91��Ƭ��

• Overview and Definitions.

• 1. Applicability of DPA and scope of data processing activities.

• 2. Data processing clauses.

• 3. Cross-Border Transfers.

Overview and Definitions.

The terms of this DPA are hereby incorporated into the 91��Ƭ�� Terms of Service, Privacy Policy or any other applicable services agreement between you and 91��Ƭ�� (the "Agreement").

With respect to provisions regarding Processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where Organizer and 91��Ƭ�� have individually negotiated data processing terms that are different from this DPA and which meet the requirements of applicable Data Protection Laws in full, in which case those negotiated terms will control.

“CCPA” means the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and associated regulations.

“Data Protection Laws” means all applicable laws or regulations related to the privacy, confidentiality and security of Personal Data.

“Business,” "Data Controller," "Data Processor," "Data Subject," "Processing," "Personal Data," and “Service Provider” shall have the meanings ascribed to them in applicable Data Protection Laws.

"Data Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data Processed by 91��Ƭ�� on Organizer’s behalf as part of Organizer’s use of the Services.

“New EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

“Services” means any services provided by 91��Ƭ�� to Organizer, as defined in the 91��Ƭ�� Terms of Service of any other applicable services agreement between Organizer and 91��Ƭ��.

"Technical and Organizational Security Measures" means reasonable security measures implemented by 91��Ƭ�� appropriate to the type of Personal Data being Processed on Organizer’s behalf and the Services being provided by 91��Ƭ�� designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.

“UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time.

1. Applicability of DPA and scope of data processing activities.

1.1 In using 91��Ƭ��'s Services, Organizer acts as a Business and is a Data Controller of the Personal Data associated with an individual using 91��Ƭ�� Services, or on whose behalf an individual is using 91��Ƭ�� Services, to register for or purchase a ticket to attend such Organizer's event ("Consumer"). Organizer represents and warrants that it has provided any necessary notices and if required, obtained any necessary consents related to the collection of such Personal Data from the Consumer and Organizer has the right to share such Personal Data with 91��Ƭ��.

1.2 Where 91��Ƭ�� Processes the Personal Data of Consumers on behalf of Organizer as part of the Services, 91��Ƭ�� is a Data Processor or Service Provider in performing such Processing and Organizer is the Data Controller or Business. This includes circumstances where 91��Ƭ�� obtains Personal Data as a result of the provision of its core ticketing services (for example, where 91��Ƭ�� facilitates the transmission of emails to Consumers at the request of Organizers, processes payments, or provides event reports and tools to enable Organizers to gain insights into the effectiveness of various sales channels).

In respect of some processing of Consumers' Personal Data, 91��Ƭ�� may act as a Data Controller or Business, for example, where Consumers have engaged with aspects of 91��Ƭ��'s Applications beyond those relating to Organizer's event or where Consumers' Personal Data is Processed by 91��Ƭ�� to conduct research and analysis to enable 91��Ƭ�� to improve its products and features and provide targeted recommendations. With regard to such processing, 91��Ƭ�� is an independent Data Controller and not a joint Data Controller with Organizer.

To the extent that 91��Ƭ�� processes Personal Data as a Data Processor or Service Provider on behalf of Organizer, Section 2 of this DPA shall apply, however, when 91��Ƭ�� is acting as a Business or Data Controller of Consumers' Personal Data, 91��Ƭ��'s processing shall not be subject to this DPA.

1.3 Details about the Personal Data to be processed by 91��Ƭ�� and the Processing activities to be performed under the Agreement are as follows: (i) duration - as set out in the Agreement; (ii) nature, purpose and subject matter - to enable Organizer to organize and promote events and manage ticketing using 91��Ƭ�� Services; (iii) data categories - name, email address, billing and payment information, information related to events booked and attended, relationship to Organizer and any other Personal Data that Organizer requests of its Consumers; (iv) data subjects - Consumers.

