CATALATE PRICING AS A SERVICES AGREEMENT
Last Updated: July 19, 2021
This Catalate Pricing as a Services Agreement (this “Agreement”) is made and entered into as of the date of Partner’s initial Order Form or the date of Partner’s initial use of the Services, whichever is earlier (the “Effective Date”), between Catalate Commerce, Inc., a Delaware corporation (“Catalate”), and the customer using the Services (“Partner”) (each, a “Party,” collectively, the “Parties”) and governs Catalate’s provision of the online services described herein.
1.1 “Affiliate” means a person or entity directly or indirectly, controlled by, controlling, or under common control with, a Party.
1.2 “API” means Catalate’s API(s) via which Partners may access Ticket inventory and pricing.
1.3 “Margin Percentage” means Catalate’s fees for providing the Services, calculated as a percentage of the Retail Price. The Order Form lists the Margin Percentages for Tickets sold on the API.
1.4 “Order Form” means this cover sheet and any subsequent order form for additional products or services that has been executed by both parties.
1.5 “Retail Price” means the actual price paid by an End User for a Ticket purchased through the API.
1.6 “Services” means Catalate’s professional consulting, marketing, promotional and online retail services and related Software to allow Partner to promote and sell its products online to prospective End Users, including the API.
1.7 “Software” means software and other source code, object code or underlying structure, ideas, know-how or algorithms used to provide the API and other parts of the Services.
1.8 “Tickets” means entry or use tickets for Partner’s property, and other associated products Partner wishes to sell through the Services;
2. Services; License Grant.
2.1 Partner hereby engages Catalate to provide the Services in accordance with and subject to the terms in Exhibit A.
2.2 During the term and subject to the terms of this Agreement, Catalate grants Partner a limited, revocable, non-exclusive, non-transferable license to access and integrate the API in order to make Ticket inventory available pursuant to Exhibit A.
3. Compensation. Partner shall pay Catalate as set forth on Exhibit A and each Order Form. Retail Prices shall include all applicable taxes, levies, duties, VAT and similar government assessments by any local, state, provincial, federal or foreign jurisdictions (collectively, “Taxes”). Partner shall be solely responsible for the payment of all Taxes associated with Ticket sales. If an applicable tax authority requires Catalate to pay any Taxes that should have been payable by Partner, Catalate will advise Partner in writing, and Partner will promptly reimburse Catalate for the amounts paid.
4. Use of Intellectual Property.
4.1 Catalate retains all right, title and interest in, including any and all intellectual property rights embodied in or associated with the Services and the Catalate trademarks.
4.2 Restrictions. Partner will not, and will not allow its users to (without limitation):
(a) provide the Services to third parties for service bureau or time-sharing purposes or in any other way allow third parties to exploit the Services;
(b) permit any third party to access or use the Services in any other way;
(c) sell, resell, transfer, assign, frame, mirror, or distribute the Services;
(d) introduce software or automated agents or scripts to the Services in order to produce multiple accounts, generate automated searches, requests, or queries, or to strip, scrape, or mine data from the Services;
(e) copy or reverse engineer the software, pricing model or pricing strategies used to provide Services for any reason; or
(f) access the Services in order to build a competitive product or service, to build a product using similar ideas, features, functions or graphics of the Services, or to copy any ideas, features, functions, or graphics of the Services.
5. Security Standards. Partner’s networks, operating systems, web servers, routers and computer systems must be properly configured to industry standards so as to prevent any intrusion or unauthorized disclosure or loss of data. In the event of any breach of security involving the API or other Services, Partner must notify Catalate immediately and work diligently to remedy such security breach as soon as practicable.
6. Acceptable Use. Partner agrees that it and its employees and agents will not use the Services to:
6.1 transmit any material that contains adware, malware, spyware, software viruses, or any other computer code, files, or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment;
6.2 interfere with or disrupt Catalate servers or networks connected to Catalate, or disobey any requirements, procedures, policies, or regulations of networks connected to Catalate;
6.3 attempt to access any other Catalate systems that are not part of the Services; or
6.4 violate any laws, third party rights, or any obligations under this Agreement.
