Data Processing Addendum

This Data Processing Addendum (including its appendices) (“DPA”) forms part of and is incorporated in the Agreement between Client and TEVO.  As used herein, “Agreement” refers to an agreement or terms of service applicable to software and services provided by Ticket Evolution Inc. and/or any of its subsidiaries, affiliates and divisions as may change from time to time (collectively, “TEVO”).  As used herein, “Client” refers to the individual or entity subject to the Agreement.  

This DPA supplements the terms and conditions set forth in the Agreement and supersedes any of the terms of the Agreement relating to data processing and security.  This DPA will be effective as of the effective date of the Agreement. To the extent of any conflict or inconsistency between this DPA and the Agreement, this DPA will govern.

Definitions

  1. In this DPA:
  1. Applicable SCCs” means the Standard Contractual Clauses (i.e. EU SCCs and/or UK SCCs) that apply to this DPA.
  2. Data Privacy Laws” means all laws, regulations and other legal requirements applicable to either (i) TEVO or its affiliates in their role as service provider processing data or (ii) Client, as the case may be. Data Privacy Laws includes all laws, regulations and other legal requirements of any jurisdiction relating to privacy, data security, communications secrecy, Personal Data Breach notification, or the Processing of Personal Data, such as, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Data Protection Act, and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”). For the avoidance of doubt, each party is only responsible for the Data Privacy Laws applicable to it.
  3. EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Schedule A to this DPA.
  4. Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in relation to the Agreement.  
  5. Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.  
  6. Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  7. Subprocessor” means any TEVO affiliate or subcontractor engaged by TEVO for the Processing of Personal Data.
  8. UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in this DPA.

Scope

  1. This DPA applies to the Personal Data that TEVO receives from Client, or otherwise Processes for or on behalf of Client, through the ticket management services that TEVO provides under the Agreement (the “Services”).  

Client Responsibilities

  1. Client acknowledges that it is using the Services as the lawful owner of a physical or virtual ticket allowing entry into an event (“Ticket”) and, therefore, is considered to be a “controller” under the GDPR and that TEVO is a “processor.”

  1. Client will comply with all Data Privacy Laws, including that it will establish legal bases for its and TEVO’s Processing of Personal Data and obtain any consents required under Data Privacy Laws for TEVO to provide the Services.

Client Instructions to TEVO

  1. TEVO will Process the Personal Data only as described under the Agreement, unless obligated to do otherwise by Data Privacy Laws. In such case, TEVO shall inform Client of that legal requirement before Processing, unless that legal requirement prohibits providing such information on important grounds of public interest. TEVO will not sell Personal Data or otherwise Process Personal Data for any purpose other than for the specific purposes set forth herein. For purposes of this paragraph, “sell” shall have the meaning set forth in the CCPA. TEVO certifies it understands the restrictions and obligations set forth in this DPA and will comply with them.

  1. For the avoidance of doubt, the details of the Processing are as follows:

  1. Subject matter of the Processing: The subject matter of the Processing is the Personal Data Processed by TEVO on behalf of Client. See the Agreement for details.

  1. Duration of the Processing:  The duration of the Processing under this DPA is the term of the Agreement, subject to any applicable deletion or retention provisions. See the Agreement for details.

  1. Purpose and nature of the Processing: Provision of the Services, which may include, ticket management and data management.

  1. Type(s) of Personal Data Processed: Personal Data provided by Client to TEVO for Processing under the Agreement, which could consist of any Personal Data associated with the purchase or sale of Tickets.

 

  1. Categories of data subjects: The data subjects whose Personal Data Client provides to TEVO for Processing under the Agreement, which could consist of buyers of Tickets.
  1. The Agreement and this DPA (each as may be amended from time to time), along with Client’s use of any options in the Services (as Client may be able to select from time to time, depending on the Services), constitute Client’s complete and final instructions to TEVO regarding the Processing of Personal Data, including for purposes of the Applicable SCCs. Client shall not instruct TEVO to Process Personal Data in violation of Data Privacy Laws, and TEVO shall promptly inform Client if, in TEVO’s opinion, an instruction from Client infringes Data Privacy Laws.

