Last updated: 10 June 2026
Version 1.0.0
These terms and conditions (the "Terms") govern your use of the Slipp platform as a vendor. They form a binding agreement between Slipp ApS, CVR no. 46359070, Denmark ("Slipp", "we", "us"), and the legal entity that accepts the Terms during onboarding (the "Vendor", "you").
The Terms apply in addition to Schedule 1 (Data Processing Agreement), which governs Slipp's processing of personal data on the Vendor's behalf where applicable. By accepting the Terms, you also accept Schedule 1.
These Terms are written in English. English is the authoritative language of the contract; no Danish translation is published for the Vendor Terms.
"Platform" means the Slipp software, including the vendor app, the attendee app, the supporting backend services, and the marketing site.
"Attendee" means a consumer who places an order with the Vendor via the Platform.
"Event" means an event, festival, market, or similar gathering at which the Vendor offers goods to Attendees via the Platform.
"Order" means an Attendee's binding purchase of goods from the Vendor, concluded on Stripe's hosted checkout.
"Connected Account" means the Vendor's Stripe Connect account onto which Order proceeds are paid.
"Platform Service Fee" means Slipp's fee for providing the Platform, added on top of the Attendee-facing order total at checkout.
Slipp provides the technical Platform that enables Attendees to order goods from the Vendor and pay for them.
The sales contract for each Order is concluded between the Attendee and the Vendor. Slipp is not a party to the sales contract and is not the seller of the goods. The Vendor is the merchant of record and is responsible to the Attendee for the goods sold.
The Vendor must be a legal entity or sole trader with the capacity to enter into and perform commercial contracts in its jurisdiction of establishment.
Slipp provides the Vendor with: a vendor dashboard for managing the menu, shop opening hours and item availability; the Attendee-facing menu and ordering flow; payment routing via Stripe Connect; order notifications; and pickup-flow tooling.
Slipp may make changes to the Platform from time to time, including changes to features, user interface, and the technical interfaces with Stripe. Material changes that affect the Vendor's commercial position are notified in advance per section 23.
Onboarding to the Platform requires the Vendor to create and connect a Stripe Connect account. Stripe Payments Europe, Ltd. ("Stripe") performs all Know-Your-Customer and merchant verification for the Connected Account; Slipp does not collect identity documents independently of Stripe.
The Vendor is bound by Stripe's Connected Account Agreement and Stripe Services Agreement in addition to these Terms. The Vendor is responsible for keeping the information in its Connected Account accurate and up to date.
Slipp may refuse onboarding or off-board a Vendor whose Connected Account is restricted, suspended, or rejected by Stripe.
Slipp charges a Platform Service Fee on each Order. The fee is **added on top** of the Vendor's order total at checkout and is paid by the Attendee as part of the single payment processed by Stripe. The fee is not deducted from the Vendor's proceeds.
The applicable rate is disclosed to the Vendor at Event onboarding and may vary per Event or Event category. The Terms do not state a fixed rate because the rate is set per Event in writing (typically by email or in the Vendor onboarding flow) before any Order is taken.
Technically, the fee is implemented as `application_fee_amount` on a Stripe Connect direct charge: the gross payment lands on the Connected Account, and Slipp's Platform Service Fee is automatically routed to Slipp's platform balance.
The fee is itemised on the Attendee receipt and on the per-Order data the Vendor can inspect in the dashboard, so the Vendor sees exactly what the Attendee paid for the goods and what was charged as a Platform Service Fee.
The Platform Service Fee rate communicated to the Vendor is a gross, VAT-inclusive rate. Slipp's monthly invoice decomposes the collected fees into a net amount and 25% Danish VAT — see section 10.
Payment for each Order is processed by Stripe as a direct charge on the Connected Account. The Vendor is the merchant of record. The Attendee's card is charged in the Vendor's name (or in the name shown for the Connected Account in Stripe's descriptor configuration).
Slipp never holds Vendor or Attendee funds. Order proceeds settle directly into the Connected Account in accordance with Stripe's payout schedule for that account.
