Guest Experience Solution Terms of Service

6. Proprietary Rights.
1. Customer Data & Customer Materials. You will retain all right, title and interest in and all data delivered by You to Us, including Client Information (“Customer Data”) and all intellectual property rights therein. Nothing in this Agreement will confer to Us any right of ownership or interest in the Customer Data, other than the limited license set forth herein. You agree to provide Us with reasonable access to Your Customer Materials as reasonably necessary for Our provision of Cloud Services You have ordered. “Customer Materials” means Your materials, systems, accounts, personnel and other resources.
   
   
2. Company Intellectual Property. We shall retain all right, title and interest in and to the Company Intellectual Property, and any changes, derivatives, corrections, developments, bug fixes, enhancements, updates and other modifications, improvements thereto, and as between the parties all such rights shall vest in and be assigned to Us. Nothing in this Agreement will confer on You any right of ownership or interest in any Company Intellectual Property, other than the limited license set forth herein. “Company Intellectual Property” means Our proprietary technology, including the Cloud Services and Documentation, websites, software tools, hardware designs, algorithms, software, APIs, user interface designs, architecture, documentation, network designs, know-how, and trade secrets, improvements, materials, methods, processes, formulas, techniques, deliverables and other information developed or otherwise made in whole or part by Us in the performance of the Cloud Services, and all intellectual property rights therein and thereto throughout the world (whether owned by Us or licensed to Us by a third party).
   
   
3. Feedback. We encourage You to provide suggestions, proposals, ideas, recommendations, or other feedback regarding improvements to the Cloud Services and related resources (“Feedback”). To the extent You provide Feedback, You grant Us a non-exclusive, royalty-free, fully paid, sub- licensable, transferable, irrevocable, perpetual, worldwide right and license to make, use, sell, offer for sale, import and otherwise exploit Feedback (including by incorporation of such Feedback into the Cloud Services without restriction), provided that such Feedback does not identify You or Your Users or include any Client Information without Your prior written consent.
   
   
7. Warranty Related to SMS Use in the United States.
1. By signing up to the Platform, You may have the ability to send and receive SMS and other types of messages through the Platform (“Messaging”), and You represent and warrant that You shall (i) receive and will maintain consents from each Client who will receive messages, (ii) maintain procedures for each Client to opt out of participating in Messaging, and once opted-out, You will not re-enroll any Client to Messaging until You have obtained renewed consent from Contact Person to receive Messaging through the Platform, and (iii) comply with all applicable law relating to Messaging in Your use of the Platform, including without limitation, the Telephone Consumer Protection Act and CAN-SPAM. You shall be responsible for compliance with Messaging and related data privacy laws.
   
   
8. Support, Security and Privacy.
1. Support. We shall provide support for the Cloud Services as selected by You, depending upon the applicable plan when You enroll in a Cloud Services. The applicable support policies can be found on the Order Form.
   
   
2. Security. We shall maintain administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Customer Data.
   
   
3. Privacy. We and You undertake to comply with our respective obligations under applicable laws and regulations, including, but not limited to, laws governing privacy and data protection. You acknowledge that We will, and You permit Us to, collect, use, and disclose statistical or aggregate information about You and Your Clients’, Users use of the Cloud Services, including information about the performance of the Cloud Services and other data derived from the use of the Cloud Services, for industry analysis, benchmarking, analytics, marketing, to improve or enhance the Cloud Services, and other business purposes; provided, that all data disclosed will be in statistical or aggregate form only and will not identify You, Affiliates, Clients or Users. We own all right, title, and interest in and to such derived anonymous data; provided, that You retain all of Your right, title, and interest in and to any underlying Customer Data. Customer Data shall be treated in accordance with Our Privacy Policy set forth on Our website for each Cloud Services. We and You agree that the processing of any personal data under the Cloud Services shall be carried out in accordance with the provisions of the DPA, which is incorporated herein by reference, in accordance with the relevant Data Processing Addendum (“DPA”), set forth here, Exhibit B.
   
