Last Updated: December 31st, 2019
This Data Processing Addendum ("DPA") applies to Organizers that are subject to the EU General Data Protection Regulation (2016/EC/679) or "GDPR"), or equivalent legislation, including any amending or replacement legislation from time to time ("Applicable Data Protection Laws"), which require AddEvent to process Personal Data on their behalf as part of Organizer's use of the Services.
In this DPA references to "you" means the Organizer and references to "we", "us", "our" and "AddEvent" means AddEvent, Inc.
For our customers requiring a signed version of our DPA, you can request it right here.
Request signed DPA
Please fill out the information below to request a signed version of our DPA.
Thank you! Your request has been sent.
Please fill out all fields below.
The terms of this DPA are hereby incorporated in to the AddEvent Terms of Service or any other applicable services agreement between you and AddEvent (the "Agreement").
With respect to provisions regarding Processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where Organizer and AddEvent have individually negotiated data processing terms that are different from this DPA and which meet the requirements of Applicable Data Protection Law in full, in which case those negotiated terms will control.
"Data Controller", "Data Processor", "Data Subject", "Processing" and "Personal Data" shall have the meanings ascribed to them in Applicable Data Protection Laws;
"Data Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise Processed; and "Technical and Organizational Security Measures" means security measures implemented by AddEvent appropriate to the type of Personal Data being Processed and the Services being provided by AddEvent to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
1.1 In using AddEvent's Services, for the purposes of Applicable Data Protection Laws, Organizer is a Data Controller of the Personal Data associated with an individual using AddEvent Services to register for an event requiring RSVP, purchase a ticket to attend such Organizer's event ("Consumer") or subscribing to a calendar requiring subscriber to provide custom information prior to subscribing to a calendar. Organizer agrees to Process such Personal Data in accordance with Organizer's obligations under Applicable Data Protection Laws.
1.2 Where AddEvent Processes the Personal Data of Consumers on behalf of Organizer as part of the Services, AddEvent is a Data Processor in performing such Processing and Organizer is the Data Controller. This includes circumstances where AddEvent obtains Personal Data as a result of the provision of its core services (for example, where AddEvent facilitates the transmission of emails to Consumers at the request of Organizers, Processes payments, or provides event reports and tools to enable Organizers to gain insights into the effectiveness of various sales channels).
In respect of some Processing of Consumers' Personal Data, AddEvent may act as a Data Controller, for example, where Consumers have engaged with aspects of AddEvent's Applications beyond those relating to Organizer's event or where Consumers' Personal Data is Processed by AddEvent to conduct research and analysis to enable AddEvent to improve its products and features and provide targeted recommendations.
To the extent that AddEvent Processes Personal Data as a Data Processor on behalf of Organizer, Section 2 of this DPA shall apply, however, when AddEvent is acting as a Data Controller of Consumers' Personal Data, AddEvent's Processing shall not be subject to this DPA.
1.3 Details about the Personal Data to be Processed by AddEvent and the Processing activities to be performed under the Agreement are as follows: (i) duration - as set out in the Agreement; (ii) nature, purpose and subject matter - to enable Organizer to organize and promote events and manage RSVP's, ticketing, calendar subscribers using AddEvent Services; (iii) data categories - name, email address, billing and payment information, information related to events booked and attended, relationship to Organizer and any other Personal Data that Organizer requests of its Consumers; (iv) data subjects - Consumers.
2.1 Whenever AddEvent Processes Personal Data on behalf of Organizer, AddEvent shall:
2.1.1 Process Personal Data only on the documented instructions of Organizer, unless required to do otherwise by applicable law. AddEvent shall inform Organizer of the legal requirement before Processing Personal Data other than in accordance with Organizer's instructions, unless that same law prohibits AddEvent from doing so on important grounds of public interest. AddEvent will notify Organizer if in its opinion an instruction is in breach of Applicable Data Protection Laws. Organizer hereby instructs AddEvent, and AddEvent hereby agrees, to Process Personal Data as necessary to perform AddEvent's obligations under the Agreement and for no other purpose;
2.1.2 Have in place Technical and Organizational Security Measures to protect Personal Data;
2.1.3 Notify Organizer in the event of a Data Security Breach without undue delay and provide co-operation and assistance to Organizer to enable Organizer to comply with its obligations as a Data Controller in relation to data breach notification requirements;
2.1.4 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data;
2.1.5 Impose obligations on its sub-processors that have access to Personal Data that are the same as or equivalent to those set out in this Section 2 by way of written contract, and remain fully liable to Organizer for any failure by a sub-processor to fulfil its obligations in relation to the Personal Data;
2.1.6 Provide reasonable assistance to Organizer in responding to rights requests under Applicable Data Protection Laws, complaints, or other communications received from any data protection authority or individual who is the subject of any Personal Data Processed by AddEvent. In the event that a Consumer submits a Personal Data deletion request to AddEvent, Organizer hereby instructs and authorizes AddEvent to delete or anonymize the Consumer's Personal Data on Organizer's behalf;
2.1.7 Upon Organizer's written request, make available to Organizer all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, and allow for and co-operate with any audits. Any on-site audits shall be: (i) permitted only on reasonable advance notice to AddEvent; (ii) subject to appropriate confidentiality undertakings; and (iii) limited to once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means as determined by AddEvent; and
2.1.8 Except for that Personal Data with respect to which AddEvent acts as a Data Controller, return, delete, or destroy (at Organizer's election), the Personal Data and copies thereof, at Organizer's request (unless applicable law requires the storage of such Personal Data).
