DATA PROCESSING AGREEMENT
Last Modified November 30, 2023
This Data Processing Agreement (“DPA”) forms a part of the legal agreement (“Agreement”) entered into by and between True Tickets, Inc. (“COMPANY”) and the user of the COMPANY Services (“Customer”), collectively the “Parties.” The purpose of the DPA is to ensure such processing is conducted in accordance with applicable Data Protection Laws (defined below).
This DPA is supplemental to the Agreement and sets out the terms that apply when: (i) Personal Data (defined below) is processed by Customer, who acts as Data Controller, under the Agreement; (ii) COMPANY acts as Data Processor of Customer Data; (iii) the Customer wishes to contract the Services as set forth in the Agreement, which imply the processing of Personal Data by the Data Processor. Further details of the Processing are set out in Exhibit A to this DPA.
Customer acknowledges that by agreeing to the Agreement, they are also agreeing to this DPA. To the extent that there are any conflicting provisions between the Agreement and this DPA with regard to the processing of Personal Data, this DPA shall prevail. The effective date of this DPA is the same date that the Customer agreed to the Agreement.
1. Definitions
All capitalized terms not defined in Section 1 of this DPA or otherwise defined in other sections of this DPA, shall have the meanings set forth in the Agreement, GDPR, COMPANY Privacy Policy, or Agreement, as applicable.
1.1. “Sub-Processor” means any person appointed by or on behalf of Data Processor to process Customer Personal Data on behalf of the Customer in connection with the DPA.
1.2. “Customer Data” means all data (including Personal Data) that relates to Customer’s relationship with COMPANY. Customer Data includes any data COMPANY may need to collect for the purpose of managing its relationship with Customer, or as otherwise required by applicable laws and regulations.
1.3. “Data Protection Laws” means all data protection legislation and regulations applicable to the processing of the Customer’s Personal Data under this DPA and the Agreement, including the California Consumer Privacy Act (“CCPA”), Colorado Privacy Act, and other US state privacy laws, including applicable breach notification laws. The terms “processing,” “processor,” and “controller” shall have the meanings set forth under applicable Data Protection Laws.
1.4. “Consumer” means an individual that is protected under any applicable Data Protection Law.
1.5. “Personal Data” or any such variation of the term (such as “Personal Information” or “Personally Identifiable Information”) shall have the meaning set forth under applicable Data Protection Laws.
1.6. “Regulator” means any government entity or data protection authority with the legal authority to enforce Data Protection Laws, including state attorneys general and the California Privacy Protection Agency.
1.7. “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, stored or otherwise processed by COMPANY.
2. Processing of Customer Data
2.1. COMPANY shall not process Personal Data (i) for purposes other than those set forth in the Agreement, (ii) in a manner inconsistent with the terms and conditions set forth in this DPA or any other documented instructions provided by Customer, or (iii) in violation of Data Protection Laws. Customer hereby instructs COMPANY to process Personal Data in accordance with the foregoing and as part of any processing initiated by Customer in its use of the Services.
2.2. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Data Protection Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause COMPANY to be in breach of the Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to COMPANY by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to COMPANY regarding the processing of such Personal Data. Customer shall not provide or make available to COMPANY any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services and shall indemnify COMPANY from all claims and losses in connection therewith.
2.3. CCPA. If applicable, the Parties acknowledge that their relationship under the CCPA is governed by the CCPA Addendum.
3. Deletion or Return of Customer Data
3.1. Following completion of the Services, at Customer’s choice, COMPANY shall securely delete Customer Data (including Content), unless further storage of such Customer Data is required or authorized by applicable Data Protection Laws. If return or destruction is impracticable or prohibited by law, rule, or regulation, COMPANY shall take measures to block such Customer Data from any further processing (except to the extent necessary for its continued hosting or processing required by law, rule, or regulation) and shall continue to appropriately preserve the confidentiality of the Customer Data remaining in its possession, custody, or control. By agreeing to this DPA, Customer authorizes COMPANY, in accordance with this agreement, to delete information when not reasonably needed for COMPANY’s Services.
4. Data Processor Personnel and Confidentiality
4.1. COMPANY shall take commercially reasonable steps to ensure that: (i) persons employed by COMPANY; and (ii) other persons engaged at COMPANY’s place of business who may have access to the Customer Data (including Content), are aware of and comply with the terms set forth in this DPA, ensuring in each case that access is limited to those individuals who need to know or access the relevant Customer Data, as necessary for the purposes of the Agreement.
5. Security of Customer Data; Security Incidents
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, COMPANY shall maintain reasonable technical and organizational security measures to ensure a level of security appropriate to the risk of processing Personal Data.
5.2. COMPANY shall notify Customer without undue delay upon becoming aware of a Security Incident affecting Customer Data and will provide Customer with sufficient information to allow the Customer to meet any obligations to notify, report, or inform Consumers and Regulators of the Security Incident under the Data Protection Laws.
5.3. COMPANY shall cooperate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation, and remediation of each such Security Incident. The obligations described in 5.1 and 5.2 do not apply to Security Incidents experienced by Customer, nor does compliance with such obligations acknowledge liability on the part of COMPANY.
6. Sub-Processing of Customer Data
6.1. Customer acknowledges and agrees that COMPANY may (1) engage or delegate Sub-Processors to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. For purposes of this Section, Customer consents to COMPANY engaging Sub-Processors reasonably required to assist COMPANY for the purposes of providing the Services.
