When Catalate provides marketing and Ticket fulfillment services for Partners, in some cases Catalate has a direct relationship with End Users and is the controller of Personal Data they provide. In other cases Catalate will act as a processor, processing Personal Data on Partner’s behalf. This Addendum applies to situations where Partner is the controller or processor of Personal Data and Catalate is the processor. The parties agree that this Addendum shall be incorporated into and form part of the Agreement and subject to the provisions therein, including limitations of liability.


1 Definitions and interpretation. For purposes of this Addendum:


“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
“Agreement” means the agreement between Partner and Catalate to which this Addendum is attached.
“Breach” means a breach of security by Catalate that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Services.
“Controller”, “Processor” and “Data Subject” (whether or not capitalized) have the meanings provided in the GDPR and equivalent meanings under other Data Protection Laws.
“Data Protection Laws” means the General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom Data Protection Act 2018 and GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act, its associated regulations and their successors (“CPRA”) and all other data protection and privacy laws and regulations of the United States, the United Kingdom and the EEA applicable to the Processing of Personal Data under the Agreement.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Iceland, Liechtenstein, Norway and Switzerland.
“Personal Data” refers to data processed by the Services on Partner’s behalf that corresponds to the following terms and Data Protection Laws: (a) Personal Data as defined in GDPR in reference to residents of the European Economic Area and the United Kingdom, and (b) Personal Information as defined in the CPRA in reference to California residents, and (c) equivalents terms under other laws applicable to the Services in reference to residents of those jurisdictions.
“SCCs” or “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as (i) approved by European Commission Implementing Decision 2021/914, and (ii) as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
Other capitalized terms used herein have the meanings provided in the Agreement.


2 Global Processing Terms.
2.1 General Processing Conditions. Catalate shall process Personal Data on Partner’s behalf for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Partner, except where otherwise required by applicable law. Catalate may have a separate right to process certain Personal Data: (a) if Catalate receives the same guest Personal Data from multiple sources, and (b) if Catalate has a direct relationship with a data subject and is a controller of that Personal Data. Catalate will promptly inform Partner if it becomes aware that processing requested by Partner infringes Data Protection Laws.
2.2 Compliance. Partner is responsible for ensuring that: (a) its use of the Services complies with Data Protection Laws and with all other applicable laws relating to privacy and data protection; and (b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Catalate for processing in accordance with the Agreement and this DPA. Partner must advise Catalate if its proposed use of the Services would subject Catalate to data protection or privacy obligations under laws or regulations other than the Data Protection Laws. If and when necessary in that situation, the parties may enter into a local implementation addendum governing any provisions of such laws.
2.3 Training. Catalate shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.
2.4 Security Incidents. Catalate will notify Partner without undue delay on becoming aware of a Breach, by sending an email to Partner’s principal contact for the Catalate relationship. Further, Catalate undertakes to take all reasonable steps to mitigate the impact of any such Breach and to reasonably cooperate with Partner to enable Partner to comply with its obligations under Data Protection Laws, including by assisting Partner in notifying Data Subjects or regulators of a Breach. Catalate shall not give such notice without the prior written approval of Partner.
2.5 Obligation to Rectify, Update and Restrict Processing of Partner Personal Data. During the term of the Agreement, Catalate shall: (a) ensure that the Personal Data is accurate and, where necessary, kept up to date, in accordance with Partner’s instructions and (b) restrict the processing of Personal Data identified by Partner.
2.6 Obligation to Delete and Return Personal Data. Upon completion of its obligations in relation to processing of Personal Data under the Agreement or upon Partner’s request at any time during the term of the Agreement, Catalate shall, at Partner’s election, either: (a) return all or subsets of the Personal Data in Catalate’s control to Partner; or (b) permanently delete or render the Personal Data unreadable. Notwithstanding the foregoing: Catalate may retain Personal Data: (x) to the extent it has a separate legal right or obligation to do so; and (y) in backup systems until the backups have been overwritten or expunged in accordance with Catalate’s backup policy.
2.7 Audit Rights.
(a) Upon Partner’s written request, Catalate shall provide Partner with a summary of its then-current information security program as relevant to the security and confidentiality of the Personal Data shared during the course of the Agreement.
(b) In addition, Partner may contact Catalate to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Partner and Catalate shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Catalate incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Catalate.
(c) Catalate accepts and agrees that supervisory authorities may request information from Catalate and carry out investigations in the form of data protection audits of Catalate, in accordance with Data Protection Laws.


