Catalate Pricing as a Service Agreement

Last Updated: November 17, 2022

This Catalate Pricing as a Services Agreement (this “Agreement”) is entered into as of the date of Partner’s first Order Form or the date of Partner’s first use of the Services, whichever is earlier (the “Effective Date”), between Catalate Commerce, Inc., a Delaware corporation (“Catalate”), and the customer using the Services (“Partner”) (each a “Party” and together the “Parties”), and governs Catalate’s provision of the online services described herein.

Agreement

1. Definitions.

1.1 “Affiliate” means a person or entity directly or indirectly, controlled by, controlling, or under common control with, a Party.

1.2 “API” means Catalate’s API(s) via which Partners may access Ticket inventory and pricing.

1.3 “Margin Percentage” means Catalate’s fees for providing the Services, calculated as a percentage of the Retail Price. The Order Form lists the Margin Percentages for Tickets sold on the API.

1.4 “Order Form” means this cover sheet and any subsequent order form for additional products or services that has been executed by both parties.

1.5 “Retail Price” means the actual price paid by an End User for a Ticket purchased through the API.

1.6 “Services” means Catalate’s professional consulting, marketing, promotional and online retail services and related Software to allow Partner to promote and sell its products online to prospective End Users, including the API.

1.7 “Software” means software and other source code, object code or underlying structure, ideas, know-how or algorithms used to provide the API and other parts of the Services.

1.8 “Tickets” means entry or use tickets for Partner’s property, and other associated products Partner wishes to sell through the Services.

2. Services; License Grant.

2.1 Partner hereby engages Catalate to provide the Services in accordance with and subject to the terms in Exhibit A.

2.2 During the term and subject to the terms of this Agreement, Catalate grants Partner a limited, revocable, non-exclusive and non-transferable license to access and integrate the API in order to make Ticket inventory available in accordance with Exhibit A.

3. Compensation. Partner shall pay Catalate as set forth on Exhibit A and each Order Form. Retail Prices shall include all applicable taxes, levies, duties, VAT and similar government assessments by any local, state, provincial, federal or foreign jurisdictions (collectively, “Taxes”). Partner shall be solely responsible for the payment of all Taxes associated with Ticket sales. If an applicable tax authority requires Catalate to pay any Taxes that should have been payable by Partner, Catalate will advise Partner in writing, and Partner will promptly reimburse Catalate for the amounts paid.

4. Use of Intellectual Property.

4.1 Catalate retains all right, title and interest, including all intellectual property rights, embodied in or associated with the Services and the Catalate marks.

4.2 Restrictions. Partner will not permit its users to (without limitation):

(a) make the Services available to third parties for service bureau or time-sharing purposes, or otherwise enable third parties to use the Services;

(b) otherwise allow third parties to access or use the Services;

(c) sell, resell, transfer, assign, frame, mirror or distribute the Services;

(d) introduce software or automated agents or scripts into the Services in order to create multiple accounts, generate automated searches, requests or queries, or strip, scrape or mine data from the Services;

(e) copy or reverse engineer, for any reason, the Software, pricing model or pricing strategies used to provide the Services; or

(f) access the Services in order to build a competing product or service, to build a product using similar ideas, features, functions or graphics of the Services, or to copy any ideas, features, functions or graphics of the Services.

5. Security Standards. Partner’s networks, operating systems, web servers, routers and computer systems must be properly configured to industry standards so as to prevent any intrusion or unauthorized disclosure or loss of data. In the event of any breach of security involving the API or other Services, Partner must notify Catalate immediately and work diligently to remedy such security breach as soon as practicable.

6. Acceptable Use. Partner agrees that it and its employees and agents will not use the Services to:

6.1 transmit any material that contains adware, malware, spyware, software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment;

6.2 interfere with or disrupt Catalate’s servers or networks connected to Catalate, or disobey any requirements, procedures, policies or regulations of networks connected to Catalate;

6.3 attempt to access any other Catalate systems that are not part of the Services; or

6.4 violate any laws, third-party rights or obligations under this Agreement.