2. Data processing clauses.

2.1 Whenever 91��Ƭ�� processes Personal Data on behalf of Organizer, 91��Ƭ�� shall:

2.1.1 Process Personal Data only on the documented instructions of Organizer, unless required to do otherwise by applicable law. 91��Ƭ�� shall inform Organizer of the legal requirement before processing Personal Data other than in accordance with Organizer's instructions, unless that same law prohibits 91��Ƭ�� from doing so on important grounds of public interest. Organizer will ensure that its instructions comply with all laws, regulations and rules applicable to the Personal Data, and that 91��Ƭ��’s processing of such Personal Data will not cause 91��Ƭ�� to violate any applicable law, regulation or rule, including Data Protection Laws. 91��Ƭ�� will notify Organizer, if in its opinion, an instruction is in breach of applicable Data Protection Laws. Organizer hereby instructs 91��Ƭ��, and 91��Ƭ�� hereby agrees, to process Personal Data as necessary to perform 91��Ƭ��'s obligations under the Agreement and for no other purpose, unless otherwise specified in this DPA or required to comply with the law or other binding governmental order. In the event that this DPA or any actions to be taken or contemplated in performance of this DPA do not or would not satisfy either party’s obligations under applicable Data Protection Laws, the parties shall negotiate in good faith upon an appropriate amendment to this DPA;

2.1.2 Comply with all applicable provisions of Data Protection Laws and provide the same level of protection for Personal Data as required of Organizer under Data Protection Laws.�� 91��Ƭ�� will process Personal Data only as necessary to perform 91��Ƭ��’s obligations under the Agreement, or as otherwise permitted by Data Protection Laws. Without limiting the foregoing, 91��Ƭ�� will not (i) “sell” or “share” the Personal Data, as such terms are defined in the CCPA; (ii) 91��Ƭ�� shall not retain, use, or disclose any such data outside of the direct business relationship between Organizer and 91��Ƭ�� unless permitted by Data Protection Laws, or (iii) retain, use or disclose Personal Data for any purpose other than the business purposes specified in this DPA or otherwise permitted by Data Protection Laws.�� 91��Ƭ�� shall comply with any applicable restrictions under Data Protection Laws on combining Personal Data with personal data that 91��Ƭ�� receives from, or on behalf of, another person or persons, or that 91��Ƭ�� collects from any interaction between it and any individual.

2.1.3 Have in place Technical and Organizational Security Measures which include, but are not limited to, the measures described here:��;

2.1.4 Notify Organizer in the event of a Data Security Breach without undue delay, unless otherwise prohibited by law or otherwise instructed by a law enforcement or data protection authority. In the event of any Data Security Breach, 91��Ƭ��, in its sole discretion, may provide data breach notification to affected data subjects directly.��Where 91��Ƭ�� does not provide such notification, 91��Ƭ�� shall provide reasonable assistance, where required by applicable Data Protection Laws and at Organizer’s request, to enable Organizer to comply with its data breach obligations as a Data Controller or Business;

2.1.5 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data of Consumers Processed by 91��Ƭ�� on Organizer’s behalf;

2.1.6 Impose obligations on its sub-processors that have access to Personal Data of Consumers Processed by 91��Ƭ�� on Organizer’s behalf that are the same as or equivalent to those set out in this Section 2 by way of written contract, and remain fully liable to Organizer for any failure by a sub-processor to fulfill its obligations in relation to such Personal Data;

2.1.7 Provide reasonable assistance to Organizer in responding to individual rights requests or other communications received under applicable Data Protection Laws from any applicable data protection authority or Consumer who is the subject of any Personal Data processed by 91��Ƭ�� on Organizer’s behalf. In the event that a Consumer submits a Personal Data deletion request to 91��Ƭ��, Organizer hereby instructs and authorizes 91��Ƭ�� to delete or anonymize the Consumer's Personal Data on Organizer's behalf.�� Where necessary, Organizer shall inform 91��Ƭ�� of any other individual rights request that 91��Ƭ�� must comply with, and provide the information necessary for 91��Ƭ�� to comply with the request.;