   
9. Fees and Payment Terms.
   
1. You shall pay all Fees associated with Your use of the Cloud Services as set forth on our Order Form (“Fees”). “Subscription Term” means the subscription period You contract for Your use of the Cloud Services as set forth in the applicable Order Form.
1. Order Forms: Except as set forth in the applicable Order Form, You will pay all Fees associated with an Order Form in accordance with the following: (a) Fees are invoiced in advance for annual, pre-paid plans; (b) the first invoice will coincide with the Subscription Start Date (as defined in the Order Form); (c) payment will be due within fifteen (15) days from the date of the invoice. Once accepted by Us, Your order is non-cancellable and nonrefundable except as provided in this Agreement, and the Subscription Term as set forth in the Order Form is a continuous and non-divisible commitment for the entire duration of the Subscription Term. The Order Form is incorporated in this Agreement by reference. Capitalized terms used herein but not defined shall have the meaning set forth in the Order Form. In the event of a conflict between an Order Form and this Agreement, the terms of the Order Form shall supersede the terms of this Agreement. ii. You are responsible for keeping all account information accurate and up to date, including payment card, bank account information address, and account contact information. You hereby represent that You have the right to provide Us with Your payment card information and authorize Us to charge the payment card for all Fees. You agree to pay all charges incurred by Users of Your credit card, debit card, or other payment methods used in connection with a purchase or transaction or other monetary transaction interaction with the Cloud Services at the prices in effect when such charges are incurred. All Fees are payable in United States dollars and are non-cancelable and non-refundable except as otherwise set forth herein. You shall be responsible for paying all sales, use, value added or other taxes, except for taxes based on Our income. For unpaid payments, not properly disputed, We may without waiving or prejudicing any other rights or remedies available to Us, a) charge the lesser of 1% per month or the maximum rate permitted by applicable law, b) suspend the Cloud Services immediately until Your Fees is brought current, and/or c) where applicable, automatically accelerate all remaining payments such that the total Fees under the order become immediately due and payable. You will reimburse any costs or expenses (including, but not limited to, reasonable attorneys’ fees) incurred by Us to collect any amount that is not paid when due, and not properly disputed. If You are paying by a payment card, and if Your payment card is declined for any installment, beginning five (5) days after the unsuccessful charge, We may suspend the Cloud Services immediately until Your payment is brought current. If a PO number is required by You in order for an invoice to be paid, then You must provide such a number by emailing Accounting@sojern.com within three (3) days of execution of an order form. However, You agree that a failure to provide a PO does not relieve You of Your obligations to pay Your Fees.
   
   
2. You will notify Us in writing in the event You have a good faith dispute as to Fees or taxes payable by You under this Agreement by emailing Accounting@Sojern.com. You will provide such notice to Us prior to the due date of the invoice containing such Fees or taxes due that are in dispute and the parties will work together to resolve the applicable dispute promptly. You will pay all amounts that are determined to be payable by resolution of the dispute (by adversarial proceedings, agreement or otherwise) within ten (10) days following such resolution.

10. Confidentiality.
    
1. Definition of Confidential Information. As used herein, “Confidential Information” means all confidential information disclosed by a party to this Agreement (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Your Confidential Information shall include Contact Information and any ancillary information, such as account information, and alert priorities. Confidential Information shall not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was or becomes known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party as evidenced by written records, or (iii) is independently developed by the Receiving Party without use of the Disclosing Party’s Confidential Information.
   
   
2. Protection of Confidential Information. Receiving Party shall not disclose the Disclosing Party’s Confidential Information to any third party except as permitted by this Agreement. Receiving Party shall only use the Disclosing Party’s Confidential Information to fulfill its obligations under this Agreement. Receiving Party shall use the same degree of care to protect the confidentiality of the Confidential Information that it uses to protect its own confidential and proprietary information (but in no event less than reasonable care). Receiving Party may disclose Confidential Information to its employees, consultants and agents who reasonably need to know such Confidential Information for purposes of this Agreement, provided that Receiving Party shall ensure that such employees, consultants and agents are bound by obligations of confidentiality substantially the same as the obligations in this Section. Receiving Party shall be liable for any disclosures of Confidential Information by its employees, consultants and agents in violation of this Section.
   
   
3. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law or governmental authority to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure. The Receiving Party shall limit any disclosure of Confidential Information pursuant to this Section to the extent strictly necessary to comply with the applicable request by such governmental entity. Any disclosure of Confidential Information pursuant to this Section shall not affect the confidential treatment of such disclosed Confidential Information.
   
