CATALATE MARKETING AND FULFILLMENT SERVICES AGREEMENT

Last Updated: January 8th, 2021

This Catalate Marketing and Fulfillment Services Agreement (this “Agreement”) is effective as of the date of Partner’s initial Order Form or the date of Partner’s initial use of the Services, whichever is earlier (the “Effective Date”), between Catalate Commerce, Inc., a Delaware corporation (“Catalate”), and the customer using the Services (“Partner”) (each, a “Party,” collectively, the “Parties”) and governs Catalate’s provision of the online services described herein.

Whereas, Catalate provides marketing and promotional services as well as online storefronts for the sale of ticket products,

Now Therefore, the parties agree as follows:

 Definitions.

1.1 “Affiliate” means a person or entity directly or indirectly, controlled by, controlling, or under common control with, a Party.

1.2 “Cloud Store” means certain web sites hosted by Catalate for Partner with Partner-designated branding.

1.3 “Core Products” means single-day, multi-day and multi-pack tickets.

1.4 “End Users” means Partner’s end users who purchase Tickets.

1.5 “Margin Percentage” means Catalate’s fees for providing the Services, calculated as a percentage of the Retail Price. The Order Form lists the Margin Percentages for Tickets sold on the Web Sites.

1.6 “Net Rate” means the amount to be paid to Partner for each Ticket booked through the Services, calculated as the Retail Price, less the Margin Percentage, fees, returns, chargebacks and deductions relating to cancellation, advance purchase, no-show and loyalty program participation policies applicable to a particular category of Tickets.

1.7 “Order Form” means this cover sheet and any subsequent order form for additional products or services that has been executed by both parties.

1.8 “Parity” means that where a Partner sells tickets on site, online through its own website and/or through third party ticket outlets: (a) Partner must offer the same Core Products through Liftopia.com and Cloud Store (if Partner uses Cloud Store to sell Tickets), (b) the ticket prices for Core Products may not be higher than the prices charged by Partner or third party ticket outlets, and (c) the refund and exchange policies and other terms and conditions applicable to Tickets offered through Liftopia.com and Cloud Store are no more restrictive than those applicable to sales made by Partner directly or other third party ticket outlets.

1.9 “Partner Content” means any and all trademarks, service marks, logos, copyright materials, designs, artwork, Retail Prices for the Tickets and any other content provided by Partner to Catalate for inclusion on the Web Sites.

1.10 “Promote” means to use, view, copy, adapt, modify, distribute, license, transfer, publicly display, publicly perform, transmit, stream, broadcast, utilize and otherwise exploit Partner Content, but only in order to provide the Services.

1.11 “Retail Price” means the actual price paid by an End User for a Ticket purchased through the Web Sites. All Tickets made available through Cloud Store shall, at the discretion of Catalate, also be made available on Liftopia.com.

1.12 “Services” means Catalate’s professional consulting, marketing, promotional and online retail services to allow Partner to promote and sell its products online to prospective End Users.

1.13 “Tickets” means entry or use tickets for Partner’s property, and other associated products Partner wishes to sell through the Services;

1.14 “Web Sites” means Liftopia.com and Cloud Store sites.

2. Services.

2.1 Partner hereby engages Catalate to provide the Services to End Users in accordance with and subject to the terms in Exhibit A.

2.2 Partner is solely responsible for determining the Retail Prices for all Tickets. Catalate is Partner’s processing and fulfillment agent for Ticket sales. Catalate does not buy Tickets from Partner or resell them to End Users.

3. Customization. Partner shall be responsible for providing any Partner Content required by Catalate for the Web Sites. After receipt of the Partner Content, Catalate will add the Partner Content and Partner’s Ticket inventory to Liftopia.com and provision Cloud Store for Partner’s use.

