Help Centre
Data Processing Addendum (DPA) for Processors and Sub-processors
Last Updated: March 6, 2023. To learn more about Eventbrite's Legal Terms, take a look here.
In this article
- Overview
- 1. Definitions
- 2. Role of the Parties and Nature of the Personal Data
- 3. Vendor’s Compliance
- 4. International Data Transfers
- 5. Confidentiality and Security
- 6. Sub-processing
- 7. Cooperation and Data Subjects Rights
- 8. Audit
- 9. Data Breach
- 10. Deletion or Return of Data
- 11. Indemnity
- 12. Miscellaneous
- ANNEX I
- ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Overview
This Data Processing Agreement (“DPA”) shall govern any services provided to Eventbrite, Inc. and its Affiliates (“Eventbrite”) by you (“you,” “your,” or “Vendor”) as a Processor or Sub-processor (as defined below) (the “Services”). You and Eventbrite shall each be referred to herein as a “Party” and together as “Parties”. This DPA supplements, is incorporated into, and will remain in effect for the term of any agreement between the Parties, including but not limited to any executed or click-through agreement or, if applicable, Eventbrite’s API Terms of Use (the “Agreement”), the duration of Services, or the processing of Eventbrite Data, whichever is later (the “Term”). Without limiting the generality of the foregoing, the subject matter, nature, and purpose of the processing under this DPA is the provision of the Services under the Agreement, and the categories of personal data and categories of data subjects are those necessary to provide the Services under the Agreement, as described more fully in the Agreement. The Parties agree as follows:
1. Definitions
Capitalized terms used but not defined in this DPA shall have the same meanings as set out in the Agreement, if applicable. For the purposes of this DPA: 1.1 “Affiliate(s)” means any person or entity that controls, is controlled by, or is under common control with such entity, whether as of the date of the Agreement or thereafter. For purposes of this DPA, “control” means ownership or control, directly or indirectly, of more than 20% of the outstanding voting stock of an entity or otherwise possessing the power to direct the management and policies. 1.2 "Applicable Privacy Laws" means all applicable privacy and data protection laws and regulations anywhere in the world, including, where applicable, Regulation 2016/679/EU (“GDPR”), the EU Directive 2002/58/EC on privacy and electronic communications (in all cases, as amended, superseded or replaced), and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (as amended by the California Privacy Rights Act) and its implementing regulations (“CCPA”). 1.3 "Controller" means the natural or legal person or entity who determines the purposes and means of the processing of Personal Data. Controller is also a “business,” as that term is defined in the CCPA. 1.4 "Data Breach" means a breach of security leading to accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and all other unlawful forms of processing of Eventbrite Data. 1.5 "Eventbrite Data" means any and all data including Personal Data that is provided to Vendor or otherwise collected and/or accessed by Vendor on behalf of Eventbrite and/or its Affiliates in the course of providing the Services under the Agreement. Any Eventbrite Data that is Personal Data is hereby referred to as “Eventbrite Personal Data.” 1.6 “New EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, completed as set forth in Appendix 1 to this DPA. 1.7 "Personal Data" means any information relating to an identified or identifiable natural person or household; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 1.8 "Processor" means an entity that processes Personal Data on behalf of, and in accordance with the instructions of, a Controller. 1.9 “Sub-processor” means an entity engaged by a Processor who agrees to receive from the Processor Personal Data exclusively intended for the processing activities to be carried out as part of the Services. 1.10 “UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time. 1.11 “Vendor” means the individual or entity which has entered into the Agreement with Eventbrite.
2. Role of the Parties and Nature of the Personal Data
2.1 For purposes of this DPA, Eventbrite may act as a Controller, or it may act as a Processor of one of its customers. Vendor therefore acknowledges that it may act as a Processor of Eventbrite or a Sub-processor of Eventbrite. Where Eventbrite acts as a Processor, Eventbrite is obligated contractually and / or under Applicable Privacy Laws to flow down certain data protection related obligations to its appointed Sub-processors. Therefore all obligations placed on Processors in this DPA shall apply to Vendor regardless of whether Vendor acts as a Processor or Sub-processor. 2.2 The Vendor will process Eventbrite personal data under the Agreement in order to [this section will describe the nature, purpose and subject matter of Vendor’s data processing activities under the Agreement]. Personal Data that may be processed may relate to event organizers, attendees, employees, contractors and contacts and may include name, email address, billing and payment information, events booked, organized and attended and any other Personal Data that may be processed pursuant to the Agreement.
3. Vendor’s Compliance
3.1 Vendor warrants and undertakes to process Eventbrite Personal Data only for the limited and specified purposes set out in the Agreement and/or as otherwise lawfully instructed by Eventbrite in writing (email or otherwise), except where otherwise required by applicable law. Vendor will immediately inform Eventbrite if, in its opinion, an instruction is in breach of Applicable Privacy Laws. 3.2 Vendor acknowledges and confirms that it does not receive any Eventbrite Data as consideration for any services or other items that Vendor provides to Eventbrite. Vendor shall not have, derive or exercise any rights or benefits regarding Eventbrite Data. 3.3