Subprocessors

  1. TEVO may subcontract the collection or other Processing of Personal Data only in compliance with Data Privacy Laws and any additional conditions for subcontracting set forth in the Agreement. Prior to a Subprocessor’s Processing of Personal Data, TEVO will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on TEVO under this DPA. Upon written request from Client to TEVO at legal@ticketevolution.com, TEVO will provide a current list of Subprocessors for the services Client obtains under the Agreement. TEVO remains responsible for its Subprocessors and liable for their performance under the Agreement and this DPA. This paragraph constitutes Client’s consent to both TEVO’s use of the Subprocessors and its subprocessing under the Standard Contractual Clauses, as applicable.

Security

  1. TEVO will assist Client in ensuring Client’s compliance with the security obligations of the GDPR and other Data Privacy Laws, as relevant to TEVO’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to TEVO, by complying with the following paragraph and, if available in the Services, by providing configurable security options.
  2. To protect the Personal Data TEVO shall implement appropriate technical and organizational measures that comply with Schedule A, Annex II, without prejudice to TEVO’s right to make future updates to the measures that do not lower the level of protection of Personal Data.  
  3. Client is solely responsible for reviewing the available security documentation and evaluating for itself whether the Services and related security will meet Client’s needs, including Client’s security obligations under Data Privacy Laws. Client agrees that the security commitments in this DPA will provide a level of security appropriate to the risk in respect of the Personal Data.
  4. TEVO will ensure that the persons TEVO authorizes to Process the Personal Data are subject to a written confidentiality agreement covering such data or are under an appropriate statutory obligation of confidentiality.  

Personal Data Breach Notification

  1. TEVO will comply with the Personal Data Breach-related obligations directly applicable to it under the GDPR and other Data Privacy Laws. Taking into account the nature of Processing and the information available to TEVO, TEVO will assist Client in complying with those obligations applicable to Client by informing Client of a confirmed Personal Data Breach without undue delay.

Assistance Responding to Data Subjects

  1. Taking into account the nature of the Processing, TEVO will assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to honor requests by individuals (or their representatives) to exercise their rights under the GDPR and other Data Privacy Laws (such as rights to access their Personal Data).  

Assistance with DPIAs and Consultation with Supervisory Authorities

  1. Taking into account the nature of the Processing and the information available to TEVO, TEVO will provide reasonable assistance to and cooperation with Client for Client’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving TEVO and related consultation with supervisory authorities by providing Client with access to documentation for the Services. Additional support for data protection impact assessments or relations with regulators is available at Client expense and will require a statement of work and mutual agreement on fees, the scope of TEVO’s involvement, and any other terms that the parties deem appropriate.

Data Transfers

  1. Client agrees and will ensure that Client and its affiliates are entitled to transfer the Personal Data to TEVO so that TEVO and its Subprocessors may lawfully Process the Personal Data in accordance with the Agreement and this DPA.
  2. Client authorizes TEVO and its Subprocessors to make international transfers of the Personal Data in accordance with Data Privacy Laws and this DPA.
  3. United Kingdom. With respect to Personal Data transferred from the United Kingdom for which the UK Privacy Act (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs that, upon notice from Client, will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
  1. Table 1 of the UK SCCs:
  1. The Parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Schedule A.  
  2. The Key Contact shall be the contacts set forth in Schedule A.
  1. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the parties.
  2. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedule A.
  3. Table 4 of the UK SCCs: TEVO may end this DPA as set out in Section 19 of the UK SCCs.
  4. By entering into this DPA, the parties are deemed to be signing the UK SCCs and its applicable Tables and Appendix Information.
  1. Switzerland. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.
  2. European Economic Area. With respect to Personal Data transferred from the European Economic Area, the EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA as set forth in the EU SCCs. They will be deemed completed as follows:
  1. Client acts as a controller and TEVO acts as Client’s processor with respect to the Personal Data subject to the EU SCCs, and its Module 2 applies.
  2. Clause 7 (the optional docking clause) is included.
  3. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization).
  4. Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
  5. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland.
  6. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
  7. Annexes I and II of the 2021 Standard Contractual Clauses are set forth in Schedule A of the DPA.
  1. Statutory Revisions to Applicable SCCs. In the event that Data Privacy Laws require the use of revised Standard Contractual Clauses (each, “Revised SCCs”) applicable to this DPA, such Revised SCCs shall automatically be deemed to replace the EU SCCs and/or UK SCCs, as applicable, without the need for any further action, unless TEVO otherwise notifies Client.