Refunds are the Vendor's primary responsibility. The Vendor processes refunds via its Stripe dashboard. Refunds are debited from the Connected Account; the Platform Service Fee for the refunded portion is, where supported by Stripe Connect, refunded to the Attendee from Slipp's platform balance.
Chargebacks and Stripe disputes are routed to the Connected Account per Stripe Connect defaults. The Vendor is the primary respondent and is responsible for submitting evidence in its Stripe dashboard. With the Vendor's prior written authorisation, Slipp may submit evidence on the Vendor's behalf via the Stripe Connect API; such assistance does not transfer dispute liability to Slipp.
The Vendor bears Stripe's per-transaction payment processing fees. These fees are deducted from the gross payment on the Connected Account by Stripe before the proceeds settle to the Vendor's available balance, in accordance with Stripe's pricing in effect for the Connected Account.
Stripe is solely responsible for the calculation and collection of its processing fees. Slipp does not control, mark up, or rebate Stripe's processing fees.
Payouts from the Connected Account to the Vendor's linked bank account are scheduled directly in Stripe. The Vendor selects the payout schedule (daily, weekly, monthly, or manual) within its Stripe dashboard.
Slipp does not schedule, hold, or release payouts. Payout disputes are addressed to Stripe in the first instance.
Slipp issues a monthly VAT-compliant invoice to the Vendor covering the Platform Service Fees applied to the Vendor's Orders during the preceding calendar month, net of refunds. Collected fees are treated as gross (VAT-inclusive): the invoice decomposes each amount into a net amount and 25% Danish VAT, so the Vendor can deduct the VAT as input VAT on its own VAT return. The invoice is denominated in DKK unless otherwise agreed in writing and complies with the requirements of Bogføringsloven and Momsloven.
The invoice itemises Orders for the period and reflects any refunds processed during the same period. Where the Vendor is established in another EU Member State and supplies a valid VAT number, Slipp applies the EU reverse-charge regime in accordance with applicable VAT rules.
Settlement of the invoice does not involve a separate cash transfer between Slipp and the Vendor: Platform Service Fees have already been collected on each Order via `application_fee_amount` and routed to Slipp's platform balance. The monthly invoice is the accounting record of those fees for both parties' bookkeeping.
The Vendor warrants to Slipp, on a continuing basis, that:
The Vendor will notify Slipp without undue delay if any of these warranties ceases to be accurate.
The Vendor is solely responsible for the accuracy of product descriptions, prices, and any other information it publishes on the Platform, as well as for the accuracy and completeness of allergen disclosures made to Attendees through any channel (in-person at pickup, on-site signage, item description text on the Platform, or a dedicated allergen field on the Platform where such a feature is provided). The Vendor must ensure that allergen information communicated through one channel does not contradict information communicated through another.
Where the Vendor sells age-restricted goods, age verification at the point of delivery is the Vendor's responsibility. Slipp does not perform age verification at order intake; Slipp requires Attendees to confirm they are 18 or older at signup, but this confirmation does not relieve the Vendor of statutory verification obligations at delivery.
If an Order is refused at delivery due to missing documentation, intoxication, or other circumstances on the Attendee's side, the Order is treated as not picked up under section 7 of the Attendee Terms; no refund is due.
The Vendor grants Slipp a non-exclusive, royalty-free, worldwide licence to host, store, reproduce, display and transmit the content the Vendor uploads to the Platform (including logos, banners, menu item descriptions and photos) for the sole purpose of operating the Platform, displaying it to Attendees, and promoting the Event participation.
The licence is granted for the duration of the Vendor's use of the Platform and a reasonable archival period thereafter to comply with the audit-log retention period in section 14. The Vendor retains ownership of the content.
Slipp may resize, recompress, or convert formats of uploaded media for delivery via the Platform's CDN (currently Cloudflare Images). No editorial modification of the content is performed.