7. Partner Reports. Partner will maintain all records related to its orders processed using the API as required by this Agreement by applicable law. Partner shall send a weekly report of all orders processed using the API to Catalate in a format provided by Catalate. If there is greater than a 5% variance between bookings provided by Partner in a format provided by Catalate and Catalate’s systems, Partner will have two weeks from Catalate’s notice of such variance to amend the API configuration such that the variance is reduced to less than 5%. If the issue is not resolved within the two week period, Catalate will revert strategy to static pricing until the issue is resolved. In order to verify the accuracy of such reports, Catalate may inspect Partner’s records and materials related to this Agreement. Such audits will be conducted during Partner’s normal business hours, upon no less than five days’ prior written notice. Catalate shall be responsible for the audit costs unless the audit reveals an underpayment of 5% or greater, in which case Partner shall pay Catalate’s reasonable expenses of the audit in addition to all fees due.

8. Confidentiality.

8.1 Subject to the limitations set forth in Section 8.2, all information disclosed by one party to the other party during the term of this Agreement, whether in oral, written, graphic or electronic form, shall be deemed to be “Confidential Information”. Confidential Information includes, without limitation, Catalate software used to provide Services, related documentation, specifications, pricing, disclosures in connection with the provision of Services, disclosures made by Partner about its operations, Ticket sales and other non-public metrics, and the terms and conditions of this Agreement. Confidential Information shall remain the sole property of the disclosing party or its licensors.

8.2 Exceptions. Information will not be considered as Confidential Information if the receiving party can establish by documentary evidence that the information is or was: (a) lawfully available to the public through no act or omission of the receiving party; (b) in the receiving party’s lawful possession prior to disclosure by the disclosing party and not obtained either directly or indirectly from the disclosing party; (c) lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (d) independently developed by the receiving party.

8.3 Nondisclosure. The parties agree, during the term and after the termination of this Agreement, to hold each other’s Confidential Information in confidence and not to disclose such information in any form to any third party without the express written consent of the disclosing party, except to employees and consultants performing services for the benefit of the receiving party who are under a written non-disclosure agreement protecting the applicable Confidential Information in a manner no less restrictive than this Agreement. Each party agrees to take all reasonable steps to ensure that Confidential Information is not disclosed or distributed by its employees or agents in violation of this Agreement. A receiving party facing legal action to disclose Confidential Information of the disclosing party shall promptly notify and provide the disclosing party the opportunity to oppose such disclosure or obtain a protective order and shall continue to treat such information as Confidential Information. This Section 9 shall not be construed as granting or conferring any rights to either party by license or otherwise, expressly or implicitly, to any Confidential Information.

8.4 Permitted Third Parties. For the avoidance of doubt, Partner acknowledges and consents to the sharing of its pricing information with Partner’s operating system and other technology partners for the purpose of providing the Services.

9. Term. Unless sooner terminated or otherwise stated in the Order Form, the initial term of this Agreement shall be one year. Thereafter, this Agreement shall automatically renew for successive periods of one year each unless either party notifies the other Party of non-renewal of this Agreement at least 30 days before the end of the then-current term.

10. Termination.

10.1 Catalate may suspend or terminate the Agreement, access to all or any part of the Services, and/or the licenses granted herein, effective immediately, if Partner uses or permits the use of the Services for any purpose that is improper, unlawful or not authorized by this Agreement.

10.2 Either Party may terminate this Agreement (including all related Order Forms) if the other Party: (a) fails to cure a material breach of this Agreement within 30 days after written notice of such breach; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors’ arrangement, composition or comparable proceeding, or if any such proceeding is instituted against that Party (and not dismissed within 60 days).

10.3 Termination is not an exclusive remedy, and the exercise by either Party of any remedy under this Agreement will be without prejudice to any other remedies it may have under this Agreement, by law or otherwise.

