EventBuilder Data Processing Addendum
Last Updated November 5, 2020
This Data Processing Addendum (“DPA”) is an addendum to the Customer Terms of Service (“Agreement”) between NW Virtual Partners LLC dba EventBuilder (“EventBuilder”, “we,” “us,” or “our”) and you as the customer (“Customer” or “you”). This DPA takes effect on the date Customer subscribes to use our Services as an EventBuilder Customer, and governs the collection, processing, or receipt of Personal Data by EventBuilder on behalf of the Customer in the course of providing the Services. Terms not defined herein shall have the meaning as set forth in the Agreement. If you have questions or would like to receive a signed copy of this DPA, please contact us at firstname.lastname@example.org.
- “Applicable Laws” means all laws, rules, regulations, and orders applicable to the subject matter herein, including without limitation Data Protection Laws.
- “California Personal Information” means Personal Data that is subject to the protection of the CCPA.
- "CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
- "Consumer", "Business", "Sell", and "Service Provider" shall have the meanings given to them in the CCPA.
- “Controller”, “Data Subject”, “Processing”, and “Processor” shall have the meanings given to them in the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council together with any subordinate legislation or regulation implementing the General Data Protection Regulation) or “GDPR.”
- “Controller-to-Processor SCCs” means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010, as may be amended or replaced from time to time by the European Commission.
- “Customer Data” means all Personal Data, including without limitation California Personal Information and European Personal Data, Processed by EventBuilder on behalf of Customer pursuant to the Agreement.
- “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy that apply to the respective Party in its role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and the CCPA; in each case as amended, superseded, or replaced from time to time.
- “Data Subject” means the Consumer or other individual to whom Personal Data relates.
- “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
- "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded, or replaced.
- “Instructions” means the written, documented instructions issued by Customer to EventBuilder, and directing EventBuilder to perform a specific or general action with regard to Personal Data for the purpose of providing the Services to Customer. The Parties agree that the Agreement (including this DPA), together with Customer's use of the Services in accordance with the Agreement, constitute Customer’s complete and final Instructions to EventBuilder in relation to the Processing of Customer Data, and additional Instructions outside the scope of the Instructions shall require prior written agreement between EventBuilder and Customer.
- “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by EventBuilder and/or its Sub-Processors in connection with the provision of the Services. Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Sub-Processor” means any entity which provides processing services to EventBuilder in furtherance of EventBuilder’s processing of Customer Data.
- Nature, Purpose, and Subject Matter. The nature, purpose, and subject matter of EventBuilder’s data processing activities performed as part of the Services are set out in the Agreement. The Customer Data that may be processed may relate to Data Subjects, such as the individual attendees associated with Customer who access, download, install, or use the Services (“Attendees”) and Customer’s employees. Categories of Personal Data Processed may include identifiers, sensitive Personal Data, internet activity, commercial information, and any other Personal Data that may be processed pursuant to the Agreement.
- Duration. The term of this DPA shall follow the term of the Agreement. EventBuilder will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
- Processing of Customer Data. EventBuilder shall process Customer Data only for the purposes described in the Agreement (including this DPA) or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by Applicable Law. If EventBuilder is collecting Personal Data from Attendees on behalf of Customer, EventBuilder shall follow Customer’s Instructions regarding such Personal Data collection. EventBuilder shall inform Customer without delay if, in EventBuilder’s opinion, an Instruction violates applicable Data Protection Laws and, where necessary, cease all Processing until Customer issues new Instructions with which EventBuilder is able to comply. If this provision is invoked, EventBuilder will not be liable to Customer under the Agreement for any failure to perform the Services until such time as Customer issues new lawful Instructions.
- Confidentiality. EventBuilder shall ensure that any personnel whom EventBuilder authorizes to Process Customer Data on its behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Customer Data. Additionally, EventBuilder shall take reasonable steps to ensure that, (i) persons employed by EventBuilder, and (ii) other persons engaged to perform on EventBuilder’s behalf, comply with the terms of the Agreement.