Slipp records an immutable audit log of Vendor-initiated operational state changes that affect Attendee-facing availability or pricing — including shop open/close, item availability, item price changes, and menu item additions or removals. Each entry captures the acting user, the entity affected, the action, the timestamp, and before/after values.
The audit log is retained for at least 5 years from the end of the financial year in which the entry was created, aligning with Bogføringsloven retention applied to Order records. Entries are visible to Slipp staff with admin role and are made available to the Vendor on request for dispute support.
The audit log evidences Slipp's role as platform intermediary and supports the Vendor's accountability in consumer-dispute proceedings (Forbrugerklagenævnet) by providing a defensible record of who changed what and when.
The Vendor must not list goods that are illegal under Danish or EU law, infringe third-party intellectual property rights, are deceptive or misleading, or breach the warranties in section 11.
Slipp may, in accordance with Article 14 of the Digital Services Act, restrict or remove content that does not comply with the Terms. Where Slipp does so, the decision is communicated to the Vendor with the specific clause or rule that the content was found to breach and the available appeal route. Slipp does not rank Vendors or their content; Vendors are presented in a neutral, non-weighted order.
Slipp does not currently apply algorithmic moderation, automated content classification, or recommender systems to Vendor content. If Slipp introduces algorithmic decision-making to the moderation flow, the Terms will be updated accordingly and the change communicated in advance per section 23.
Appeals against moderation decisions are addressed to support@slipp.app. Slipp will respond within 14 days of receipt.
Any person — including the Vendor, an Attendee, a third party, or an authority — may submit a notice of illegal content or illegal goods on the Platform by writing to legal@slipp.app. To allow Slipp to act, the notice should contain: (a) a sufficiently substantiated explanation of why the content or goods are alleged to be illegal; (b) a clear indication of the exact electronic location (e.g. URL, order or item reference); (c) the name and email of the submitter (except for notices concerning offences referred to in Articles 3–7 of Directive 2011/93/EU); and (d) a statement confirming the submitter's good-faith belief that the information in the notice is accurate and complete.
Slipp acknowledges receipt of notices submitted with valid contact details within 5 business days and communicates a decision to the reporter, with reasons, without undue delay and normally within 30 days. Where a notice identifies content controlled by the Vendor, Slipp will inform the Vendor of the notice and provide an opportunity to respond before any moderation action other than emergency interim measures.
The single point of contact for authorities and users on matters arising from Articles 11, 12 and 16 of the Digital Services Act is Jesper Halborg, legal@slipp.app. Notices are accepted in Danish and English.
Either party may terminate the Terms for convenience on 30 days' written notice to the other party. Existing Orders accepted before the effective date of termination continue to be processed under the Terms.
Slipp may suspend the Vendor's access to the Platform with immediate effect, or terminate the Terms with immediate effect, where the Vendor: materially breaches the Terms; loses any required permit, registration or authorisation; has its Connected Account suspended or terminated by Stripe; is the subject of repeated, substantiated consumer complaints; or where suspension is necessary to protect the safety of Attendees or the integrity of the Platform.
Where Slipp suspends or terminates the Vendor, Slipp provides a written statement of reasons in accordance with Article 17 of the Digital Services Act, identifying the specific clause or rule breached, the duration of any suspension (where applicable), and the route to appeal the decision.
On termination, Slipp retains audit-log entries and Order records for the retention periods stated in the Privacy Policy and section 14, and otherwise deletes or returns Vendor personal data in accordance with Schedule 1.
When Slipp processes personal data of Attendees on the Vendor's behalf — including, for the avoidance of doubt, the Attendee email addresses and Order data the Vendor accesses through the vendor dashboard — Slipp acts as the Vendor's processor. The terms of that processing are set out in Schedule 1 to the Terms (Data Processing Agreement), which forms an integral part of the Terms.
For Slipp's own processing of Vendor user account data and for Stripe's processing of payment data, Slipp and Stripe each act as independent controllers under their respective privacy notices. See slipp.app/privacy and stripe.com/privacy.
Except where prohibited by mandatory law, the parties' liability under the Terms is allocated as follows:
Each party is responsible for maintaining commercially reasonable insurance for its activities under the Terms.