11. Representations and Warranties. Each Party represents and warrants that it has the right, power and authority to enter into this Agreement and to perform all of its respective obligations under this Agreement, that the person executing or consenting to each Order Form on behalf of a party has been authorized by such party to do so, and that the performance of such obligations shall not conflict with or result in a breach of any agreement to which it is a party or is otherwise bound. Catalate represents and warrants that the Services process and store credit or debit card payment information in compliance with the Payment Card Industry Data Security Standards (PCI-DSS).

12. Disclaimer of Warranties. EXCEPT AS OTHERWISE SET FORTH HEREIN, CATALATE HEREBY EXPRESSLY DISCLAIMS ALL WARRANTIES, REPRESENTATIONS AND CONDITIONS IN CONNECTION WITH THIS AGREEMENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, OR TITLE. CATALATE DOES NOT MAKE ANY WARRANTY THAT THE SERVICES WILL BE CONTINUOUSLY AVAILABLE, ERROR-FREE OR COMPLETELY SECURE, OR THAT ANY DEFECTS WILL BE CORRECTED.

13. Indemnification.

13.1 Partner agrees to defend, indemnify and hold harmless Catalate, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents (the “Catalate Indemnified Parties”) against any and all claims, liabilities, damages, losses, costs, expenses, and fees (including reasonable attorneys’ fees) (“Claims”) brought against Catalate for damages to the extent due to any actual or alleged improper use or application of the Services.

13.2 Catalate agrees to defend, indemnify and hold harmless Partner, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents (the “Partner Indemnified Parties”) against any and all Claims brought against Partner for damages to the extent due to any actual or alleged: (a) claim that the platform used by Catalate to operate the Services infringes or misappropriates the intellectual property rights or rights of privacy or publicity of a third party; or (b) violation by Catalate of any applicable law, rule or regulation in performing the Services.

13.3 The indemnified Party must promptly notify the other Party in writing of any claim under this Section and, at the other Party’s expense, provide all reasonably necessary assistance, information and authority to allow the other Party to control the defense and settlement of such claim. Each Party reserves the right, at its own expense, to assume the exclusive defense and control of any matter subject to indemnification by the respective Party under this Section 13. The indemnification obligations under this Section shall survive termination of this Agreement.

14. Limitations of Liability.

14.1 UNDER NO CIRCUMSTANCES SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL OR PUNITIVE DAMAGES OF ANY KIND, SUCH AS LOST REVENUE OR ANTICIPATED PROFITS, LOST PROFITS, OR LOSS OF DATA OR USE, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING APPLIES REGARDLESS OF THE NEGLIGENCE OR OTHER FAULT OF EITHER PARTY AND REGARDLESS OF WHETHER SUCH LIABILITY ARISES IN CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER THEORY OF LIABILITY.

14.2 IN NO EVENT SHALL THE MAXIMUM AMOUNT OF DAMAGES PAYABLE BY EITHER PARTY FOR ANY BREACH OF THIS AGREEMENT, OR FOR ANY DAMAGE OR INJURY RESULTING FROM CATALATE’S PROVISION OF THE SERVICES, EXCEED THE FEES PAID BY PARTNER TO CATALATE UNDER THIS AGREEMENT DURING THE TWELVE MONTHS IMMEDIATELY PRECEDING SUCH CLAIM.

15. Modification of Reservation Service Programs. Catalate may add, delete or otherwise modify any of the Services, provided that Catalate will notify Partner of any material modification that results in degradation of the Services.

16. Force Majeure. Neither Catalate nor Partner will be liable for any delay or failure in performance under this Agreement due to any cause beyond its reasonable control.

17. Governing Law, Jurisdiction and Venue. This Agreement and all matters or issues related to this Agreement shall be governed by and construed under the laws of the State of California without application of principles of conflicts of laws. Each of the Parties irrevocably and unconditionally agrees that any legal proceeding arising out of or relating to this Agreement may be brought in the United States District Court for the Northern District of California, or, if that court lacks jurisdiction, in any court of competent jurisdiction in San Francisco County; and (b) consents to the jurisdiction of each such court in any proceeding. In the event of any action, suit or proceeding related to this Agreement, the prevailing party, in addition to its rights and remedies otherwise available, shall be entitled to receive reimbursement of reasonable attorneys’ fees and expenses and court costs.