   
4. Remedies. Receiving Party agrees that a breach of this Section may result in immediate and irreparable harm to the Disclosing Party that money damages alone may be inadequate to compensate. Therefore, in the event of such a breach, the Disclosing Party will be entitled to seek equitable relief, including but not limited to a temporary restraining order, temporary injunction or permanent injunction without the posting of a bond or other security.
   
   
11. Indemnification.
    
1. By Us. We shall defend, indemnify and hold You harmless from and against all claims, losses and damages (including reasonable attorneys’ fees) made by a third party against You that the Cloud Services infringes that third party’s intellectual property rights, except to the extent such a claim arises from Your misuse of the Cloud Services. If We believe that any portion of a Cloud Services may be subject to such a claim, then We may, at Our sole option and expense, procure for You the right to continue using the Cloud Services, modify or replace the infringing portions of the Cloud Services to allow for continued use, or if these alternatives are not commercially reasonable, refund any unused, prepaid Fees and terminate this Agreement. Notwithstanding the foregoing, Our indemnification obligations set forth in this Section 12(a) do not apply to, and We will have no obligation to You for, any claim that arises from (i) modifications to the Cloud Services by anyone other than Us or a third-party expressly instructed on Our behalf, (ii) modifications to the Cloud Services based upon specifications furnished by You (iii) You and/or any of Your Users’ or Clients use of the Cloud Services other than as specified in this Agreement, the Order Form or in the applicable Documentation, (iv) use of the Cloud Services in conjunction with third-party software, hardware, data or any other combination other than that expressly approved by Us, or (v) any combination of the foregoing. THIS SECTION 11 STATES OUR ENTIRE LIABILITY FOR INFRINGEMENT RELATING TO THE SUBJECT MATTER OF THIS AGREEMENT AND SHALL NOT APPLY DURING ANY TRIAL PERIOD. As a condition to being indemnified You shall promptly notify Us of any claim and allow Us sole control of the defense and settlement of the claim.
   
   
2. By You. You agree to defend, indemnify and hold Us harmless from and against all claims, losses and damages, suits, government investigations, fines, actions, damages, settlements, losses, liabilities, costs and expenses (including reasonable attorneys’ fees) for any breach of Your representations, warranties and covenants set forth in Sections 7 and 8 (Warranty Related to SMS Use in the United States and Support, Security and Privacy) above.
   
   
3. Indemnification Procedures. As a condition to being indemnified under this Section 11, the party seeking indemnification shall: (i) promptly notify the indemnifying party of the claim; (ii) allow the indemnifying party sole control of the defense and settlement of such claim; and (iii) provide assistance, at the indemnifying party’s expense, in defending or settling the claim. The indemnifying party shall keep the indemnified party informed of and consult with the indemnified party in connection with the progress of such litigation or settlement, and not settle any such claim in a manner that does not unconditionally release the indemnified party without the indemnified party’s written consent, not to be unreasonably withheld or delayed.
   
   
12. Limited Warranties; Disclaimers
    
1. Platform. We warrant that the Platform will perform in accordance with the Cloud Services Level Agreement (SLA) set forth here, as Exhibit A, however, that the sole remedy for breach of this warranty or failure of the Cloud Services to perform shall be as set forth in that SLA.
   
   
2. Professional Cloud Services. We warrant to You that the Professional Cloud Services will be performed in a competent and workmanlike manner in accordance with accepted industry practices and the terms and conditions herein. However, if You do not provide Us timely access to Your Customer Materials in Our performance of Professional Cloud Services, then Our performance will be excused until You do so. Your exclusive remedy for breach of this warranty is to notify Us in writing within thirty (30) days of the non-conforming Cloud Services. Upon receipt of such notice, at Our option, We will either use commercially reasonable efforts to re-perform the Professional Cloud Services in conformance with these warranty requirements or will terminate the affected Professional Cloud Services and will refund You the prorated amount of Fees for the unperformed and non-conforming Professional Cloud Services. This Section sets forth Your exclusive rights and remedies and Our sole liability in connection with the performance of Professional Cloud Services.
   
