DPA, retention, consent: a procurement checklist for agencies
Selling guest media to a private host is a handshake; selling it to a corporate client is a procurement process. Once a real company is involved, someone in legal or IT will ask for specifics before signing: a data processing agreement, your retention terms, how consent is handled, and where the data lives. Agencies that have these answered in advance close faster and look more professional; agencies that scramble lose momentum. This is the checklist to have ready (general guidance, not legal advice).
The single most-requested item is the DPA -- the GDPR Article 28 data processing agreement that formalises the controller-processor relationship. Your client is typically the controller, you and the platform are in the processing chain, and the DPA documents it. Gathmo provides a DPA on request, so you can supply it the moment procurement asks rather than going back to ask the vendor. Having it ready is often what keeps a deal moving.
Beyond the DPA, procurement wants to know about data location (EU-hosted, no third-country transfer?), retention (how long is guest media kept, and who controls deletion?), consent (how are guests informed and their agreement captured?), and access controls for larger buyers (SSO). The checklist below maps each to what Gathmo provides, so you can answer confidently. For the underlying detail, see EU-hosted guest media and the data processing terms.
What you will need
- A corporate client or tender that requires data-protection answers
- Your Gathmo plan details (and Enterprise if SSO is required)
- The platform's DPA ready to share
Quick recap
- DPA: GDPR Art. 28 agreement available to sign (Gathmo: yes, on request)
- Data location: EU-hosted, no third-country transfer (Gathmo: Frankfurt, none)
- Retention: defined windows; host controls deletion
- Consent: guests informed at upload; consent captured
- Erasure: ability to honour deletion requests (built-in tools)
- Access control: SSO for enterprise buyers (Gathmo: Enterprise €499/mo)
- Moderation: host + automatic moderation to keep UGC safe
Frequently asked
Typically: a data processing agreement (DPA), where the data is hosted (EU, no third-country transfer?), retention terms and who controls deletion, how guest consent is captured, erasure capability, and -- for larger buyers -- access controls like SSO. Having each answered in advance speeds the deal. Gathmo covers these with an EU-hosted platform (Frankfurt), a GDPR Article 28 DPA on request, defined retention, consent and erasure tools, and SSO on the Enterprise plan.
Because it is the contract procurement must have under GDPR to formalise the controller-processor relationship, and corporate or public-sector clients will not sign without it. Your client is usually the controller; you and the platform are in the processing chain. Gathmo provides the DPA on request, so as an agency you can supply it immediately rather than going back to the vendor -- which is often what keeps a deal from stalling.
Gathmo hosts guest media in the EU (Frankfurt) with no third-country transfer of guest data. For procurement, that means you can answer the data-location question cleanly without invoking Standard Contractual Clauses or transfer risk assessments. EU hosting with no third-country transfer is the simplest answer to give a European corporate buyer, and it is increasingly a hard requirement in tenders.
That guest media is kept for a defined window appropriate to the event and then removed, and that deletion can be controlled by the host -- with erasure tools available to honour specific deletion requests. GDPR expects data not to be kept longer than necessary, so a clear retention period you can state and apply consistently is what procurement wants to hear. Document the window you use so you can explain it on request.
Guests are informed at the point of upload about what is being collected and why, and their agreement is captured through the flow. As an agency you should ensure signage and the upload notice make the purpose clear. The platform captures consent and provides erasure tools; the controller-side judgement (lawful basis, notice wording) remains with you or your client. Being able to describe this clearly reassures procurement that consent is handled deliberately, not by accident.
Larger organisations often require single sign-on (SSO) for access control, and sometimes branded SMS for guest communications. Gathmo's Enterprise plan (€499/month, €4,990/year) adds SSO and branded SMS on top of EU hosting and the full feature set. For most agency work the Agency plan (€149/month) is sufficient, but when a tender specifies SSO or enterprise identity requirements, Enterprise is the tier that answers it.
Have the DPA ready to share, know your data-location answer (EU-hosted, no third-country transfer), be able to state your retention window and deletion process, and understand the consent flow. If the client is large, confirm whether SSO is required so you can quote Enterprise if needed. Walking into the conversation with these answered -- rather than promising to find out -- is what makes an agency look like a trustworthy, prepared supplier.
StoryWhat a white-label event photo app actually means (and what's fake)
White-label event photo apps range from a cosmetic logo swap to a fully de-branded guest gallery on your own domain. Here is how to tell the real thing from the fake -- and which tier actually unlocks it.
ComparisonGuestpix alternative with custom domains and voice
Guestpix sells per-event bundles without a custom domain. Gathmo gives resellers a fully branded guest gallery on their own domain, voice notes included -- and you keep 100% of what you charge clients.
ComparisonKululu alternative: white-label without the "contact sales"
Kululu puts custom domains behind a "contact sales" Custom plan. Gathmo productizes white-label and your own domain at a published €149/month Agency tier you can start the same day -- no sales call.