← Back to Accolade

GDPR & DATA PROCESSING

Last updated: 19 May 2026

OUR COMMITMENT

Accolade Events Holdings Ltd ("Accolade") is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We act as a data processor on behalf of our clients (data controllers) when handling attendee, nominee, and guest data within the platform.

DATA PROCESSING AGREEMENT

All Accolade customers on paid plans are covered by our standard Data Processing Agreement (DPA). The DPA sets out the terms under which we process personal data on your behalf, including the types of data processed, the purposes of processing, security measures, sub-processor obligations, and data subject rights.

To request a signed copy of our DPA, email legal@accolade.live with your organisation name and account email.

DATA WE PROCESS

CategoryExamplesLawful Basis
Attendee dataName, email, dietary requirements, accessibility needsContractual necessity
Nominee dataName, biography, category, supporting materialsContractual necessity
Judge dataName, email, scoring records, conflict declarationsContractual necessity
Sponsor dataCompany name, contact details, contract termsLegitimate interest
Analytics dataUsage patterns, feature adoption, session durationLegitimate interest

SUB-PROCESSORS

ProviderPurposeLocation
StripePayment processingUnited States (EU SCCs)
SendGrid (Twilio)Email deliveryUnited States (EU SCCs)
UK Cloud HostingInfrastructure & storageUnited Kingdom

SECURITY MEASURES

AES-256 encryption at rest. TLS 1.3 for all data in transit. Daily encrypted backups stored in geographically separate UK data centres. Role-based access controls with mandatory 2FA for all admin accounts. SOC 2 Type II certification is in progress.

DATA SUBJECT RIGHTS

Data subjects (attendees, nominees, guests) have the right to access, rectify, erase, restrict, and port their data. Client administrators can action these requests directly within the Accolade platform. For requests that cannot be resolved through the platform, contact privacy@accolade.live.

DATA RETENTION

Customer data is retained for the duration of the service agreement plus 90 days. Upon account termination, all personal data is permanently deleted within 90 days. Encrypted backups are purged within 180 days.

BREACH NOTIFICATION

In the event of a personal data breach, Accolade will notify the affected data controller within 72 hours of becoming aware, in accordance with Article 33 of UK GDPR.

CONTACT

For GDPR queries, DPA requests, or data protection concerns, contact our Data Protection Lead at privacy@accolade.live.