7. Partner Reports. Partner will maintain all records related to its orders processed using the API as required by this Agreement by applicable law. Partner shall send a weekly report of all orders processed using the API to Catalate in a format provided by Catalate. If there is greater than a 5% variance between bookings provided by Partner in a format provided by Catalate and Catalate’s systems, Partner will have two weeks from Catalate’s notice of such variance to amend the API configuration such that the variance is reduced to less than 5%. If the issue is not resolved within the two week period, Catalate will revert strategy to static pricing until the issue is resolved. In order to verify the accuracy of such reports, Catalate may inspect Partner’s records and materials related to this Agreement. Such audits will be conducted during Partner’s normal business hours, upon no less than five days’ prior written notice. Catalate shall be responsible for the audit costs unless the audit reveals an underpayment of 5% or greater, in which case Partner shall pay Catalate’s reasonable expenses of the audit in addition to all fees due.
8.1 Subject to the limitations set forth in Section 8.2, all information disclosed by one party to the other party during the term of this Agreement, whether in oral, written, graphic or electronic form, shall be deemed to be “Confidential Information”. Confidential Information includes, without limitation, Catalate software used to provide Services, related documentation, specifications, pricing, disclosures in connection with the provision of Services, disclosures made by Partner about its operations, Ticket sales and other non-public metrics, and the terms and conditions of this Agreement. Confidential Information shall remain the sole property of the disclosing party or its licensors.
8.2 Exceptions. Information will not be considered as Confidential Information if the receiving party can establish by documentary evidence that the information is or was: (a) lawfully available to the public through no act or omission of the receiving party; (b) in the receiving party’s lawful possession prior to disclosure by the disclosing party and not obtained either directly or indirectly from the disclosing party; (c) lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (d) independently developed by the receiving party.
8.3 Nondisclosure. The parties agree, during the term and after the termination of this Agreement, to hold each other’s Confidential Information in confidence and not to disclose such information in any form to any third party without the express written consent of the disclosing party, except to employees and consultants performing services for the benefit of the receiving party who are under a written non-disclosure agreement protecting the applicable Confidential Information in a manner no less restrictive than this Agreement. Each party agrees to take all reasonable steps to ensure that Confidential Information is not disclosed or distributed by its employees or agents in violation of this Agreement. A receiving party facing legal action to disclose Confidential Information of the disclosing party shall promptly notify and provide the disclosing party the opportunity to oppose such disclosure or obtain a protective order and shall continue to treat such information as Confidential Information. This Section 9 shall not be construed as granting or conferring any rights to either party by license or otherwise, expressly or implicitly, to any Confidential Information.
8.4 Permitted Third Parties. For the avoidance of doubt, Partner acknowledges and consents to the sharing of its pricing information with Partner’s operating system and other technology partners for the purpose of providing the Services.
9. Term. Unless sooner terminated or otherwise stated in the Order Form, the initial term of this Agreement shall be one year. Thereafter, this Agreement shall automatically renew for successive periods of one year each unless either party notifies the other Party of non-renewal of this Agreement at least 30 days before the end of the then-current term.
10.1 Catalate may suspend or terminate the Agreement, access to all or any portion of the Services, and/or the licenses granted herein immediately upon notice in the event that Partner uses or permits the use of the Services for any improper or illegal purpose or any purpose not authorized by this Agreement.
10.2 Either party may terminate this Agreement (including all related Order Forms) if the other party: (a) fails to cure any material breach of this Agreement within 30 days after written notice of such breach; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors arrangement, composition or comparable proceeding, or if any such proceeding is instituted against such party (and not dismissed within 60 days)).
10.3 Termination is not an exclusive remedy and the exercise by either party of any remedy under this Agreement will be without prejudice to any other remedies it may have under this Agreement, by law, or otherwise.
