This Data Processing Addendum (“DPA”) is an addendum to the Customer Terms of Service (“Agreement”) between NW Virtual Partners LLC dba EventBuilder (“EventBuilder”, “we,” “us,” or “our”) and you as the customer (“Customer”). This DPA governs the collection, processing, or receipt of Personal Data by EventBuilder on behalf of the Customer in the course of providing the Services. Terms not defined herein shall have the meaning as set forth in the Agreement.

EventBuilder has certified to the Data Privacy Framework, which will specifically apply to the transfer of Personal Data from the EU, UK, and Switzerland to the U.S. See Section 15 for details.

This DPA (including the attached Schedules) takes effect on the date Customer subscribes to use our Services as an EventBuilder Customer. Customer may direct any questions or request a signed copy of this DPA by email to privacy@eventbuilder.com.

DPA Structure:

This DPA consists of two parts: (i) the main body of the DPA, and, for Customers with end users in the EEA or UK (ii) Schedules 1 (Transfer Mechanisms for European Data Transfers), 2 (Description of Processing/Transfer), and 3 (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses).
By executing the Agreement, Customer also executes this DPA on behalf of Customer and (to the extent required under applicable Data Protection Laws) in the name and on behalf of Customer’s Authorized Affiliates, if and to the extent EventBuilder processes Personal Data for which such Authorized Affiliates qualify as the Controller.
This DPA has been pre-signed on behalf of EventBuilder. Schedule 2, section 1 has been pre-signed by EventBuilder as the data importer.
For the avoidance of doubt, Customer’s agreement to this DPA via execution of the Agreement shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses including Schedule 2.

1. Definitions.

“Applicable Laws” means all laws, rules, regulations, and orders applicable to the subject matter herein, including without limitation Data Protection Laws.

“Authorized Affiliate” means any of Customer’s Affiliate(s) which (i) is subject to Data Protection Laws and Regulations and (ii) is permitted to use the Services pursuant to the Agreement but has not executed its own agreement with EventBuilder and is not “Customer” as defined under the Agreement. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than fifty percent (50%) of the voting interests of the subject entity.

“California Personal Information” means Personal Data that is subject to the protection of the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018), as amended from time to time, including without limitation California Civil Code Sec. 1798.150 et seq. (also known as the California Privacy Rights Act of 2020 or CPRA).

"Consumer", "Business", "Sell", and "Service Provider" and "Share" shall have the meanings given to them in the CCPA or comparable U.S. state Data Protection Laws, as applicable.

“Controller”, “Data Subject”, “Processing”, and “Processor” shall have the meanings given to them in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation) or “GDPR.”

“Customer Data” means all Personal Data, including without limitation California Personal Information and European Personal Data, Processed by EventBuilder on behalf of Customer pursuant to the Agreement.

“Data Privacy Framework” or “DPF” means, collectively, the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced from time to time. Additionally, the “DPF Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy that apply to the respective Party in its role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA, state consumer privacy laws of Colorado, Connecticut, Utah, and Virginia and other federal and state legislation and regulations of the United States; in each case as amended, superseded, or replaced from time to time.

“Data Subject” means the Consumer or other individual to whom Personal Data relates.

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC together with any subordinate legislation or implementing regulation (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (iv) other laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, each as amended from time to time and (v) applicable national implementations of (i) through (iv); in each case, as may be amended, superseded, or replaced.

“Instructions” means the written, documented instructions issued by Customer to EventBuilder, and directing EventBuilder to perform a specific or general action with regard to Personal Data for the purpose of providing the Services to Customer. The Parties agree that the Agreement (including this DPA), together with Customer's use of the Services in accordance with the Agreement, constitute Customer’s complete and final Instructions to EventBuilder in relation to the Processing of Customer Data, and additional Instructions outside the scope of the Instructions shall require prior written agreement between EventBuilder and Customer.

“Personal Data" or "Personal Information” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by EventBuilder and/or its Sub-Processors in connection with the provision of the Services. Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Security Measures” means the technical and organizational measures employed by EventBuilder to secure Personal Data and as described in Section 11 of Schedule 2.

“Sub-Processor” means any entity which provides processing services to EventBuilder in furtherance of EventBuilder’s processing of Customer Data.

“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 . The SCCs attached to this DPA specifically reference Sections I, II, III and IV (as applicable) in so far as they relate to Module Two (Controller-to-Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by EC Commission Decision of 4 June 2021.

