Data Processing Addendum (DPA) for Processors and Sub-processors
Last Updated: March 6, 2023.
Capitalized terms used but not defined in this DPA shall have the same meanings as set out in the Agreement, if applicable. For the purposes of this DPA:
1.1 “Affiliate(s)” means any person or entity that controls, is controlled by, or is under common control with such entity, whether as of the date of the Agreement or thereafter. For purposes of this DPA, “control” means ownership or control, directly or indirectly, of more than 20% of the outstanding voting stock of an entity or otherwise possessing the power to direct the management and policies.
1.2 “Applicable Privacy Laws” means all applicable privacy and data protection laws and regulations anywhere in the world, including, where applicable, Regulation 2016/679/EU (“GDPR”), the EU Directive 2002/58/EC on privacy and electronic communications (in all cases, as amended, superseded or replaced), and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (as amended by the California Privacy Rights Act) and its implementing regulations (“CCPA”).
1.3 “Controller” means the natural or legal person or entity who determines the purposes and means of the processing of Personal Data. Controller is also a “business,” as that term is defined in the CCPA.
1.4 “Data Breach” means a breach of security leading to accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and all other unlawful forms of processing of Eventbrite Data.
1.5 “Eventbrite Data” means any and all data including Personal Data that is provided to Vendor or otherwise collected and/or accessed by Vendor on behalf of Eventbrite and/or its Affiliates in the course of providing the Services under the Agreement. Any Eventbrite Data that is Personal Data is hereby referred to as “Eventbrite Personal Data.”
1.6 “New EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Appendix 1 to this DPA.
1.7 “Personal Data” means any information relating to an identified or identifiable natural person or household; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
1.8 “Processor” means an entity that processes Personal Data on behalf of, and in accordance with the instructions of, a Controller.
1.9 “Sub-processor” means an entity engaged by a Processor who agrees to receive from the Processor Personal Data exclusively intended for the processing activities to be carried out as part of the Services.
1.10 “UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time.
1.11 “Vendor” means the individual or entity which has entered into the Agreement with Eventbrite.
2. Role of the Parties and Nature of the Personal Data
2.1 For purposes of this DPA, Eventbrite may act as a Controller, or it may act as a Processor of one of its customers. Vendor therefore acknowledges that it may act as a Processor of Eventbrite or a Sub-processor of Eventbrite. Where Eventbrite acts as a Processor, Eventbrite is obligated contractually and/or under Applicable Privacy Laws to flow down certain data protection related obligations to its appointed Sub-processors. Therefore all obligations placed on Processors in this DPA shall apply to Vendor regardless of whether Vendor acts as a Processor or Sub-processor.
2.2 The Vendor will process Eventbrite personal data under the Agreement in order to [this section will describe the nature, purpose and subject matter of Vendor’s data processing activities under the Agreement]. Personal Data that may be processed may relate to event organizers, attendees, employees, contractors and contacts and may include name, email address, billing and payment information, events booked, organized and attended and any other Personal Data that may be processed pursuant to the Agreement.
3. Vendor’s Compliance
3.1 Vendor warrants and undertakes to process Eventbrite Personal Data only for the limited and specified purposes set out in the Agreement and/or as otherwise lawfully instructed by Eventbrite in writing (email or otherwise), except where otherwise required by applicable law. Vendor will immediately inform Eventbrite if, in its opinion, an instruction is in breach of Applicable Privacy Laws.
3.2 Vendor acknowledges and confirms that it does not receive any Eventbrite Data as consideration for any services or other items that Vendor provides to Eventbrite. Vendor shall not have, derive or exercise any rights or benefits regarding Eventbrite Data.
3.3 Vendor shall comply with all applicable provisions of Applicable Privacy Laws and provide the same level of protection for Eventbrite Data as required of Eventbrite under Applicable Privacy Laws. Vendor will process Eventbrite Data only as necessary to perform Vendor’s obligations under the Agreement, or as otherwise permitted by Applicable Privacy Laws. Without limiting the foregoing, Vendor will not:
“sell” or “share” Eventbrite Data, as such terms are defined in the CCPA;
retain, use, or disclose any such data outside of the direct business relationship between Eventbrite and Vendor unless permitted by Applicable Privacy Laws; or
retain, use or disclose Eventbrite Data for any purpose other than the business purposes specified in this DPA or otherwise permitted by Applicable Privacy Laws.
