DPA

Data Processing Addendum 

This Data Processing Addendum (including its appendices) (“DPA”) forms part of and is incorporated in the  Agreement between Client and TEVO. As used herein, “Agreement” refers to an agreement or terms of  service, and any associated contractual document between the parties, applicable to software and services  provided by Ticket Evolution Inc. and/or any of its subsidiaries, affiliates and divisions as may change from  time to time (collectively, “TEVO”). As used herein, “Client” refers to the individual or entity subject to the  Agreement.  

This DPA will be effective as of the effective date of the Agreement. To the extent of any conflict or  inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA will  govern.

1. Definitions. For purposes of this DPA:

a. “Data Privacy Laws” means all laws, regulations and other legal requirements means all  applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction  relating to privacy, data protection, data security, breach notification, or the Processing of  Personal Data, including without limitation, to the extent applicable, the California Consumer  Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments  made by the California Privacy Rights Act of 2020 (“CCPA”), other U.S. federal or state privacy  laws (together with the CCPA, “U.S. Privacy Laws”), the General Data Protection Regulation,  Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK  Privacy Act”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of  doubt, each party is only responsible for the Data Privacy Laws applicable to it.

b. “Data Subject” means an identified or identifiable natural person about whom Personal Data  relates.

c. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission  Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the  transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the  European Parliament and of the Council, located at  http://data.europa.eu/eli/dec_impl/2021/914/oj, completed as set forth in this DPA.

d. “Personal Data” includes “personal data,” “personal information,” “personally identifiable  information,” and similar terms, and such terms shall have the same meaning as defined by  applicable Data Privacy Laws, that is Processed in relation to the Agreement.  

e. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration,  unauthorized disclosure of, or access to, Personal Data.  

f. “Process,” “Processed,” and “Processing” mean any operation or set of operations  performed on Personal Data or on sets of Personal Data, whether or not by automated means,  such as collection, recording, organization, creating, structuring, storage, adaptation or  alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise  making available, alignment or combination, restriction, erasure or destruction.

g. “Subprocessor” means any TEVO affiliate or subcontractor engaged by TEVO for the  Processing of Personal Data.

h. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard  Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-

organisations/documents/4019539/international-data-transfer-DPA.pdf), completed as set  forth in this DPA.

2. Scope. This DPA applies to the Personal Data that TEVO receives from Client, or otherwise Processes  for or on behalf of Client, through the ticket management services that TEVO provides under the  Agreement (the “Services”).

3. Roles of the Parties; Client Responsibilities 

a. Client acknowledges that it is either (i) using the Services as the lawful owner of a physical or  virtual ticket allowing entry into an event (“Ticket”) and, therefore, is considered to be a  “controller” or “business” under Data Privacy Laws and that TEVO is a “processor” or “service  provider” under Data Privacy Laws; or (ii) using the Services as a “processor” or “service  provider” under Data Privacy Laws, in which case TEVO acts as Client’s processor (i.e.  subprocessor) or service provider.

b. Client will comply with all applicable laws, including that it will establish legal bases for its and TEVO’s Processing of Personal Data and obtain any consents required under Data Privacy  Laws for TEVO to Process the Personal Data and provide the Services.

4. Purposes of Processing 

a. TEVO will Process Personal Data solely: (1) to fulfill its obligations to Client under the  Agreement, including this DPA; (2) on Client’s behalf; and (3) in compliance with Data Privacy  Laws. Except as explicitly permitted by Data Privacy Laws, TEVO will:

i. not retain, use, or disclose the Personal Data outside of the direct business relationship  between Client and TEVO except as explicitly permitted by Data Privacy Laws;

ii. not “sell” or “share” any Personal Data, as such terms are defined in applicable U.S.  Privacy Laws, to any third party;

iii. not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified  Personal Data without Client’s express written permission;

iv. not attempt to link, identify, or otherwise create a relationship between Personal Data  and non-Personal Data or any other data without the express authorization of Client;

v. comply with any applicable restrictions under Data Privacy Laws on combining the  Personal Data with personal data that TEVO receives from, or on behalf of, another  person or persons, or that TEVO collects from any interaction between it and any  individual;

vi. provide the same level of protection for the Personal Data as is required under Data  Privacy Laws applicable to Client;  

vii. not otherwise engage in any Processing of the Personal Data that is prohibited or not  permitted by “processors” or “service providers” under Data Privacy Laws; and

viii. promptly notify Client if TEVO determines that (a) it can no longer meet its obligations  under this DPA or Data Privacy Laws; or (b) it has breached this DPA, and shall  cooperate to remediate such breach; or (c) in TEVO’s opinion, an instruction from  Client infringes Data Privacy Laws.

b. Client retains the right, upon notice, to take reasonable and appropriate steps to stop and  remediate unauthorized use of Personal Data, including any use of Personal Data not expressly  authorized in this DPA.