6.2. COMPANY shall provide Customer with a list of Sub-Processors (the "List") upon written request. The List can be obtained by contacting COMPANY at info@true-tickets.com. COMPANY will also notify the Data Controller of any changes in Sub-Processors in accordance with the procedure for modifying the Agreement as described in Section 9(i) therein. Customer may object to the modification of Sub-Processors used by COMPANY by sending a written notice to COMPANY at [insert contact email]. However, Customer acknowledges that certain Sub-Processors are essential to providing the Services, and that objecting to the use of a Sub-Processor may prevent COMPANY from offering the Services to Customer.
7. Consumer Rights
7.1. Taking into account the nature of the Processing, COMPANY shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Consumer rights under the Data Protection Laws.
7.2. COMPANY shall:
7.2.1. promptly notify Customer if it receives a request from a Consumer under any Data Protection Law in respect to Customer Data.
7.2.2. advise the Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Consumer Requests for deletion, opt-outs, or withdrawal of consent to processing of any Personal Data are communicated to COMPANY, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Consumer.
7.2.3. ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Customer is subject, in which case COMPANY shall to the extent permitted by applicable laws inform Customer of that legal requirement before COMPANY responds to the request.
8. Recordkeeping, Audits, and Data Protection Impact Assessments
8.1. COMPANY shall maintain records sufficient to demonstrate its compliance with its obligations under this DPA.
8.2. COMPANY shall, taking into account the nature of the processing and the information available to COMPANY, provide Customer with reasonable cooperation and assistance where necessary for Customer to:
8.2.1. Comply with its obligations under Data Protection Laws to conduct a data protection impact assessment and/or to demonstrate such compliance, provided that Customer does not otherwise have access to the relevant information.
8.2.2. Cooperate and/or consult with any supervisory authority where necessary and where required by Data Protection Laws.
8.2.3. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance provided by COMPANY.
9. Miscellaneous
9.1. Except as expressly modified by the terms of this DPA, all the terms and conditions of the Agreement will remain in full force and effect and apply to the terms described in this DPA. To the extent there is any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA will govern with respect to the subject matter hereof.
9.2. This DPA and the Agreement constitute the entire agreement between the Parties with respect to the subject matter hereof and merge all prior and contemporaneous communications. The Agreement will not be further modified except by a written agreement dated subsequent to the effective date and signed on behalf of the Parties.
9.3. This DPA shall remain in effect as long as the Agreement remains in effect.
Exhibit A
CCPA Addendum
To the extent applicable, this CCPA addendum (“Addendum”) regulates the processing of Personal Information of California residents pursuant to the CCPA by the Company under the Agreement and the DPA. To the extent that there is any inconsistency between this Addendum and the Agreement or the DPA with regard to the processing of Personal Information regulated under the CCPA, this Addendum shall control.
1. Definitions
Any capitalized term in this Addendum that is not otherwise defined in the DPA shall have the meaning given to that term in the CCPA.
2. Representations and Warranties
2.1. COMPANY represents and warrants that it is a Service Provider or Contractor for the purposes of the services it provides to Customer pursuant to the DPA and the Agreement.
3. COMPANY Processing of Customer Data (including Personal Data)
3.1. COMPANY shall process Personal Data it receives pursuant to the Agreement only for the limited and specified purposes of providing the agreed upon services to Customer (as outlined in Exhibit A) and is prohibited from using Personal Data for any other purpose.
3.2. COMPANY shall comply with all applicable sections of the CCPA, including by providing the same level of protection to Personal Data as required by Customer under the law.
3.3. COMPANY agrees that Customer has the right to take reasonable and appropriate steps to ensure that COMPANY uses Personal Data that it receives from or processes on behalf of Customer in a manner consistent with Customer’s obligations under the CCPA.
3.4. COMPANY agrees that Customer has the right to take reasonable and appropriate steps to stop and remediate COMPANY’s unauthorized use of Personal Data.
3.5. COMPANY shall notify Customer as soon as possible after COMPANY determines that it can no longer meet its obligations under the CCPA.
3.6. If COMPANY engages Sub-Processors in relation to providing services to Customer pursuant to the Agreement, COMPANY shall have a contract with the Sub-Processor that complies with the CCPA and has the same restrictions on the processing of Personal Data as outlined in this Addendum.
4. Restrictions on COMPANY’s Use of Personal Data
4.1. COMPANY shall not Sell or Share Personal Data it receives from or processes on behalf of Customer, for purposes outside of those outlined in the DPA and exhibits incorporated by reference in the DPA.
4.2. COMPANY shall not retain, use, or disclose Personal Data it receives from or processes on behalf of Customer for any purpose (including any Commercial Purpose) other than for the purposes specified in the Agreement, DPA, and except as otherwise permitted by the CCPA.
4.3. COMPANY shall not retain, use, or disclose Personal Data it receives from or processes on behalf of Customer outside of the direct business relationship between COMPANY and Customer, except as otherwise permitted under the CCPA.
4.4. COMPANY shall not combine the Personal Data it receives from or processes on behalf of Customer with Personal Data it receives from or on behalf of another person or which it collects from its own interaction with another individual, provided that COMPANY may combine Personal Data to perform any Business Purpose, such as to analyze how users interact with Services, or as otherwise permitted under the CCPA.
5. Consumer Requests
5.1. Customer agrees to: (i) inform COMPANY of any consumer request made pursuant to the CCPA that they must assist Customer to comply with and (ii) provide the information necessary for COMPANY to comply with the request.