11. Representations and Warranties. Each Party represents and warrants that it has the right, power and authority to enter into this Agreement and to perform all of its respective obligations under this Agreement, that the person executing or consenting to each Order Form on behalf of a party has been authorized by such party to do so, and that the performance of such obligations shall not conflict with or result in a breach of any agreement to which it is a party or is otherwise bound. Catalate represents and warrants that the Services process and store credit or debit card payment information in compliance with the Payment Card Industry Data Security Standards (PCI-DSS).
12. Disclaimer of Warranties. EXCEPT AS OTHERWISE SET FORTH HEREIN, CATALATE HEREBY EXPRESSLY DISCLAIMS ALL WARRANTIES, REPRESENTATIONS AND CONDITIONS IN CONNECTION WITH THIS AGREEMENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, OR TITLE. CATALATE DOES NOT MAKE ANY WARRANTY THAT THE SERVICES WILL BE CONTINUOUSLY AVAILABLE, ERROR-FREE OR COMPLETELY SECURE, OR THAT ANY DEFECTS WILL BE CORRECTED.
13.1 Partner agrees to defend, indemnify and hold harmless Catalate, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents the (“Catalate Indemnified Parties”) against any and all claims, liabilities, damages, losses, costs, expenses, and fees (including reasonable attorneys’ fees) (“Claims”) brought against Catalate for damages to the extent due to any actual or alleged improper use or application of the Services.
13.2 Catalate agrees to defend, indemnify and hold harmless Partner, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents (the “Partner Indemnified Parties”) against any and all Claims brought against Partner for damages to the extent due to any actual or alleged: (a) claim that the platform used by Catalate to operate the Services infringes or misappropriates the intellectual property rights or rights of privacy or publicity of a third party; or (b) violation by Catalate of any applicable law, rule or regulation in performing the Services.
13.3 The indemnified Party must notify the other Party promptly in writing of any claim hereunder and provide, at such other Party’s expense, all reasonably necessary assistance, information and authority to allow the other Party to control the defense and settlement of such claim. Each Party reserves the right, at its own expense, to assume the exclusive defense and control of any matter subject to indemnification by such party under this Section 13. The indemnity obligations hereunder shall survive the termination of this Agreement.
14. Limitations of Liability.
14.1 IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY NATURE, SUCH AS, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED PROFITS, LOST PROFITS, OR LOSS OF DATA OR USE, EVEN IF SUCH PARTY SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING SHALL APPLY REGARDLESS OF THE NEGLIGENCE OR OTHER FAULT OF ANY PARTY AND REGARDLESS OF WHETHER SUCH LIABILITY ARISES IN CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER THEORY OF LIABILITY.
14.2 IN NO EVENT SHALL THE MAXIMUM AMOUNT OF DAMAGES PAYABLE BY EITHER PARTY FOR ANY BREACH OF THIS AGREEMENT OR ANY DAMAGE OR INJURY RESULTING FROM CATALATE’S PROVISION OF THE SERVICES EXCEED THE FEES PAID BY PARTNER TO CATALATE PURSUANT TO THIS AGREEMENT DURING THE TWELVE MONTHS IMMEDIATELY PRECEDING ANY SUCH CLAIM.
15. Modification of Reservation Service Programs. Catalate may add, delete or otherwise modify any of the Services, provided that Catalate will notify Partner of any material modification that results in degradation of the Services.
16. Force Majeure. Neither Catalate nor Partner will be liable for any delay or failure in performance under this Agreement due to any cause beyond its reasonable control.
17. Governing Law, Jurisdiction and Venue. This Agreement and all matters or issues related to this Agreement shall be governed by and construed under the laws of the State of California without application of principles of conflicts of laws. Each of the Parties irrevocably and unconditionally agrees that any legal proceeding arising out of or relating to this Agreement may be brought in the United States District Court for the Northern District of California, or, if that court lacks jurisdiction, in any court of competent jurisdiction in San Francisco County; and (b) consents to the jurisdiction of each such court in any proceeding.