The Vendor will indemnify and hold Slipp harmless from and against any third-party claim — including Attendee claims, regulatory action, and intellectual-property claims — arising from: the Vendor's goods (including food safety, product quality, and labelling); the Vendor's breach of the warranties in section 11; or the Vendor's content uploaded to the Platform.
Slipp will notify the Vendor of any covered claim without undue delay, will cooperate reasonably with the Vendor's defence at the Vendor's cost, and will not settle a covered claim without the Vendor's prior consent (not to be unreasonably withheld).
Each party will keep confidential any non-public information of the other party that is marked confidential or that a reasonable recipient would treat as confidential, and will use such information only for the purpose of performing the Terms.
Confidentiality obligations do not apply to information that is or becomes publicly available without breach of the Terms, was already known to the recipient without confidentiality obligation, is independently developed by the recipient, or is required to be disclosed by law or competent authority (with prompt notice to the other party where lawful).
Neither party is liable for failure or delay in performing its obligations under the Terms (other than payment obligations already accrued) caused by circumstances beyond its reasonable control, including power or network outages, failures of third-party providers such as Stripe, natural disasters, fire, war, terrorism, civil unrest, labour disputes, epidemics, or acts of public authorities.
The affected party must notify the other party without undue delay and use reasonable efforts to mitigate the effects. If a force majeure event persists for more than 30 consecutive days, either party may terminate the Terms with immediate effect by written notice.
Slipp may update the Terms — for example to reflect changes in law, in the Platform, or in commercial arrangements. Each version carries a version number and an effective date.
Material changes (changes that affect the Vendor's commercial position, the allocation of liability, or the scope of data processing) are notified at least 30 days in advance and require renewed acceptance before continued use of the Platform. Non-material changes (such as typographical fixes or formatting) take effect on publication.
Earlier versions of the Terms are available on request from support@slipp.app.
These Terms are governed by Danish law, excluding its conflict-of-laws rules and the UN Convention on Contracts for the International Sale of Goods.
Disputes arising out of or in connection with the Terms are subject to the exclusive jurisdiction of the Danish courts. The parties agree on Retten i Horsens as the agreed venue of first instance, subject to the mandatory rules on appellate jurisdiction.
Questions about the Terms should be sent to support@slipp.app.
Slipp ApS, CVR no. 46359070, 8700 Horsens, Denmark.
Last updated: 10 June 2026
Version 1.0.0
This Schedule 1 (the "DPA") is an integral part of the Vendor Terms & Conditions between Slipp ApS, CVR no. 46359070 ("Slipp") and the Vendor that accepts the Terms ("Vendor"). It governs Slipp's processing of personal data on the Vendor's behalf in connection with the Vendor's use of the Platform.
In the event of any conflict between the Vendor Terms and this DPA on matters of personal-data processing, this DPA prevails. Capitalised terms used but not defined here have the meaning given in the Vendor Terms.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Danish Data Protection Act (Databeskyttelsesloven). It applies for as long as Slipp processes Attendee Personal Data on the Vendor's behalf in connection with the Platform.
By accepting the Vendor Terms, the Vendor accepts this DPA on behalf of the legal entity it represents. No separate signature is required; Slipp records acceptance with version, timestamp and Vendor identifier in the same way as the Vendor Terms.
The terms "personal data", "processing", "controller", "processor", "data subject", "sub-processor", "personal data breach", and "supervisory authority" have the meanings given in Article 4 GDPR.
"Attendee Personal Data" means the personal data of Attendees that Slipp processes on the Vendor's behalf in connection with Orders placed via the Platform, including the personal data accessible to the Vendor through the vendor dashboard and Platform APIs.
"Sub-processor" means a third party engaged by Slipp to process Attendee Personal Data on the Vendor's behalf.
"SCCs" means the Standard Contractual Clauses adopted by the European Commission under Decision (EU) 2021/914.
"DPF" means the EU-US Data Privacy Framework adopted by Commission Implementing Decision (EU) 2023/1795.