4. License Rights from Partner. Partner hereby grants to Catalate a worldwide, non-exclusive, royalty-free, right and license (sublicenseable to Catalate marketing affiliates and partners) to Promote Partner Content to prospective End Users through the Web Sites, online web-marketing (including pay-per click, banners and other online advertisements) and email marketing for the benefit of Partner. Catalate runs the online and email marketing campaigns at its own costs and own discretion.

5. Compensation. Catalate shall pay Partner as set forth on Exhibit A and each Order Form. Retail Prices shall include all applicable taxes, levies, duties, VAT and similar government assessments by any local, state, provincial, federal or foreign jurisdictions (collectively, “Taxes”). Partner shall be solely responsible for the payment of all Taxes associated with Ticket sales. If an applicable tax authority requires Catalate to pay any Taxes that should have been payable by Partner, Catalate will advise Partner in writing, and Partner will promptly reimburse Catalate for the amounts paid.

6. Use of Intellectual Property.

6.1 Catalate retains all right, title and interest in, including any and all intellectual property rights embodied in or associated with the Services, Web Sites (but excluding Partner Content contained therein) and the Catalate trademarks. Partner retains all right, title and interest in, including any and all intellectual property rights embodied in or associated with, the Partner Content.

6.2 Restrictions. Partner agrees not to (without limitation):

(a) provide the Services to third parties for service bureau or time-sharing purposes or in any other way allow third parties to exploit the Services or Web Sites;

(b) permit any third party to access or use the Services in any other way;

(c) sell, resell, transfer, assign, frame, mirror, or distribute the Services or Web Sites;

(d) introduce software or automated agents or scripts to the Services or Web Sites in order to produce multiple accounts, generate automated searches, requests, or queries, or to strip, scrape, or mine data from the Services or Web Sites;

(e) copy or reverse engineer the software or pricing strategies used to provide Services or Web Sites for any reason; or

(f) access the Services or Web Sites in order to build a competitive product or service, to build a product using similar ideas, features, functions or graphics of the Services or Web Sites, or to copy any ideas, features, functions, or graphics of the Services or Web Sites.

6.3 A breach of Section 6.2(e) or 6.2(f) would result in irreparable damages, the precise value of which is difficult to calculate. Accordingly as a bargained-for measure of alternative performance under this Agreement in such event, Partner agrees to pay Catalate liquidated damages in an amount equal to three times the total amount paid or payable to Catalate during the twelve months preceding the date Catalate notifies Partner of a breach, or if this Agreement has been in effect for less than one year, $100,000.

7. Security Standards. Partner’s networks, operating systems, web servers, routers and computer systems must be properly configured to industry standards so as to prevent any intrusion or unauthorized disclosure or loss of data. In the event of any breach of security involving Catalate’s APIs or other Services, Partner must notify Catalate immediately and work diligently to remedy such security breach as soon as practicable.

8. Acceptable Use. Partner agrees that it and its employees and agents will not use the Services or Web Sites to:

8.1 transmit any material that contains adware, malware, spyware, software viruses, or any other computer code, files, or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment;

8.2 interfere with or disrupt Catalate servers or networks connected to Catalate, or disobey any requirements, procedures, policies, or regulations of networks connected to Catalate;

8.3 attempt to access any other Catalate systems that are not part of the Services or Web Sites; or

8.4 violate any laws, third party rights, or any obligations under this Agreement.

9. End Users. Partner acknowledges and agrees that all use of the Web Sites by End Users shall be governed by Catalate’s posted privacy policy and any applicable terms and conditions specific to the Reservation Service (“T&Cs”). As used herein, “End User Data” means any and all data and information collected or created by Catalate concerning any person who accesses the Web Sites, including without limitation all personally identifiable information of End Users (such as End Users’ names, addresses, and credit card billing information) collected by Catalate or provided to Catalate by Partner in connection with the Services and/or the Web Sites. Partner shall comply with Catalate’s posted privacy policy and the T&Cs in connection with the use of all End User Data.