3 EEA- and UK-Specific Processing Terms
3.1 Subprocessors. Partner generally authorizes Catalate’s appointment of certain third party Processors of Personal Data under this Agreement (“Subprocessors”). Catalate confirms that it: (a) has entered (or, for future appointments, will enter) into a written agreement with the Subprocessor incorporating terms which are substantially similar to those set out in this Addendum; and (b) will inform Partner of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Partner the opportunity to object to such changes.
3.2 Transfers Outside the EEA or United Kingdom. Catalate may not transfer Personal Data to, or process such data in, a location outside of the EEA or United Kingdom (as appropriate) without Partner’s prior written consent (in each case a “Transfer”). Without prejudice to the foregoing, Partner consents to Transfers where Catalate has implemented a Transfer solution compliant with Data Protection Laws, which for example may include: (a) where such transfer is subject to an adequacy decision by applicable authorities; (b) Privacy Shield or an equivalent valid Transfer framework; (c) the Standard Contractual Clauses; (d) another appropriate safeguard pursuant to Article 46 of the GDPR; or (e) a derogation pursuant to Article 49 of the GDPR.


4 California-Specific Processing Terms
4.1 Processing in Accordance with California Law. Catalate shall not, within the meaning of the CPRA and with respect to Personal Data to which CPRA applies: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other to provide the Services; (c) retain, use, or disclose Personal Data for a commercial purpose other than providing the Services; or (d) retain, use, or disclose Personal Data outside of the direct business relationship between Partner and Catalate; or (e) combine Personal Data with Personal Data it receives from any other source, including from data subjects themselves, except for business purposes permitted by the CPRA, but in no case may Catalate use Personal Data for Catalate’s advertising or marketing purposes.


5 Governing Law
This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by GDPR, in which case this DPA will be governed by the laws of France.


6 Incorporation of Standard Contractual Clauses
The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
6.1 Module One applies to those transfers in which Partner is the data controller and Catalate is the data controller for limited business contact information concerning Partner‘s individual representatives who provide instructions to Catalate.
6.2 Module Two applies to those transfers in which Partner is the data controller and Catalate is the data processor.
6.3 Module Three applies to those transfers in which Partner is the data processor and Catalate is the sub-processor.
6.4 Clause 7 (Docking Clause) is omitted;
6.5 In Clauses 8.9(b) and 8.9(e) the review and audit provisions in Section 2.7 shall apply.
6.6 In Clause 9(a) (Use of sub-processors) –Option 2 (General Written Authorization) applies in accordance with Section 3.1 above;
6.7 In Clause 11(a) (Redress) – the Optional provision shall NOT apply;
6.8 In Clause 16(b) (Suspension of transfers) if Catalate is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
6.9 In Clause 17 (Governing Law) – the laws of the Republic of France shall govern; and
6.10 In Clause 18 (Choice of forum and jurisdiction) – the courts of the Republic of France shall have jurisdiction.
6.11 The information required by Annex I (Description of Processing) is provided on Annex 1 attached hereto.
6.12 The information required by Annex II (Technical and Organizational Security Measures) is provided on Annex 2 attached hereto.


7 Application of SCCs to Transfers from Switzerland
7.1 Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
(a) references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
(b) In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.
8 Application of SCCs to Transfers from the United Kingdom
8.1 Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK GDPR law by the IDTA. The information required by each table of the IDTA is provided as follows:
(a) Table 1 (Identification of Parties): as described in the Agreement and Sections 6.1 – 6.3 above.
(b) Table 2 (Selection of SCCs, Modules and Selected Clauses): The parties agree the IDTA is appended to the SCCs as modified by Section 6. above. Above (Incorporation of Standard Contractual Clauses).
(c) Table 3:
(1) Annex 1A (Identification of Parties): as provided in the Agreement;
(2) Annex 1B (Description of Transfer): Annex 1 attached hereto;
(3) Annex II (Technical and Organizational Security Measures): Annex 2 attached hereto;
(4) Annex III (List of Sub processors): As described in Section 3.1 above.
(d) Table 4 (Effect of Changes to IDTA): When the IDTA changes neither party may end this DPA or the SCCs unless the Agreement is simultaneously terminated.
(e) In Clause 17 of the SCCs (Governing Law) the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of London, England shall have jurisdiction.

Catalate Marketing- und Fulfillment-Dienstleistungsvertrag

Last Updated: November 17, 2022

Diese Catalate Marketing- und Fulfillment-Dienstleistungsvereinbarung (diese "Vereinbarung") gilt ab dem Datum des ersten Bestellformulars des Partners oder dem Datum der ersten Nutzung der Dienstleistungen durch den Partner, je nachdem, was früher eintritt (das "Datum des Inkrafttretens"), zwischen Catalate Commerce, Inc. einer Gesellschaft aus Delaware ("Catalate"), und dem Kunden, der die Dienstleistungen nutzt ("Partner") (jeweils eine "Partei", zusammen die "Parteien") und regelt die Bereitstellung der hierin beschriebenen Online-Dienstleistungen durch Catalate.