In respect of Attendee Personal Data accessed by the Vendor through the Platform, the Vendor is the controller and Slipp is the Vendor's processor. Slipp processes Attendee Personal Data only on the Vendor's documented instructions as set out in clause 7 below.
For Slipp's own processing of Vendor user-account data, billing data and platform-operation analytics, Slipp acts as an independent controller under Slipp's Privacy Policy (slipp.app/privacy). Slipp does not send marketing communications.
Stripe acts as an independent controller for payment data in accordance with its own privacy notice (stripe.com/privacy). Stripe is not Slipp's sub-processor in respect of payment-data processing and is not listed in Appendix A.
The subject matter of the processing is the operation of the Platform on the Vendor's behalf to receive and fulfil Orders from Attendees, communicate Order status to Attendees, support the pickup flow, and maintain the operational audit log referenced in section 14 of the Vendor Terms.
The duration of the processing is the term of the Vendor Terms, plus any retention period required by law (in particular Bogføringsloven, which mandates 5-year retention of Order records from the end of the financial year in which the Order was placed) or by section 14 of the Vendor Terms.
The nature of the processing comprises collection, storage, organisation, retrieval, transmission, display and deletion of Attendee Personal Data through the Platform's standard functionality, including making Attendee email addresses visible to authorised Vendor users in the vendor dashboard.
The purpose of the processing is to enable the Vendor to receive and fulfil Orders, contact Attendees about Order status (e.g., "order ready for pickup"), respond to consumer complaints under Danish consumer law, and meet the Vendor's own bookkeeping and tax-record obligations.
The Attendee Personal Data processed on the Vendor's behalf is limited to:
The categories of data subjects are Attendees who have placed an Order with the Vendor through the Platform. Slipp does not process special categories of personal data (Article 9 GDPR) or Danish CPR numbers on the Vendor's behalf.
The Vendor warrants and undertakes that:
Slipp processes Attendee Personal Data only on the Vendor's documented instructions, including with regard to transfers of Attendee Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Slipp is subject. In such a case, Slipp informs the Vendor of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Vendor's documented instructions are: (a) the Vendor Terms and this DPA; (b) the operations the Vendor performs through the Platform's standard functionality (e.g., updating menu items, opening or closing the shop, refunding an Order via Stripe); and (c) any further instructions agreed in writing in advance with Slipp.
Slipp informs the Vendor without undue delay if, in Slipp's opinion, an instruction infringes GDPR or other applicable data-protection law. Slipp may suspend execution of any such instruction until the Vendor confirms or modifies it.
Slipp ensures that persons authorised to process Attendee Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Access to Attendee Personal Data is limited to personnel and contractors who need access to perform their duties under the Vendor Terms and is governed by role-based access controls.
Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons, Slipp implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
A summary of the measures in place as of the effective date of this DPA is set out in Appendix B. Slipp may update those measures from time to time to reflect changes in the state of the art, regulatory expectations, or risk, provided the updated measures continue to provide a level of protection no less protective than that described in Appendix B.
The Vendor grants Slipp general written authorisation to engage sub-processors to assist in the performance of the Vendor Terms and this DPA. The list of sub-processors authorised as of the effective date of this DPA is set out in Appendix A and is also reproduced in Slipp's Privacy Policy (slipp.app/privacy).
Slipp enters into a written contract with each sub-processor that imposes data-protection obligations no less protective than those in this DPA, including in respect of security, confidentiality, breach notification, and international transfers.
Slipp remains fully responsible to the Vendor for the performance of each sub-processor's obligations under this DPA.
Slipp gives the Vendor at least 30 days' prior notice of any intended addition or replacement of a sub-processor that processes Attendee Personal Data. Notice is given by updating the sub-processor list in Slipp's Privacy Policy and by an in-app notification to the Vendor's primary contact in the vendor dashboard.