- Customer Responsibilities. Within the scope of the Agreement (including this DPA) and in Customer’s use of the Services, Customer shall comply with all Applicable Laws, including without limitation all requirements that apply to Customer under Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to EventBuilder. In particular, and without limiting the generality of the foregoing, Customer shall take sole responsibility for: (i) the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring Customer has the right to transfer, or provide access to, the Personal Data to EventBuilder for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that Customer’s Instructions to EventBuilder regarding the Processing of Customer Data comply with Applicable Laws; and (v) complying with all Applicable Laws (including Data Protection Laws) applicable to Customer’s use of the Services, including without limitation those relating to providing notice and obtaining consents. Customer shall inform EventBuilder without undue delay if it is not able to comply with this section or applicable Data Protection Laws. For the avoidance of doubt, EventBuilder is not responsible for compliance with any Data Protection Laws applicable to Customer or Customer's industry that are not generally applicable to EventBuilder.
- Sub-Processors. Customer agrees that EventBuilder may engage Sub-Processors to Process Customer Data. Where EventBuilder engages Sub-Processors, EventBuilder will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. EventBuilder will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause EventBuilder to breach any of its obligations under this DPA. EventBuilder shall maintain on its website a list of current Sub-Processors engaged to Process Customer Data and shall notify Customer of any changes to the Sub-processors list through in-product notifications, email or other means.
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EventBuilder shall, in relation to the Customer Data, maintain appropriate technical and organizational security measures designed to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Customer Data. In assessing the appropriate level of security, EventBuilder shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach. Upon request, EventBuilder shall provide Customer with a summary of EventBuilder’s security policies applicable to the Services.
- Data Transfers. Customer acknowledges and agrees that EventBuilder may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Agreement, and in particular that Personal Data will be transferred to and Processed by EventBuilder in the United States and to other jurisdictions where EventBuilder’s Sub-Processors have operations.
- Personal Data Breaches. EventBuilder will notify Customer without undue delay after EventBuilder becomes aware of any Personal Data Breach involving Customer Data, and will provide timely information relating to such Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, EventBuilder will promptly provide Customer with commercially reasonable assistance as necessary to enable Customer to notify authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws.
- Data Subject Requests. As part of the Services, EventBuilder provides Customer with a number of controls that Customer may use to access, correct, delete, or restrict Personal Data, which Customer may use to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws ("Data Subject Requests"). To the extent that Customer is unable to independently address a Data Subject Request through the Services, then upon Customer’s written request EventBuilder shall provide reasonable assistance to Customer to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Data under the Agreement. Customer shall reimburse EventBuilder for the commercially reasonable costs arising from this assistance. If a Data Subject Request or other communication regarding the Processing of Customer Data under the Agreement is made directly to EventBuilder, EventBuilder will promptly inform Customer and will advise the Data Subject to submit their request to Customer. Customer shall be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
- Data Protection Impact Assessment and Prior Consultation. To the extent EventBuilder is required under Data Protection Law, EventBuilder shall (at Customer's expense) provide reasonably requested information regarding EventBuilder’s processing of Customer Data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
- Deletion or Return of Personal Data. Upon termination or expiration of the Agreement, within 30 days EventBuilder will delete the Customer Data Processed pursuant to this DPA. During such 30-day period, EventBuilder will assist Customer in accessing such Customer Data Processed in accordance with Customer’s reasonable Instructions. The requirements of this section shall not apply to the extent that EventBuilder is required by Applicable Law to retain some or all of the Customer Data, or to Customer Data EventBuilder has archived on back-up systems, which data EventBuilder shall securely isolate and protect from any further Processing and delete in accordance with EventBuilder’s deletion practices.
- Demonstration of Compliance. Upon Customer's written request, EventBuilder shall make available to Customer (on a confidential basis) all information reasonably necessary, and allow for and contribute to audits, to demonstrate EventBuilder’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year. Customer shall take all reasonable measures to limit any impact on EventBuilder by combining several information and/or audit requests carried out on behalf of Customer in one single audit.