10. Confidentiality.

10.1 Subject to the limitations set forth in Section 10.2, all information disclosed by one party to the other party during the term of this Agreement, whether in oral, written, graphic or electronic form, shall be deemed to be “Confidential Information”. Confidential Information includes, without limitation, Catalate software used to provide Services, related documentation, specifications, pricing, disclosures in connection with the provision of Services, disclosures made by Partner about its operations, Ticket sales and other non-public metrics, and the terms and conditions of this Agreement. Confidential Information shall remain the sole property of the disclosing party or its licensors.

10.2 Exceptions. Information will not be considered as Confidential Information if the receiving party can establish by documentary evidence that the information is or was: (a) lawfully available to the public through no act or omission of the receiving party; (b) in the receiving party’s lawful possession prior to disclosure by the disclosing party and not obtained either directly or indirectly from the disclosing party; (c) lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (d) independently developed by the receiving party.

10.3 Nondisclosure. The parties agree, both during the term of this Agreement and for a period of five (5) years (or, as applicable, with respect to Confidential Information that is a trade secret, for an indefinite period and as to Confidential Information constituting personal data for so long as required by applicable law) after its termination, to hold each other’s Confidential Information in confidence and not to disclose such information in any form to any third party without the express written consent of the disclosing party, except to employees and consultants performing services for the benefit of the receiving party who are under a written non-disclosure agreement protecting the applicable Confidential Information in a manner no less restrictive than this Agreement. Each party agrees to take all reasonable steps to ensure that Confidential Information is not disclosed or distributed by its employees or agents in violation of this Agreement. A receiving party facing legal action to disclose Confidential Information of the disclosing party shall promptly notify and provide the disclosing party the opportunity to oppose such disclosure or obtain a protective order and shall continue to treat such information as Confidential Information. This Section 9 shall not be construed as granting or conferring any rights to either party by license or otherwise, expressly or implicitly, to any Confidential Information.

11. Term. Unless sooner terminated or otherwise stated in the Order Form, the initial term of this Agreement shall be one year. Thereafter, this Agreement shall automatically renew for successive periods of one year each unless either party notifies the other Party of non-renewal of this Agreement at least 30 days before the end of the then-current term.

12. Termination.

12.1 Catalate may suspend or terminate the Agreement, access to all or any portion of the Services, and/or the licenses granted herein immediately upon notice in the event that (a) Catalate determines, or a third party alleges, that any Company Content materially breaches any provision in Section 6 (Use of Intellectual Property), 8 (Acceptable Use), or 9 (End Users) or (b) Partner uses or permits the use of the Services for any improper or illegal purpose or any purpose not authorized by this Agreement.

12.2 Either party may terminate this Agreement (including all related Order Forms) if the other party: (a) fails to cure any material breach of this Agreement within 30 days after written notice of such breach; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors arrangement, composition or comparable proceeding, or if any such proceeding is instituted against such party (and not dismissed within 60 days)).

12.3 Termination is not an exclusive remedy and the exercise by either party of any remedy under this Agreement will be without prejudice to any other remedies it may have under this Agreement, by law, or otherwise.

13. Representations and Warranties. Each Party represents and warrants that it has the right, power and authority to enter into this Agreement and to perform all of its respective obligations under this Agreement, that the person executing or consenting to each Order Form on behalf of a party has been authorized by such party to do so, and that the performance of such obligations shall not conflict with or result in a breach of any agreement to which it is a party or is otherwise bound. Partner represents and warrants that it owns or has the right to use and submit to Catalate all Partner Content it submits to the Services or Web Sites. Catalate represents and warrants that the Services process and store credit or debit card payment information in compliance with the Payment Card Industry Data Security Standards (PCI-DSS).

14. Disclaimer of Warranties. EXCEPT AS OTHERWISE SET FORTH HEREIN, EACH PARTY HEREBY EXPRESSLY DISCLAIMS ALL WARRANTIES, REPRESENTATIONS AND CONDITIONS IN CONNECTION WITH THIS AGREEMENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, OR TITLE. NEITHER PARTY MAKES ANY WARRANTY THAT ITS PRODUCTS AND SERVICES WILL BE CONTINUOUSLY AVAILABLE, ERROR-FREE OR COMPLETELY SECURE, OR THAT ANY DEFECTS WILL BE CORRECTED.