18. Assignment. Partner may not assign or sublicense, by operation of law or otherwise, this Agreement or any duties, rights or obligations under this Agreement without Catalate’s prior written consent; provided that either party may assign this Agreement to its Affiliate or its successor in the event of a merger, acquisition or sale of all or substantially all of the assets of such party. Any other purported assignment shall be void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns.

19. Severability; No Waiver. If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, then such provision shall be construed, as nearly as possible, to reflect the intentions of the Parties with the other provisions remaining in full force and effect. The failure of either Party to exercise or enforce any right or provision of this Agreement will not constitute a waiver of such right or provision, unless such waiver is in writing and is executed by the Party against whom such waiver is claimed.

20. Notices. Any notice required or permitted under this Agreement shall be given in writing and shall be deemed delivered when: (a) verified by written receipt if sent by personal courier, overnight courier, or postal mail; or (b) confirmed or replied to by the recipient if sent by email. Notices shall be delivered to each Party at its respective address specified in this Agreement, or at such other address as such Party may specify by written notice to the other.

21. No Agency or Third Party Beneficiary. Partner and Catalate are independent contractors, and nothing in this Agreement (including use of the defined term “Partner”) shall be construed to create a partnership, joint venture, franchise, or agency relationship between Partner and Catalate. Neither Party has any authority to enter into agreements of any kind on behalf of the other Party. Catalate and Partner agree that there should be no third party beneficiary to this Agreement, including, but not limited to, End Users.

22. Miscellaneous. This Agreement, along with the attached Exhibits, constitutes the entire agreement of the Parties with respect to its subject matter, superseding all prior or contemporaneous oral and written communications, proposals, negotiations, representations, understandings, courses of dealing, agreements, contracts, and the like between the Parties in such respect, except that terms on an Order Form will supersede comparable provisions in this Agreement for the period stated in the Order Form. The section headings in this Agreement are for convenience only and have no legal or contractual effect. This Agreement: (a) may be executed in any number of counterparts, each of which, when executed by both Parties to this Agreement shall be deemed to be an original, and all of which counterparts together shall constitute one and the same instrument; and (b) may not be amended or modified by Partner unless such amendment or modification is in writing signed by both Parties. The terms of any sections that, by their nature, are intended to extend beyond termination shall survive termination of this Agreement for any reason.

API
The API allows third parties to access Ticket inventory and sell it in other environments (e.g., in another e-commerce engine, in lodging environments, in native mobile apps, in other third-party distribution channels, etc.). With the API, a Partner can access Ticket prices, inventory quantity and availability, and create orders in the Catalate system. Inventory management and analytics are performed within Catalate’s system.
End User Transactions. Catalate provides Ticket pricing only via the API and is not responsible for Ticket sales, payment processing, Ticket fulfillment or any other aspect of the Tickets sold, unless the Parties have agreed otherwise in writing. Partner is responsible for post-purchase interactions with its customers. Catalate assumes no liability for the acts or omissions of Partner with respect to such interactions.
Payment. Catalate’s fees for use of the API are stated on each Order Form. Except as otherwise provided herein, all fees are non-cancellable and non-refundable, and Partner will pay all fees within 30 days after receipt of Catalate’s invoice. Unpaid amounts are subject to a finance charge of 1.5% per month on the outstanding balance, or the maximum permitted by law, whichever is lower, plus all costs of collection. Without limiting its other remedies, Catalate may suspend the Services for non-payment of fees.