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

2. Nature, Purpose, and Subject Matter.

The nature, purpose, and subject matter of EventBuilder’s data processing activities performed as part of the Services are set out in the Agreement. The Customer Data that may be processed may relate to Data Subjects, such as the individual attendees associated with Customer who access, download, install, or use the Services (“Attendees”) and Customer’s employees. Categories of Personal Data Processed may include identifiers, sensitive Personal Data, internet activity, commercial information, and any other Personal Data that may be processed pursuant to the Agreement. The Parties agree as follows: (i) EventBuilder only receives and Processes Customer Data on behalf of Customer; (ii) Customer is responsible for limiting Customer’s collection and Processing of Personal Data within the Customer Data to that which is necessary to accomplish the purposes disclosed to Data Subjects and Consumers; and (iii) Customer is solely responsible for giving notice to, informing, and obtaining consent (or establishing other lawful basis) from Data Subjects and Consumers and for providing mechanisms for Data Subjects and Consumers to opt-out or otherwise exercise their privacy rights with respect to the Customer Data as required under applicable Data Protection Laws.

3. Duration.

The term of this DPA shall follow the term of the Agreement. EventBuilder will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

4. Processing of Customer Data.

EventBuilder shall process Customer Data only for the purposes described in the Agreement (including this DPA) or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by Applicable Law. If EventBuilder is collecting Personal Data from Attendees on behalf of Customer, EventBuilder shall follow Customer’s Instructions regarding such Personal Data collection. EventBuilder shall inform Customer without delay if, in EventBuilder’s opinion, an Instruction violates applicable Data Protection Laws and, where necessary, cease all Processing until Customer issues new Instructions with which EventBuilder is able to comply. If this provision is invoked, EventBuilder will not be liable to Customer under the Agreement for any failure to perform the Services until such time as Customer issues new lawful Instructions.

5. Confidentiality.

EventBuilder shall ensure that any personnel whom EventBuilder authorizes to Process Customer Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Customer Data. Additionally, EventBuilder shall take reasonable steps to ensure that, (i) persons employed by EventBuilder, and (ii) other persons engaged to perform on EventBuilder’s behalf, comply with the terms of the Agreement.

6. Customer Responsibilities.

Within the scope of the Agreement (including this DPA) and in Customer’s use of the Services, Customer shall comply with all Applicable Laws, including without limitation all requirements that apply to Customer under Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to EventBuilder. In particular, and without limiting the generality of the foregoing, Customer shall take sole responsibility for: (i) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring Customer has the right to transfer, or provide access to, the Personal Data to EventBuilder for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that Customer’s Instructions to EventBuilder regarding the Processing of Customer Data comply with Applicable Laws; and (v) complying with all Applicable Laws (including Data Protection Laws) applicable to Customer’s use of the Services, including without limitation those relating to providing notice and obtaining consents. Customer shall inform EventBuilder without undue delay if it is not able to comply with this section or applicable Data Protection Laws. For the avoidance of doubt, EventBuilder is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to EventBuilder.

7. Sub-Processors.

Customer agrees that EventBuilder may engage Sub-Processors to Process Customer Data. Where EventBuilder engages Sub-Processors, EventBuilder will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. EventBuilder will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause EventBuilder to breach any of its obligations under this DPA. EventBuilder shall maintain on its website a list of current Sub-Processors engaged to Process Customer Data and shall notify Customer of any changes to the Sub-Processors list through in-product notifications, email or other means.

8. Security.

Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EventBuilder shall, in relation to the Customer Data, maintain appropriate technical and organizational Security Measures designed to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data. In assessing the appropriate level of security, EventBuilder shall take account of the risks that are presented by Processing, in particular from a Personal Data Breach. Upon request, EventBuilder shall provide Customer with a summary of EventBuilder’s security policies applicable to the Services.

9. Data Transfers.

Customer acknowledges and agrees that EventBuilder may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Data will be transferred to and processed by EventBuilder in the United States and to other jurisdictions where EventBuilder’s Sub-Processors have operations. Transfers of Personal Data regarding Data Subjects in the EU, UK, or Switzerland to the U.S. or otherwise are additionally subject to the terms in Section 15(d).