- European Data. This Section 15 applies only with respect to Processing of European Data by EventBuilder.
- Roles of the Parties. When Processing European Data under the Agreement, the Parties acknowledge and agree that Customer is the Controller and EventBuilder is the Processor.
- Sub-Processors. In addition to the provisions of Section 7, within 30 days after posting an updated Sub-Processor List, Customer may object to EventBuilder’s engagement of a new Sub-Processor if Customer can demonstrate that such Sub-Processor’s Processing of European Data does not comply with European Data Protection Laws. If Customer so objects, the Parties will discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, EventBuilder will, at its sole discretion, either not appoint the new Sub-Processor, or permit Customer to suspend or terminate the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
- Data Transfers. In addition to Section 9, for transfers of European Personal Data to EventBuilder for processing by EventBuilder in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing “adequate” data protection, EventBuilder agrees it will: (i) use the form of the Controller-to-Processor SCCs; or (ii) provide at least the same level of privacy protection for European Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks, as applicable. If such data transfers rely on Controller-to-Processor SCCs to enable the lawful transfer of European Personal Data, as set forth in the preceding sentence, the Parties agree that Data Subjects for whom EventBuilder Processes European Personal Data are third-party beneficiaries under the Controller-to-Processor SCCs. If EventBuilder is unable or becomes unable to comply with these requirements, then: (a) EventBuilder shall notify Customer of such inability; and (b) any movement of European Personal Data to a non-EU country requires the prior written consent of Customer.
- Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to EventBuilder, and Customer does not otherwise have access to the required information, EventBuilder will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.
- California Personal Information. This Section 16 applies only with respect to Processing of California Personal Information by EventBuilder in EventBuilder’s capacity as a Service Provider.
- Roles of the Parties. When Processing California Personal Information in accordance with Customer's Instructions, the Parties acknowledge and agree that Customer is a Business and EventBuilder is the Service Provider for the purposes of the CCPA. Additionally, for the purposes of interpreting this DPA with respect to Processing of California Personal Information, the term “Controller” is replaced with “Business” and “Processor” is replaced with “Service Provider” wherever those terms appear in Sections 2 through 14 and Section 17 of this DPA.
- The Parties agree that EventBuilder will process Attendees’ California Personal Information as a Service Provider strictly for the business purpose of performing the Services under the Agreement and as set forth in EventBuilder’s Privacy Notice. The Parties agree that EventBuilder shall not: (i) Sell Attendees’ California Personal Information; (ii) retain, use, or disclose Attendees’ California Personal Information for a commercial purpose other than for such business purpose or as otherwise permitted by the CCPA; or (iii) retain, use, or disclose Attendees’ California Personal Information outside of the direct business relationship between Customer and EventBuilder.
- EventBuilder hereby certifies that it understands and will comply with the restrictions of Section 16(b).
- No CCPA Sale. The Parties agree that Customer does not sell California Personal Information to EventBuilder because, as a Service Provider, EventBuilder may only use California Personal Information for the purposes of providing the Services to Customer.
- Customer represents that it is authorized to, and hereby agrees to, enter into and be bound by this DPA for and on behalf of itself and each of its affiliates and subsidiaries, thereby establishing a separate DPA between EventBuilder and Customer and each of Customer’s affiliates and subsidiaries subject to the Agreement, as applicable. The limitations of liability set forth in the Agreement shall apply to EventBuilder’s liability arising out of or relating to this DPA and the Standard Contractual Clauses (where applicable), taken in the aggregate along with the Agreement and any other agreement between the Parties. In case of any conflict or inconsistency with the terms of the Agreement, this DPA shall take precedence over the terms of the Agreement to the extent of such conflict or inconsistency. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected. We periodically update this Agreement. If you are a current Customer, you will be informed of any modification by email, alert on the customer dashboard or portal or by other means.
NW Virtual Partners LLC dba EventBuilder