DATA PROCESSING AGREEMENT
Effective Date: January 11th 2022
The following Data Processing Agreement (“DPA”) forms an integral part of Evvnt’s terms of Service available at www.evvnt.com/terms or, as applicable, the terms and conditions referenced in the statement of work entered into between you and Evvnt (the “Underlying Agreement”). This DPA governs the responsibilities of you and Evvnt with respect to the processing of Client Personal Data (defined below) in the course of your use of the Services.
In the event of a conflict between the terms and conditions of this DPA and the Underlying Agreement, the terms and conditions of this DPA shall supersede and control. All undefined capitalized terms herein shall have the meaning as in the Underlying Agreement.
1. Definitions
For the purposes of this DPA:
“personal data”, “special categories of data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority” shall have the same meanings as in UK Data Protection Legislation and Regulation (EU) 2016/679 of the European Parliament and the Council (also known as “EU General Data Protection Regulation” or “GDPR”), in each case as may be applicable in the circumstances.
“Sub-processor” means any processor engaged by Evvnt or by any other sub-processor of Evvnt, which agrees to receive from Evvnt, or from any other sub-processor of Evvnt, Client Personal Data intended for processing activities to be carried out on behalf of Client and in accordance with its instructions, the terms of this DPA and the terms of the written subcontract.
“CCPA” means the California Consumer Privacy Act of 2018, as amended, and any regulations promulgated thereunder.
“business,” “business purposes,” “commercial purposes,” “collects,” “collected,” “collection,” “consumer,” “de-identified,” “personal information,” “sell,” “selling,” “sale,” “sold,” “service provider” or “third party” shall have the same meaning as in the CCPA, where it is applicable.
“Client Personal Data” means personal data and/or personal information, as applicable, provided to Evvnt in connection with the Services or in the course of Evvnt’s performance of the Services.
“Data Subject” means data subject and/or consumer, as applicable.
“UK Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the United Kingdom including without limitation the UK Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the UK GDPR (which has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018); the UK Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
2. STATUS OF PARTIES; DETAILS OF THE PROCESSING ACTIVITIES
2.1 The parties agree that with respect to the provision of Services, as applicable: (a) as to processing of the personal information, Client is the business and Evvnt is the service provider; and (b) as to processing of the personal data, Client is the controller and Evvnt is the processor.
2.2 The details of the processing activities to be carried out by Evvnt on behalf of the Client under this DPA and in particular the special categories of personal data where applicable, are specified in Schedule 1, which forms an integral part of this DPA.
3. OBLIGATIONS OF EVVNT
3.1 Evvnt agrees:
(a) to process Client Personal Data only: (i) on behalf of Client and/or the applicable business or controller and in accordance with Client’s documented instructions unless otherwise required by UK, European Union or European Member State law or state or Federal U.S. law to which Evvnt is subject; (ii) for the purpose of carrying out the Services or as otherwise instructed by Client; and (iii) in compliance with this DPA.
(b) that it shall not process the personal information other than on Client’s documented instructions in the Underlying Agreement, which include processing to detect data security incidents, protecting against fraudulent or illegal activity, creation of datasets of aggregate consumer information and de-identified information, appointing sub-processors, and any other business purpose or operational purpose permissible under the UK Data Protection Legislation and that does not cause Evvnt to lose its service provider status under the CCPA.
(c) that it shall not (i) sell the personal information, (ii) retain, use or disclose the personal information for any purpose other than for providing the Services, or (iii) retain, use, or disclose the personal information outside of the business relationship between Client and Evvnt, except as instructed by the Client;
(d) that if it is legally required to process Client Personal Data otherwise than as instructed by Client, it shall notify Client before such processing occurs, unless the law requiring such processing prohibits Evvnt from notifying Client on an important ground of public interest, in which case it shall notify Client as soon as that law permits it to do so.
(e) that it has implemented and will maintain appropriate technical and organisational measures to protect Client Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. Having regard to the state of the art and cost of their implementation, Evvnt agrees that such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of Client Personal Data to be protected.