5. Personal Data Processing Requirements. TEVO will:

a. Ensure that the persons TEVO authorizes to Process the Personal Data are subject to a written  confidentiality agreement covering such data or are under an appropriate statutory obligation  of confidentiality.

b. Assist Client by appropriate technical and organizational measures, insofar as this is possible,  for the fulfillment of Client’s obligation to honor requests by individuals (or their representatives)  to exercise their rights under the Data Privacy Laws (such as rights to access or delete their  Personal Data).

c. Notify Client of (i) any third-party or Data Subject complaints regarding the Processing of  Personal Data; or (ii) any government or Data Subject requests for access to or information  about TEVO’s Processing of Personal Data, unless prohibited by applicable law. If TEVO receives a third-party, Data Subject, or governmental request, TEVO will, subject to legal  obligations, await written instructions from Client on how, if at all, to assist in responding to the  request. TEVO will provide Client with reasonable cooperation and assistance in relation to any  such request.  

d. Assist Client in its performance of a data protection impact assessment of Processing or  proposed Processing of Personal Data, when required by applicable Data Privacy Laws, by  providing Client with access to documentation for the Services. Additional support for data  protection impact assessments will require a statement of work and mutual agreement on fees,  the scope of TEVO’s involvement, and any other terms that the parties deem appropriate.

e. Assist Client in its consultation with regulatory authorities in relation to the Processing or  proposed Processing of Personal Data, including complying with any obligation applicable to  TEVO under Data Privacy Laws to consult with a regulatory authority in relation to TEVO’s Processing or proposed Processing of Personal Data, by providing Client with access to  documentation for the Services. Additional support for consultation with regulators is available  at Client expense and will require a statement of work and mutual agreement on fees, the  scope of TEVO’s involvement, and any other terms that the parties deem appropriate.

6. Subprocessors. TEVO may subcontract the collection or other Processing of Personal Data only in  compliance with Data Privacy Laws and any additional conditions for subcontracting set forth in the  Agreement. Prior to a Subprocessor’s Processing of Personal Data, TEVO will impose contractual  obligations on the Subprocessor that are substantially the same as those imposed on TEVO under this  DPA. A current list of Subprocessors for the services Client obtains under the Agreement is set forth  as Exhibit C. Subject to Client’s registration of an email address to receive notices (to be sent to TEVO  at legal@ticketevolution.com ), TEVO will provide Client with at least fifteen (15) days’ notice of any  new Subprocessor added to the list prior to transferring Personal Data to such new Subprocessor;  provided, however, TEVO may provide a shorter notice period where new Subprocessors are  necessary for security purposes. TEVO remains responsible for its Subprocessors and liable for their  performance under the Agreement and this DPA. This paragraph constitutes Client’s consent to both  TEVO’s use of the Subprocessors and its subprocessing under the EU SCCs and UK SCCs, as  applicable.

7. Security 

a. TEVO will assist Client in ensuring Client’s compliance with the security obligations of the  GDPR and other Data Privacy Laws, as relevant to TEVO’s role in Processing the Personal  Data, taking into account the nature of Processing and the information available to TEVO, by  complying with this Section 7 and, if available in the Services, by providing configurable security  options.

b. To protect the Personal Data, TEVO shall implement appropriate technical and organizational  measures that comply with Exhibit B, without prejudice to TEVO’s right to make future updates  to the measures that do not lower the level of protection of Personal Data.  

c. Client is solely responsible for reviewing the available security documentation and evaluating  for itself whether the Services and related security will meet Client’s needs, including Client’s security obligations under Data Privacy Laws. Client agrees that the security commitments in  this DPA will provide a level of security appropriate to the risk in respect of the Personal Data.