In der Erwägung, dass Catalate Marketing- und Werbedienstleistungen sowie Online-Storefronts für den Verkauf von Ticketprodukten anbietet,

, vereinbaren die Parteien nun Folgendes:

Vereinbarung

 Definitions.

1.1 “Affiliate” means a person or entity directly or indirectly, controlled by, controlling, or under common control with, a Party.

1.2 “Cloud Store” means certain web sites hosted by Catalate for Partner with Partner-designated branding.

1.3 “Core Products” means single-day, multi-day and multi-pack tickets.

1.4 “End Users” means Partner’s end users who purchase Tickets.

1.5 “Margin Percentage” means Catalate’s fees for providing the Services, calculated as a percentage of the Retail Price. The Order Form lists the Margin Percentages for Tickets sold on the Web Sites.

1.6 “Net Rate” means the amount to be paid to Partner for each Ticket booked through the Services, calculated as the Retail Price, less the Margin Percentage, fees, returns, chargebacks and deductions relating to cancellation, advance purchase, no-show and loyalty program participation policies applicable to a particular category of Tickets.

1.7 “Order Form” means this cover sheet and any subsequent order form for additional products or services that has been executed by both parties.

1.8 “Parity” means that where a Partner sells tickets on site, online through its own website and/or through third party ticket outlets: (a) Partner must offer the same Core Products through Liftopia.com and Cloud Store (if Partner uses Cloud Store to sell Tickets), (b) the ticket prices for Core Products may not be higher than the prices charged by Partner or third party ticket outlets, and (c) the refund and exchange policies and other terms and conditions applicable to Tickets offered through Liftopia.com and Cloud Store are no more restrictive than those applicable to sales made by Partner directly or other third party ticket outlets.

1.9 “Partner Content” means any and all trademarks, service marks, logos, copyright materials, designs, artwork, Retail Prices for the Tickets and any other content provided by Partner to Catalate for inclusion on the Web Sites.

1.10 “Promote” means to use, view, copy, adapt, modify, distribute, license, transfer, publicly display, publicly perform, transmit, stream, broadcast, utilize and otherwise exploit Partner Content, but only in order to provide the Services.

1.11 “Retail Price” means the actual price paid by an End User for a Ticket purchased through the Web Sites. All Tickets made available through Cloud Store shall, at the discretion of Catalate, also be made available on Liftopia.com.

1.12 “Services” means Catalate’s professional consulting, marketing, promotional and online retail services to allow Partner to promote and sell its products online to prospective End Users.

1.13 “Tickets” means entry or use tickets for Partner’s property, and other associated products Partner wishes to sell through the Services;

1.14 “Web Sites” means Liftopia.com and Cloud Store sites.

2. Services.

2.1 Partner hereby engages Catalate to provide the Services to End Users in accordance with and subject to the terms in Exhibit A.

2.2 Partner is solely responsible for determining the Retail Prices for all Tickets. Catalate is Partner’s processing and fulfillment agent for Ticket sales. Catalate does not buy Tickets from Partner or resell them to End Users.

2.3 Ticket and pass insurance are provided by a third party. If Partner has enabled ticket/pass insurance, it is Partner’s responsibility to ensure that guests have properly completed all insurance registration documentation. Catalate will have no responsibility for any failure by insurance carriers to reimburse guests.

3. Customization. Partner shall be responsible for providing any Partner Content required by Catalate for the Web Sites. After receipt of the Partner Content, Catalate will add the Partner Content and Partner’s Ticket inventory to Liftopia.com and provision Cloud Store for Partner’s use.

4. License Rights from Partner. Partner hereby grants to Catalate a worldwide, non-exclusive, royalty-free, right and license (sublicenseable to Catalate marketing affiliates and partners) to Promote Partner Content to prospective End Users through the Web Sites, online web-marketing (including pay-per click, banners and other online advertisements) and email marketing for the benefit of Partner. Catalate runs the online and email marketing campaigns at its own costs and own discretion.

5. Compensation. Catalate shall pay Partner as set forth on Exhibit A and each Order Form. Retail Prices shall include all applicable taxes, levies, duties, VAT and similar government assessments by any local, state, provincial, federal or foreign jurisdictions (collectively, “Taxes”). Partner shall be solely responsible for the payment of all Taxes associated with Ticket sales. If an applicable tax authority requires Catalate to pay any Taxes that should have been payable by Partner, Catalate will advise Partner in writing, and Partner will promptly reimburse Catalate for the amounts paid.

6. Use of Intellectual Property.

6.1 Catalate retains all right, title and interest in, including any and all intellectual property rights embodied in or associated with the Services, Web Sites (but excluding Partner Content contained therein) and the Catalate trademarks. Partner retains all right, title and interest in, including any and all intellectual property rights embodied in or associated with, the Partner Content.