15. Indemnification.

15.1 Partner agrees to defend, indemnify and hold harmless Catalate, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents the (“Catalate Indemnified Parties”) against any and all claims, liabilities, damages, losses, costs, expenses, and fees (including reasonable attorneys’ fees) (“Claims”) brought against Catalate for damages to the extent due to any actual or alleged: (a) bodily injury or damage to tangible property incurred by an End User while on Partner’s premises; (b) claim that Partner Content infringes or misappropriates the intellectual property rights or rights of privacy or publicity of a third party; or (c) improper use or application of the Services or Web Sites, or (d) actions or inactions related to Ticket fulfillment or any other activities occurring after an End User has completed his or her Ticket purchase on the Web Sites.

15.2 Catalate agrees to defend, indemnify and hold harmless Partner, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents (the “Partner Indemnified Parties”) against any and all Claims brought against Partner for damages to the extent due to any actual or alleged: (a) claim that the platform used by Catalate to operate the Services infringes or misappropriates the intellectual property rights or rights of privacy or publicity of a third party; or (b) violation by Catalate of any applicable law, rule or regulation in performing the Services.

15.3 The indemnified Party must notify the other Party promptly in writing of any claim hereunder and provide, at such other Party’s expense, all reasonably necessary assistance, information and authority to allow the other Party to control the defense and settlement of such claim. Each Party reserves the right, at its own expense, to assume the exclusive defense and control of any matter subject to indemnification by such party under this Section 15. The indemnity obligations hereunder shall survive the termination of this Agreement.

16. Limitations of Liability.

16.1 IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY NATURE, SUCH AS, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED PROFITS, LOST PROFITS, OR LOSS OF DATA OR USE, EVEN IF SUCH PARTY SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING SHALL APPLY REGARDLESS OF THE NEGLIGENCE OR OTHER FAULT OF ANY PARTY AND REGARDLESS OF WHETHER SUCH LIABILITY ARISES IN CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER THEORY OF LIABILITY.

16.2 EXCEPT FOR A CLAIM FOR INDEMNIFICATION ARISING OUT OF BODILY INJURY OR DAMAGE TO TANGIBLE PROPERTY INCURRED BY AN END USER WHILE ON PARTNER’S PREMISES AND AS DESCRIBED IN SECTION 6.3, IN NO EVENT SHALL THE MAXIMUM AMOUNT OF DAMAGES PAYABLE BY EITHER PARTY FOR ANY BREACH OF THIS AGREEMENT OR ANY DAMAGE OR INJURY RESULTING FROM CATALATE’S PROVISION OF THE SERVICES EXCEED THE FEES PAID BY EITHER PARTY TO THE OTHERMARGIN PERCENTAGES WITHHELD BY CATALATE PURSUANT TO THIS AGREEMENT DURING THE TWELVE MONTHS IMMEDIATELY PRECEDING ANY SUCH CLAIM.

17. Modification of Reservation Service Programs. Catalate may add, delete or otherwise modify any of the Services, provided that Catalate will notify Partner of any material modification that results in degradation of the Services.

18. Force Majeure. Neither Catalate nor Partner will be liable for any delay or failure in performance under this Agreement due to any cause beyond its reasonable control.

19. Governing Law, Jurisdiction and Venue. This Agreement and all matters or issues related to this Agreement shall be governed by and construed under the laws of the State of California without application of principles of conflicts of laws. Each of the Parties irrevocably and unconditionally agrees that any legal proceeding arising out of or relating to this Agreement may be brought in the United States District Court for the Northern District of California, or, if that court lacks jurisdiction, in any court of competent jurisdiction in San Francisco County; and (b) consents to the jurisdiction of each such court in any proceeding.