8. Personal Data Breach Notification. TEVO will comply with the Personal Data Breach-related obligations directly applicable to it under the GDPR and other Data Privacy Laws. Taking into account  the nature of Processing and the information available to TEVO, TEVO will assist Client in complying  with those obligations applicable to Client by informing Client of a confirmed Personal Data Breach  without undue delay.

9. Data Transfers 

a. Client agrees and will ensure that Client and its affiliates are entitled to transfer the Personal  Data to TEVO so that TEVO and its Subprocessors may lawfully Process the Personal Data in  accordance with the Agreement and this DPA.

b. Client authorizes TEVO and its Subprocessors to make international transfers of the Personal  Data in accordance with Data Privacy Laws and this DPA.

c. To the extent legally required, by entering into this DPA, Client and TEVO are deemed to have  signed the EU SCCs, which form part of this DPA and (except as described in Section 9(d) and  (e) below) will be deemed completed as follows:  

i. Module 2 of the EU SCCs applies to transfers of Personal Data from Client (as a  controller) to TEVO (as a processor) and Module 3 of the EU SCCs applies to transfers  of Personal Data from Client (as a processor) to TEVO (as a sub-processor);

ii. Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;

iii. Under Clause 9 of Modules 2 and 3 (Use of sub-processors), the parties select Option  2 (General written authorization);

iv. Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that  data subjects be permitted to lodge a complaint with an independent dispute resolution  body shall not be deemed to be included;

v. Under Clause 17 of Modules 2 and 3 (Governing law), the parties choose Option 1 (the  law of an EU Member State that allows for third-party beneficiary rights). The parties  select the law of Ireland;

vi. Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the parties  select the courts of Ireland;  

vii. Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in  Exhibit A of this DPA;  

viii. Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the parties  shall follow the rules for identifying such authority under Clause 13 and, to the extent  legally permissible, select the Irish Data Protection Commission.

ix. Annex II of Modules 2 and 3 (Technical and organizational measures) is completed  with Exhibit B of this DPA; and

x. Annex III of Modules 2 and 3 (List of subprocessors) is not applicable as the parties  have chosen General Authorization under Clause 9.

d. To the extent legally required, by entering into this DPA, the parties are deemed to be signing  the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as  set forth in the UK SCCs. The Tables within the UK SCCs are deemed completed as follows:

i. Table 1: The parties’ details shall be the parties and their affiliates to the extent any  of them is involved in such transfer, and the Key Contact shall be the contacts set forth  in the Agreement.

ii. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as  executed by the parties and completed in Section 9(c) of this DPA.

iii. Table 3: Annexes I and II are set forth in Exhibits A and B below, respectively. Annex  III is inapplicable.

iv. Table 4: Either party may end this DPA as set out in Section 19 of the UK SCCs. v. By entering into this DPA, the parties are deemed to be signing the UK SCCs.

e. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this  DPA as set forth in Section 9(c) of this DPA, but with the following differences to the extent  required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as  references to the FADP insofar as the data transfers are subject exclusively to the FADP and  not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about  identifiable legal entities until the entry into force of revisions to the FADP that eliminate this  broader scope; (3) term “member state” in EU SCCs shall not be interpreted in such a way as  to exclude data subjects in Switzerland from the possibility of suing for their rights in their place  of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4)  the relevant supervisory authority is the Swiss Federal Data Protection and Information  Commissioner (for transfers subject to the FADP and not the GDPR), or both such  Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and  GDPR apply, respectively).

10. Return or Destruction 

a. TEVO will, at the choice of Client, return to Client and/or destroy all Personal Data after the  end of the provision of services relating to Processing except to the extent applicable law  requires storage of the Personal Data.

b. Nothing will oblige TEVO to delete Personal Data from files created for security, backup and  business continuity purposes sooner than required by TEVO’s data retention processes. If  Client requires earlier deletion of such Personal Data, and such deletion is commercially  feasible, Client must first pay TEVO’s reasonable charges for such deletion, which may include  costs for business interruptions associated with such a request.