6.2 Restrictions. Partner agrees not to (without limitation):

(a) provide the Services to third parties for service bureau or time-sharing purposes or in any other way allow third parties to exploit the Services or Web Sites;

(b) Dritten den Zugang zu den Diensten oder deren Nutzung auf andere Weise zu ermöglichen;

(c) sell, resell, transfer, assign, frame, mirror, or distribute the Services or Web Sites;

(d) introduce software or automated agents or scripts to the Services or Web Sites in order to produce multiple accounts, generate automated searches, requests, or queries, or to strip, scrape, or mine data from the Services or Web Sites;

(e) copy or reverse engineer the software or pricing strategies used to provide Services or Web Sites for any reason; or

(f) access the Services or Web Sites in order to build a competitive product or service, to build a product using similar ideas, features, functions or graphics of the Services or Web Sites, or to copy any ideas, features, functions, or graphics of the Services or Web Sites.

6.3 A breach of Section 6.2(e) or 6.2(f) would result in irreparable damages, the precise value of which is difficult to calculate. Accordingly as a bargained-for measure of alternative performance under this Agreement in such event, Partner agrees to pay Catalate liquidated damages in an amount equal to three times the total amount paid or payable to Catalate during the twelve months preceding the date Catalate notifies Partner of a breach, or if this Agreement has been in effect for less than one year, $100,000.

7. Security Standards. Partner’s networks, operating systems, web servers, routers and computer systems must be properly configured to industry standards so as to prevent any intrusion or unauthorized disclosure or loss of data. In the event of any breach of security involving Catalate’s APIs or other Services, Partner must notify Catalate immediately and work diligently to remedy such security breach as soon as practicable.

8. Acceptable Use. Partner agrees that it and its employees and agents will not use the Services or Web Sites to:

8.1 transmit any material that contains adware, malware, spyware, software viruses, or any other computer code, files, or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment;

8.2 interfere with or disrupt Catalate servers or networks connected to Catalate, or disobey any requirements, procedures, policies, or regulations of networks connected to Catalate;

8.3 attempt to access any other Catalate systems that are not part of the Services or Web Sites; or

8.4 violate any laws, third party rights, or any obligations under this Agreement.

9. End Users. Partner acknowledges and agrees that all use of the Web Sites by End Users shall be governed by Catalate’s posted privacy policy and any applicable terms and conditions specific to the Reservation Service (“T&Cs”). As used herein, “End User Data” means any and all data and information collected or created by Catalate concerning any person who accesses the Web Sites, including without limitation all personally identifiable information of End Users (such as End Users’ names, addresses, and credit card billing information) collected by Catalate or provided to Catalate by Partner in connection with the Services and/or the Web Sites. Partner shall comply with Catalate’s posted privacy policy and the T&Cs in connection with the use of all End User Data.

10. Confidentiality.

10.1 Subject to the limitations set forth in Section 10.2, all information disclosed by one party to the other party during the term of this Agreement, whether in oral, written, graphic or electronic form, shall be deemed to be “Confidential Information”. Confidential Information includes, without limitation, Catalate software used to provide Services, related documentation, specifications, pricing, disclosures in connection with the provision of Services, disclosures made by Partner about its operations, Ticket sales and other non-public metrics, and the terms and conditions of this Agreement. Confidential Information shall remain the sole property of the disclosing party or its licensors.

10.2 Exceptions. Information will not be considered as Confidential Information if the receiving party can establish by documentary evidence that the information is or was: (a) lawfully available to the public through no act or omission of the receiving party; (b) in the receiving party’s lawful possession prior to disclosure by the disclosing party and not obtained either directly or indirectly from the disclosing party; (c) lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (d) independently developed by the receiving party.

10.3 Nondisclosure. The parties agree, both during the term of this Agreement and for a period of five (5) years (or, as applicable, with respect to Confidential Information that is a trade secret, for an indefinite period and as to Confidential Information constituting personal data for so long as required by applicable law) after its termination, to hold each other’s Confidential Information in confidence and not to disclose such information in any form to any third party without the express written consent of the disclosing party, except to employees and consultants performing services for the benefit of the receiving party who are under a written non-disclosure agreement protecting the applicable Confidential Information in a manner no less restrictive than this Agreement. Each party agrees to take all reasonable steps to ensure that Confidential Information is not disclosed or distributed by its employees or agents in violation of this Agreement. A receiving party facing legal action to disclose Confidential Information of the disclosing party shall promptly notify and provide the disclosing party the opportunity to oppose such disclosure or obtain a protective order and shall continue to treat such information as Confidential Information. This Section 9 shall not be construed as granting or conferring any rights to either party by license or otherwise, expressly or implicitly, to any Confidential Information.

11. Term. Unless sooner terminated or otherwise stated in the Order Form, the initial term of this Agreement shall be one year. Thereafter, this Agreement shall automatically renew for successive periods of one year each unless either party notifies the other Party of non-renewal of this Agreement at least 30 days before the end of the then-current term.