   
3. EXCEPT FOR THE FOREGOING, WE PROVIDE THE Cloud Services AND DOCUMENTATION “AS IS” WITHOUT ANY WARRANTY WHATSOEVER AND HEREBY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THAT THE Cloud Services WILL BE FREE FROM ERRORS OR VIRUSES, IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, RELIABILITY, ACCURACY, SECURITY OF DATA, OR ACHIEVEMENT OF RESULTS.
   
   
4. WE DO NOT WARRANT, ENDORSE, GUARANTEE, OR ASSUME RESPONSIBILITY FOR ANY PRODUCT, CLOUD SERVICES OR CONTENT ADVERTISED OR OFFERED BY A THIRD PARTY THROUGH THE Cloud Services OR ANY HYPERLINKED WEBSITE, CLOUD SERVICES OR CONTENT, AND WE SHALL NOT BE A PARTY TO, LIABLE FOR NOR DO WE IN ANY WAY MONITOR, ANY TRANSACTION BETWEEN YOU AND THIRD-PARTY PROVIDERS OF OTHER PRODUCTS OR Cloud Services.

1. Definitions.
   
1. “Client” means the individual clients of the Customer who have consented to receive the messages at the election of the Customer from VenueLytics’s Cloud Services.
   
   
2. “Client Information” means the names, email addresses, and telephone numbers of Customers Clients.
   
   
3. “Delivery Service '' means a third-party service provider used to send messages to Client, for example a telephone service, messaging (e.g., What’s App), push notification provider (e.g., Google, Apple), SMS provider, or email provider.
   
   
4. “Client Outreach” means messages sent to a Client with their Client Information by the Customer through the Cloud Service, which is triggered upon the requirements set by the Customer. The Customer must configure the Cloud Service and supply the Client Information in accordance with the Documentation.
   
   
5. “Cloud Services” means VenueLytics’s cloud-based guest engagement and management platform purchased by the Customer.
   
   
2. Service Commitment.
1. VenueLytics will use commercially reasonable efforts to meet the following service level commitments for the stated functions from the VenueLytics Cloud Service:
1. Platform Application SLA: VenueLytics’s ability to provide basic acknowledgement and resolution functionality via our web, mobile application for Client Outreach and other services will be available 99.9% of the time during any calendar month.
   
   
2. VenueLytics is not responsible for failures caused by factors not in VenueLytics’s control including but not limited to failures caused by:
1. Problems beyond or outside of the VenueLytics Cloud Service including (i) Customer’s own telecommunications, Delivery Service or internet service providers, email domain server availability or mobile push notification providers; (ii) a Force Majeure Event; or (iii) intentional or accidental filtering of network traffic by national governments, carriers or regulatory bodies; or iv). that result from Maintenance of which VenueLytics has provided a minimum seventy- two hours notice for. “Force Majeure Event” means (i) compliance with any act, order, demand or request of any government, governmental authority, or government agency; (ii) labor disputes, work stoppages or slowdowns of any kind; (iii) fires or hurricane, earthquake, flood and other natural disasters or fires; (iv) war, rebellion, act of terrorism, or civil disorder; (v) systemic internet issues or any other act or omission of any telecommunication or services provider; (vi) any other cause beyond VenueLytics’s reasonable control. “Maintenance” means scheduled Unavailability of the VenueLytics Platform. Maintenance will be no greater than an average of four (4) hours per month or a maximum of forty-eight hours (48) per year and will not exceed seven (7) hours in any calendar month.
   
   
2. Issues that arise from VenueLytics’s suspension or termination of Customer’s right to use the Service as allowed or required by the Agreement, Acceptable Use Policy, government or court orders, or other agreements.
   
   
3. Customer Responsibilities. Customer will (i) configure and use the Cloud Service correctly in accordance with the Documentation. VenueLytics’s ability to meet its obligations in this SLA are dependent upon Customer performing its responsibilities.
   
   
4. Service Credits.
1. If VenueLytics fails to meet the SLA set forth herein, Customer may receive a service credit. Customer will be eligible for a credit toward future fees owed to VenueLytics for the VenueLytics Cloud Service. The Service Credit is calculated as ten percent (10%) of the fees paid for or attributable to the month when the alleged SLA breach occurred.
   
