Data Processing Addendum Processors And Sub Processors

This Data Processing Addendum (“DPA”) shall govern any services provided to, Inc. and its Affiliates (“”) by you (“you,” “your,” or “Vendor”) as a Processor or Sub-processor (as defined below) (the “Services”). You and shall each be referred to herein as a “Party” and together as “Parties”. This DPA supplements, is incorporated into, and will remain in effect for the term of any agreement between the Parties, including but not limited to any executed or click-through agreement or, if applicable,’s API Terms of Use (the “Agreement”), the duration of Services, or the processing of Data, whichever is later (the “Term”). The Parties agree as follows:
1. Definitions.
Capitalised terms used but not defined in this DPA shall have the same meanings as set out in the Agreement, if applicable. For the purposes of this DPA:

1.1 In these Terms references to “you” means the Organiser or developer working on behalf of an organiser who has a client account with us for the promotion of their events or bookings and references to “we”, “us”, “our” and “Flame Concepts Ltd” or “Flame” or “Flame Concepts” or “” means Flame Concepts Ltd and any owned and managed services you have with us (or our sites) owned and managed by us including and not limited to or . Flame Concepts Ltd is Registered in England and Wales 7994559 at Arkle House, 31 Lonsdale Street, Carlisle, CA1 1BJ with a trading address of Unit 5D Lakeland Business Park, Cockermouth, Cumbria, CA13 0QT.

1.2 “Affiliate(s)” means any person or entity that controls, is controlled by, or is under common control with such entity, whether as of the date of the Agreement or thereafter. For purposes of this DPA, “control” means ownership or control, directly or indirectly, of more than 20% of the outstanding voting stock of an entity or otherwise possessing the power to direct the management and policies.

1.3 “Applicable Privacy Laws” means all applicable privacy and data protection laws and regulations anywhere in the world, including, where applicable, the EU Data Protection Directive 95/46/EC, the EU Directive 2002/58/EC on privacy and electronic communications, and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) (in all cases, as amended, superseded or replaced).

1.4 “Controller” means the natural or legal person or entity who determines the purposes and means of the processing of Personal Data.

1.5 “Data Breach” means a breach of security leading to accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and all other unlawful forms of processing of Data.

1.6 “ Data” means any and all data including Personal Data that is provided to Vendor or otherwise collected and/or accessed by Vendor on behalf of and/or its Affiliates in the course of providing the Services under the Agreement. Any Data that is Personal Data is hereby referred to as “ Personal Data”.

1.7 “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

1.8 “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Privacy Shield (as may be amended, superseded or replaced), details of which can be found at

1.9 “Processor” means an entity that processes Personal Data on behalf of, and in accordance with the instructions of, a Controller.

1.10 “SCCs” means the standard contractual clauses available at as updated or replaced from time to time.

1.11 “Sub-processor” means an entity engaged by a Processor who agrees to receive from the Processor Personal Data exclusively intended for the processing activities to be carried out as part of the Services.

1.12 “Vendor”, “Organiser”, means the individual or entity which has entered into the Agreement with

2. Role of the Parties and Nature of the Personal Data.
2.1 For purposes of this DPA, may act as a Controller, or it may act as a Processor of one of its customers. Vendor therefore acknowledges that it may act as a Processor of or a Sub-processor of Where acts as a Processor, is obligated contractually and/or under Applicable Privacy Laws to flow down certain data protection related obligations to its appointed Sub-processors. Therefore all obligations placed on Processors in this DPA shall apply to Vendor regardless of whether Vendor acts as a Processor or Sub-processor.

2.2 The nature, purpose and subject matter of Vendor’s data processing activities performed as part of the Services are set out in the Agreement. The Personal Data that may be processed may relate to event organisers, attendees, employees, contractors and contacts and may include name, email address, billing and payment information, events booked, organised and attended and any other Personal Data that may be processed pursuant to the Agreement.
3. Vendor’s Compliance.
3.1 Vendor warrants and undertakes to process Personal Data only for the limited and specified purposes set out in the Agreement and/or as otherwise lawfully instructed by in writing (email or otherwise), except where otherwise required by applicable law. Vendor will immediately inform if, in its opinion, an instruction is in breach of Applicable Privacy Laws.