20. Assignment. Partner may not assign or sublicense, by operation of law or otherwise, this Agreement or any duties, rights or obligations under this Agreement without Catalate’s prior written consent; provided that either party may assign this Agreement to its Affiliate or its successor in the event of a merger, acquisition or sale of all or substantially all of the assets of such party. Any other purported assignment shall be void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns.

21. Severability; No Waiver. If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, then such provision shall be construed, as nearly as possible, to reflect the intentions of the Parties with the other provisions remaining in full force and effect. The failure of either Party to exercise or enforce any right or provision of this Agreement will not constitute a waiver of such right or provision, unless such waiver is in writing and is executed by the Party against whom such waiver is claimed.

22. Notices. Any notice required or permitted under this Agreement shall be given in writing and shall be deemed delivered when: (a) verified by written receipt if sent by personal courier, overnight courier, or postal mail; or (b) confirmed or replied to by the recipient if sent by email. Notices shall be delivered to each Party at its respective address specified in this Agreement, or at such other address as such Party may specify by written notice to the other.

23. No Agency or Third Party Beneficiary. Partner and Catalate are independent contractors, and nothing in this Agreement (including use of the defined term “Partner”) shall be construed to create a partnership, joint venture, franchise, or agency relationship between Partner and Catalate. Neither Party has any authority to enter into agreements of any kind on behalf of the other Party. Catalate and Partner agree that there should be no third party beneficiary to this Agreement, including, but is not limited to, End Users.

24. Miscellaneous. This Agreement, along with the attached Exhibits, constitutes the entire agreement of the Parties with respect to its subject matter, superseding all prior or contemporaneous oral and written communications, proposals, negotiations, representations, understandings, courses of dealing, agreements, contracts, and the like between the Parties in such respect, except that terms on an Order Form will supersede comparable provisions in this Agreement for the period stated in the Order Form. The section headings in this Agreement are for convenience only and have no legal or contractual effect. This Agreement: (a) may be executed in any number of counterparts, each of which, when executed by both Parties to this Agreement shall be deemed to be an original, and all of which counterparts together shall constitute one and the same instrument; and (b) may not be amended or modified by Partner unless such amendment or modification is in writing signed by both Parties. The terms of any sections that, by their nature, are intended to extend beyond termination shall survive termination of this Agreement for any reason.

EXHIBIT A

CATALATE SERVICES

Promotion

a. Marketing and Promotional Services. Catalate will work with Partner to develop digital marketing and promotional strategies to prospective End Users. This may include strategic consulting as well as management of digital promotion efforts such as keyword advertising of Partner’s tickets and related keywords. Catalate may promote Ticket inventory directly and through affiliates such as TripAdvisor and Yelp.

b. Ticket Inventory. Partner shall make Ticket inventory, and the associated Retail Prices, as applicable, available through the online interface to the Web Sites that may be made available to Partner by Catalate (the “Extranet”), and Catalate shall present such Tickets on the Web Sites. Partner agrees to honor and provide to each End User the goods and services applicable to each Ticket sold through the Services. The Parties acknowledge that Catalate bears no risk for failure to sell any Tickets and that nothing in this Agreement constitutes a sale of Tickets from Partner to Catalate.

 

Ticket Purchases

End Users may purchase Tickets for Partner properties via the Web Site. The following terms are applicable to such purchases.

c. Cancellations and Refunds. Partner may, at its discretion, issue refunds and cancellations to End Users through the Extranet, provided that all such refunds and cancellations shall comply with the applicable policies and terms and conditions posted on the Web Site at the time the Tickets were purchased. Catalate reserves the right to not refund applicable processing fees associated with such refunds or cancellations and reserves the right to charge a refund fee up to the Margin Percentage if greater than 3% of purchases are cancelled. Subject to the terms and conditions of this Agreement, Catalate hereby grants to Partner a nonexclusive, limited license to access and use the Extranet, solely as necessary to enable Partner to issue refunds to End Users, upload and make available Ticket information on the Web Sites, and view data related to the transactions completed through the Web Sites.