When Catalate provides marketing and Ticket fulfillment services for Partners, in some cases Catalate has a direct relationship with End Users and is the controller of Personal Data they provide. In other cases Catalate will act as a processor, processing Personal Data on Partner’s behalf. This Addendum applies to situations where Partner is the controller or processor of Personal Data and Catalate is the processor. The parties agree that this Addendum shall be incorporated into and form part of the Agreement and subject to the provisions therein, including limitations of liability.
1 Definitions and interpretation. For purposes of this Addendum:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
“Agreement” means the agreement between Partner and Catalate to which this Addendum is attached.
“Breach” means a breach of security by Catalate that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Services.
“Controller”, “Processor” and “Data Subject” (whether or not capitalized) have the meanings provided in the GDPR and equivalent meanings under other Data Protection Laws.
“Data Protection Laws” means the General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom Data Protection Act 2018 and GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act, its associated regulations and their successors (“CPRA”) and all other data protection and privacy laws and regulations of the United States, the United Kingdom and the EEA applicable to the Processing of Personal Data under the Agreement.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Iceland, Liechtenstein, Norway and Switzerland.
“Personal Data” refers to data processed by the Services on Partner’s behalf that corresponds to the following terms and Data Protection Laws: (a) Personal Data as defined in GDPR in reference to residents of the European Economic Area and the United Kingdom, and (b) Personal Information as defined in the CPRA in reference to California residents, and (c) equivalent terms under other laws applicable to the Services in reference to residents of those jurisdictions.
“SCCs” or “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as (i) approved by European Commission Implementing Decision 2021/914, and (ii) as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
Other capitalized terms used herein have the meanings provided in the Agreement.
2 Global Processing Terms.
2.1 General Processing Conditions. Catalate shall process Personal Data on Partner’s behalf for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Partner, except where otherwise required by applicable law. Catalate may have a separate right to process certain Personal Data: (a) if Catalate receives the same guest Personal Data from multiple sources, and (b) if Catalate has a direct relationship with a data subject and is a controller of that Personal Data. Catalate will promptly inform Partner if it becomes aware that processing requested by Partner infringes Data Protection Laws.
2.2 Compliance. Partner is responsible for ensuring that: (a) its use of the Services complies with Data Protection Laws and with all other applicable laws relating to privacy and data protection; and (b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Catalate for processing in accordance with the Agreement and this DPA. Partner must advise Catalate if its proposed use of the Services would subject Catalate to data protection or privacy obligations under laws or regulations other than the Data Protection Laws. If and when necessary in that situation, the parties may enter into a local implementation addendum governing any provisions of such laws.
2.3 Training. Catalate shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.
2.4 Security Incidents. Catalate will notify Partner without undue delay on becoming aware of a Breach, by sending an email to Partner’s principal contact for the Catalate relationship. Further, Catalate undertakes to take all reasonable steps to mitigate the impact of any such Breach and to reasonably cooperate with Partner to enable Partner to comply with its obligations under Data Protection Laws, including by assisting Partner in notifying Data Subjects or regulators of a Breach. Catalate shall not give such notice without the prior written approval of Partner.
2.5 Obligation to Rectify, Update and Restrict Processing of Partner Personal Data. During the term of the Agreement, Catalate shall: (a) ensure that the Personal Data is accurate and, where necessary, kept up to date, in accordance with Partner’s instructions and (b) restrict the processing of Personal Data identified by Partner.
2.6 Obligation to Delete and Return Personal Data. Upon completion of its obligations in relation to processing of Personal Data under the Agreement or upon Partner’s request at any time during the term of the Agreement, Catalate shall, at Partner’s election, either: (a) return all or subsets of the Personal Data in Catalate’s control to Partner; or (b) permanently delete or render the Personal Data unreadable. Notwithstanding the foregoing: Catalate may retain Personal Data: (x) to the extent it has a separate legal right or obligation to do so; and (y) in backup systems until the backups have been overwritten or expunged in accordance with Catalate’s backup policy.
2.7 Audit Rights.
(a) Upon Partner’s written request, Catalate shall provide Partner with a summary of its then-current information security program as relevant to the security and confidentiality of the Personal Data shared during the course of the Agreement.