The Vendor may, within 30 days of the notice, object to the change on reasonable data-protection grounds. The parties will discuss the objection in good faith and seek a workable solution. If no resolution is reached, the Vendor may terminate the Vendor Terms with effect from the date the new sub-processor is engaged; in such a case the Vendor is not entitled to any refund of Platform Service Fees already accrued.
Where Slipp needs to engage a new sub-processor on shorter notice to respond to a security incident or to maintain service continuity, Slipp may do so and inform the Vendor as soon as reasonably practicable thereafter, recording the rationale in its internal records.
Taking into account the nature of the processing, Slipp assists the Vendor by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Vendor's obligation to respond to requests from Attendees exercising their rights under Chapter III GDPR (Articles 12 to 22).
Assistance is provided on written request: requests to access, export, correct or delete the Vendor's records of Attendee Personal Data are sent to support@slipp.app, and Slipp responds within 14 days. Where the Platform later provides self-service functions for these operations, they supplement — and do not replace — this written-request channel. Slipp may charge a reasonable, cost-based fee for materially burdensome requests, communicated to the Vendor in advance.
Where an Attendee submits a data-subject request directly to Slipp that concerns processing carried out on the Vendor's behalf, Slipp forwards the request to the Vendor without undue delay and acknowledges receipt to the Attendee with a pointer to the Vendor as the responsible controller.
Taking into account the nature of the processing and the information available to Slipp, Slipp assists the Vendor in ensuring compliance with the obligations under Articles 32 to 36 GDPR, including security of processing, notification of personal data breaches, communication of personal data breaches to data subjects, data protection impact assessments, and prior consultation with a supervisory authority.
The assistance is provided in writing in response to Vendor requests sent to support@slipp.app. Slipp may charge a reasonable, cost-based fee for materially burdensome requests.
Slipp notifies the Vendor without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Attendee Personal Data processed on the Vendor's behalf.
The notification is sent to the Vendor's primary contact in the vendor dashboard and, where contact details have been provided, to a designated data-protection contact for the Vendor. It includes, to the extent then known: (a) a description of the nature of the breach, the categories and approximate number of data subjects affected, and the categories and approximate number of personal-data records affected; (b) the name and contact details of Slipp's privacy contact (privacy@slipp.app); (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Where the information cannot be provided in full at once, Slipp provides further information in phases without undue further delay. Slipp cooperates with the Vendor as reasonably required for the Vendor to comply with Articles 33 and 34 GDPR. Notification by Slipp under this clause is not an admission of fault or liability.
On termination of the Vendor Terms, the Vendor may instruct Slipp, within 30 days of termination, to either return or delete the Attendee Personal Data processed on the Vendor's behalf. In the absence of an instruction within that period, Slipp deletes the data in accordance with this clause.
The return or deletion obligation does not apply to: (a) Order records that Slipp is required to retain for 5 years from the end of the financial year under Bogføringsloven; (b) audit-log entries retained for the period stated in section 14 of the Vendor Terms; (c) data retained in anonymised form such that the data subject is no longer identifiable; and (d) data Slipp is otherwise required by Union or Danish law to retain.
Data retained under paragraph (a) to (d) is processed only for the purpose, and for the duration, of that legal requirement, and remains subject to the confidentiality and security obligations of this DPA.
Slipp confirms the return or deletion in writing on the Vendor's request.
Slipp makes available to the Vendor all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and allows for and contributes to audits, including inspections, conducted by the Vendor or another auditor mandated by the Vendor.
The Vendor's primary audit mode is a written information request, submitted no more than once per calendar year, to which Slipp responds within 30 days. Slipp may satisfy this obligation by providing relevant third-party audit reports, certifications, or attestations held by Slipp or its sub-processors (for example, SOC 2 Type II reports, ISO 27001 certificates, or equivalent).
Where a written response is insufficient and an on-site audit is required — for example following a personal data breach or on instruction from a competent supervisory authority — the parties agree to schedule the audit at mutually convenient times during normal business hours, on at least 30 days' written notice, subject to appropriate confidentiality undertakings, with reasonable scoping to minimise disruption to Slipp's operations and to other customers, and at the Vendor's reasonable cost.
