EventBuilder Data Processing Addendum
Last Updated: May 11, 2023
Last Reviewed: May 11, 2023
This Data Processing Addendum ("DPA") is an addendum to the Customer Terms of Service ("Agreement") between NW Virtual Partners LLC dba EventBuilder ("EventBuilder," "we," "us," or "our") and you as the customer ("Customer" or "you"). This DPA (including the attached Schedules) takes effect on the date Customer subscribes to use our Services as an EventBuilder Customer, and governs the collection, processing, or receipt of Personal Data by EventBuilder on behalf of the Customer in the course of providing the Services. Terms not defined herein shall have the meaning as set forth in the Agreement. If you have questions or would like to receive a signed copy of this DPA, please contact us at care@eventbuilder.com.
- Definitions
- "Applicable Laws" means all laws, rules, regulations, and orders applicable to the subject matter herein, including without limitation Data Protection Laws.
- "California Personal Information" means Personal Data that is subject to the protection of the CCPA.
- "CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
- "CPRA" means California Civil Code Sec. 1798.150 et seq. (also known as the California Privacy Rights Act of 2020).
- "Consumer", "Business", "Sell", and "Service Provider" shall have the meanings given to them in the CCPA.
- "Controller", "Data Subject," "Processing," and "Processor" shall have the meanings given to them in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation) or "GDPR."
- "Customer Data" means all Personal Data, including without limitation California Personal Information and European Personal Data, Processed by EventBuilder on behalf of Customer pursuant to the Agreement.
- "Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy that apply to the respective Party in its role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA; in each case as amended, superseded, or replaced from time to time.
- "Data Subject" means the Consumer or other individual to whom Personal Data relates.
- "European Data" means Personal Data that is subject to the protection of European Data Protection Laws.
- "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded, or replaced.
- "Instructions" means the written, documented instructions issued by Customer to EventBuilder, and directing EventBuilder to perform a specific or general action with regard to Personal Data for the purpose of providing the Services to Customer. The Parties agree that the Agreement (including this DPA), together with Customer's use of the Services in accordance with the Agreement, constitute Customer's complete and final Instructions to EventBuilder in relation to the Processing of Customer Data, and additional Instructions outside the scope of the Instructions shall require prior written agreement between EventBuilder and Customer.
- "Personal Data" means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by EventBuilder and/or its Sub-Processors in connection with the provision of the Services. Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- "Sub-processor" means any entity which provides processing services to EventBuilder in furtherance of EventBuilder's processing of Customer Data.
- "Standard Contractual Clauses" or "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
- "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR.
- Nature, Purpose, and Subject Matter. The nature, purpose, and subject matter of EventBuilder's data processing activities performed as part of the Services are set out in the Agreement. The Customer Data that may be processed may relate to Data Subjects, such as the individual attendees associated with Customer who access, download, install, or use the Services ("Attendees") and Customer's employees. Categories of Personal Data Processed may include identifiers, sensitive Personal Data, internet activity, commercial information, and any other Personal Data that may be processed pursuant to the Agreement.
- Duration. The term of this DPA shall follow the term of the Agreement. EventBuilder will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
- Processing of Customer Data. EventBuilder shall process Customer Data only for the purposes described in the Agreement (including this DPA) or as otherwise agreed within the scope of Customer's lawful Instructions, except where and to the extent otherwise required by Applicable Law. If EventBuilder is collecting Personal Data from Attendees on behalf of Customer, EventBuilder shall follow Customer's Instructions regarding such Personal Data collection. EventBuilder shall inform Customer without delay if, in EventBuilder's opinion, an Instruction violates applicable Data Protection Laws and, where necessary, cease all Processing until Customer issues new Instructions with which EventBuilder is able to comply. If this provision is invoked, EventBuilder will not be liable to Customer under the Agreement for any failure to perform the Services until such time as Customer issues new lawful Instructions.
- Confidentiality. EventBuilder shall ensure that any personnel whom EventBuilder authorizes to Process Customer Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Customer Data. Additionally, EventBuilder shall take reasonable steps to ensure that, (i) persons employed by EventBuilder, and (ii) other persons engaged to perform on EventBuilder's behalf, comply with the terms of the Agreement.
- Customer Responsibilities. Within the scope of the Agreement (including this DPA) and in Customer's use of the Services, Customer shall comply with all Applicable Laws, including without limitation all requirements that apply to Customer under Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to EventBuilder. In particular, and without limiting the generality of the foregoing, Customer shall take sole responsibility for: (i) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring Customer has the right to transfer, or provide access to, the Personal Data to EventBuilder for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that Customer’s Instructions to EventBuilder regarding the Processing of Customer Data comply with Applicable Laws; and (v) complying with all Applicable Laws (including Data Protection Laws) applicable to Customer’s use of the Services, including without limitation those relating to providing notice and obtaining consents. Customer shall inform EventBuilder without undue delay if it is not able to comply with this section or applicable Data Protection Laws. For the avoidance of doubt, EventBuilder is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to EventBuilder.