d. End User Transactions. In its capacity as processing and fulfillment agent, Catalate shall solely control the terms related to, and the processing of, Ticket sales. Partner will be responsible for post-purchasing interactions with End Users, including completion by End Users of written or electronic waivers End Users must sign before receiving Tickets, and all post-sale interactions with End Users. Catalate will have no liability for Partner’s actions or failures to act with regard to such interactions.

e. Payment. Within 30 days after the 1st of each month, Catalate shall pay to Partner the Net Rate for all Tickets purchased and not refunded by End Users during that period. Certain payment processors may distribute payments at different intervals and may require a reserve balance to be kept in Partner’s account. Those terms will be identified on each Order Form. Catalate may withhold from payments any amounts due from Partner to Catalate. Partner shall provide 15 days prior written notice to Catalate in the event of a change of ownership or any change in the payment information for a given Ticket. If an End User requests additional tickets or additional discounts directly from Partner, whether upon arrival or otherwise, then any such sale shall constitute an agreement between Partner and such End User separate and apart from any purchase on the Web Sites. Catalate assumes no responsibility for such changes or additions, and Partner shall be solely responsible for collecting and resolving any charges associated with such changes or additions.

Exhibit B

Data Processing Addendum

When Catalate provides marketing and Ticket fulfillment services for Partners, in some cases Catalate has a direct relationship with End Users and is the controller of Personal Data they provide. In other cases Catalate will act as a processor, processing Personal Data on Partner’s behalf. This Addendum applies to situations where Partner is the controller of Personal Data and Catalate is the processor. The parties agree that this Addendum shall be incorporated into and form part of the Agreement and subject to the provisions therein, including limitations of liability.

1. Definitions and interpretation

For purposes of this Addendum:

Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party;

Agreement” means the agreement between Partner and Catalate to which this Addendum is attached;

Breach” means a breach of security by Catalate that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Services;

Controller”, “Processor” and “Data Subject” (whether or not capitalized) have the meanings provided in the GDPR and equivalent meanings under other Data Protection Laws.

Data Protection Laws” means the General Data Protection Regulation 2016/679 (“GDPR”), the California Consumer Privacy Act (“CCPA”) and all other data protection and privacy laws and regulations of the United States and the EEA applicable to the Processing of Personal Data under the Agreement.

EEA” means the European Economic Area, which constitutes the member states of the European Union and Iceland, Liechtenstein, Norway, Switzerland and the United Kingdom.

Personal Data” refers to data processed by the Services that corresponds to the following terms and Data Protection Laws: (a) Personal Data as defined in GDPR in reference to residents of the European Economic Area, and (b) Personal Information as defined in the CCPA in reference to California residents, and (c) equivalents terms under other laws applicable to the Services in reference to residents of those jurisdictions.

Other capitalized terms used herein have the meanings provided in the Agreement.

2. Global Processing Terms.

 

2.1 General Processing Conditions. Catalate shall process Personal Data on Partner’s behalf for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Partner, except where otherwise required by applicable law. Catalate may have a separate right to process certain Personal Data: (a) if Catalate receives the same guest Personal Data from multiple sources, and (b) if Catalate has a direct relationship with a data subject and is a controller of that Personal Data. Catalate will promptly inform Partner if it becomes aware that processing requested by Partner infringes Data Protection Laws.

 

2.2 Compliance. Partner is responsible for ensuring that: (a) its use of the Services complies with Data Protection Laws and with all other applicable laws relating to privacy and data protection; and (b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Catalate for processing in accordance with the Agreement and this DPA. Partner must advise Catalate if its proposed use of the Services would subject Catalate to data protection or privacy obligations under laws or regulations other than the Data Protection Laws. If and when necessary in that situation, the parties may enter into a local implementation addendum governing any provisions of such laws.