   
2. Service Credits are subject to the following:
1. Customer must submit a written Service Credit request to their Customer Service Representative within fifteen (15) days of occurrence of the alleged SLA breach. Customer must include reasonable evidence that they were affected by the alleged SLA breach.
   
   
2. *Service Credits are not cumulative, that is, there shall only be a single Service Credits given for all Delivery Failures with a single cause.
   
   
3. Service Credits are capped at a maximum of thirty percent (30%) of total fees paid for or attributable to the calendar month when the alleged SLA breach occurred.
   
   
4. Customers who are past due on any payments owed to VenueLytics are not eligible to receive Service Credits.
   
   
5. Service Credits cannot be exchanged for cash. Service Credits don’t entitle customer to a refund or any other payment from VenueLytics.
   
   
3. THIS SERVICE LEVEL AGREEMENT SETS FORTH CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR ANY FAILURE OF SERVICE AVAILABILITY OR NON- PERFORMANCE OR FAILURE TO CONTACT THE DESIGNATED PERSONNEL.

1.1 In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise;

1. “Addendum Effective Date” means the effective date of the Agreement.
   
   
2. “Agreement” means the agreement under which VenueLytics has agreed to provide services to Customer entered into by and between the Parties.
   
   
3. “Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement, including, without limitation, GDPR and the CCPA (as and where applicable).
   
   
4. “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”), and any binding regulations promulgated thereunder.
   
   
5. “Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the CCPA.
   
   
6. “Customer Personal Data” means any Personal Data Processed by VenueLytics or its Sub-Processors on behalf of Customer to perform the Services under the Agreement (including, for the avoidance of doubt, any such Personal Data comprised within Customer Data).
   
   
7. “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data and the Processing thereof.
   
   
8. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
   
   
9. “EEA” means the European Economic Area.
   
   
10. “GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
    
    
11. “Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar term defined in Applicable Data Protection Laws.
    
    
12. “Personal Data Breach” means a breach of VenueLytics’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data in VenueLytics’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
    
    
13. “Personnel” means a person’s employees, agents, consultants or contractors.
    
    
14. “Process” and inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    
    
15. “Processor” means the entity that Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by the CCPA.
    
    
16. “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
    
    
17. “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
    
    
18. “Service Data” means any data relating to the use, support and/or operation of the Services, which is collected directly by VenueLytics from and/or about users of the Services and/or Customer’s use of the Service for use for its own purposes (certain of which may constitute Personal Data).
    
    
19. “Services” means those services and activities to be supplied to or carried out by or on behalf of VenueLytics for Customer pursuant to the Agreement.
    
    
20. “Sub-Processor” means any third party appointed by or on behalf of VenueLytics to Process Customer Personal Data.
    
    
21. “Supervisory Authority” means any entity with the authority to enforce Applicable Data Protection Laws, including, (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
    
    
22. “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.
    

7. DATA SUBJECT RIGHTS

7.1 VenueLytics, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests. If VenueLytics receives a Data Subject Request, Customer will be responsible for responding to any such request.

7.2 VenueLytics shall:

1. promptly notify Customer if it receives a Data Subject Request; and
   
   
2. not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Applicable Data Protection Laws.
   
   

8. PERSONAL DATA BREACH

8.1 VenueLytics shall notify Customer without undue delay upon VenueLytics’s discovering a Personal Data Breach affecting Customer Personal Data. VenueLytics shall provide Customer with information (insofar as such information is within VenueLytics’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by VenueLytics) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. VenueLytics’s notification of or response to a Personal Data Breach shall not be construed as VenueLytics’s acknowledgement of any fault or liability with respect to the Personal Data Breach.

8.2 VenueLytics shall reasonably co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.

8.3 Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.

8.4 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Applicable Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies VenueLytics, where permitted by applicable laws, Customer agrees to:

1. notify VenueLytics in advance; and
   
   
2. in good faith, consult with VenueLytics and consider any clarifications or corrections VenueLytics may reasonably recommend or request to any such notification, which: (i) relate to VenueLytics’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
   
   

9. RETURN AND DELETION

9.1 Subject to section 9.2, in the event of termination of the Agreement, VenueLytics shall, at the choice of the Customer, delete or irreversibly anonymize all Customer Personal Data processed for the Services, or return all such Customer Personal Data to Customer.