2.1.8 Upon Organizer's written request, make available to Organizer all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, provide reasonable assistance with privacy and data protection impact assessments and related consultations of data protection authorities, and allow for and co-operate with any audits. Any on-site audits shall be: (i) permitted only on reasonable advance notice to 91��Ƭ��; (ii) subject to appropriate confidentiality undertakings; and (iii) limited to once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means; and

2.1.9 Except for that Personal Data with respect to which 91��Ƭ�� acts as a Data Controller or Business, return, delete, or destroy (at Organizer's election) the Personal Data of Consumers processed on Organizer’s behalf and copies thereof, at Organizer's request (unless applicable law requires the storage of such Personal Data).

2.2 Organizer hereby consents and authorizes 91��Ƭ�� to disclose or transfer Personal Data to, or allow access to Personal Data by, 91��Ƭ��'s����(i.e. those listed on 91��Ƭ��'s website on the Effective Date of this DPA or the Agreement, whichever is later) ("Current Sub-Processors") to process Personal Data on Organizer’s behalf.

2.3 Organizer hereby consents to 91��Ƭ�� appointing additional and replacement sub-processors ("Replacement Sub-Processors") to process Personal Data on Organizer’s behalf. 91��Ƭ�� shall��give notice to Organizer of the identity of intended Replacement Sub-Processors (i) via��email��where Organizer has opted in to receive such email notifications and (ii) by updating 91��Ƭ��'s website (Organizer is responsible for regularly checking and reviewing 91��Ƭ��'s website for any such changes).��Organizers interested in receiving��email notice of Replacement Sub-Processors must opt in and subscribe using this����(Organizer is solely responsible for ensuring its contact information remains accurate). 91��Ƭ�� shall also give the Organizer the opportunity to object to such changes that take place after the Effective Date of the Agreement, in accordance with the terms that follow in Section 2.4 of this DPA.

For the avoidance of doubt, any termination rights available herein shall only apply in the instance of objections to Replacement Sub-Processors appointed after the Effective Date of this DPA that are not remedied in accordance with the terms herein, and shall not apply in relation to Current Sub-Processors.

2.4 Organizer shall raise any objection to the appointment of Replacement Sub-Processors within ten (10) days of 91��Ƭ�� posting the changes on its website. Organizer shall send its objection to��privacy@eventbrite.com��with the subject line 'Objection to Replacement Sub-Processor'.

Provided that Organizer's objection: (i) concerns the Replacement Sub-Processor's ability to allow 91��Ƭ�� to materially comply with its data protection obligations under this DPA; and (ii) includes sufficient detail to support its objection and provides specific examples, 91��Ƭ�� will then use commercially reasonable efforts to review and respond to Organizer's objection within thirty (30) days of receipt of Organizer's objection with 91��Ƭ��'s determined method of accommodation.

If 91��Ƭ�� determines in its sole discretion that it cannot reasonably accommodate Organizer's objection, upon notice from 91��Ƭ��, Organizer may choose to terminate the Agreement by providing written notice to 91��Ƭ��, and complying with the terms herein, which shall be Organizer's sole and exclusive remedy. Without limiting the generality of the foregoing, Organizer's termination right under this Section 2.4 will be deemed an additional termination right of Organizer under the "Term and Termination" Section of the Agreement (if any) and if exercised will be deemed a termination pursuant to such Section. Such written notice must be sent to��legal@eventbrite.com��and must specifically reference this Section 2.4 of the DPA. The day 91��Ƭ�� receives an Organizer's written termination notice under this Section 2.4 will be referred to as the "Objection Date" in this DPA. Should Organizer choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this Section 2 shall relieve Organizer from any of its payment and/or repayment obligations to 91��Ƭ�� under the Agreement.