The Vendor's audit rights do not entitle the Vendor to access information about other Slipp customers, Slipp's commercially sensitive information unrelated to the processing of Attendee Personal Data, or systems located on sub-processor premises beyond what the sub-processor permits under its own audit programme.
Slipp processes Attendee Personal Data within the EU/EEA wherever practicable. Where Attendee Personal Data is transferred to a third country outside the EU/EEA — for example through a sub-processor with US-based corporate functions — the transfer is protected by an appropriate Article 46 GDPR transfer mechanism.
In particular: (a) where the recipient is certified under the DPF, the transfer relies on the DPF adequacy decision; (b) where the DPF is not available, the transfer relies on the SCCs (Module Two: controller-to-processor, or Module Three: processor-to-processor, as applicable), supplemented where appropriate by additional technical, organisational and contractual measures.
The Vendor authorises Slipp to conclude, on its behalf where required, the SCCs with each affected sub-processor for the purpose of giving effect to this clause. A copy of the relevant SCCs and any supplementary measures applied is available to the Vendor on written request to privacy@slipp.app.
The liability allocation in section 19 of the Vendor Terms applies to this DPA. Nothing in this DPA limits or excludes either party's liability where such limitation or exclusion is prohibited by mandatory law, in particular Article 82 GDPR.
Where a data subject is awarded compensation under Article 82 GDPR for damage caused by processing that infringes GDPR, each party is liable as between themselves in proportion to its responsibility for the event giving rise to the damage, in accordance with Article 82(5) GDPR.
This DPA enters into force on the effective date of the Vendor Terms and remains in force for as long as Slipp processes Attendee Personal Data on the Vendor's behalf.
Clauses 14 (Personal data breach notification — for events relating to the term), 15 (Return or deletion), 16 (Audit rights — for the retention period of records retained under clause 15), 17 (International transfers — for any continued retention), and 18 (Liability) survive termination of the Vendor Terms to the extent necessary to give them effect.
This DPA is governed by Danish law and is subject to the jurisdiction provisions in section 24 of the Vendor Terms.
Nothing in this clause prevents either party from seeking interim or injunctive relief from any court of competent jurisdiction, nor restricts a data subject's right to bring proceedings under Article 79 GDPR.
The following sub-processors are authorised to process Attendee Personal Data on the Vendor's behalf as of the effective date of this DPA. Updates to this list are published in Slipp's Privacy Policy and notified per clause 11.
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Cloudflare, Inc. | Content delivery network, image delivery (Cloudflare Images), bot protection and DDoS mitigation for the Platform. | US, with EU edge processing. | DPF + SCCs. Sub-processor disclosures at cloudflare.com. |
| Fly.io, Inc. | Application hosting and managed PostgreSQL database for the Platform. | Primary region Frankfurt (EU); company in US. | DPF + SCCs. |
| Resend | Transactional email delivery on the Vendor's behalf (e.g., order confirmations, pickup-ready notifications) and authentication emails (magic links, one-time codes). | US. | DPF + SCCs. |
| BetterStack | Error monitoring across the Platform under Slipp's legitimate interest. Session replay only where the Attendee has given explicit consent; not used as a Vendor-instructed processing activity in this DPA. | EU. | EU hosting; DPA in place. See betterstack.com. |
| PostHog | Product analytics in the apps, limited to events emitted after Attendee Statistics consent. Operational funnel telemetry that does not depend on consent is processed under Slipp's legitimate interest and is not part of Vendor-instructed processing. | EU. | EU hosting; DPA in place. See posthog.com. |
Stripe Payments Europe, Ltd. is not a sub-processor of Slipp. Stripe acts as an independent controller for payment data under its own privacy notice and contracts directly with the Vendor under the Stripe Connected Account Agreement.
Slipp implements and maintains the following technical and organisational measures, taking into account the state of the art and the risk profile of the Platform. The list is illustrative and not exhaustive; Slipp may update specific measures over time provided overall protection is not reduced.