- Sub-processors. Customer agrees that EventBuilder may engage Sub-Processors to Process Customer Data. Where EventBuilder engages Sub-Processors, EventBuilder will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. EventBuilder will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause EventBuilder to breach any of its obligations under this DPA. EventBuilder shall maintain on its website a list of current Sub-Processors engaged to Process Customer Data and shall notify Customer of any changes to the Sub-processors list through in-product notifications, email or other means.
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EventBuilder shall, in relation to the Customer Data, maintain appropriate technical and organizational Security Measures designed to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data. In assessing the appropriate level of security, EventBuilder shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach. Upon request, EventBuilder shall provide Customer with a summary of EventBuilder’s security policies applicable to the Services.
- Data Transfers. Customer acknowledges and agrees that EventBuilder may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by EventBuilder in the United States and to other jurisdictions where EventBuilder’s Sub-Processors have operations.
- Personal Data Breaches. EventBuilder will notify Customer without undue delay after EventBuilder becomes aware of any Personal Data Breach involving Customer Data, and will provide timely information relating to such Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, EventBuilder will promptly provide Customer with commercially reasonable assistance as necessary to enable Customer to notify authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws.
- Data Subject Requests. As part of the Services, EventBuilder provides Customer with a number of controls that Customer may use to access, correct, delete, or restrict Personal Data, which Customer may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests"). To the extent that Customer is unable to independently address a Data Subject Request through the Services, then upon Customer's written request EventBuilder shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Data under the Agreement. Customer shall reimburse EventBuilder for the commercially reasonable costs arising from this assistance. If a Data Subject Request or other communication regarding the Processing of Customer Data under the Agreement is made directly to EventBuilder, EventBuilder will promptly inform Customer. Customer shall be solely responsible for facilitating any such Data Subject Requests or communications involving Personal Data.
- Data Protection Impact Assessment and Prior Consultation. To the extent EventBuilder is required under Data Protection Law, EventBuilder shall (at Customer's expense) provide reasonably requested information regarding EventBuilder's processing of Customer Data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
- Deletion or Return of Personal Data. Upon termination or expiration of the Agreement, within 30 days EventBuilder will delete the Customer Data Processed pursuant to this DPA. During such 30-day period, EventBuilder will assist Customer in accessing such Customer Data Processed in accordance with Customer’s reasonable Instructions. The requirements of this section shall not apply to the extent that EventBuilder is required by Applicable Law to retain some or all of the Customer Data, or to Customer Data EventBuilder has archived on back-up systems, which data EventBuilder shall securely isolate and protect from any further Processing and delete in accordance with EventBuilder’s deletion practices.
- Demonstration of Compliance. Upon Customer's written request, EventBuilder shall make available to Customer (on a confidential basis) all information reasonably necessary, and allow for and contribute to audits, to demonstrate EventBuilder's compliance with this DPA, provided that Customer shall not exercise this right more than once per year. Customer shall take all reasonable measures to limit any impact on EventBuilder by combining several information and/or audit requests carried out on behalf of Customer in one single audit.
- European Data. This Section 15 applies only with respect to Processing of European Data by EventBuilder.
- Roles of the Parties. When Processing European Data under the Agreement, the Parties acknowledge and agree that Customer is the Controller and EventBuilder is the Processor.
- Sub-processors. In addition to the provisions of Section 7, within 30 days after posting an updated Sub-Processor List, Customer may object to EventBuilder’s engagement of a new Sub-Processor if Customer can demonstrate that such Sub-Processor’s Processing of European Data does not comply with European Data Protection Laws. If Customer so objects, the Parties will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, EventBuilder will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
- Data Transfers. In addition to Section 9, for transfers of European Personal Data to EventBuilder for processing by EventBuilder in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing “adequate” data protection, EventBuilder agrees it will: (i) use the form of the Controller-to-Processor SCCs; or (ii) use another transfer mechanism that is approved by the European Commission as valid at the time of the transfer, as applicable. If such data transfers rely on Controller-to-Processor SCCs to enable the lawful transfer of European Personal Data, as set forth in the preceding sentence, the Parties agree that Data Subjects for whom EventBuilder Processes European Personal Data are third-party beneficiaries under the Controller-to-Processor SCCs. If EventBuilder is unable or becomes unable to comply with these requirements, then: (a) EventBuilder shall notify Customer of such inability; and (b) any movement of European Personal Data to a non-EU country requires the prior written consent of Customer.