(b) In addition, Partner may contact Catalate to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Partner and Catalate shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Catalate incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Catalate.
(c) Catalate accepts and agrees that supervisory authorities may request information from Catalate and carry out investigations in the form of data protection audits of Catalate, in accordance with Data Protection Laws.
3 EEA- and UK-Specific Processing Terms
3.1 Subprocessors. Partner generally authorizes Catalate’s appointment of certain third party Processors of Personal Data under this Agreement (“Subprocessors”). Catalate confirms that it: (a) has entered (or, for future appointments, will enter) into a written agreement with the Subprocessor incorporating terms which are substantially similar to those set out in this Addendum; and (b) will inform Partner of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Partner the opportunity to object to such changes.
3.2 Transfers Outside the EEA or United Kingdom. Catalate may not transfer Personal Data to, or process such data in, a location outside of the EEA or United Kingdom (as appropriate) without Partner’s prior written consent (in each case a “Transfer”). Without prejudice to the foregoing, Partner consents to Transfers where Catalate has implemented a Transfer solution compliant with Data Protection Laws, which for example may include: (a) where such transfer is subject to an adequacy decision by applicable authorities; (b) Privacy Shield or an equivalent valid Transfer framework; (c) the Standard Contractual Clauses; (d) another appropriate safeguard pursuant to Article 46 of the GDPR; or (e) a derogation pursuant to Article 49 of the GDPR.
4 California-Specific Processing Terms
4.1 Processing in Accordance with California Law. Catalate shall not, within the meaning of the CPRA and with respect to Personal Data to which CPRA applies: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than to provide the Services; (c) retain, use, or disclose Personal Data for a commercial purpose other than providing the Services; or (d) retain, use, or disclose Personal Data outside of the direct business relationship between Partner and Catalate; or (e) combine Personal Data with Personal Data it receives from any other source, including from data subjects themselves, except for business purposes permitted by the CPRA, but in no case may Catalate use Personal Data for Catalate’s advertising or marketing purposes.
5 Governing Law
This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by GDPR, in which case this DPA will be governed by the laws of France.
6 Incorporation of Standard Contractual Clauses
The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
6.1 Module One applies to those transfers in which Partner is the data controller and Catalate is the data controller for limited business contact information concerning Partner’s individual representatives who provide instructions to Catalate.
6.2 Module Two applies to those transfers in which Partner is the data controller and Catalate is the data processor.
6.3 Module Three applies to those transfers in which Partner is the data processor and Catalate is the sub-processor.
6.4 Clause 7 (Docking Clause) is omitted;
6.5 In Clauses 8.9(b) and 8.9(e) the review and audit provisions in Section 2.7 shall apply.
6.6 In Clause 9(a) (Use of sub-processors) – Option 2 (General Written Authorization) applies in accordance with Section 3.1 above;
6.7 In Clause 11(a) (Redress) – the Optional provision shall NOT apply;
6.8 In Clause 16(b) (Suspension of transfers) if Catalate is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
6.9 In Clause 17 (Governing Law) – the laws of the Republic of France shall govern; and
6.10 In Clause 18 (Choice of forum and jurisdiction) – the courts of the Republic of France shall have jurisdiction.
6.11 The information required by Annex I (Description of Processing) is provided on Annex 1 attached hereto.
6.12 The information required by Annex II (Technical and Organizational Security Measures) is provided on Annex 2 attached hereto.
7 Application of SCCs to Transfers from Switzerland
7.1 Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
(a) references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
(b) In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.
8 Application of SCCs to Transfers from the United Kingdom
8.1 Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK GDPR law by the IDTA. The information required by each table of the IDTA is provided as follows:
(a) Table 1 (Identification of Parties): as described in the Agreement and Sections 6.1 – 6.3 above.
(b) Table 2 (Selection of SCCs, Modules and Selected Clauses): The parties agree the IDTA is appended to the SCCs as modified by Section 6 above (Incorporation of Standard Contractual Clauses).
(c) Table 3:
(1) Annex 1A (Identification of Parties): as provided in the Agreement;
(2) Annex 1B (Description of Transfer): Annex 1 attached hereto;
(3) Annex II (Technical and Organizational Security Measures): Annex 2 attached hereto;
(4) Annex III (List of Sub-processors): As described in Section 3.1 above.
(d) Table 4 (Effect of Changes to IDTA): When the IDTA changes neither party may end this DPA or the SCCs unless the Agreement is simultaneously terminated.
(e) In Clause 17 of the SCCs (Governing Law) the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of London, England shall have jurisdiction.