(f) to take reasonable steps to ensure that its personnel who have access to the Client Personal Data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
(g) that it will, as required by applicable law, notify Client about: (i) any instruction which, in its opinion, infringes applicable law; and (ii) any actual, confirmed security breach, unauthorized access, misappropriation, loss, damage or other compromise of the security, confidentiality, or integrity of Client Personal Data processed by Evvnt or a Sub-processor (“Security Breach”).
(h) that within a reasonable time following discovery of any Security Breach, it shall: (i) take reasonable steps to mitigate the harm to Data Subjects and prevent any further Security Breach; and (ii) provide Client with cooperation and assistance in relation to any notifications that Client is required to make as a result of the Security Breach.
(i) to assist Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR taking into account the nature of processing and the information available to Evvnt.
(j) to forward to the Client a Data Subject request under the UK Data Protection Legislation;
(k) to assist Client in complying with a request from a Data Subject by providing functionality through the Services for Client to fulfill the request itself; and
(l) to make available to Client all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, upon terms mutually agreeable to the parties.
4. SUBPROCESSORS
Evvnt maintains a list of Sub-processors posted at the following URL: https://evvnt.com/infrastructure-sub-processors/ . The URL also includes a link where Client can subscribe for updates on the Evvnt Sub-processors and if subscribed, Client will receive email notification about Evvnt Sub-processor changes. If Client does not object to the engagement of a new Sub-processor within fourteen (14) days of the aforesaid notice, such new Sub-processor will be deemed to have been accepted by Client.
5. ALLOCATION OF COSTS
Each party shall perform its obligations under this DPA at its own cost.
6. RETURN OR DELETION OF CLIENT PERSONAL DATA
Evvnt will enable Client to delete any Client Personal Data through the functionalities of Services at any time during the term of the Agreement. Alternatively, upon written request of Client, Evvnt will securely destroy all Client Personal Data for Client. Notwithstanding the foregoing, Evvnt may prevent Client’s deletion of, or decline to return or destroy any Client Personal Data, if applicable law prevents Evvnt or Sub-processor from doing so.
7. INTERNATIONAL DATA TRANSFERS
Any transfer of personal data made pursuant to this DPA from the European Economic Area or the United Kingdom shall be undertaken by Evvnt only under the following conditions:
a. Except as UK Data Protection Legislation permits otherwise, Client and Evvnt shall enter into Standard Contractual Clauses (“SCC”) in order to comply with UK Data Protection Legislation (where the Client is the entity exporting Personal Data to Evvnt outside the EEA or UK). The parties will complete all relevant details in, and execute, the SCC and take all other actions required to legitimise the transfer. (“SCC” means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, as adapted for the UK, or such alternative clauses as may be approved by the European Commission or by the UK from time to time.)
b. If Client consents to the appointment by Evvnt of a subcontractor located outside the EEA or UK, then Client authorises Evvnt to enter into an SCC in the same form with the subcontractor in the Client’s name and on its behalf. Evvnt will make the executed SCC available to the Client on request.
8. Miscellaneous
8.1 The limitations and exclusions of liability set forth in the Services Agreement shall apply to this DPA, subject to the GDPR and UK Data Protection Legislation.
8.2 In the event of inconsistencies between the provisions of this DPA and other agreements between the parties, the provisions of this DPA shall prevail. In cases of doubt, this DPA shall prevail, in particular, where it cannot be clearly established whether a clause relates to a party’s data protection obligations.
8.3 Should any provision or condition of this DPA be held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. Such an invalidity, unlawfulness or unenforceability shall have no effect on the other provisions and conditions of this DPA to the maximum extent permitted by law. The provision or condition affected shall be construed either: (a) to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the Parties’ intentions, or if that is not possible, (b) as if the invalid, unlawful or unenforceable part had never been contained in this DPA.
8.4 Any amendments to this DPA shall only be effective if they are made in writing duly signed by authorized representatives of the parties hereto.
8.5 The total liability of each of Controller and Processor (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Addendum, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Terms of Service.
Schedule 1
Details of the processing activities
This Schedule forms part of the DPA.