11. Audits 

a. TEVO will allow for and contribute to audits, including inspections, conducted by Client or  another auditor mandated by Client, as follows:

i. If the requested audit scope is addressed in an ISO or similar audit report issued by a  third party auditor within the prior twelve (12) months and TEVO provides such report  to Client confirming there are no known material changes in the controls audited, Client agrees to accept the findings presented in the third party audit report in lieu of  requesting an audit of the same controls covered by the report.  

ii. In the event an audit report is not provided, any audit, whether by Client or a third party, must be limited to no more than once per twelve (12) month period, and Client will (i)  conduct the audit only on an agreed date during normal business hours (9:00 am – 5:00 pm local time); (ii) limit its audit to only one business day; and (iii) pay TEVO’s  then-current audit fee.  

iii. If a third party is to conduct the audit, Client will provide at least thirty (30) days’  advance notice. The third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). TEVO will not  unreasonably withhold its consent to a third-party auditor requested by Client, unless  such third-party auditor is a competitor or another customer of TEVO’s Any third-party  auditor must execute a written confidentiality agreement acceptable to TEVO.

iv. Client must promptly provide TEVO with the results of any audit, including any third party audit report. All such results and reports, and any other information obtained  during the audit (other than Client’s Personal Data) is confidential information of TEVO.

b. Nothing herein will require TEVO to disclose or make available:  

i. any data of any other customer of TEVO;

ii. TEVO’s internal accounting or financial information;

iii. any trade secret of TEVO;

iv. any information that, in TEVO’s reasonable opinion, could (i) compromise the security  of TEVO systems or premises; or (ii) cause TEVO to breach its obligations under  applicable law or its security and/or privacy obligations to Client or any third party; or

v. any information sought for any reason other than the good faith fulfilment of Client’s  obligations under the Standard Contractual Clauses or Data Privacy Laws.

c. In addition, to the extent required by Data Privacy Laws, including where mandated by Client’s Supervisory Authority, Client or Client’s Supervisory Authority may perform, at Client’s  expense, a broader audit, including inspections of the data center facility that Processes  Personal Data. TEVO will contribute to such audits by providing Client or Client’s Supervisory

Authority with the information and assistance reasonably necessary to conduct the audit,  including any relevant records of Processing activities applicable to the Services.

d. Client must provide TEVO with any audit reports generated in connection with this DPA, unless  prohibited by applicable law. Client may use the audit reports only for the purposes of meeting  Client’s regulatory audit requirements and/or confirming compliance with the terms of this DPA.

Exhibit A 

Annex I to the EU SCCS 

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Data exporter(s):  

Name: The data exporter is Client.  

Activities relevant to the data transferred under these SCCs: The data exporter is a user of the data  importer’s Services pursuant to their underlying Agreement. The data exporter acts as a controller with  respect to its own personal data. To the extent permitted by the Agreement, the exporter also is permitted  to use the contracted Services as a processor on behalf of third parties.

Signature and date: The Parties agree that execution of the Agreement shall constitute execution of these  SCCs by both parties.  

Data importer(s):

Name: The data importer is TEVO.  

Activities relevant to the data transferred under these SCCs: The data importer is the provider of Services  to the data exporter and its customers pursuant to their underlying Agreement. The data importer acts as  the data exporter’s processor.  

Signature and date: The parties agree that execution of the Agreement shall constitute execution of these  SCCs by both parties.

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred:  

The data subjects whose Personal Data Client provides to TEVO for Processing under the Agreement,  which could consist of buyers of Tickets residing in the European Economic Area, the United Kingdom, and Switzerland.  

Categories of personal data transferred:  

The personal data transferred concern the following categories of data (please specify):  

Personal Data provided by Client to TEVO for Processing under the Agreement, which could consist of any  Personal Data associated with the purchase or sale of Tickets.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into  consideration the nature of the data and the risks involved, such as for instance strict purpose  limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional  security measures:

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous  basis):

Continuous.

Nature of the processing:  

Data importer’s Processing activities shall be limited to those discussed in the Agreement and the DPA. Purpose(s) of the data transfer and further processing:  

The objective of the transfer and further processing of Personal Data by TEVO is to provide services to  the Client, which may include, ticket management and data management.

The period for which the personal data will be retained, or, if that is not possible, the criteria used  to determine that period:  

Personal Data will be retained for the period of time necessary to provide the Services to Client under the  Agreement, the DPA, and/or in accordance with applicable legal requirements.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the  processing:  

Same as above to the extent such information is provided to subprocessors for purposes of providing the  Services.