10. Personal Data Breaches.

EventBuilder will notify Customer without undue delay after EventBuilder becomes aware of any Personal Data Breach involving Customer Data, and will provide timely information relating to such Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, EventBuilder will promptly provide Customer with commercially reasonable assistance as necessary to enable Customer to notify authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws.

11. Data Subject Requests.

As part of the Services, EventBuilder provides Customer with a number of controls that Customer may use to access, correct, delete, or restrict Personal Data, which Customer may use to assist in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests"). Customer will instruct Data Subjects and Consumers that access the Services through Customer to submit any Data Subject Requests or other inquiries to Customer and will provide appropriate mechanisms for opt-out and exercise of such rights. To the extent that Customer is unable to independently address a Data Subject Request through the Services, then upon Customer's written request EventBuilder shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Data under the Agreement. Customer shall reimburse EventBuilder for the commercially reasonable costs arising from this assistance. If a Data Subject Request or other communication regarding the Processing of Customer Data under the Agreement is made directly to EventBuilder, EventBuilder will promptly inform Customer. Customer shall be solely responsible for facilitating any such Data Subject Requests or communications involving Personal Data.

12. Data Protection Impact Assessment and Prior Consultation.

To the extent EventBuilder is required under Data Protection Law, EventBuilder shall (at Customer's expense) provide reasonably requested information regarding EventBuilder's processing of Customer Data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

13. Deletion or Return of Personal Data.

Upon termination or expiration of the Agreement, within 30 days EventBuilder will delete the Customer Data Processed pursuant to this DPA. During such 30-day period, EventBuilder will assist Customer in accessing such Customer Data Processed in accordance with Customer’s reasonable Instructions. The requirements of this section shall not apply to the extent that EventBuilder is required by Applicable Law to retain some or all of the Customer Data, or to Customer Data EventBuilder has archived on back-up systems, which data EventBuilder shall securely isolate and protect from any further Processing and delete in accordance with EventBuilder’s deletion practices.

14. Demonstration of Compliance.

EventBuilder shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA as set forth in this Section 14. Upon Customer's written request and at reasonable intervals, EventBuilder shall make available to Customer (on a confidential basis) all information reasonably necessary, and allow for and contribute to audits by Customer or Customer’s third-party auditor, to demonstrate EventBuilder’s (and, upon specific written request, EventBuilder’s Sub-Processors') compliance with this DPA, provided that Customer shall act reasonably, in good faith, and in a proportional manner and Customer shall not exercise this right more than once per year. Customer shall take all reasonable measures to limit any impact on EventBuilder by combining several information and/or audit requests carried out on behalf of Customer in one single audit. Before any audit may commence, Customer and EventBuilder shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by or on behalf of EventBuilder.

15. European Data.

This Section 15 applies only with respect to Processing of European Data by EventBuilder.

When Processing European Data under the Agreement, the Parties acknowledge and agree that Customer is the Controller and EventBuilder is the Processor.

EventBuilder has certified to the Data Privacy Framework with respect to the transfer of European Data from the EU, UK, and Switzerland. In compliance with the DPF, (a) EventBuilder will use the Data Privacy Framework to lawfully receive European Data in the United States and will Process European Data for the limited and specific purposes contemplated by this DPA; (b) EventBuilder will provide the level of protection to European Data as required by the DPF; (c) Customer may take reasonable and appropriate steps to ensure that EventBuilder Processes European Data in a manner consistent with the DPF; (d) EventBuilder will notify Customer if EventBuilder determines that it can no longer meet these obligations; (e) upon notice, and subject this DPA, EventBuilder will take reasonable and appropriate steps to stop and remediate unauthorized Processing; and (f) upon request and as required by law, provide a summary or a representative copy of the relevant privacy provisions of this DPA and the Agreement to the United States Department of Commerce.

In addition to the provisions of Section 7, within 30 days after posting an updated Sub-Processor List, Customer may object to EventBuilder’s engagement of a new Sub-Processor if Customer can demonstrate that such Sub-Processor’s Processing of European Data does not comply with European Data Protection Laws. If Customer so objects, the Parties will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, EventBuilder will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