2.2 Organizer hereby consents to AddEvent's current sub-processors (i.e. those listed on AddEvent's website on the Effective Date of this DPA, as well as those listed on AddEvent's website as of the Effective Date of the Agreement) ("Current Sub-Processors") to Process Personal Data on its behalf.
2.3 Organizer hereby consents to AddEvent appointing additional and replacement sub-processors ("Replacement Sub-Processors") to Process Personal Data on its behalf. AddEvent shall: (i) give notice to Organizer of the identity of Replacement Sub-Processors via AddEvent's website (Organizer is responsible for regularly checking and reviewing AddEvent's website for any such changes and AddEvent's website shall be the sole means of AddEvent communicating any such changes); and (ii) give Organizer the opportunity to object to such changes that take place after the Effective Date of the Agreement, in accordance with the terms that follow in Section 2.4 of this DPA.
For the avoidance of doubt, any termination rights available herein shall only apply in the instance of objections to Replacement Sub-Processors appointed after the Effective Date of this DPA that are not remedied in accordance with the terms herein, and shall not apply in relation to Current Sub-Processors.
2.4 Organizer shall raise any objection to the appointment of Replacement Sub-Processors within ten (10) days of AddEvent posting the changes on its website. Organizer shall send its objection to firstname.lastname@example.org with the subject line 'Objection to Replacement Sub-Processor'.
Provided that Organizer's objection: (i) concerns the Replacement Sub-Processor's ability to allow AddEvent to materially comply with its data protection obligations under this DPA; and (ii) includes sufficient detail to support its objection and provide specific examples, AddEvent will then use commercially reasonable efforts to review and respond to Organizer's objection within thirty (30) days of receipt of Organizer's objection with AddEvent's determined method of accommodation. If AddEvent does not view the objection as providing sufficient supporting detail, the objection shall be deemed invalid and AddEvent has no further obligations.
If AddEvent determines in its sole discretion that it cannot reasonably accommodate Organizer's objection, upon notice from AddEvent, Organizer may choose to terminate the Agreement by providing written notice to AddEvent, and complying with the terms herein, which shall be Organizer's sole and exclusive remedy. Without limiting the generality of the foregoing, Organizer's termination right under this Section 2.4 will be deemed an additional termination right of Organizer under the "Term and Termination" Section of the Agreement (if any) and if exercised will be deemed a termination pursuant to such Section. Such written notice must be sent to email@example.com and must specifically reference this Section 2.4 of the DPA. The day AddEvent receives an Organizer's written termination notice under this Section 2.4 will be referred to as the "Objection Date" in this DPA. Should Organizer choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this Section 2 shall relieve Organizer from any of its payment and/or repayment obligations to AddEvent under the Agreement. Without limiting AddEvent's other rights and remedies, if Organizer terminates the Agreement pursuant to this Section 2.4, then Organizer will immediately pay to AddEvent (1) all amounts accruing and owed to AddEvent, including, without limitation, obligations to pay and/or repay AddEvent for Fees, Sponsorship Payments, Advances, and/or advance payments of Event Registration Fees, as such terms are defined in the Agreement and only to the extent applicable to Organizer, (2) if the Agreement includes a minimum number of tickets Organizer must sell, a minimum amount of Event Registration Fees or AddEvent Services Fees that must be processed (each such sales or processing threshold, a "Minimum Threshold"), and/or a requirement to pay AddEvent the portion of Service Fees AddEvent would have received had a Minimum Threshold been met, then Organizer agrees to pay AddEvent an amount equal to (x) the amount that AddEvent would have received in Service Fees had the Minimum Threshold been met in each year of the term up to the date of such termination (with such Minimum Threshold prorated as to any partial year of the Term), less (y) the amount that AddEvent actually received in Service Fees attributable to Organizer's sales during the Term up to the date of such termination; and (3) 80% of the anticipated Fees AddEvent would have earned during the remainder of the Term had the Agreement not been terminated with respect to (x) events on sale on the Site as of the Objection Date, and (y) any future events contemplated under the Agreement intended to go live in the ninety (90) days following the Objection Date.