Accolade Events Holdings Ltd ("Accolade") is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We act as a data processor on behalf of our clients (data controllers) when handling attendee, nominee, and guest data within the platform.
All Accolade customers on paid plans are covered by our standard Data Processing Agreement (DPA). The DPA sets out the terms under which we process personal data on your behalf, including the types of data processed, the purposes of processing, security measures, sub-processor obligations, and data subject rights.
To request a signed copy of our DPA, email legal@accolade.live with your organisation name and account email.
| Category | Examples | Lawful Basis |
|---|---|---|
| Attendee data | Name, email, dietary requirements, accessibility needs | Contractual necessity |
| Nominee data | Name, biography, category, supporting materials | Contractual necessity |
| Judge data | Name, email, scoring records, conflict declarations | Contractual necessity |
| Sponsor data | Company name, contact details, contract terms | Legitimate interest |
| Analytics data | Usage patterns, feature adoption, session duration | Legitimate interest |
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | United States (EU SCCs) |
| SendGrid (Twilio) | Email delivery | United States (EU SCCs) |
| UK Cloud Hosting | Infrastructure & storage | United Kingdom |
AES-256 encryption at rest. TLS 1.3 for all data in transit. Daily encrypted backups stored in geographically separate UK data centres. Role-based access controls with mandatory 2FA for all admin accounts. SOC 2 Type II certification is in progress.
Data subjects (attendees, nominees, guests) have the right to access, rectify, erase, restrict, and port their data. Client administrators can action these requests directly within the Accolade platform. For requests that cannot be resolved through the platform, contact privacy@accolade.live.
Customer data is retained for the duration of the service agreement plus 90 days. Upon account termination, all personal data is permanently deleted within 90 days. Encrypted backups are purged within 180 days.
In the event of a personal data breach, Accolade will notify the affected data controller within 72 hours of becoming aware, in accordance with Article 33 of UK GDPR.
For GDPR queries, DPA requests, or data protection concerns, contact our Data Protection Lead at privacy@accolade.live.