In addition to Section 9, for transfers of European Personal Data to EventBuilder for processing by EventBuilder in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing “adequate” data protection, EventBuilder will complete such transfers will complete such transfers in reliance on the Data Privacy Framework. If the Data Privacy Framework is invalidated or does not cover a given transfer of European Data by EventBuilder, EventBuilder agrees it will complete such transfers according to: (i) for Personal Data from the European Economic Area, the Controller-to-Processor SCCs set forth in Schedules 1 and 2; (ii) for Personal Data from the United Kingdom (and Gibraltar), the International Data Transfer Addendum set forth in Schedule 3; or (iii) another transfer mechanism that is valid at the time of the transfer, as applicable. If such data transfers rely on Controller-to-Processor SCCs to enable the lawful transfer of European Personal Data, as set forth in the preceding sentence, the Parties agree that Data Subjects for whom EventBuilder Processes European Personal Data are third-party beneficiaries under the Controller-to-Processor SCCs. If EventBuilder is unable or becomes unable to comply with these requirements, then: (a) EventBuilder shall notify Customer of such inability; and (b) any movement of European Personal Data to a non-EU country requires the prior written consent of Customer.

As of the Effective Date, EventBuilder has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of Personal Data prevent EventBuilder from fulfilling its obligations under this DPA. If EventBuilder reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data (“Local Laws”) prevent it from fulfilling its obligations under this DPA, it shall promptly notify Customer. In such a case, EventBuilder shall use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Your configuration or use of the Services to facilitate compliance with the Local Laws without unreasonably burdening You. If EventBuilder is unable to make available such change promptly, Customer may terminate the applicable Order Form(s) and suspend the transfer of Personal Data in respect only to those Services which cannot be provided by EventBuilder in accordance with the Local Laws by providing written notice. Customer shall receive a refund of any prepaid fees for the period following the effective date of termination for such terminated Services.

To the extent that the required information is reasonably available to EventBuilder, and Customer does not otherwise have access to the required information, EventBuilder will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.

16. California Personal Information.

This Section 16 applies only with respect to Processing of California Personal Information by EventBuilder in EventBuilder’s capacity as a Service Provider.

When Processing California Personal Information in accordance with Customer's Instructions, the Parties acknowledge and agree that Customer is a Business and EventBuilder is the Service Provider for the purposes of the CCPA. Additionally, for the purposes of interpreting this DPA with respect to Processing of California Personal Information, the term “Controller” is replaced with “Business” and “Processor” is replaced with “Service Provider” wherever those terms appear in Sections 2 through 14 and Section 17 of this DPA.

The Parties agree that EventBuilder will process Attendees’ California Personal Information as a Service Provider strictly for the business purpose of performing the Services under the Agreement and as set forth in EventBuilder’s Privacy Notice.

The Parties agree that EventBuilder shall not: (i) Sell or Share Attendees’ California Personal Information; (ii) retain, use, or disclose Attendees’ California Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by the CCPA; or (iii) retain, use, or disclose Attendees’ California Personal Information outside of the direct business relationship between Customer and EventBuilder.

EventBuilder hereby certifies that it understands and will comply with the restrictions of Section 16(b).

The Parties agree that Customer does not sell California Personal Information to EventBuilder because, as a Service Provider, EventBuilder may only use California Personal Information for the purposes of providing the Services to Customer.

17. Limitations of Liability.

Except as specifically provided in the SCCs, this DPA forms part of the Agreement and all activities under this DPA remain subject to the applicable limitations of liability set forth in the Agreement. For the avoidance of doubt, EventBuilder’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA. Additionally, Customer agrees that any regulatory fines or penalties incurred by Customer in relation to the Customer Data that arise as a result of, or in connection with, Customer's failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce EventBuilder’s liability under the Agreement as if it were liability to Customer under the Agreement.

18. General.

Customer represents that it is authorized to, and hereby agrees to, enter into and be bound by this DPA for and on behalf of itself and each of its affiliates and subsidiaries, thereby establishing a separate DPA between EventBuilder and Customer and each of Customer’s affiliates and subsidiaries subject to the Agreement, as applicable. The limitations of liability set forth in the Agreement shall apply to EventBuilder’s liability arising out of or relating to this DPA and the Standard Contractual Clauses (where applicable), taken in the aggregate along with the Agreement and any other agreement between the Parties. In case of any conflict or inconsistency with the terms of the Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected. We periodically update this Agreement. Current Customers will be informed of any modification by email, alert on the customer dashboard or portal or by other means.