Vendor shall comply with any applicable restrictions under Applicable Privacy Laws on combining Eventbrite Data with personal data that Vendor receives from, or on behalf of, another person or persons, or that Vendor collects from any interaction between it and any individual.
3.4 Vendor represents and warrants that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from taking any action that would cause any transfers of Eventbrite Data to or from Vendor to qualify as “selling” or “sharing” personal information under the CCPA.
3.5 Vendor will notify Eventbrite within five (5) business days if Vendor makes a determination that it can no longer meet its obligations under Applicable Privacy Laws.
3.6 Eventbrite shall have the right, upon seven (7) business days’ notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Eventbrite Data by Vendor.
4. International Data Transfers
4.1 Eventbrite authorizes Vendor and its Sub-processors to make international data transfers of Eventbrite Personal Data in accordance with this DPA so long as Applicable Privacy Laws for such transfers are respected.
4.2 EEA Transfers. With respect to Personal Data transferred from the European Economic Area (“EEA”), the New EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA to the extent of conflict. Vendor hereby agrees to enter into the New EU SCCs, which are incorporated into this DPA by this reference and completed as follows:
Where Vendor is acting as Eventbrite’s Processor, Module Two of the New EU SCCs shall apply.
Where Vendor is acting as Eventbrite’s Sub-processor, Module Three of the New EU SCCs shall apply.
For both Modules Two and Three, Eventbrite is the Data Exporter and Vendor is the Data Importer.
If and to the extent an Eventbrite Affiliate relies on the New EU SCCs for the transfer of Eventbrite Data, any references to Eventbrite in this Section include such Eventbrite Affiliate. Where this Section does not explicitly state that it applies to a particular Module of the New EU SCCs, it applies to both Modules.
The Parties agree to the following:
In Clause 7, the optional docking clause will apply;
In Clause 9, Option 2 (General Authorization) will apply and provide for a 30-day advance notice;
In Clause 11, the optional language will not apply;
In Clauses 17 and 18, the Parties choose the law of Ireland and the courts of Ireland.
Annexes. The Parties agree that Annex I and Annex II to the New EU SCCs shall be completed by Appendix 1 to this DPA.
4.3 Switzerland Transfers. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, (i) references to the GDPR in Clause 4 of the New EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner; and (ii) as so amended, the New EU SCCs are incorporated herein by reference and shall apply, form a part of this DPA, and take precedence over the rest of this DPA to the extent of conflict.
4.4 UK Transfers. With respect to Eventbrite Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCC Addendum, unless the United Kingdom issues updates to the UK SCC Addendum, in which case the updated UK SCC Addendum will control. Undefined capitalized terms used in this provision shall have the meanings given in the UK SCC Addendum. Vendor hereby agrees to enter into the UK SCC Addendum, which is incorporated into this DPA by this reference and completed as follows:
In Table 1, the Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Appendix 1 to this DPA.
In Table 2, the Approved EU SCCs shall be the New EU SCCs as executed by the Parties pursuant to this DPA.
In Table 3, Annex 1A, 1B, and Annex II shall be as set forth in Appendix 1 to this DPA.
In Table 4, either party may end this DPA as set out in Section 19 of the UK SCC Addendum.
4.5 Transfer Assessment. To the extent required under or necessitated by Applicable Privacy Laws and/or guidance issued by data protection regulatory authorities in relevant jurisdictions, Vendor shall conduct a risk assessment of any such international transfer to determine if the level of protection provided under the laws of the recipient country are adequate to protect Eventbrite Data in advance of engaging in any such transfer (“Transfer Assessment”). Depending on the outcome of any such Transfer Assessment, Vendor shall implement additional measures as necessary to ensure the protection of Eventbrite Data, which may include, without limitation, additional contractual protections and security measures. Upon Eventbrite’s reasonable request, Vendor shall provide Eventbrite with a copy of such Transfer Assessment and/or provide Eventbrite with information to enable Eventbrite to complete its own such assessments.
5. Confidentiality and Security
5.1 Vendor shall ensure that any person that it authorizes to process the Eventbrite Data (including Vendor's staff, agents and subcontractors) shall be subject to a duty of confidentiality.
5.2 Vendor shall ensure it implements and maintains throughout the term of the Agreement, or duration of its services to Eventbrite as a Processor or Sub-processor, appropriate technical and organizational measures to protect Eventbrite Data, including protection against Data Breaches. Such measures shall include, at minimum, the measures specified in Annex II of the New EU SCCs, and for clarity, the measures will apply to any and all processing of Eventbrite Data. Vendor shall also assist Eventbrite in meeting Eventbrite’s obligations related to the security of the Eventbrite Personal Data processed by Vendor.
