Last updated: December 22, 2020
This Data Processing Addendum ("DPA") sets forth the terms and conditions related to the privacy, confidentiality and security of Personal Data associated with Services provided by ToneDen, a member of the Eventbrite family, to the Registered User pursuant to the ToneDen Terms of Service (“Terms”) or any other applicable services agreement. In this DPA, references to "you" means the Registered User and references to "we,'' "us," "our" and "ToneDen” means ToneDen, Eventbrite, Inc. and our affiliates.
The terms of this DPA are hereby incorporated into the ToneDen Terms of Service or any other applicable services agreement between you and ToneDen (the "Agreement").
With respect to provisions regarding the Processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where the Registered User and ToneDen have individually negotiated data processing terms that are different from this DPA and which meet the requirements of applicable Data Protection Laws in full, in which case those negotiated terms will control. In the event of a conflict between this DPA and the applicable data transfer agreement (if any), the terms of the applicable data transfer agreement will control.
“Controller-to-Processor Standard Contractual Clauses” means the Controller-to-Processor Standard Contractual Clauses in the Annex to the European Commission Decision of February 5, 2010, as may be amended or replaced from time to time by the European Commission.
“Data Protection Laws” means all laws or regulations related to the privacy, confidentiality and security of Personal Data.
“Business,” "Data Controller," "Data Processor," "Data Subject," "Processing," "Personal Data," and “Service Provider” shall have the meanings ascribed to them in applicable Data Protection Laws.
"Data Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data Processed by ToneDen on the Registered User’s behalf as part of the Registered User’s use of the Services.
“Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party, other than to a sub-processor pursuant to Section 2, for monetary or other valuable consideration.
“Services” means any services provided by ToneDen to the Registered User, as defined in the ToneDen Terms of Service of any other applicable services agreement between the Registered User and ToneDen.
"Technical and Organizational Security Measures" means reasonable security measures implemented by ToneDen appropriate to the type of Personal Data being Processed on the Registered User’s behalf and the Services being provided by ToneDen designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
1.1 In using ToneDen Services, the Registered User acts as a Business and is a Data Controller of the Personal Data associated with an individual using ToneDen Services. The Registered User represents and warrants that it has provided any necessary notices and if required, obtained any necessary consents related to the collection of such Personal Data from End Users and that the Registered User has the right to share such Personal Data with ToneDen.
1.2 Where ToneDen Processes the Personal Data of End Users on behalf of the Registered User as part of the Services, ToneDen is a Data Processor or Service Provider in performing such Processing and the Registered User is the Data Controller or Business. This includes circumstances where ToneDen obtains Personal Data as a result of the provision of its core services (for example, where ToneDen receives End User personally identifiable information that you input or submit to the Services directly or by providing us with access to your Third Party Accounts or to End User Data that ToneDen collects and receives, on your behalf, from ToneDen Marketing Pages).
To the extent that ToneDen Processes Personal Data as a Data Processor or Service Provider on behalf of the Registered User, Section 2 of this DPA shall apply.
1.3 Details about the Personal Data to be Processed by ToneDen and the Processing activities to be performed under the Agreement are as follows: (i) duration - as set out in the Agreement; (ii) nature, purpose and subject matter - to enable the Registered User to use the ToneDen platform and related advertising services; (iii) data categories - name, email address, information related to events booked and attended, location and any other Personal Data that the Registered User requests of its End Users; (iv) data subjects - End Users.
2.1 Whenever ToneDen Processes Personal Data on behalf of the Registered User, ToneDen shall:
2.1.1 Process Personal Data only on the documented instructions of the Registered User, unless required to do otherwise by applicable law. ToneDen shall inform the Registered User of the legal requirement before Processing Personal Data other than in accordance with the Registered User's instructions, unless that same law prohibits ToneDen from doing so on important grounds of public interest. ToneDen will not retain, use, disclose or Sell Personal Data except as necessary to perform ToneDen’s obligations under the Agreement, or as otherwise permitted by Applicable Law. The Registered User will ensure that its instructions comply with all laws, regulations and rules applicable to the Personal Data, and that ToneDen’s Processing of such Personal Data, pursuant to Registered User’s instructions, will not cause ToneDen to violate any applicable law, regulation or rule, including Data Protection Laws. ToneDen will notify the Registered User if, in its opinion, an instruction is in breach of applicable Data Protection Laws. The Registered User hereby instructs ToneDen, and ToneDen hereby agrees, to Process Personal Data as necessary to perform ToneDen’s obligations under the Agreement and for no other purpose, unless otherwise specified in this DPA or required to comply with the law or other binding governmental order. In the event that this DPA or any actions to be taken or contemplated in performance of this DPA do not or would not satisfy either party’s obligations under applicable Data Protection Laws, the parties shall negotiate in good faith upon an appropriate amendment to this DPA;
2.1.2 Have in place Technical and Organizational Security Measures which include, but are not limited to:
2.1.3 Notify the Registered User in the event of a Data Security Breach without undue delay, unless otherwise prohibited by law or otherwise instructed by a law enforcement or data protection authority. In the event of any Data Security Breach, ToneDen shall provide reasonable assistance, where required by applicable Data Protection Laws and at the Registered User’s request, to enable the Registered User to comply with its obligations as a Data Controller or Business in relation to data breach notification requirements;
2.1.4 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data of End Users Processed by ToneDen on the Registered User’s behalf;
2.1.5 Impose obligations on its sub-processors that have access to Personal Data of End Users Processed by ToneDen on the Registered User’s behalf that are the same as or equivalent to those set out in this Section 2 by way of written contract, and remain fully liable to the Registered User for any failure by a sub-processor to fulfill its obligations in relation to such Personal Data;
2.1.6 Provide reasonable assistance to the Registered User in responding to individual rights requests or other communications received under applicable Data Protection Laws from any applicable data protection authority or End User who is the subject of any Personal Data Processed by ToneDen on the Registered User’s behalf. In the event that an End User submits a Personal Data deletion request to ToneDen, the Registered User hereby instructs and authorizes ToneDen to delete or anonymize the End User’sPersonal Data on the Registered User’s behalf;
2.1.7 Upon the Registered User’s written request, make available to the Registered User all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, provide reasonable assistance with privacy and data protection impact assessments and related consultations of data protection authorities, and allow for and co-operate with any audits. Any on-site audits shall be: (i) permitted only on reasonable advance notice to ToneDen; (ii) subject to appropriate confidentiality undertakings; and (iii) limited to once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means; and
2.1.8 Return, delete, or destroy (at the Registered User’s election) the Personal Data of End Users Processed on the Registered User’s behalf and copies thereof, at the Registered User’s request (unless applicable law requires the storage of such Personal Data).
2.2 The Registered User hereby consents and authorizes ToneDen to disclose or transfer Personal Data to, or allow access to Personal Data by, ToneDen’s current sub-processors ("Current Sub-Processors") to Process Personal Data on Registered User’s behalf.
2.3 The Registered User hereby consents to ToneDen appointing additional and replacement sub-processors ("Replacement Sub-Processors") to Process Personal Data on the Registered User’s behalf. ToneDen shall: (i) give notice to the Registered User of the identity of Replacement Sub-Processors via ToneDen’s website (the Registered User is responsible for regularly checking and reviewing ToneDen’s website for any such changes and ToneDen’s website shall be the sole means of ToneDen communicating any such changes); and (ii) give the Registered User the opportunity to object to such changes that take place after the Effective Date of the Agreement, in accordance with the terms that follow in Section 2.4 of this DPA.
For the avoidance of doubt, any termination rights available herein shall only apply in the instance of objections to Replacement Sub-Processors appointed after the Effective Date of this DPA that are not remedied in accordance with the terms herein, and shall not apply in relation to Current Sub-Processors.
2.4 The Registered User shall raise any objection to the appointment of Replacement Sub-Processors within ten (10) days of ToneDen posting the changes on its website. The Registered User shall send its objection to firstname.lastname@example.org with the subject line “Objection to Replacement Sub-Processor.”
Provided that the Registered User’s objection: (i) concerns the Replacement Sub-Processor's ability to allow ToneDen to materially comply with its data protection obligations under this DPA; and (ii) includes sufficient detail to support its objection and provides specific examples, ToneDen will then use commercially reasonable efforts to review and respond to the Registered User’s objection within thirty (30) days of receipt of the Registered User’s objection with ToneDen’s determined method of accommodation.
If ToneDen determines in its sole discretion that it cannot reasonably accommodate the Registered User’s objection, upon notice from ToneDen, the Registered User may choose to terminate the Agreement by providing written notice to ToneDen, and complying with the terms herein, which shall be the Registered User’s sole and exclusive remedy. Without limiting the generality of the foregoing, the Registered User’s termination right under this Section 2.4 will be deemed an additional termination right of the Registered User under the "Termination" Section of the Agreement (if any) and if exercised will be deemed a termination pursuant to such Section. Such written notice must be sent to email@example.com and must specifically reference this Section 2.4 of the DPA. The day ToneDen receives a Registered User’s written termination notice under this Section 2.4 will be referred to as the "Objection Date" in this DPA. Should the Registered User choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this Section 2 shall relieve Registered User from any of its payment obligations to ToneDen under the Agreement.
Without limiting ToneDen’s other rights and remedies, if the Registered User terminates the Agreement pursuant to this Section 2.4, then the Registered User will immediately pay to ToneDen all amounts accruing and owed to ToneDen.
3.1 The Registered User agrees that ToneDen may transfer Personal Data of End Users to various locations in connection with providing the Services. Transfers will be made in accordance with legally enforceable transfer mechanisms where required by applicable Data Protection Laws.
3.2 For Registered Users located in the European Economic Area/United Kingdom/Switzerland and with respect to EU personal data that a Registered User holds as a data controller, ToneDen agrees that it will be bound by the Controller-to-Processor Standard Contractual Clauses. For Registered Users located in Argentina, transfers of applicable Personal Data of Consumers outside of Argentina will be governed by the Argentine Model Clauses (Controller to Processor), hereby incorporated by reference.