NW Virtual Partners LLC dba EventBuilder

Lauren Meyer, CEO
privacy@eventbuilder.com

Schedule 1

Transfer Mechanisms for European Data Transfers

STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

EventBuilder has certified to the Data Privacy Framework with respect to the transfer of European Data from the EU, UK, and Switzerland. EventBuilder will use the Data Privacy Framework to lawfully transfer European Data from the EU, UK, or Switzerland to the United States. If the Data Privacy Framework is invalidated or does not cover a given transfer of European Data, EventBuilder shall transfer such data according to the Controller-to-Processor SCCs in this Schedule 1 and Schedule 2.

For the purposes of the Standard Contractual Clauses, Customer is the data exporter and EventBuilder is the data importer and the Parties agree to the following:

1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the SCCs are incorporated by reference and are an integral part of this DPA. The information required for the purposes of the Appendix to the SCCs are set out in Schedule 2. If and to the extent an Authorized Affiliate relies on the Controller-to-Processor SCCs for the transfer of Personal Data, any references to “Customer” in this Schedule, include such Authorized Affiliate. Where this Schedule 1 does not explicitly mention Controller-to-Processor SCCs, it applies to them.

2. Docking clause. The option under clause 7 shall not apply.

3. Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clause 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by EventBuilder to Customer only upon Customer’s written request.

4. Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to EventBuilder for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by Customer to Process Personal Data are set out in Section 4 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the provision of the Services.

5. Security of Processing. For the purposes of clause 8.6(a), Customer is solely responsible for making an independent determination as to whether the technical and organizational measures provided by EventBuilder meet Customer’s security requirements and Customer agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to individuals) the security measures and policies implemented and maintained by EventBuilder provide a level of security appropriate to the risk with respect to the Personal Data. For the purposes of clause 8.6(c), Personal Data Breaches will be handled in accordance with Section 10 of this DPA.

6. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 14 of this DPA.

7. General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), EventBuilder has Customer’s general authorization to engage Sub-processors in accordance with Section 7 of this DPA. EventBuilder shall make available to Customer the current list of Sub-processors in accordance with Section 7 of this DPA. Where EventBuilder enters into Standard Contractual Clauses with a Sub-processor in connection with the provision of the Services, Customer grants EventBuilder authority to provide a general authorization on Customer’s behalf for the engagement of sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors.

8. Notification of New Sub-Processors and Objection Right for new Sub-Processors. Pursuant to clause 9(a), Customer acknowledges and expressly agrees that EventBuilder may engage new Sub-Processors as described in Section 7 of this DPA. EventBuilder shall inform Customer with 30 days advance notice of any changes to Sub-Processors following the procedure provided for in Section 7 of this DPA.

9. Complaints - Redress. For the purposes of clause 11, EventBuilder shall inform Data Subjects on its website of a contact point authorized to handle complaints. EventBuilder shall inform Customer if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to Customer. EventBuilder shall not otherwise have any obligation to handle the request (unless otherwise agreed with Customer). The option under clause 11 shall not apply.

10. Liability. EventBuilder’s liability under clause 12(b) shall be limited to actual and proven damage caused by EventBuilder’s Processing of Personal Data on Customer’s behalf as a Processor where EventBuilder has not complied with its obligations under the GDPR specifically directed to Processors, or where EventBuilder has acted outside of or contrary to Customer’s lawful Instructions, as specified in Article 82 GDPR.

11. Supervision. Clause 13 shall apply as follows:

1. Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
2. Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and have appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
3. Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The Data Protection Commission of 21 Fitzwilliam Square South, Dublin, 2 D02 RD28, Ireland shall act as competent supervisory authority.
4. Where Customer is established in the United Kingdom or fall within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as competent supervisory authority.
5. Where Customer is established in Switzerland or fall within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.

12. Notification of Government Access Requests. For the purposes of clause 15.1(a), EventBuilder shall notify Customer and, where possible, the Data Subject promptly, in case of government access requests. Where Data Subject notification is not possible, EventBuilder shall inform Customer via the notification to Customer.

13. Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement. If the Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Ireland; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.

14. Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Governing Law section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) Ireland; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.

15. Appendix. The Appendix shall be completed as follows:

The contents of section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses.

The contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the Standard Contractual Clauses.

The contents of section 10 of Schedule 2 shall form Annex I.C to the Standard Contractual Clauses.

The contents of section 11 of Schedule 2 to this Exhibit shall form Annex II to the Standard Contractual Clauses.

16. Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws"), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the UK GDPR or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK GDPR or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.

17. Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

Schedule 2

Description of Processing/Transfer

1. LIST OF PARTIES

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

Name: Customer as identified in subscription

Address: Customer’s address listed in subscription

Role: For the purposes of the Standard Contractual Clauses, Customer is a Controller.

Activities relevant to the data transferred under these clauses: Provision of the Services pursuant to the Agreement (including the DPA).

Contact person's name, position, and contact details: Customer’s designated point of contact listed at registration

Signature: By agreeing to the Agreement and the DPA, Customer agrees to this Schedule 2, effective as of the date of the Agreement.

Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection

Name: NW Virtual Partners LLC dba EventBuilder

Address: 915 Broadway St, #250, Vancouver, WA 98660

Role: For the purposes of the Standard Contractual Clauses, EventBuilder is a Processor.

Contact person's name, position, and contact details:

Lauren Meyer, CEO

privacy@eventbuilder.com

Signature:
LaurenCEOSignature

2. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED

EventBuilder may process Personal Data on behalf of Customer via the Services, which may include, but is not limited to Personal Data relating to the following categories of data subjects:

Individual event attendees associated with Customer who access, download, install, or use the Services
Customer's employees
Other end users granted access to the Services by Customer

3. CATEGORIES OF PERSONAL DATA TRANSFERRED

EventBuilder may process Personal Data on behalf of the customer via the Services, which may include, but is not limited to the following categories of Personal Data:

Identifiers
Sensitive Personal Data
Internet activity
Commercial information

4. SENSITIVE DATA TRANSFERRED

The parties do anticipate the transfer of sensitive Personal Data only to the extent that Customer instructs EventBuilder to process such data pursuant to the Agreement.

5. FREQUENCY OF THE TRANSFER

Data is transferred on a continuous basis depending on Customer’s use of the Services.

6. NATURE OF THE PROCESSING

The nature of the Processing is the provision of the Services pursuant to the Agreement.

7. PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING

EventBuilder will Process Personal Data as necessary to provide the Services pursuant to the Agreement and as further instructed by Customer in Customer’s use of the Services.

8. DURATION OF PROCESSING

Subject to Section 3 of the DPA, EventBuilder will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

9. SUB-PROCESSOR TRANSFERS

Sub-processor(s) will Process Personal Data as necessary to provide the Services pursuant to the Agreement. Subject to Section 7 of this DPA, the Sub-processor(s) will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Identities of the Sub-processors used for the provision of the Services and their country of location are available to Customer upon request.

10. COMPETENT SUPERVISORY AUTHORITY

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland shall act as the competent supervisory authority.
Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of UK Data Protection Laws and Regulations, the Information Commissioner's Office shall act as the competent supervisory authority.
Where the data exporter is established in Switzerland or falls within the territorial scope of application of Swiss Data Protection Laws and Regulations, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.

11. TECHNICAL AND ORGANISATIONAL MEASURES

In addition to the administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data described in the DPA and EventBuilder’s Privacy Notice, EventBuilder also had implemented the following technical and organizational measures:

Security Standards: EventBuilder has implemented and maintains technical and organizational measures that meet or exceed ISO 27001 and ISO 27701standards. Details available at EventBuilder's Legal, Privacy, and Certifications Hub.
Outsourced processing: EventBuilder hosts the Services in a secure environment using outsourced cloud infrastructure providers.
Authentication: EventBuilder implements a uniform password policy and multifactor authentication for customer products.
Penetration testing: EventBuilder completes penetration tests at least annually using industry recognized third-party penetration testing service providers.
Employee access: A subset of EventBuilder’s employees have access to Customer Data via controlled interfaces. Employees are granted access by role. Employee roles are reviewed at least once per year.
Encryption: EventBuilder encrypts data in transit using SSL/TLS and at rest using AES-256 on the database for all systems.
Security incidents: EventBuilder maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated and appropriate resolution steps are identified and documented. For any confirmed incidents, EventBuilder will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.

Schedule 3

International Data Transfer Addendum

To the EU Commission Standard Contractual Clauses

To Be Issued by the Commissioner Under S119A(1) Data Protection Act 2018

EventBuilder has certified to the Data Privacy Framework with respect to the transfer of European Data from the EU, UK, and Switzerland. EventBuilder will use the Data Privacy Framework to lawfully transfer European Data from the EU, UK, or Switzerland to the United States. If the Data Privacy Framework is invalidated or does not cover a given transfer of European Data, EventBuilder shall transfer such data according to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK Addendum) in this Schedule 3.