3.2 Subject to Section 5 of this DPA, where Vendor processes Personal Data originating from the EEA, the UK and/or Switzerland, and Vendor transfers such Personal Data to a country not deemed by the European Commission as providing adequate protection for Personal Data, Vendor warrants and agrees to: (i) comply with its obligations under Applicable Privacy Laws; and (ii) provide at least the same level of protection to Personal Data as is required by the Privacy Shield Principles and/or as may otherwise reasonably require, in accordance with Applicable Privacy Laws, to ensure an adequate level of protection for Personal Data. Vendor agrees to notify promptly in writing of its inability to meet its obligations under this Section 3.2 and to take all reasonable and appropriate measures to remedy any non-compliance and/or cease processing Personal Data, as determined by in its sole discretion. Where Vendor has not certified to the Privacy Shield Framework Principles, Vendor warrants and agrees to: (i) the SCCs, which are hereby incorporated into this DPA; and (ii) implement the technical and organisational security measures specified in Appendix 1 before processing the Personal Data.
4. Confidentiality and Security.
4.1 Vendor shall ensure that any person that it authorises to process the Data (including Vendor’s staff, agents and subcontractors) shall be subject to a duty of confidentiality.

4.2 Vendor shall ensure it implements and maintains throughout the term of the Agreement, or duration of its services to as a Processor or Sub-processor, appropriate technical and organisational measures to protect Data, including protection against Data Breaches. Where Vendor is Privacy Shield certified, in accordance with Section 3 of this DPA, such measures shall, at a minimum, include at least the same level of privacy protection as is required by the Privacy Shield Principles.
5. Sub-processing.
Vendor shall notify of any Sub-processors it uses in respect of Personal Data, and Vendor shall: (i) ensure that any Sub-processor is contractually bound in writing to provide at least the same level of protection as is required by this DPA and complies with Applicable Privacy Laws; (ii) be fully responsible for, and liable to for acts and omissions of any Sub-processor as if they were Vendor’s own act or omission; and (iii) provide with details of any Sub-processors appointed, on request.
6. Cooperation and Data Subjects Rights.
Vendor will provide all assistance reasonably required by to enable to: (i) respond to, comply with or otherwise resolve any rights request, question or complaint received by (or an customer) from: (a) any living individual whose Personal Data is processed by Vendor on behalf of; or (b) any applicable formally designated data protection authority; and (ii) comply with (and demonstrate compliance with) its obligations under Applicable Privacy Laws. In the event that any such request, question or complaint under this Section 5 is made directly to Vendor, Vendor shall inform providing full details of the same.
7. Audit.
On reasonable prior written notice, Vendor agrees to provide (or its appointed auditors) with all information deems reasonably necessary for to audit Vendor’s compliance with the requirements of this DPA, including completion of audit questionnaires, provision of security policies and summaries of assessments of compliance with any industry standards (such as ISO 27001, SSAE 16 SOC II), penetration testing and vulnerability scans.
Any costs relating to any such audits will be borne by the Vendor and any such request will be responded to in a reasonable timeframe, no more than 30 days. Any delay or issues identified or not rectified or the audit not responded to would constitute a breach of the Terms of Service and could lead to an immediate suspension of service(s) being provided by
Any requested audit by the Vendor will be responded to by and any additional costs beyond the provision beyond the outline of processes and copies of policies, all administrative and legal costs will be met by the Vendor.
8. Data Breach.
In the event of a Data Breach, Vendor will take only the following actions (unless authorised by

8.1 promptly notify without undue delay (and latest within 48 hours of becoming aware of the Data Breach) and provide with a reasonably detailed description of the Data Breach, the type of data that was the subject of the Data Breach and the identity of each affected person as soon as such information can be collected or otherwise becomes available, as well as any other information that may reasonably request relating to the Data Breach; and