18. Assignment. Partner may not assign or sublicense, by operation of law or otherwise, this Agreement or any duties, rights or obligations under this Agreement without Catalate’s prior written consent; provided that either party may assign this Agreement to its Affiliate or its successor in the event of a merger, acquisition or sale of all or substantially all of the assets of such party. Any other purported assignment shall be void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns.
19. Severability; No Waiver. If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, then such provision shall be construed, as nearly as possible, to reflect the intentions of the Parties with the other provisions remaining in full force and effect. The failure of either Party to exercise or enforce any right or provision of this Agreement will not constitute a waiver of such right or provision, unless such waiver is in writing and is executed by the Party against whom such waiver is claimed.
20. Notices. Any notice required or permitted under this Agreement shall be given in writing and shall be deemed delivered when: (a) verified by written receipt if sent by personal courier, overnight courier, or postal mail; or (b) confirmed or replied to by the recipient if sent by email. Notices shall be delivered to each Party at its respective address specified in this Agreement, or at such other address as such Party may specify by written notice to the other.
21. No Agency or Third Party Beneficiary. Partner and Catalate are independent contractors, and nothing in this Agreement (including use of the defined term “Partner”) shall be construed to create a partnership, joint venture, franchise, or agency relationship between Partner and Catalate. Neither Party has any authority to enter into agreements of any kind on behalf of the other Party. Catalate and Partner agree that there should be no third party beneficiary to this Agreement, including, but is not limited to, End Users.
22. Miscellaneous. This Agreement, along with the attached Exhibits, constitutes the entire agreement of the Parties with respect to its subject matter, superseding all prior or contemporaneous oral and written communications, proposals, negotiations, representations, understandings, courses of dealing, agreements, contracts, and the like between the Parties in such respect, except that terms on an Order Form will supersede comparable provisions in this Agreement for the period stated in the Order Form. The section headings in this Agreement are for convenience only and have no legal or contractual effect. This Agreement: (a) may be executed in any number of counterparts, each of which, when executed by both Parties to this Agreement shall be deemed to be an original, and all of which counterparts together shall constitute one and the same instrument; and (b) may not be amended or modified by Partner unless such amendment or modification is in writing signed by both Parties. The terms of any sections that, by their nature, are intended to extend beyond termination shall survive termination of this Agreement for any reason.
The API allows third-parties to access ticket inventory and sell it in other environments (e.g. another e-commerce engine, lodging environment, native mobile apps, other third party distribution channels, etc.). With the API, a Partner can access ticket prices, inventory quantity and availability as well as create orders in the Catalate system. Inventory management and analysis is done within Catalate’s system.
End User Transactions. Catalate will provide Ticket prices via the API only and will not be responsible for Ticket sales, payment processing, Ticket fulfilment or any other aspects of Tickets sold unless otherwise agreed upon between the parties in writing. Partner will be responsible for post-purchasing interactions with its customers. Catalate will have no liability for Partner’s actions or failures to act with regard to such interactions.
Payment. Catalate’s fees for use of the API will be provided on each Order Form. Except as otherwise provided herein all fees are noncancelable and nonrefundable and Partner will pay all fees within 30 days from receipt of Catalate’s invoice. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection. Without limiting its other remedies, Catalate may suspend Services for nonpayment of fees.
DATA PROCESSING ADDENDUM
Catalate may act as a processor, processing Personal Data on Partner’s behalf. This Addendum applies to situations where Partner is the controller of Personal Data and Catalate is the processor. The parties agree that this Addendum shall be incorporated into and form part of the Agreement and subject to the provisions therein, including limitations of liability.
1. Definitions and interpretation
For purposes of this Addendum:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party;
“Agreement” means the agreement between Partner and Catalate to which this Addendum is attached;
“Breach” means a breach of security by Catalate that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Services;
“Controller”, “Processor” and “Data Subject” (whether or not capitalized) have the meanings provided in the GDPR and equivalent meanings under other Data Protection Laws.