- Impact of local laws. As of the Effective Date, EventBuilder has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data prevent EventBuilder from fulfilling its obligations under this DPA. If EventBuilder reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Customer. In such a case, EventBuilder shall use reasonable efforts to make available to You a change in the Services or recommend a commercially reasonable change to Your configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening You. If EventBuilder is unable to make available such change promptly, You may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by EventBuilder in accordance with the Local Laws by providing written notice. You shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.
- Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to EventBuilder, and Customer does not otherwise have access to the required information, EventBuilder will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.
- California Personal Information. This Section 16 applies only with respect to Processing of California Personal Information by EventBuilder in EventBuilder's capacity as a Service Provider.
- Roles of the Parties. When Processing California Personal Information in accordance with Customer's Instructions, the Parties acknowledge and agree that Customer is a Business and EventBuilder is the Service Provider for the purposes of the CCPA. Additionally, for the purposes of interpreting this DPA with respect to Processing of California Personal Information, the term 'Controller' is replaced with Business and Processor is replaced with Service Provider wherever those terms appear in Sections 2 through 14 and Section 17 of this DPA.
- Responsibilities. The Parties agree that EventBuilder will process Attendees' California Personal Information as a Service Provider strictly for the business purpose of performing the Services under the Agreement and as set forth in EventBuilder's Privacy Notice. The Parties agree that EventBuilder shall not: (i) Sell Attendees' California Personal Information; (ii) retain, use, or disclose Attendees’ California Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by the CCPA; or (iii) retain, use, or disclose Attendees' California Personal Information outside of the direct business relationship between Customer and EventBuilder.
- Certification. EventBuilder hereby certifies that it understands and will comply with the restrictions of Section 16(b).
- No CCPA Sale. The Parties agree that Customer does not sell California Personal Information to EventBuilder because, as a Service Provider, EventBuilder may only use California Personal Information for the purposes of providing the Services to Customer.
- General. Customer represents that it is authorized to, and hereby agrees to, enter into and be bound by this DPA for and on behalf of itself and each of its affiliates and subsidiaries, thereby establishing a separate DPA between EventBuilder and Customer and each of Customer's affiliates and subsidiaries subject to the Agreement, as applicable. The limitations of liability set forth in the Agreement shall apply to EventBuilder's liability arising out of or relating to this DPA and the Standard Contractual Clauses (where applicable), taken in the aggregate along with the Agreement and any other agreement between the Parties. In case of any conflict or inconsistency with the terms of the Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected. We periodically update this Agreement. If you are a current Customer, you will be informed of any modification by email, alert on the customer dashboard or portal or by other means.
NW Virtual Partners LLC dba EventBuilder
Lauren Meyer, CEO
privacy@eventbuilder.com
Schedule 1
Transfer Mechanisms for European Data Transfers
STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS
For the purposes of the Standard Contractual Clauses, Customer is the data exporter and EventBuilder is the data importer and the Parties agree to the following:
- Reference to the Standard Contractual Clauses. The relevant provisions contained in the SCCs are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the SCCs is set out in Schedule 2.
- Docking clause. The option under clause 7 shall not apply.
- Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by EventBuilder to Customer only upon Customer's written request.
- Instructions. This DPA and the Agreement are Customer's complete and final documented instructions at the time of signature of the Agreement to EventBuilder for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in Section 4 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the provision of the Services.
- Security of Processing. For the purposes of clause 8.6(a), You are solely responsible for making an independent determination as to whether the technical and organizational measures provided by EventBuilder meet Your security requirements and You agree that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by EventBuilder provide a level of security appropriate to the risk with respect to the Personal Data. For the purposes of clause 8.6(c), personal data breaches will be handled in accordance with Section 10 of this DPA.
- Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 14 of this DPA.
- General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), EventBuilder has Customer's general authorization to engage Sub-processors in accordance with Section 7 of this DPA. EventBuilder shall make available to Customer the current list of Sub-processors in accordance with Section 7 of this DPA. Where EventBuilder enters into Standard Contractual Clauses with a Sub-processor in connection with the provision of the Services, Customer grants EventBuilder authority to provide a general authorization on Customer's behalf for the engagement of Sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors.
- Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that EventBuilder may engage new Sub-processors as described in Section 7 of this DPA. EventBuilder shall inform Customer with 30 days' advance notice of any changes to Sub-processors following the procedure provided for in Section 7 of this DPA.
- Complaints - Redress. For the purposes of clause 11, EventBuilder shall inform data subjects on its website of a contact point authorized to handle complaints. EventBuilder shall inform Customer if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. EventBuilder shall not otherwise have any obligation to handle the request (unless otherwise agreed with You). The option under clause 11 shall not apply.