Return or Destruction

  1. TEVO will, at the choice of Client, return to Client and/or destroy all Personal Data after the end of the provision of services relating to Processing except to the extent applicable law requires storage of the Personal Data.
  2. Nothing will oblige TEVO to delete Personal Data from files created for security, backup and business continuity purposes sooner than required by TEVO’s data retention processes. If Client requires earlier deletion of such Personal Data, and such deletion is commercially feasible, Client must first pay TEVO’s reasonable charges for such deletion, which may include costs for business interruptions associated with such a request.

Audits

  1. TEVO will allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, as follows:
  1. If the requested audit scope is addressed in an ISO or similar audit report issued by a third party auditor within the prior twelve (12) months and TEVO provides such report to Client confirming there are no known material changes in the controls audited, Client agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.  
  2. In the event an audit report is not provided, any audit, whether by Client or a third party, must be limited to no more than once per twelve (12) month period, and Client will (i) conduct the audit only on an agreed date during normal business hours (9:00 am – 5:00 pm local time); (ii) limit its audit to only one business day; and (iii) pay TEVO’s then-current audit fee.  
  3. If a third party is to conduct the audit, Client will provide at least thirty (30) days’ advance notice. The third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). TEVO will not unreasonably withhold its consent to a third-party auditor requested by Client, unless such third-party auditor is a competitor or another customer of TEVO’s Any third-party auditor must execute a written confidentiality agreement acceptable to TEVO.
  4. Client must promptly provide TEVO with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than Client’s Personal Data) is confidential information of TEVO.
  5. Nothing herein will require TEVO to disclose or make available:
  1. any data of any other customer of TEVO;
  2. TEVO’s internal accounting or financial information;
  3. any trade secret of TEVO;
  4. any information that, in TEVO’s reasonable opinion, could (i) compromise the security of TEVO systems or premises; or (ii) cause TEVO to breach its obligations under Data Privacy Laws or its security and/or privacy obligations to Client or any third party; or
  5. any information sought for any reason other than the good faith fulfilment of Client’s obligations under the Standard Contractual Clauses or Data Privacy Laws.
  1. In addition, to the extent required by Data Privacy Laws, including where mandated by Client’s Supervisory Authority, Client or Client’s Supervisory Authority may perform, at Client’s expense, a broader audit, including inspections of the data center facility that Processes Personal Data. TEVO will contribute to such audits by providing Client or Client’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services.
  2. Client must provide TEVO with any audit reports generated in connection with this DPA, unless prohibited by Data Privacy Laws. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and/or confirming compliance with the terms of this DPA.
  3. Client agrees that any audit conducted in accordance with Sections 24-26 above satisfies TEVO’s audit obligations under the Applicable SCCs.

Schedule A

Annex I

  1. LIST OF PARTIES

Data exporter(s):

[Please provide identity and contact details of the data exporter(s) (e.g., the TEVO client(s)) and, where applicable, its/their data protection officer and/or representative in the European Union]

Name:        

Address:

Contact person’s name, position and contact details:

Activities relevant to the data transferred under these Clauses:

Signature and date: _________________________________________________

Role (controller/processor): controller

Data importer(s):

Name:  Ticket Evolution Inc.