“Data Protection Laws” means the General Data Protection Regulation 2016/679 (“GDPR”), the California Consumer Privacy Act (“CCPA”) and all other data protection and privacy laws and regulations of the United States and the EEA applicable to the Processing of Personal Data under the Agreement.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Iceland, Liechtenstein, Norway, Switzerland and the United Kingdom.
“Personal Data” refers to data processed by the Services that corresponds to the following terms and Data Protection Laws: (a) Personal Data as defined in GDPR in reference to residents of the European Economic Area, and (b) Personal Information as defined in the CCPA in reference to California residents, and (c) equivalents terms under other laws applicable to the Services in reference to residents of those jurisdictions.
Other capitalized terms used herein have the meanings provided in the Agreement.
2. Global Processing Terms.
2.1 General Processing Conditions. Catalate shall process Personal Data on Partner’s behalf for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Partner, except where otherwise required by applicable law. Catalate may have a separate right to process certain Personal Data: (a) if Catalate receives the same guest Personal Data from multiple sources, and (b) if Catalate has a direct relationship with a data subject and is a controller of that Personal Data. Catalate will promptly inform Partner if it becomes aware that processing requested by Partner infringes Data Protection Laws.
2.2 Compliance. Partner is responsible for ensuring that: (a) its use of the Services complies with Data Protection Laws and with all other applicable laws relating to privacy and data protection; and (b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Catalate for processing in accordance with the Agreement and this DPA. Partner must advise Catalate if its proposed use of the Services would subject Catalate to data protection or privacy obligations under laws or regulations other than the Data Protection Laws. If and when necessary in that situation, the parties may enter into a local implementation addendum governing any provisions of such laws.
2.3 Training. Catalate shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.
2.4 Security Incidents. Catalate will notify Partner without undue delay on becoming aware of a Breach, by sending an email to Partner’s principal contact for the Catalate relationship. Further, Catalate undertakes to take all reasonable steps to mitigate the impact of any such Breach and to reasonably cooperate with Partner to enable Partner to comply with its obligations under Data Protection Laws, including by assisting Partner in notifying Data Subjects or regulators of a Breach. Catalate shall not give such notice without the prior written approval of Partner.
2.5 Obligation to Rectify, Update and Restrict Processing of Partner Personal Data. During the term of the Agreement, Catalate shall: (a) ensure that the Personal Data is accurate and, where necessary, kept up to date, in accordance with Partner’s instructions and (b) restrict the processing of Personal Data identified by Partner.
2.6 Obligation to Delete and Return Personal Data. Upon completion of its obligations in relation to processing of Personal Data under the Agreement or upon Partner’s request at any time during the term of the Agreement, Catalate shall, at Partner’s election, either: (a) return all or subsets of the Personal Data in Catalate’s control to Partner; or (b) permanently delete or render the Personal Data unreadable. Notwithstanding the foregoing: Catalate may retain Personal Data: (x) to the extent it has a separate legal right or obligation to do so; and (y) in backup systems until the backups have been overwritten or expunged in accordance with Catalate’s backup policy.
2.7 Audit Rights.
(a) Upon Partner’s written request, Catalate shall provide Partner with a summary of its then-current information security program as relevant to the security and confidentiality of the Personal Data shared during the course of the Agreement.
(b) In addition, Partner may contact Catalate to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Partner and Catalate shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Catalate incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Catalate.
(c) Catalate accepts and agrees that supervisory authorities may request information from Catalate, and carry out investigations in the form of data protection audits of Catalate, in accordance with Data Protection Laws.
3. EEA-Specific Processing Terms
3.1 Subprocessors. Partner generally authorizes Catalate’s appointment of certain third party Processors of Personal Data under this Agreement (“Subprocessors”). Catalate confirms that it: (a) has entered (or, for future appointments, will enter) into a written agreement with the Subprocessor incorporating terms which are substantially similar to those set out in this Addendum; and (b) will inform Partner of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Partner the opportunity to object to such changes.