8.2 promptly (and latest beginning within 48 hours of becoming aware of the Data Breach) investigate the Data Breach, make reasonable efforts to mitigate the effects and harm of the Data Breach in accordance with its obligations under Section 3 (Confidentiality and Security) above, and provide any other assistance that may reasonably request relating to the Data Breach.
9. Deletion or Return of Data.
Upon termination or expiry of this DPA, Vendor shall (at’s election) destroy or return to all Data (including all copies of Data) in its possession or control (including any Data subcontracted to a third party for processing), unless any applicable law requires Vendor to retain Data.
10. Indemnity
Vendor will indemnify, keep indemnified and hold harmless, its clients, officers, directors, employees, agents, representatives and Affiliates (each an “Indemnified Party”) from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Vendor’s non-compliance with the requirements of this DPA.
11. Miscellaneous
Except for the changes made by this DPA, the Agreement and/or any other agreements related to the Services remain unchanged and in full force and effect.

With respect to provisions regarding processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where you and have individually negotiated data processing terms that are different from this DPA and which meet the requirements of Applicable Privacy Laws in full, in which case those negotiated terms will control.
Appendix 1
Technical and Organisation Security Measures Requirement.

References to ‘data importer’ in this Appendix 1 means the Vendor.

Policies for information security: The data importer agrees to implement a set of policies for information security that are defined, approved by management, published and communicated to employees and relevant external parties.

Review of the policies for information security: The data importer agrees to ensure that the policies for information security are reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Information security awareness, education and training: The data importer will ensure all employees of the organisation and, where relevant, contractors receive appropriate awareness education and training and regular updates in organisational policies and procedures, as relevant for their job function.

Acceptable use of assets: The data importer will ensure rules for the acceptable use of information and of assets associated with information and information processing facilities are identified, documented and implemented.

Classification of information: The data importer will ensure all information assets are classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

Disposal of media: The data importer will ensure all media is disposed of securely when no longer required, using formal procedures.

Access control policy: The data importer will ensure an access control policy is established, documented and reviewed based on business and information security requirements.

Policy on the use of cryptographic controls: The data importer will ensure a policy on the use of cryptographic controls for protection of information has been developed and implemented.

Physical security perimeter: The data importer will ensure that security perimeters are defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

Physical entry controls: The data importer will ensure secure areas are protected by appropriate entry controls to ensure that only authorised personnel are allowed access.

Secure disposal or re-use of equipment: The data importer will ensure all items of equipment containing storage media are verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Controls against malware: The data importer will implement detection, prevention and recovery controls to protect against malware, combined with appropriate user awareness.

Information backup: The data importer will implement a backup policy to define the organisation’s requirements for backup of information, software and systems.

Management of technical vulnerabilities: The data importer will act to mitigate technical vulnerabilities, to reduce exposure to such vulnerabilities and ensure appropriate measures are taken to address the associated risk.

Information systems audit controls: The data importer will implement carefully planned and agreed upon audit requirements and activities involving verification of operational systems to minimize disruptions to business processes.

Network controls: The data importer will ensure networks are managed and controlled to protect information in systems and applications and ensure groups of information services, users and information systems are appropriately segregated.

Electronic messaging: The data importer will ensure information involved in electronic messaging will be appropriately protected.

Confidentiality or non-disclosure agreements: The data importer will ensure requirements for confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information are identified, regularly reviewed and documented.

Securing application services on public networks: The data importer will ensure information involved in application services passing over public networks is protected from fraudulent activity, contract dispute and unauthorised disclosure and modification.

Secure system engineering principles: The data importer will ensure principles for engineering secure systems are established, documented, maintained and applied to any information system implementation efforts.

System security and acceptance testing: The data importer will ensure testing of security functionality is carried out during development and that acceptance testing programs and related criteria are established for new information systems, upgrades and new versions. The data importer will ensure test data is selected carefully, protected and controlled.

Reporting and responding to information security events: The data importer will ensure information security events are reported through appropriate management channels as quickly as possible and will ensure information security incidents are responded to in accordance with the documented procedures.

Planning information security continuity: The data importer will determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.