Address: 2700 S. Quincy Street, Suite 225, Arlington, VA 22206

Contact person’s name, position and contact details:  Malin Luca, COO, mluca@ticketevolution.com or Manish Bardolia, Chief Product Officer, manish@ticketevolution.com 

Activities relevant to the data transferred under these Clauses: Data importer will process the data in order to provide the Services pursuant to the Agreement.

Signature and date: __________________________________________________

Role (controller/processor): processor

B.  DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

  • The categories of data subjects are set forth in Section 6 of the DPA.

Categories of personal data transferred

  • The categories of personal data are set forth in Section 6 of the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • Not applicable.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • The Personal Data shall be transferred continuously for as long as TEVO provides the Services pursuant to the Agreement.  

Nature of the processing

  • The nature of the processing consists of collecting, storing and transferring Personal Data to facilitate TEVO’s provision of the Services to Client as further described in the Agreement.  

Purpose(s) of the data transfer and further processing

  • The purposes of the data transfer is so that TEVO can provide the Services to Client as further described in the Agreement. There is no processing other than as set forth above.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • The Personal Data shall be retained as directed by TEVO as needed to provide the Services pursuant to the Agreement.  

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Same as above

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: Ireland

…………………………. 

Annex II

  1. TEVO has agreed to employ appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (“Information Security Program”).
  2. TEVO’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Client Personal Data (“Data Personnel”). TEVO’s security requirements covers the following areas:
  1. Information Security Policies and Standards. TEVO will maintain information security policies, standards and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Client Personal Data. These policies, standards, and procedures shall be designed and implemented to:
  1. Prevent unauthorized persons from gaining physical access to Client Personal Data Processing systems (e.g. physical access controls);
  2. Prevent Client Personal Data Processing systems from being used without authorization (e.g. logical access control);
  3. Ensure that Data Personnel gain access only to such Client Personal Data as they are entitled to access (e.g. in accordance with their access rights) and that, in the course of Processing or use and after storage, Client Personal Data cannot be read, copied, modified or deleted without authorization (e.g. data access controls);
  4. Ensure that Client Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Client Personal Data by means of data transmission facilities can be established and verified (e.g. data transfer controls); and
  5. Ensure that all systems that Process Client Personal Data are the subject of a vulnerability management program that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities.
  1. Physical Security. TEVO will maintain commercially reasonable security systems at all TEVO sites at which an information system that uses or stores Client Personal Data is located (“Processing Locations”) and will reasonably restrict access to such Processing Locations.
  2. Organizational Security. TEVO will maintain information security policies and procedures addressing:
  1. Data Disposal. Procedures for when media are to be disposed or reused have been implemented to prevent any subsequent retrieval of any Client Personal Data stored on media before they are withdrawn from the TEVO’s inventory or control.
  2. Data Minimization. Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of Client Personal Data stored on media.
  3. Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained.
  4. Incident Response. All Client Personal Data security incidents are managed in accordance with appropriate incident response procedures.
  1. Network Security. TEVO maintains commercially reasonable information security policies and procedures addressing network security.
  2. Access Control (Governance).
  1. TEVO governs access to information systems that Process Client Personal Data.
  2. Only authorized TEVO staff can grant, modify or revoke access to an information system that Processes Client Personal Data.
  3. TEVO implements commercially reasonable physical and technical safeguards to create and protect passwords.
  1. Virus and Malware Controls. TEVO protects Client Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Client Personal Data.
  2. Personnel.
  1. TEVO has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and security incident reporting.
  2. Data Personnel strictly follow established security policies and procedures. Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
  3. TEVO shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Client Personal Data.
  1. Business Continuity. TEVO implements disaster recovery and business resumption plans. Business continuity plans are tested and updated regularly to ensure that they are up to date and effective.

Annex III

Subprocessor

Country of Jurisdiction

Brief Description of Processing

Amazon Web Services, Inc.

United States

Cloud hosting services

Azure

 United States

 Server hosting services

Heroku

 United States

 Cloud hosting services

Equinix

 United States

 Server hosting services

Rackspace

United States

 Server hosting services