3.2 Transfers Outside the EEA. Catalate may not transfer Personal Data to, or process such data in, a location outside of the EEA without Partner’s prior written consent (in each case a “Transfer”). Without prejudice to the foregoing, Partner consents to Transfers outside of the EEA where Catalate has implemented a Transfer solution compliant with Data Protection Laws, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the recipient of Personal Data is certified under a valid EU-US or Swiss-US framework (including any duly adoptedsuccessor to Privacy Shield); (c) the unchanged European Commission-approved controller to processor Standard Contractual Clauses (without optional clauses) set out at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm as of the date of this DPA or any successor thereto adopted in accordance with GDPR (“SCCs”), which are incorporated by reference into this DPA, where Partner will be regarded as the Data Exporter and Catalate will be regarded as the Data Importer; (d) another appropriate safeguard pursuant to Article 46 of the GDPR applies; or (e) a derogation pursuant to Article 49 of the GDPR. Appendices 1 and 2 of this DPA correspond to Appendices 1 and 2 of the SCCs. Provisions of this DPA will supersede the SCCs to the extent of any conflict.
4. California-Specific Processing Terms
4.1 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Catalate will not “sell” (as defined in the CCPA) any Personal Data; and (b) Catalate will not collect, share or use any Personal Data except as necessary to perform services for Partner.
5. Governing Law
This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by GDPR, in which case this DPA will be governed by the laws of France.
ANNEX 1: DESCRIPTION OF DATA PROCESSING
The data processing activities carried out by Catalate under the Agreement may be described as follows:
1. Subject matter
The subject matter of this agreement concerns the provision by Catalate of data processing services connected with the provision of the Services.
Catalate shall process Personal Data during the term of the Agreement and not thereafter except if specifically instructed to do so by Partner.
3. Nature and purpose
Catalate will process Personal Data to provide the Services identified in the Agreement.
4. Data categories
Catalate will process the following categories of Personal Data about data subjects: first and last name, email address, telephone and other identifying information for End Users, and their payment information when they purchase Tickets.
5. Data subjects
Catalate’s processing concerns Partner personnel and End Users.
ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Description of the technical and organisational security measures implemented by Catalate in accordance with Data Protection Law:
Catalate shall maintain a documented information security policy that, at a minimum, conforms to the most updated NIST 800 series Information Security Management System standard. Catalate shall ensure its information security policy and any appropriate training, therefore, is provided to all staff involved directly or indirectly in the provision of the Approved Purpose. Catalate shall implement controls to monitor on an ongoing basis compliance with its information security policy.
Access Control in a Physical Sense
Catalate shall take reasonable measures to prevent unauthorized persons from gaining access to data processing systems for processing and/or using Personal Data by implementing physical controls including:
Access Control to the IT System
Catalate shall take reasonable measures to prevent data processing systems from being used without authorization by implementing:
Access control to Data Controller Data
Catalate shall ensure that persons authorized to use the data processing system have only access to the data, which they are authorized to access, and that Personal Data cannot be read, copied, altered and/or removed without authorization during processing, use and after recording by implementing:
Catalate shall ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport. To this end Catalate shall implement:
Catalate shall ensure that it is possible after the fact to check and ascertain whether Personal Data has been entered into, altered or removed from data processing systems and if so, by whom by implementing:
Catalate shall ensure that Personal Data processed on behalf of Partner is processed strictly in compliance with the Partner’s instructions requiring its employees to obey the instructions of Partner and to process Personal Data exclusively in compliance with Partner’s instructions.
Catalate shall ensure that Personal Data is reasonably protected against accidental destruction or loss by implementing:
Catalate shall ensure that Personal Data collected for different purposes can be processed separately by implementing:
Security Incident Management
Catalate shall implement an appropriate security incident management process aligned with industry best practices, requiring, at minimum:
Catalate office is secured with a guard at the building entrance and key cards at the door to the building and door to the office.
Catalate services are hosted on AWS. All access to AWS is via multi factor authentication. Catalate also enables MFA where possible to access other cloud resources in use.