The data processing activities carried out by Catalate under the Agreement can be described as follows:

Categories of data subjects whose personal data is transferred

Processing by Catalate concerns Partner employees and End Users.

Categories of personal data transferred

Catalate processes the following categories of Personal Data about data subjects: first and last name, email address, telephone and other identifying information for End Users, as well as their payment information when they purchase Tickets.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

Catalate will process Personal Data to provide the Services identified in the Agreement.

Purpose(s) of the data transfer and further processing

Catalate will transfer Personal Data to provide the Services identified in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

During the term of the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subprocessors referenced in Section 3.1 provide portions of the platform used by Catalate to provide the Services.

Description of the technical and organizational security measures implemented by Catalate in accordance with Data Protection Law:

Policy Control

Catalate shall maintain a documented information security policy that conforms, at a minimum, to the most current NIST 800 series standard for information security management systems. Catalate shall ensure that all personnel directly or indirectly involved in fulfilling the Approved Purpose receive its information security policy and corresponding training. Catalate shall implement controls to monitor compliance with its information security policy on an ongoing basis.

Physical Access Control

Catalate shall take reasonable measures to prevent unauthorized persons from gaining access to data processing systems used for processing and/or using Personal Data by implementing physical controls, including:

  • an access control system (ID reader, magnetic card, chip card);
  • keys;
  • security personnel, janitors; and
  • surveillance facilities (alarm system, closed circuit television (CCTV) monitor).

Access Control to the IT System

Catalate shall take reasonable measures to prevent unauthorized use of data processing systems by implementing:

  • password procedures (including special characters, minimum length, frequent password changes);
  • user authentication keys;
  • segmentation of resources by role;
  • automatic lockout (e.g. password or timeout); and
  • company-wide use of the 1Password application.

Access Control to Data Controller Data

Catalate shall ensure that persons authorized to use the data processing system have access only to the data they are authorized to access, and that Personal Data cannot be read, copied, modified and/or removed without authorization during processing, use and after recording, by implementing:

  • differentiated access rights (profiles, roles, transactions and objects);
  • reports of access used;
  • access levels and access controls;
  • change control procedures; and
  • audit trails.

Transmission Control

Catalate shall ensure that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. To this end, Catalate will implement:

  • encryption/tunneling (VPN = Virtual Private Network);
  • login/password access control;
  • logging; and
  • TLS transport security.

Input Control

Catalate shall ensure that it is possible to check and establish after the fact whether and by whom Personal Data has been entered into, modified in or removed from data processing systems:

  • logging and reporting systems; and
  • role-appropriate access and permissions.

Job Control

Catalate shall ensure that Personal Data processed on behalf of Partner is processed in strict compliance with Partner’s instructions, and shall require its employees to follow Partner’s instructions and to process Personal Data solely in accordance with Partner’s instructions.

Availability Control

Catalate shall ensure that Personal Data is adequately protected against accidental destruction or loss by implementing:

  • backup procedures;
  • disk mirroring, e.g. RAID technology;
  • uninterruptible power supply (UPS);
  • remote storage;
  • firewall systems; and
  • disaster recovery plan.

Separation Control

Catalate shall ensure that Personal Data collected for different purposes can be processed separately by implementing:

  • separation of functions (production/testing);
  • recording of Partner’s consent and the scope of consent for all data transmitted directly to Catalate.

Security Incident Management

Catalate shall implement an appropriate security incident management process that follows industry best practices and requires, at a minimum:

  • immediate investigation of all security incidents;
  • notification of Partner within the timeframe specified in this Addendum; and
  • providing Partner and/or its designated representative with all reasonable access to Catalate’s systems, data and logs necessary to understand the circumstances of the security incident.

Access Controls:

The Catalate office is secured with a security guard at the building entrance and key cards at the door to the building and the door to the office.

The Catalate Services are hosted on AWS. All access to AWS is through multi-factor authentication. Catalate also enables MFA, where possible, for access to other cloud resources used.