Without limiting 91��Ƭ��'s other rights and remedies, if Organizer terminates the Agreement pursuant to this Section 2.4, then Organizer will immediately pay to 91��Ƭ�� (1) all amounts accruing and owed to 91��Ƭ��, including, without limitation, obligations to pay and/or repay 91��Ƭ�� for Fees, Sponsorship Payments, Advances, and/or Advance payments of Event Registration Fees, as such terms are defined in the Agreement and only to the extent applicable to Organizer, (2) if the Agreement includes a minimum number of tickets Organizer must sell, a minimum amount of Event Registration Fees or 91��Ƭ�� Services Fees that must be processed (each such sales or processing threshold, a "Minimum Threshold"), and/or a requirement to pay 91��Ƭ�� the portion of Service Fees 91��Ƭ�� would have received had a Minimum Threshold been met, then Organizer agrees to pay 91��Ƭ�� an amount equal to (x) the amount that 91��Ƭ�� would have received in Service Fees had the Minimum Threshold been met in each year of the term up to the date of such termination (with such Minimum Threshold prorated as to any partial year of the Term), less (y) the amount that 91��Ƭ�� actually received in Service Fees attributable to Organizer's sales during the Term up to the date of such termination; and (3) 80% of the anticipated Fees 91��Ƭ�� would have earned during the remainder of the Term had the Agreement not been terminated with respect to (x) events on sale on the Site as of the Objection Date, and (y) any future events contemplated under the Agreement intended to go live in the ninety (90) days following the Objection Date.

2.5 91��Ƭ�� hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them. 91��Ƭ�� will notify Organizer if 91��Ƭ�� makes a determination that it can no longer meet its obligations under Data Protection Laws.

2.6 Organizer shall have the right, upon fourteen (14) business days’ notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by 91��Ƭ��.

3. Cross-Border Transfers.

3.1 Organizer agrees that 91��Ƭ�� may transfer Personal Data of Consumers to various locations in connection with providing the Services. Transfers will be made in accordance with legally enforceable transfer mechanisms where required by applicable Data Protection Laws. 91��Ƭ��’s exclusive transfer mechanism for data exported from the European Economic Area, United Kingdom and Switzerland is the use of��, which have been pre-signed by 91��Ƭ�� for Organizer compliance records. To make transfers from the United Kingdom, 91��Ƭ�� has also incorporated the UK SCC Addendum in section 3.2 of this DPA.

3.2 UK Transfers. With respect to 91��Ƭ�� Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCC Addendum forms part of this DPA and take precedence over the rest of this DPA as set forth in��the UK SCC Addendum, unless the United Kingdom issues updates to the UK SCC Addendum, in which case the updated UK SCC Addendum will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCC Addendum. Organizer hereby agrees to enter into the UK SCC Addendum, which is incorporated into this DPA by this reference and completed as follows:

1. In Table 1, the Parties’ details shall be the Parties as set forth in Annex I of the����as executed by the Parties pursuant to this DPA.

2. In Table 2, the Approved EU SCCs shall be the����as executed by the Parties pursuant to this DPA.

3. In Table 3, Annex 1A and Annex 1B shall be as set forth in Annex I of the����as executed by the Parties pursuant to this DPA.

4. Table 3, Annex II shall be as set forth in Annex II of the����as executed by the Parties pursuant to this DPA.

5. In Table 4, either party may end this DPA as set out in Section 19 of the UK SCC Addendum.

3.3. Switzerland Transfers. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, (i) references to the GDPR in Clause 4 of the New EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner; and (ii) as so amended, the New EU SCCs are incorporated herein by reference and shall apply, form a part of this DPA, and take precedence over the rest of this DPA to the extent of conflict.

3.4.��EEA Transfers. With respect to Personal Data transferred from the European Economic Area, the����incorporated herein shall apply and form part of this DPA. In the event of a conflict between any provision of the New EU SCCs and any provision of this DPA, the New EU SCCs will control to the extent of conflicts.