Data subjects
The personal data concerns the following categories of data subjects (please specify):
Personal Data relevant to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and Suppliers of Controller (who are natural persons)
- Employees or contact persons of Controller’s prospects, customers, business partners and Suppliers
- Employees, consultants, agents, advisors, freelancers of Controller (who are natural persons)
- Controller’s users authorized by Controller to use the Services
- Attendees of Controller’s events
Categories of data
The personal data concerns the following categories of data (please specify):
Personal Data relevant to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Device data
- Professional life data
- Personal life data
- Connection data
- Localization data
Special categories of data (if appropriate)
The personal data concerns the following special categories of data (please specify):
- None. The personal data processed will not include sensitive personally identifiable information, including information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, government issued identification numbers, health or medical records, financial information and criminal records, or any payment information.
Processing operations
The personal data will be subject to the following basic processing activities (please specify):
- Processing to perform the Services pursuant to the Agreement.
Duration
- The personal data will be processed by Evvnt for the duration of the Services.
Risk Management
A Risk Management Framework (RMF) is a structured approach to identifying, assessing, prioritizing, and mitigating risks within an organization or a specific system or technology, such as Evvnt ticketing technology. Here’s a general overview of the methodology and process used to assess risk in the context of Evvnt’s Event Commerce Platform Technology:
1. Establish the Context:
– Define the scope of the risk assessment, including the boundaries of the Event Commerce Platform Technology system.
– Identify stakeholders and their concerns.
2. Risk Identification:
– Identify potential risks associated with Event Commerce Platform Technology. These may include technical, operational, financial, legal, and reputational risks.
– Involve relevant stakeholders, including technical experts, security personnel, and business analysts, to identify risks comprehensively.
3. Risk Assessment:
– Evaluate the impact and likelihood of each identified risk. This can be done using qualitative (e.g., low, medium, high) or quantitative (e.g., numerical scales) methods.
– Prioritize risks based on their severity and potential impact on the organization and its stakeholders.
4. Risk Mitigation and Control:
– Develop and implement strategies to mitigate or control identified risks. These strategies may include:
  – Implementing security measures to protect against cyber threats.
  – Establishing redundancy and backup systems to ensure system availability.
  – Developing disaster recovery and business continuity plans.
  – Ensuring compliance with relevant legal and regulatory requirements.
– Assign responsibility for implementing risk mitigation measures.
5. Risk Monitoring and Reporting:
– Continuously monitor the effectiveness of risk mitigation strategies.
– Establish key performance indicators (KPIs) and thresholds to trigger risk responses.
– Regularly report on the status of risks to stakeholders and management.
6. Documentation and Record-Keeping:
– Maintain detailed records of the risk assessment process, including identified risks, assessments, mitigation strategies, and monitoring activities.
– Ensure documentation is easily accessible for auditing and reporting purposes.
7. Review and Update:
– Periodically review and update the risk assessment and mitigation strategies. Risks evolve, so it’s essential to stay proactive.
8. Communication and Training:
– Ensure that relevant stakeholders are aware of the identified risks and the strategies in place to mitigate them.
– Provide training to staff involved in risk management to ensure they understand their roles and responsibilities.
9. Third-Party Risk Management:
– Assess and manage risks associated with third-party vendors, suppliers, or partners that may have access to Event Commerce Platform Technology.
10. Compliance and Regulatory Considerations:
– Stay informed about relevant industry standards, regulations, and best practices related to ticketing technology and data protection.
– Ensure compliance with data protection regulations if personal data is involved.
Want more information?
- Terms of Service: https://evvnt.com/terms/
- Privacy Policy: https://evvnt.com/privacy/
- Data Processing Agreement: https://evvnt.com/data-processing-agreement/
- CCPA: https://evvnt.com/ccpa/
- Infrastructure Sub Processors: https://evvnt.com/infrastructure-sub-processors/
- Security & Compliance Guide: https://evvnt.com/security-and-compliance-guide/
- Data Request Form: https://evvnt.com/data-rights-request-form/
- Or Contact [email protected]