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

To the extent legally permissible, the Competent Supervisory Authority is the Irish Data Protection  Commission.

Exhibit B 

Information Security

1. TEVO has agreed to employ appropriate technical and organizational measures to protect against  unauthorized or unlawful processing of Personal Data and against accidental loss or destruction  of, or damage to, Personal Data (“Information Security Program”).

2. TEVO’s Information Security Program includes specific security requirements for its personnel and  all subcontractors or agents who have access to Client Personal Data (“Data Personnel”). TEVO’s  security requirements covers the following areas:

a. Information Security Policies and Standards. TEVO will maintain information security  policies, standards and procedures. These policies, standards, and procedures shall be  kept up to date, and revised whenever relevant changes are made to the information  systems that use or store Client Personal Data. These policies, standards, and procedures  shall be designed and implemented to:

i. Prevent unauthorized persons from gaining physical access to Client Personal  Data Processing systems (e.g. physical access controls);

ii. Prevent Client Personal Data Processing systems from being used without  authorization (e.g. logical access control);

iii. Ensure that Data Personnel gain access only to such Client Personal Data as they  are entitled to access (e.g. in accordance with their access rights) and that, in the  course of Processing or use and after storage, Client Personal Data cannot be  read, copied, modified or deleted without authorization (e.g. data access controls);

iv. Ensure that Client Personal Data cannot be read, copied, modified or deleted  without authorization during electronic transmission, transport or storage, and that  the recipients of any transfer of Client Personal Data by means of data  transmission facilities can be established and verified (e.g. data transfer controls);

and

v. Ensure that all systems that Process Client Personal Data are the subject of a  vulnerability management program that includes without limitation internal and  external vulnerability scanning with risk rating findings and formal remediation  plans to address any identified vulnerabilities.

b. Physical Security. TEVO will maintain commercially reasonable security systems at all  TEVO sites at which an information system that uses or stores Client Personal Data is  located (“Processing Locations”) and will reasonably restrict access to such Processing  Locations.

c. Organizational Security. TEVO will maintain information security policies and procedures  addressing:

i. Data Disposal. Procedures for when media are to be disposed or reused have  been implemented to prevent any subsequent retrieval of any Client Personal Data  stored on media before they are withdrawn from the TEVO’s inventory or control.

ii. Data Minimization. Procedures for when media are to leave the premises at which

the files are located as a result of maintenance operations have been implemented  to prevent undue retrieval of Client Personal Data stored on media.

iii. Data Classification. Policies and procedures to classify sensitive information  assets, clarify security responsibilities, and promote awareness for all employees  have been implemented and are maintained.

iv. Incident Response. All Client Personal Data security incidents are managed in  accordance with appropriate incident response procedures.

d. Network Security. TEVO maintains commercially reasonable information security policies  and procedures addressing network security.

e. Access Control (Governance).

i. TEVO governs access to information systems that Process Client Personal Data.

ii. Only authorized TEVO staff can grant, modify or revoke access to an information  system that Processes Client Personal Data.

iii. TEVO implements commercially reasonable physical and technical safeguards to  create and protect passwords.

f. Virus and Malware Controls. TEVO protects Client Personal Data from malicious code and  will install and maintain anti-virus and malware protection software on any system that  handles Client Personal Data.

g. Personnel.

i. TEVO has implemented and maintains a security awareness program to train all  employees about their security obligations. This program includes training about  data classification obligations, physical security controls, security practices, and  security incident reporting.

ii. Data Personnel strictly follow established security policies and procedures.  Disciplinary process is applied if Data Personnel fail to adhere to relevant policies  and procedures.

iii. TEVO shall take reasonable steps to ensure the reliability of any employee, agent  or contractor who may Process Client Personal Data.

h. Business Continuity. TEVO implements disaster recovery and business resumption plans.  Business continuity plans are tested and updated regularly to ensure that they are up to  date and effective.

Exhibit C

Subprocessor

Country of Jurisdiction

Brief Description of Processing

Amazon Web Services, Inc.

United States

Cloud hosting services

Azure

United States

Server hosting services

Heroku

United States

Cloud hosting services

Equinix

United States

Server hosting services