- Liability. EventBuilder's liability under clause 12(b) shall be limited to actual and proven damage caused by EventBuilder's Processing of Personal Data on Customer's behalf as a Processor where EventBuilder has not complied with its obligations under the GDPR specifically directed to Processors, or where EventBuilder has acted outside of or contrary to Customer's lawful Instructions, as specified in Article 82 GDPR.
- Supervision. Clause 13 shall apply as follows:
- Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
- Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
- Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The Data Protection Commission of Ireland, 21 Fitzwilliam Square South, Dublin, 2 D02 RD28, Ireland shall act as competent supervisory authority.
- Where Customer is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as competent supervisory authority.
- Where You are established in Switzerland or fall within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
- Notification of Government Access Requests. For the purposes of clause 15.1(a), EventBuilder shall notify Customer only, and not the Data Subject(s), in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.
- Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
- Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Venue section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.
- Appendix. The Appendix shall be completed as follows:
- The contents of section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses
- The contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the Standard Contractual Clauses
- The contents of section 10 of Schedule 2 shall form Annex I.C to the Standard Contractual Clauses
- The contents of section 11 of Schedule 2 to this Exhibit shall form Annex II to the Standard Contractual Clauses.
- Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws and Regulations of Switzerland ("Swiss Data Protection Laws"), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the Data Protection Laws and Regulations of the United Kingdom ("UK Data Protection Laws") or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
- Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Schedule 2
Description of Processing/Transfer
- LIST OF PARTIES
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
Name: Customer as identified in subscription
Address: Customer’s address listed in subscription
Role: For the purposes of the Standard Contractual Clauses, Customer is a Controller.
Activities relevant to the data transferred under these clauses: Provision of the Services pursuant to the Agreement (including the DPA).
Contact person's name, position, and contact details: Customer’s designated point of contact listed at registration
Signature: By agreeing to the Agreement and the DPA, Customer agrees to this Schedule 2, effective as of the date of the Agreement.
Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
Name: NW Virtual Partners LLC dba EventBuilder
Address: 915 Broadway St, #250, Vancouver, WA 98660
Role: For the purposes of the Standard Contractual Clauses, EventBuilder is a Processor.
Contact person's name, position, and contact details:
Lauren Meyer, CEO
Signature:
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in Customer's sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Individual event attendees associated with Customer who access, download, install, or use the Services
- Customer's employees
- Other end users granted access to the Services by Customer
You may submit Personal Data to the Services, the extent of which is determined and controlled by You in Your sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Identifiers
- Sensitive Personal Data
- Internet activity
- Commercial information
The parties do anticipate the transfer of sensitive Personal Data only to the extent that Customer instructs EventBuilder to process such data pursuant to the Agreement.
5. FREQUENCY OF THE TRANSFER
Data is transferred on a continuous basis depending on Customer’s use of the Services.
6. NATURE OF THE PROCESSING
The nature of the Processing is the provision of the Services pursuant to the Agreement.
7. PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING
EventBuilder will Process Personal Data as necessary to provide the Services pursuant to the Agreement and as further instructed by Customer in Customer's use of the Services.
8. DURATION OF PROCESSING
Subject to Section 3 of the DPA, EventBuilder will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
9. SUB-PROCESSOR TRANSFERS
Sub-processor(s) will Process Personal Data as necessary to provide the Services pursuant to the Agreement. Subject to section 5 of this DPA, the Sub-processor(s) will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Identities of the Sub-processors used for the provision of the Services and their country of location are available to Customer upon request.
10. COMPETENT SUPERVISORY AUTHORITY
- Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
- Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland shall act as the competent supervisory authority.
- Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent supervisory authority.
- Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.
In addition to the administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data described in the DPA and EventBuilder’s Privacy Notice, EventBuilder has also implemented the following technical and organizational measures:
- Security Standards: EventBuilder has implemented and maintains technical and organizational measures that meet or exceed ISO 27001 and ISO 27701 standards.
- Outsourced processing: EventBuilder hosts the Services in a secure environment using outsourced cloud infrastructure providers.
- Physical and environmental security: Physical and environmental security controls of infrastructure providers used by EventBuilder are audited for ISO 27001 and ISO 27701 compliance.
- Authentication: EventBuilder implements a uniform password policy and multifactor authentication for customer products.
- Intrusion detection and prevention: EventBuilder implements industry standard intrusion detection and prevention software to identify and prevent attacks against publicly available network services.
- Penetration testing: EventBuilder completes penetration tests at least annually using industry recognized third-party penetration testing service providers.
- Employee access: A subset of EventBuilder’s employees have access to Customer Data via controlled interfaces. Employees are granted access by role. Employee roles are reviewed at least once per year.
- Encryption: EventBuilder encrypts data in transit using SSL/TLS and at rest using AES-256 on the database for all systems.
- Security incidents: EventBuilder maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated and appropriate resolution steps are identified and documented. For any confirmed incidents, EventBuilder will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.