6.1 Vendor shall notify Eventbrite of any Sub-processors it uses in respect of Eventbrite Personal Data and provide Eventbrite with ten (10) business days to object. In the event Eventbrite objects to a Sub-processor, Vendor will use commercially reasonable efforts to make available to Eventbrite a change in the Services or recommend a commercially reasonable change to Eventbrite’s configuration or use of the Services to avoid processing of Eventbrite Data by the objected-to Sub-processor without unreasonably burdening Eventbrite. If Vendor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either Party may terminate without penalty the processing of Eventbrite Data and/or the Agreement with respect only to those services which cannot be provided by Eventbrite without the use of the objected-to new Sub-processor by providing written notice to the other Party.
6.2 Vendor shall also:
ensure that any Sub-processor is contractually bound in writing to provide at least the same level of protection as is required by this DPA and complies with Applicable Privacy Laws;
be fully responsible for, and liable to Eventbrite for acts and omissions of any Sub-processor as if they were Vendor’s own act or omission; and
provide Eventbrite with details of any Sub-processors appointed, on request.
6.3 After this initial notification, Vendor shall provide Eventbrite with at least thirty (30) days’ written notice of new Sub-processors before authorizing such Sub-processor(s) to process Eventbrite Data. Eventbrite may object to Vendor’s use of a new Sub-processor by notifying Vendor within ten (10) business days after receipt of Vendor’s notice. In the event Eventbrite objects to a new Sub-processor, the procedure for resolving objections set forth in Section 6.1 shall apply.
7. Cooperation and Data Subjects Rights
Vendor will provide all assistance reasonably required by Eventbrite to enable Eventbrite to:
respond to, comply with or otherwise resolve any rights request, question or complaint received by Eventbrite (or an Eventbrite customer) from:
any living individual whose Personal Data is processed by Vendor on behalf of Eventbrite; or
any applicable formally designated data protection authority;
comply with (and demonstrate compliance with) its obligations under Applicable Privacy Laws; and
conduct privacy and data protection impact assessments and related consultations of data protection authorities.
In the event that any such request, question or complaint under this Section 8 is made directly to Vendor, Vendor shall inform Eventbrite providing full details of the same. Where necessary, Eventbrite shall inform Vendor of any other individual rights request that Vendor must comply with, and provide the information necessary for Vendor to comply with the request.
On reasonable prior written notice, Vendor agrees to provide Eventbrite (or its appointed auditors) with all information Eventbrite deems reasonably necessary for Eventbrite to audit Vendor's compliance with the requirements of this DPA, including completion of audit questionnaires, provision of security policies and summaries of assessments of compliance with any industry standards (such as ISO 27001, SSAE 16 SOC II), penetration testing and vulnerability scans.
9. Data Breach
In the event of a Data Breach, Vendor will:
9.1 Promptly notify Eventbrite without undue delay (and at the latest within 48 hours of becoming aware of the Data Breach) and provide Eventbrite with a reasonably detailed description of the Data Breach, the type of data that was the subject of the Data Breach and the identity of each affected person as soon as such information can be collected or otherwise becomes available, as well as any other information that Eventbrite may reasonably request relating to the Data Breach; and
9.2 Promptly (and at the latest beginning within 48 hours of discovery of the Data Breach) investigate the Data Breach, make reasonable efforts to mitigate the effects and harm of the Data Breach in accordance with its obligations under Section 5 (Confidentiality and Security) above, and provide any other assistance that Eventbrite may reasonably request relating to the Data Breach.
10. Deletion or Return of Data
Upon termination or expiry of this DPA, Vendor shall (at Eventbrite's election) destroy or return to Eventbrite all Eventbrite Data (including all copies of Eventbrite Data) in its possession or control (including any Eventbrite Data subcontracted to a third party for processing), unless any applicable law requires Vendor to retain Eventbrite Data.
Vendor will indemnify, keep indemnified and hold harmless Eventbrite, its clients, officers, directors, employees, agents, representatives and Affiliates (each an "Indemnified Party") from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Vendor's non-compliance with the requirements of this DPA.
Except for the changes made by this DPA, the Agreement and/or any other agreements related to the Services remain unchanged and in full force and effect. If there is any conflict between any provision in this DPA and any provision in the Agreement or other agreements between the parties, this DPA controls and takes precedence.
