, and protect other customers’ confidential information and personal data.

12.3. MTRX may first satisfy an audit request by providing current independent audit reports, certifications, security documentation, or questionnaire responses. If those materials are insufficient, the parties will agree the scope, duration, and method of a further audit. The Customer bears its audit costs unless the audit identifies a material breach by MTRX.

13Term and general provisions

13.1. This DPA begins when the Agreement takes effect and continues while MTRX processes Customer Personal Data.

13.2. The liability terms and governing law in the Agreement apply to this DPA. Nothing in this DPA limits a Data Subject’s rights or any liability that cannot lawfully be limited.

13.3. If part of this DPA is unenforceable, the remainder stays in effect.

14Contact

DIVERGENT SOFTWARE LTD
Company number 17324678
Tagus House, 9 Ocean Way
Southampton, England, SO14 3TJ

Customers can also contact MTRX about this DPA through the in-app support form in their organisation’s settings.

15Schedule 1 — Details of processing

Subject matter and purpose

Providing the MTRX ticketing analytics Service, including connecting to Customer-selected ticketing providers, retrieving and storing event and ticket-sales data, displaying dashboards, producing and sharing reports, sending Customer-configured report emails and alerts, providing support, securing the Service, and maintaining service reliability.

Nature of processing

Collection, retrieval, recording, organisation, structuring, storage, adaptation, analysis, consultation, display, transmission at the Customer’s instruction, restriction, export, and deletion.

Duration

For the term of the Agreement and the limited deletion and backup-retention periods described in the Agreement and this DPA.

Categories of Data Subjects

  • ticket buyers, event attendees, and prospective attendees;
  • the Customer’s staff, contractors, agents, venue partners, promoters, agencies, and outlet users;
  • individuals whose details appear in reports or data supplied by connected ticketing providers; and
  • other individuals whose personal data the Customer lawfully submits to the Service.

Types of personal data

  • names, email addresses, and other contact or account identifiers;
  • event, order, ticket, transaction, attendance, and refund information;
  • sales channel, outlet, promoter, venue, and campaign attribution;
  • technical identifiers and activity relevant to securing and auditing Customer access; and
  • report content, notes, and other data the Customer chooses to submit or retrieve.

Special category and criminal-offence data

The Service is not designed for special category or criminal-offence data, and the Customer must not intentionally submit it unless the parties expressly agree appropriate additional safeguards in writing.

Frequency

Continuous or recurring for the duration of the Agreement, depending on the Customer’s configuration, provider sync schedule, and use of the Service.

16Schedule 2 — Security measures

  1. Access control. Organisation-scoped permissions, least-privilege access, database row-level security, separate staff identities, and time-boxed, revocable, logged support access.
  2. Authentication. Managed authentication, secure session handling, and support for multi-factor authentication where configured.
  3. Encryption. TLS encryption in transit; encryption at rest through hosting providers; envelope encryption for ticketing-provider credentials; stored credentials are never displayed back.
  4. Tenant isolation. Customer data is scoped by organisation in application logic and database policies, with automated cross-tenant isolation testing.
  5. Logging and monitoring. Security audit logs, structured application logs, error monitoring, worker-health monitoring, and alerts for relevant service failures.
  6. Resilience and recovery. Managed infrastructure and database backups, health checks, and documented deployment and recovery processes appropriate to the Service.
  7. Secure development. Version-controlled changes, code review and testing practices, dependency management, secrets kept out of source code, and separation of production environments.
  8. Incident response. Procedures to identify, investigate, contain, remediate, and communicate security incidents.
  9. Deletion. Organisation-scoped export and deletion controls, cascading deletion from live systems, and backup expiry on a rolling retention cycle.
  10. Review. Periodic evaluation and improvement of technical and organisational measures in response to risks and changes to the Service.

17Schedule 3 — Subprocessor authorisation

MTRX may appoint Subprocessors in the following categories where reasonably necessary to provide, secure, or support the Service:

Subprocessor categoryProcessing purpose
Cloud infrastructure and data-storage providersApplication hosting, background processing, managed databases, authentication, storage, backup, and related infrastructure
Communications providersTransactional email delivery, including Customer-configured reports, notifications, and alerts
Security and service-monitoring providersError detection, performance monitoring, incident investigation, and protection of the Service; Customer Personal Data is limited where practicable

Before appointing a Subprocessor, MTRX will assess whether it provides sufficient guarantees to protect Customer Personal Data, enter into the written terms required by clause 7.3, and put an appropriate transfer mechanism in place where required. MTRX will maintain a current register containing each Subprocessor’s identity, purpose, and relevant processing location.

Payment providers used only for MTRX account billing are not used to process ticket-buyer or attendee Customer Personal Data as part of the analytics Service. Customer-selected ticketing providers are data sources acting under the Customer’s own agreements, not MTRX Subprocessors.