12. Termination.

12.1 Catalate may suspend or terminate the Agreement, access to all or any portion of the Services, and/or the licenses granted herein immediately upon notice in the event that (a) Catalate determines, or a third party alleges, that any Company Content materially breaches any provision in Section 6 (Use of Intellectual Property), 8 (Acceptable Use), or 9 (End Users) or (b) Partner uses or permits the use of the Services for any improper or illegal purpose or any purpose not authorized by this Agreement.

12.2 Either party may terminate this Agreement (including all related Order Forms) if the other party: (a) fails to cure any material breach of this Agreement within 30 days after written notice of such breach; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors arrangement, composition or comparable proceeding, or if any such proceeding is instituted against such party (and not dismissed within 60 days)).

12.3 Termination is not an exclusive remedy and the exercise by either party of any remedy under this Agreement will be without prejudice to any other remedies it may have under this Agreement, by law, or otherwise.

13. Representations and Warranties. Each Party represents and warrants that it has the right, power and authority to enter into this Agreement and to perform all of its respective obligations under this Agreement, that the person executing or consenting to each Order Form on behalf of a party has been authorized by such party to do so, and that the performance of such obligations shall not conflict with or result in a breach of any agreement to which it is a party or is otherwise bound. Partner represents and warrants that it owns or has the right to use and submit to Catalate all Partner Content it submits to the Services or Web Sites. Catalate represents and warrants that the Services process and store credit or debit card payment information in compliance with the Payment Card Industry Data Security Standards (PCI-DSS).

14. Disclaimer of Warranties. EXCEPT AS OTHERWISE SET FORTH HEREIN, EACH PARTY HEREBY EXPRESSLY DISCLAIMS ALL WARRANTIES, REPRESENTATIONS AND CONDITIONS IN CONNECTION WITH THIS AGREEMENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, OR TITLE. NEITHER PARTY MAKES ANY WARRANTY THAT ITS PRODUCTS AND SERVICES WILL BE CONTINUOUSLY AVAILABLE, ERROR-FREE OR COMPLETELY SECURE, OR THAT ANY DEFECTS WILL BE CORRECTED.

15. Indemnification.

15.1 Partner agrees to defend, indemnify and hold harmless Catalate, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents the (“Catalate Indemnified Parties”) against any and all claims, liabilities, damages, losses, costs, expenses, and fees (including reasonable attorneys’ fees) (“Claims”) brought against Catalate for damages to the extent due to any actual or alleged: (a) bodily injury or damage to tangible property incurred by an End User while on Partner’s premises; (b) claim that Partner Content infringes or misappropriates the intellectual property rights or rights of privacy or publicity of a third party; or (c) improper use or application of the Services or Web Sites, or (d) actions or inactions related to Ticket fulfillment or any other activities occurring after an End User has completed his or her Ticket purchase on the Web Sites.

15.2 Catalate agrees to defend, indemnify and hold harmless Partner, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents (the “Partner Indemnified Parties”) against any and all Claims brought against Partner for damages to the extent due to any actual or alleged: (a) claim that the platform used by Catalate to operate the Services infringes or misappropriates the intellectual property rights or rights of privacy or publicity of a third party; or (b) violation by Catalate of any applicable law, rule or regulation in performing the Services.

15.3 The indemnified Party must notify the other Party promptly in writing of any claim hereunder and provide, at such other Party’s expense, all reasonably necessary assistance, information and authority to allow the other Party to control the defense and settlement of such claim. Each Party reserves the right, at its own expense, to assume the exclusive defense and control of any matter subject to indemnification by such party under this Section 15. The indemnity obligations hereunder shall survive the termination of this Agreement.

16. Limitations of Liability.

16.1 IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY NATURE, SUCH AS, BUT NOT LIMITED TO, LOSS OF REVENUE OR ANTICIPATED PROFITS, LOST PROFITS, OR LOSS OF DATA OR USE, EVEN IF SUCH PARTY SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING SHALL APPLY REGARDLESS OF THE NEGLIGENCE OR OTHER FAULT OF ANY PARTY AND REGARDLESS OF WHETHER SUCH LIABILITY ARISES IN CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER THEORY OF LIABILITY.

16.2 EXCEPT FOR A CLAIM FOR INDEMNIFICATION ARISING OUT OF BODILY INJURY OR DAMAGE TO TANGIBLE PROPERTY INCURRED BY AN END USER WHILE ON PARTNER’S PREMISES AND AS DESCRIBED IN SECTION 6.3, IN NO EVENT SHALL THE MAXIMUM AMOUNT OF DAMAGES PAYABLE BY EITHER PARTY FOR ANY BREACH OF THIS AGREEMENT OR ANY DAMAGE OR INJURY RESULTING FROM CATALATE’S PROVISION OF THE SERVICES EXCEED THE FEES PAID BY EITHER PARTY TO THE OTHERMARGIN PERCENTAGES WITHHELD BY CATALATE PURSUANT TO THIS AGREEMENT DURING THE TWELVE MONTHS IMMEDIATELY PRECEDING ANY SUCH CLAIM.