Appendix 1
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union].
Name: Eventbrite, Inc.
Address: 95 Third Street, 2nd Floor, San Francisco, California, 94103 USA
Contact person’s name, position and contact details: As provided under the Agreement between data exporter and data importer.
Activities relevant to the data transferred under these Clauses: Transferring and accessing the data and any other activities related to receipt of the Services described under the Agreement.
Signature and date: The data exporter’s signature to the DPA and date of that signature shall constitute the signature and date for this Appendix.
Role (controller/processor): For purposes of Module 1 of the Standard Contractual Clauses, data exporter is the Data Controller. For purposes of Module 2 of the Standard Contractual Clauses, data exporter is the Processor.
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]. Data exporter’s name, address, and contact person information shall be as set out under the Agreement between the data exporter and data importer.
Activities relevant to the data transferred under these Clauses: Processing in order to provide the Services to COMPANY as described in the Agreement between data exporter and data importer, including as described under the DPA and its appendices.
Signature and date: The data importer’s signature to the DPA and date of that signature shall constitute the signature and date for this Appendix.
Role (controller/processor): Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Event organizers, attendees, employees, contractors and contacts
Categories of personal data transferred
Name, email address, billing and payment information, events booked, organized and attended and any other Personal Data that may be processed pursuant to the Agreement
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuously, for the length of the Agreement between the parties.
Nature of the processing
Personal data will be processed for purposes of fulfilling Vendor’s obligations to Eventbrite under the Agreement and the DPA.
Purpose(s) of the data transfer and further processing
For Vendor to provide the Services to Eventbrite pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal data shall be retained for the length of time necessary to provide the Services under the Agreement, or as otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Vendor’s sub-processors will process personal data to assist Vendor in providing the Services pursuant to the Agreement, for as long as needed for Vendor to provide the Services.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be the Irish Data Protection Authority.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Policies for information security: The data importer agrees to implement a set of policies for information security that are defined, approved by management, published and communicated to employees and relevant external parties.
Review of the policies for information security: The data importer agrees to ensure that the policies for information security are reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
Information security awareness, education and training: The data importer will ensure all employees of the organization and, where relevant, contractors receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Acceptable use of assets: The data importer will ensure rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented and implemented.
Classification of information: The data importer will ensure all information assets are classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
Disposal of media: The data importer will ensure all media is disposed of securely when no longer required, using formal procedures.
Access control policy: The data importer will ensure an access control policy is established, documented and reviewed based on business and information security requirements.
Policy on the use of cryptographic controls: The data importer will ensure a policy on the use of cryptographic controls for protection of information has been developed and implemented.
Physical security perimeter: The data importer will ensure that security perimeters are defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
Physical entry controls: The data importer will ensure secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Secure disposal or re-use of equipment: The data importer will ensure all items of equipment containing storage media are verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Controls against malware: The data importer will implement detection, prevention and recovery controls to protect against malware, combined with appropriate user awareness.
Information backup: The data importer will implement a backup policy to define the organization’s requirements for backup of information, software and systems.
Management of technical vulnerabilities: The data importer will take action to mitigate technical vulnerabilities, to reduce exposure to such vulnerabilities and ensure appropriate measures are taken to address the associated risk.
Information systems audit controls: The data importer will implement carefully planned and agreed upon audit requirements and activities involving verification of operational systems to minimize disruptions to business processes.
Network controls: The data importer will ensure networks are managed and controlled to protect information in systems and applications and ensure groups of information services, users and information systems are appropriately segregated.
Electronic messaging: The data importer will ensure information involved in electronic messaging will be appropriately protected.
Confidentiality or non-disclosure agreements: The data importer will ensure requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information are identified, regularly reviewed and documented.
Securing application services on public networks: The data importer will ensure information involved in application services passing over public networks is protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Secure system engineering principles: The data importer will ensure principles for engineering secure systems are established, documented, maintained and applied to any information system implementation efforts.
System security and acceptance testing: The data importer will ensure testing of security functionality is carried out during development and that acceptance testing programs and related criteria are established for new information systems, upgrades and new versions. The data importer will ensure test data is selected carefully, protected and controlled.
Reporting and responding to information security events: The data importer will ensure information security events are reported through appropriate management channels as quickly as possible and will ensure information security incidents are responded to in accordance with the documented procedures.
Planning information security continuity: The data importer will determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.