 

2.3 Training. Catalate shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.

 

2.4 Security Incidents. Catalate will notify Partner without undue delay on becoming aware of a Breach, by sending an email to Partner’s principal contact for the Catalate relationship. Further, Catalate undertakes to take all reasonable steps to mitigate the impact of any such Breach and to reasonably cooperate with Partner to enable Partner to comply with its obligations under Data Protection Laws, including by assisting Partner in notifying Data Subjects or regulators of a Breach. Catalate shall not give such notice without the prior written approval of Partner.

 

2.5 Obligation to Rectify, Update and Restrict Processing of Partner Personal Data. During the term of the Agreement, Catalate shall: (a) ensure that the Personal Data is accurate and, where necessary, kept up to date, in accordance with Partner’s instructions and (b) restrict the processing of Personal Data identified by Partner.

 

2.6 Obligation to Delete and Return Personal Data. Upon completion of its obligations in relation to processing of Personal Data under the Agreement or upon Partner’s request at any time during the term of the Agreement, Catalate shall, at Partner’s election, either: (a) return all or subsets of the Personal Data in Catalate’s control to Partner; or (b) permanently delete or render the Personal Data unreadable. Notwithstanding the foregoing: Catalate may retain Personal Data: (x) to the extent it has a separate legal right or obligation to do so; and (y) in backup systems until the backups have been overwritten or expunged in accordance with Catalate’s backup policy.

 

2.7 Audit Rights.

(a) Upon Partner’s written request, Catalate shall provide Partner with a summary of its then-current information security program as relevant to the security and confidentiality of the Personal Data shared during the course of the Agreement.

(b) In addition, Partner may contact Catalate to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Partner and Catalate shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Catalate incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Catalate.

(c) Catalate accepts and agrees that supervisory authorities may request information from Catalate, and carry out investigations in the form of data protection audits of Catalate, in accordance with Data Protection Laws.

3. EEA-Specific Processing Terms

 

3.1 Subprocessors. Partner generally authorizes Catalate’s appointment of certain third party Processors of Personal Data under this Agreement (“Subprocessors”). Catalate confirms that it: (a) has entered (or, for future appointments, will enter) into a written agreement with the Subprocessor incorporating terms which are substantially similar to those set out in this Addendum; and (b) will inform Partner of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Partner the opportunity to object to such changes.

 

3.2 Transfers Outside the EEA. Catalate may not transfer Personal Data to, or process such data in, a location outside of the EEA without Partner’s prior written consent (in each case a “Transfer”). Without prejudice to the foregoing, Partner consents to Transfers outside of the EEA where Catalate has implemented a Transfer solution compliant with Data Protection Laws, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the recipient of Personal Data is certified under a valid EU-US or Swiss-US framework (including any duly adoptedsuccessor to Privacy Shield); (c) the unchanged European Commission-approved controller to processor Standard Contractual Clauses (without optional clauses) set out at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm as of the date of this DPA or any successor thereto adopted in accordance with GDPR (“SCCs”), which are incorporated by reference into this DPA, where Partner will be regarded as the Data Exporter and Catalate will be regarded as the Data Importer; (d) another appropriate safeguard pursuant to Article 46 of the GDPR applies; or (e) a derogation pursuant to Article 49 of the GDPR. Appendices 1 and 2 of this DPA correspond to Appendices 1 and 2 of the SCCs. Provisions of this DPA will supersede the SCCs to the extent of any conflict.

 

4. California-Specific Processing Terms

 

4.1 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Catalate will not “sell” (as defined in the CCPA) any Personal Data; and (b) Catalate will not collect, share or use any Personal Data except as necessary to perform services for Partner.

 

5. Governing Law

This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by GDPR, in which case this DPA will be governed by the laws of France.

ANNEX 1: DESCRIPTION OF DATA PROCESSING

The data processing activities carried out by Catalate under the Agreement may be described as follows:

1. Subject matter

The subject matter of this agreement concerns the provision by Catalate of data processing services connected with the provision of the Services.