17. Modification of Reservation Service Programs. Catalate may add, delete or otherwise modify any of the Services, provided that Catalate will notify Partner of any material modification that results in degradation of the Services.

18. Force Majeure. Neither Catalate nor Partner will be liable for any delay or failure in performance under this Agreement due to any cause beyond its reasonable control.

19. Governing Law, Jurisdiction and Venue. This Agreement and all matters or issues related to this Agreement shall be governed by and construed under the laws of the State of California without application of principles of conflicts of laws. Each of the Parties irrevocably and unconditionally agrees that any legal proceeding arising out of or relating to this Agreement may be brought in the United States District Court for the Northern District of California, or, if that court lacks jurisdiction, in any court of competent jurisdiction in San Francisco County; and (b) consents to the jurisdiction of each such court in any proceeding. In the event of any action, suit or proceeding related to this Agreement, the prevailing party, in addition to its rights and remedies otherwise available, shall be entitled to receive reimbursement of reasonable attorneys’ fees and expenses and court costs.

20. Assignment. Partner may not assign or sublicense, by operation of law or otherwise, this Agreement or any duties, rights or obligations under this Agreement without Catalate’s prior written consent; provided that either party may assign this Agreement to its Affiliate or its successor in the event of a merger, acquisition or sale of all or substantially all of the assets of such party. Any other purported assignment shall be void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns.

21. Severability; No Waiver. If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, then such provision shall be construed, as nearly as possible, to reflect the intentions of the Parties with the other provisions remaining in full force and effect. The failure of either Party to exercise or enforce any right or provision of this Agreement will not constitute a waiver of such right or provision, unless such waiver is in writing and is executed by the Party against whom such waiver is claimed.

22. Notices. Any notice required or permitted under this Agreement shall be given in writing and shall be deemed delivered when: (a) verified by written receipt if sent by personal courier, overnight courier, or postal mail; or (b) confirmed or replied to by the recipient if sent by email. Notices shall be delivered to each Party at its respective address specified in this Agreement, or at such other address as such Party may specify by written notice to the other.

23. No Agency or Third Party Beneficiary. Partner and Catalate are independent contractors, and nothing in this Agreement (including use of the defined term “Partner”) shall be construed to create a partnership, joint venture, franchise, or agency relationship between Partner and Catalate. Neither Party has any authority to enter into agreements of any kind on behalf of the other Party. Catalate and Partner agree that there should be no third party beneficiary to this Agreement, including, but is not limited to, End Users.

24. Miscellaneous. This Agreement, along with the attached Exhibits, constitutes the entire agreement of the Parties with respect to its subject matter, superseding all prior or contemporaneous oral and written communications, proposals, negotiations, representations, understandings, courses of dealing, agreements, contracts, and the like between the Parties in such respect, except that terms on an Order Form will supersede comparable provisions in this Agreement for the period stated in the Order Form. The section headings in this Agreement are for convenience only and have no legal or contractual effect. This Agreement: (a) may be executed in any number of counterparts, each of which, when executed by both Parties to this Agreement shall be deemed to be an original, and all of which counterparts together shall constitute one and the same instrument; and (b) may not be amended or modified by Partner unless such amendment or modification is in writing signed by both Parties. The terms of any sections that, by their nature, are intended to extend beyond termination shall survive termination of this Agreement for any reason.

Werbung
a. Marketing- und Werbedienstleistungen. Catalate wird mit dem Partner zusammenarbeiten, um digitale Marketing- und Werbestrategien für potenzielle Endnutzer zu entwickeln. Dies kann sowohl strategische Beratung als auch das Management digitaler Werbemaßnahmen umfassen, wie z.B. Keyword-Advertising für die Tickets des Partners und verwandte Keywords. Catalate kann das Ticketinventar direkt und über verbundene Unternehmen wie TripAdvisor und Yelp bewerben.
b. Ticketinventar. Der Partner stellt das Ticketinventar und gegebenenfalls die zugehörigen Verkaufspreise über die Online-Schnittstelle zu den Websites zur Verfügung, die dem Partner von Catalate zur Verfügung gestellt werden kann (das Extranet"), und Catalate präsentiert diese Tickets auf den Websites. Der Partner erklärt sich damit einverstanden, die für jedes über die Dienste verkaufte Ticket geltenden Waren und Dienstleistungen zu honorieren und jedem Endnutzer zur Verfügung zu stellen. Die Parteien erkennen an, dass Catalate kein Risiko für den Nichtverkauf von Tickets trägt und dass nichts in diesem Vertrag einen Verkauf von Tickets vom Partner an Catalate darstellt.