9.2 VenueLytics may retain Customer Personal Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that VenueLytics shall:

1. maintain the confidentiality of all such Customer Personal Data; and
   
   
2. Process the Customer Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.
   
   

11. CUSTOMER’S RESPONSIBILITIES

11. 1 Customer agrees that, without limiting VenueLytics’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including

1. making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data;
   
   
2. securing the account authentication credentials, systems and devices Customer uses to access the Services;
   
   
3. securing Customer’s systems and devices that VenueLytics uses to provide the Services; and
   
   
4. backing up Customer Personal Data.

11.2 Customer shall ensure:

1. that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by VenueLytics of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws; and
   
   
2. that all Data Subjects have
   
   
1. been presented with all required notices and statements and
   
   
2. provided all required consents, in each case
   
   

(i) and (ii) relating to the Processing by VenueLytics of Customer Personal Data. Customer, upon request by VenueLytics, will provide proof that any required consents have been obtained by the Customer.

11.3 Customer agrees that the Service, the Security Measures, and VenueLytics’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.

11.4 Customer shall not provide or otherwise make available to VenueLytics any Customer Personal Data that contains any

1. Social Security numbers or other government-issued identification numbers;
   
   
2. protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
   
   
3. health insurance information;
   
   
4. biometric information;
   
   
5. passwords to any online accounts;
   
   
6. credentials to any financial accounts;
   
   
7. tax return data;
   
   
8. any payment card information subject to the Payment Card Industry Data Security Standard;
   
   
9. Personal Data of children under 13 years of age;
   
   
10. data relating to criminal convictions and offenses; and/or
    
    
11. any other information that falls within any special or sensitive categories of personal data (as defined in Applicable Data Protection Laws) (together, “Restricted Data”).
    
    

12. LIABILITY

The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 12 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).

13. SERVICE DATA

13.1 Customer acknowledges that VenueLytics may collect, use and disclose Service Data for its own business purposes, such as:

1. for accounting, tax, billing, audit, and compliance purposes;
   
   
2. to provide, improve, develop, optimise and maintain the Services;
   
   
3. to investigate fraud, spam, wrongful or unlawful use of the Services; and/or
   
   
4. as otherwise permitted or required by applicable law.
   
   

13.2 In respect of any such Processing described in Section 13.1, VenueLytics:

1. Independently determines the purposes and means of such Processing;
   
   
2. shall comply with Applicable Data Protection Laws (if and as applicable in the context);
   
   
3. shall Process such Service Data as described in VenueLytics’s relevant privacy notices/policies, as updated from time to time; and
   
   
4. where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.
   
   

13.3 For the avoidance of doubt, this DPA shall not apply to VenueLytics’s collection, use, disclosure or other Processing of Service Data, and Service Data does not constitute Customer Personal Data.

15. INCORPORATION AND PRECEDENCE

15.1 This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date.

15.2 In the event of any conflict or inconsistency between:

1. this DPA and the Agreement, this DPA shall prevail; or
   
   
2. any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.

CUSTOMER / 'DATA EXPORTER' DETAILS

Annex 2
European Annex

1. populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and
   
   
2. entered into by the Parties and incorporated by reference into this DPA.

1. varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and
   
   
2. entered into by the Parties and incorporated by reference into this DPA.

1. any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
   
   
2. another transfer mechanism, other than the SCCs, that enables the lawful transfer of Customer Personal Data to VenueLytics under this DPA in compliance with Chapter V of the GDPR.

1. Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or
   
   
2. Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.

1. In Clause 9, OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 6.3 of the DPA; and


2. In Clause 11, the optional language is not used and is deleted.


3. In Clause 17, OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and


4. For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

1. Customer being ‘data exporter’; and


2. VenueLytics being ‘data importer’.

1. Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:
   
   
1. Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) and the foregoing provisions of this Attachment 1 (subject to the variations effected by the Mandatory Clauses described in (b) below); and
   
   
2. Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
   
   
2. Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.
   

Annex 3
California Annex

Annex 4
Security Measures

Annex 5
Sub-Processor List