Part 1: Tables

Table 1: Parties

Start Date: Effective Date of the Agreement

The Parties	Exporter (who sends the Restricted Transfer)	Importer (who receives the Restricted Transfer)
Parties' Details	NW Virtual Partners LLC dba EventBuilder 915 Broadway St, #250, Vancouver, WA 98660	Customer as identified in the subscription.
Key Contact	Lauren Meyer, CEO privacy@eventbuilder.com	Customer’s contact information as identified in the subscription.
Signature	By executing the DPA, EventBuilder also executes all Schedules thereto.	By executing the DPA, Customer also executes all Schedules thereto.

Table 2: Selected SCCs, Modules and Selected Clauses

SCCs (EU)

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information.

EU Standard Contractual Clauses sections I, II, III, and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).

Clause 7 (Docking clause): The docking clause shall not apply.

Clause 11 (Option): The option under clause 11 shall not apply.

Clause 9(a) (Prior Authorisation or General Authorisation): EventBuilder has Customer’s general authorisation to engage Sub-Processors in accordance with Section 7 of this DPA. Where EventBuilder enters into the EU P-to-P Transfer Clauses with a Sub-Processor in connection with the provision of the Services, Customer grants EventBuilder authority to provide a general authorisation on its behalf for the engagement of sub-processors by Sub-Processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such sub-processors.

Clause 9(a) (Time Period): EventBuilder shall make available to Customer the current list of Sub-Processors in accordance with Section 7 of the DPA.

EventBuilder shall inform Customer of any changes to Sub-Processors as required by applicable Data Protection Laws.

Is Personal Data received from the Importer combined with Personal Data collected by the Exporter? Yes, as described in the EventBuilder Privacy Notice and the Agreement (including the DPA).

Table 3: Appendix Information

"Appendix Information" means the information that must be provided for the selected modules and which for this Addendum is set out in:

Annex 1A: List of Parties: See Table 1 to this Schedule 3.
Annex 1B: Description of Transfer: See Schedule 2.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Schedule 2, Section 11.
Annex III: List of Sub-Processors (Modules 2 and 3 only): See Schedule 1.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 18? Neither Party except as provided in Section 3 of the DPA.

Part 2: Mandatory Clauses

Entering into this Addendum

1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.

2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.

Interpretation of this Addendum

3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:

Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the SCCs (EU) (see Schedules 1 and 2).
SCCs (EU): The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information: As set out in Table 3.
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO: The Information Commissioner.
Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
UK: The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws: as defined in Section 1.l of the DPA.

4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.

5. If the provisions included in the SCCs (EU) amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.

6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws apply.

7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning that most closely aligns with UK Data Protection Laws applies.

8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

Hierarchy

9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.

10. Where there is any inconsistency or conflict between the Approved Addendum and the SCCs (EU) (as applicable), the Approved Addendum overrides the SCCs (EU), except where (and in so far as) the inconsistent or conflicting terms of the SCCs (EU) provides greater protection for data subjects, in which case those terms will override the Approved Addendum.

11. Where this Addendum incorporates the SCCs (EU) which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts the SCCs (EU).

Incorporation of and Changes to the EU SCCs

12. This Addendum incorporates the SCCs (EU) which are amended to the extent necessary so that:

together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
Sections 9 to 11 override Clause 5 (Hierarchy) of the SCCs (EU); and
this Addendum (including the SCCs (EU) incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.

13. Unless the Parties have agreed to alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.

14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.

15. The following amendments to the SCCs (EU) (for the purpose of Section 12) are made:

References to the “Clauses” means this Addendum, incorporating the SCCs (EU);
In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
References to Regulation (EU) 2018/1725 are removed;
References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
Clause 13(a) and Part C of Annex I are not used;
The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales”;
Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10, and 11.

16. Amendments to this Addendum

The Parties may agree to change Clauses 17 and/or 18 of the SCCs (EU) to refer to the laws and/or courts of Scotland or Northern Ireland.
If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
From time to time, the ICO may issue a revised Approved Addendum which: (i) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or (ii) reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.

17. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in: (a) its direct costs of performing its obligations under the Addendum; and/or (b) its risk under the Addendum, and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.

18. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.

19. Alternative Part 2 Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

Data Processing Addendum

Skip to section