Ticket Purchases
End Users may purchase Tickets for Partner properties via the Web Site. The following terms are applicable to such purchases.
c. Cancellations and Refunds. Partner may, at its discretion, issue refunds and cancellations to End Users through the Extranet, provided that all such refunds and cancellations shall comply with the applicable policies and terms and conditions posted on the Web Site at the time the Tickets were purchased. Catalate reserves the right to not refund applicable processing fees associated with such refunds or cancellations and reserves the right to charge a refund fee up to the Margin Percentage if greater than 3% of purchases are cancelled. Subject to the terms and conditions of this Agreement, Catalate hereby grants to Partner a nonexclusive, limited license to access and use the Extranet, solely as necessary to enable Partner to issue refunds to End Users, upload and make available Ticket information on the Web Sites, and view data related to the transactions completed through the Web Sites.
d. End User Transactions. In its capacity as processing and fulfillment agent, Catalate shall solely control the terms related to, and the processing of, Ticket sales. Partner will be responsible for post-purchasing interactions with End Users, including completion by End Users of written or electronic waivers End Users must sign before receiving Tickets, and all post-sale interactions with End Users. Catalate will have no liability for Partner’s actions or failures to act with regard to such interactions.
e. Payment. Within 30 days after the 1st of each month, Catalate shall pay to Partner the Net Rate for all Tickets purchased and not refunded by End Users during that period. Certain payment processors may distribute payments at different intervals and may require a reserve balance to be kept in Partner’s account. Those terms will be identified on each Order Form. Catalate may withhold from payments any amounts due from Partner to Catalate. Partner shall provide 15 days prior written notice to Catalate in the event of a change of ownership or any change in the payment information for a given Ticket. If an End User requests additional tickets or additional discounts directly from Partner, whether upon arrival or otherwise, then any such sale shall constitute an agreement between Partner and such End User separate and apart from any purchase on the Web Sites. Catalate assumes no responsibility for such changes or additions, and Partner shall be solely responsible for collecting and resolving any charges associated with such changes or additions.
f. Payment processing rate subject to change with 30 days notice from Catalate. Modifications would only reflect the following: a) an increase or decrease in published interchange or other similar rates from Visa, MasterCard or other payment types, and/or b) a significantly above average rate of international purchases to Partner. 

Die von Catalate im Rahmen des Vertrags durchgeführten Datenverarbeitungsaktivitäten können wie folgt beschrieben werden:

Die von Catalate im Rahmen des Vertrags durchgeführten Datenverarbeitungsaktivitäten können wie folgt beschrieben werden:

Categories of data subjects whose personal data is transferred

Die Verarbeitung durch Catalate betrifft Mitarbeiter von Partnern und Endbenutzer.

Categories of personal data transferred

Catalate verarbeitet die folgenden Kategorien personenbezogener Daten über betroffene Personen: Vor- und Nachname, E-Mail-Adresse, Telefon und andere identifizierende Informationen für Endnutzer sowie deren Zahlungsinformationen, wenn sie Tickets kaufen.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).Continuous

Nature of the processing

Catalate wird personenbezogene Daten verarbeiten, um die im Vertrag genannten Dienstleistungen zu erbringen.

Purpose(s) of the data transfer and further processing

Catalate will transfer Personal Data to provide the Services identified in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

During the term of the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subprocessors referenced in Section 3.1 provide portions of the platform used by Catalate to provide the Services

Beschreibung der technischen und organisatorischen Sicherheitsmaßnahmen, die Catalate in Übereinstimmung mit dem Datenschutzgesetz getroffen hat:

Richtlinienkontrolle

Catalate muss eine dokumentierte Informationssicherheitspolitik unterhalten, die mindestens dem aktuellsten Standard der NIST 800-Serie für Informationssicherheitsmanagementsysteme entspricht. Catalate muss sicherstellen, dass alle Mitarbeiter, die direkt oder indirekt an der Erbringung des Genehmigten Zwecks beteiligt sind, seine Informationssicherheitspolitik und entsprechende Schulungen erhalten. Catalate muss Kontrollen implementieren, um die Einhaltung seiner Informationssicherheitspolitik fortlaufend zu überwachen.