2. Duration

Catalate shall process Personal Data during the term of the Agreement and not thereafter except if specifically instructed to do so by Partner.

3. Nature and purpose

Catalate will process Personal Data to provide the Services identified in the Agreement.

4. Data categories

Catalate will process the following categories of Personal Data about data subjects: first and last name, email address, telephone and other identifying information for End Users, and their payment information when they purchase Tickets.

5. Data subjects

Catalate’s processing concerns Partner personnel and End Users.

ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Description of the technical and organisational security measures implemented by Catalate in accordance with Data Protection Law:

Policy Control

Catalate shall maintain a documented information security policy that, at a minimum, conforms to the most updated NIST 800 series Information Security Management System standard. Catalate shall ensure its information security policy and any appropriate training, therefore, is provided to all staff involved directly or indirectly in the provision of the Approved Purpose. Catalate shall implement controls to monitor on an ongoing basis compliance with its information security policy.

Access Control in a Physical Sense

Catalate shall take reasonable measures to prevent unauthorized persons from gaining access to data processing systems for processing and/or using Personal Data by implementing physical controls including:

  • an access control system (ID reader, magnetic card, chip card);
  • keys;
  • security staff, janitors; and
  • surveillance facilities (alarm system, Closed Circuit Television (CCTV) monitor)

Access Control to the IT System

Catalate shall take reasonable measures to prevent data processing systems from being used without authorization by implementing:

  • password procedures (incl. special characters, minimum length, frequent change of passwords);
  • user authentication keys
  • segmentation of resources by role
  • automatic blocking (e.g. password or timeout); and
  • company-wide use of 1Password application.

Access control to Data Controller Data

Catalate shall ensure that persons authorized to use the data processing system have only access to the data, which they are authorized to access, and that Personal Data cannot be read, copied, altered and/or removed without authorization during processing, use and after recording by implementing:

  • differentiated access rights (profiles, roles, transactions and objects);
  • reports on access used;
  • access levels and access controls;
  • change control procedures; and
  • audit trails.

Transmission Control

Catalate shall ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport. To this end Catalate shall implement:

  • encryption/tunneling (VPN = Virtual Private Network);
  • login/password access control;
  • logging; and
  • tls transport security.

Input control

Catalate shall ensure that it is possible after the fact to check and ascertain whether Personal Data has been entered into, altered or removed from data processing systems and if so, by whom by implementing:

  • logging and reporting systems; and
  • role aligned access and entitlements.

Job control

Catalate shall ensure that Personal Data processed on behalf of Partner is processed strictly in compliance with the Partner’s instructions requiring its employees to obey the instructions of Partner and to process Personal Data exclusively in compliance with Partner’s instructions.

Availability control

Catalate shall ensure that Personal Data is reasonably protected against accidental destruction or loss by implementing:

  • backup procedures;
  • mirroring of hard disks, e.g. RAID technology;
  • uninterruptible power supply (UPS);
  • remote storage;
  • firewall systems; and
  • disaster recovery plan.

Separation Control

Catalate shall ensure that Personal Data collected for different purposes can be processed separately by implementing:

  • segregation of functions (production/testing);
  • record of Partner consent and scope of consent for any data provided directly to Catalate

Security Incident Management

Catalate shall implement an appropriate security incident management process aligned with industry best practices, requiring, at minimum:

  • prompt investigation of any Security Incidents;
  • notification of Partner within the timeframe specified in this Addendum; and
  • provision to Partner and/or its designated representative with all reasonable access to Catalate’s systems, data, and logs as necessary for the purpose of understanding the circumstances of the Security Incident.

Access controls:

Catalate office is secured with a guard at the building entrance and key cards at the door to the building and door to the office.

Catalate services are hosted on AWS. All access to AWS is via multi factor authentication. Catalate also enables MFA where possible to access other cloud resources in use.