Zugangskontrolle im physikalischen Sinne

Catalate ergreift angemessene Maßnahmen, um zu verhindern, dass unbefugte Personen Zugang zu Datenverarbeitungssystemen für die Verarbeitung und/oder Nutzung personenbezogener Daten erhalten, indem sie physische Kontrollen durchführen, einschließlich:

  • ein Zutrittskontrollsystem (ID-Leser, Magnetkarte, Chipkarte);
  • Tasten;
  • Sicherheitspersonal, Hausmeister; und
  • Überwachungseinrichtungen (Alarmanlage, Closed Circuit Television (CCTV) Monitor)

Zugriffskontrolle auf das IT-System

Catalate ergreift angemessene Maßnahmen, um die unbefugte Nutzung von Datenverarbeitungssystemen durch Implementierung zu verhindern:

  • Passwortverfahren (inkl. Sonderzeichen, Mindestlänge, häufiges Ändern von Passwörtern);
  • Benutzerauthentifizierungsschlüssel
  • Segmentierung der Ressourcen nach Rollen
  • automatische Sperrung (z. B. Passwort oder Timeout); und
  • Unternehmensweite Nutzung der 1Password-Anwendung.

Zugriffskontrolle auf Daten Controller Daten

Catalate stellt sicher, dass die zur Nutzung des Datenverarbeitungssystems berechtigten Personen nur Zugriff auf die Daten haben, für die sie zugriffsberechtigt sind, und dass personenbezogene Daten während der Verarbeitung, Nutzung und nach der Aufzeichnung durch die Implementierung nicht unbefugt gelesen, kopiert, verändert und/oder entfernt werden können:

  • differenzierte Zugriffsrechte (Profile, Rollen, Transaktionen und Objekte);
  • Berichte über verwendete Zugriffe;
  • Zugriffsebenen und Zugriffskontrollen;
  • Verfahren zur Änderungskontrolle; und
  • Prüfpfade.

Übertragungssteuerung

Catalate stellt sicher, dass personenbezogene Daten bei der elektronischen Übertragung oder beim Transport nicht unbefugt gelesen, kopiert, verändert oder entfernt werden können. Zu diesem Zweck wird Catalate implementieren:

  • Verschlüsselung/Tunneling (VPN = Virtual Private Network);
  • Login/Passwort-Zugriffskontrolle;
  • Protokollierung; und
  • tls-Transportsicherheit.

Eingangssteuerung

Catalate stellt sicher, dass es möglich ist, nachträglich zu prüfen und festzustellen, ob und von wem personenbezogene Daten in Datenverarbeitungssysteme eingegeben, verändert oder aus diesen entfernt wurden:

  • Protokollierungs- und Berichtssysteme; und
  • rollengerechter Zugriff und Berechtigungen.

Job-Steuerung

Catalate stellt sicher, dass personenbezogene Daten, die im Auftrag des Partners verarbeitet werden, unter strikter Einhaltung der Anweisungen des Partners verarbeitet werden und verpflichtet seine Mitarbeiter, die Anweisungen des Partners zu befolgen und personenbezogene Daten ausschließlich gemäß den Anweisungen des Partners zu verarbeiten.

Verfügbarkeitskontrolle

Catalate stellt sicher, dass Persönliche Daten in angemessener Weise gegen versehentliche Zerstörung oder Verlust geschützt werden, indem es diese implementiert:

  • Sicherungsverfahren;
  • Spiegelung von Festplatten, z. B. RAID-Technologie;
  • Unterbrechungsfreie Stromversorgung (USV);
  • Remote-Speicher;
  • Firewall-Systeme; und
  • Notfallwiederherstellungsplan.

Trennungssteuerung

Catalate stellt sicher, dass personenbezogene Daten, die für unterschiedliche Zwecke erhoben wurden, durch die Umsetzung getrennt verarbeitet werden können:

  • Funktionstrennung (Produktion/Test);
  • Aufzeichnung der Zustimmung des Partners und des Umfangs der Zustimmung für alle direkt an Catalate übermittelten Daten

Management von Sicherheitsvorfällen

Catalate muss einen angemessenen Prozess für das Management von Sicherheitsvorfällen implementieren, der sich an den besten Praktiken der Branche orientiert und mindestens Folgendes erfordert

  • sofortige Untersuchung aller Sicherheitsvorfälle;
  • Benachrichtigung des Partners innerhalb des in diesem Addendum angegebenen Zeitrahmens; und
  • dem Partner und/oder seinem benannten Vertreter jeden angemessenen Zugang zu den Systemen, Daten und Protokollen von Catalate zu gewähren, der für das Verständnis der Umstände des Sicherheitsvorfalls erforderlich ist.

Zugriffskontrollen:

Das Catalate-Büro ist mit einem Wachmann am Gebäudeeingang und Schlüsselkarten an der Tür zum Gebäude und der Tür zum Büro gesichert.

Die Catalate-Dienste werden auf AWS gehostet. Der gesamte Zugriff auf AWS erfolgt über eine Multi-Faktor-Authentifizierung. Catalate aktiviert MFA auch, wo möglich, für den Zugriff auf andere genutzte Cloud-Ressourcen.