Appendix C - Data Processing Addendum

1. Definitions

1.1. In this DPA:

{{bullet-points-1}}

2. Scope and applicability

2.1 This DPA applies to Processing of Organizer Personal Data by Swapcard for the use of Swapcard Solutions.

‍

2.2 The subject matter, nature and purpose of the Processing, the types of Organizer Personal Data and categories of Data Subjects are set out in Appendix 1.

‍

2.3 Organizer is a Controller and appoints Swapcard as a Processor. Organizer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers, and Organizer’s privacy policy or applicable document will govern the Organizer’s processing of data.

‍

2.4 If Organizer is a Processor on behalf of other Controller(s), then Organizer is: the single point of contact for Swapcard; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); guarantees all necessary authorizations from and information to Data Subjects have been duly provided; and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.

‍

2.5 Organizer acknowledges that Swapcard may Process Personal Data relating to the operation, support, or use of Swapcard Solutions for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with applicable law. Organizer acknowledges that once the Event is over, Swapcard will retain Attendee’s Personal Data for them to continue accessing the Platform, including for them to keep engaging with exhibitors or other attendees and, should they attend another event, to suggest upcoming activities or exhibitors they might be interested in. Swapcard is the Controller for such Processing and will Process such data in accordance with Data Protection Laws. Such Processing shall not be subject to the terms of this DPA.

3. Instructions

3.1 When acting as a Processor, Swapcard will Process Organizer Personal Data to provide Swapcard Solutions and Professional Services and in accordance with Organizer’s documented instructions.

‍
3.2 The Controller’s instructions are documented in this DPA, the T&Cs and Organizer’s use of Swapcard Solutions.

‍
3.3 Organizer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Swapcard may charge a reasonable fee to comply with any additional instructions.

‍
3.4 Unless prohibited by applicable law, Swapcard will inform Organizer if Swapcard is subject to a legal obligation that requires Swapcard to Process Organizer Personal Data in contravention of Organizer’s documented instructions.

4. Personnel‍

Company will ensure that all personnel authorized to Process Client Personal Data are subject to an obligation of confidentiality.

5. Security and Personal Data Breaches

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Swapcard will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Appendix 2.

‍
5.2 Organizer acknowledges that the security measures in Appendix 2 are appropriate in relation to the risks associated with Organizer’s intended Processing, and will notify Swapcard prior to any intended Processing for which Swapcard’s security measures may not be appropriate.

‍
5.3 Swapcard will notify Organizer without undue delay after becoming aware of a Personal Data Breach involving Organizer Personal Data. If Swapcard’s notification is delayed, it will be accompanied by reasons for the delay.

6. Subprocessing

6.1 Organizer hereby authorizes Swapcard to engage Subprocessors. A list of Swapcard’s current Subprocessors is included in Appendix 0.

‍
6.2 Swapcard will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.

‍
6.3 Swapcard will notify Organizer prior to any intended change to Subprocessors. Organizer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Swapcard’s notification of the intended change. Organizer and Swapcard will work together in good faith to address Organizer’s objection. If Swapcard chooses to retain the Subprocessor, Swapcard will inform Organizer at least thirty (30) days before authorizing the Subprocessor to Process Organizer Personal Data, and Organizer may immediately discontinue using the relevant parts of Swapcard Solutions and may terminate them within thirty (30) days.

7. Assistance

7.1 Taking into account the nature of the Processing, and the information available to Swapcard, Swapcard will assist Organizer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Organizer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; reasonably conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.

‍
7.2 Swapcard will maintain records of Processing of Organizer Personal Data in accordance with Data Protection Law.

‍
7.3 Swapcard may charge a reasonable fee for assistance under this Section 7. If Swapcard is at fault, Swapcard and Organizer shall each bear their own costs related to assistance.

8. Audit

8.1 Upon reasonable prior request, Swapcard must make available to Organizer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once a year by Organizer and performed by an independent auditor as agreed upon by Organizer and Swapcard. The foregoing shall only extend to those documents and facilities relevant and material to the processing of Organizer Personal Data, and shall be conducted during normal business hours and in a manner that causes minimal disruption. During such audit, the independent auditor shall not be authorized to access Swapcard's business secrets, its strategic information or information that Swapcard has undertaken to keep confidential. Swapcard may oppose any measure of control that would be likely to give the independent auditor access to such information without Organizer being able to make any claim in this respect.

‍
8.2 Swapcard will inform Organizer if Swapcard believes that Organizer’s instruction under Section 8.1 infringes Data Protection Law. Swapcard may suspend the audit or inspection, or withhold requested information until Swapcard has modified or confirmed the lawfulness of the instructions in writing.

‍
8.3 Swapcard and Organizer each bear their own costs related to an audit.

9. International Data Transfers

9.1 Organizer hereby authorizes Swapcard to perform International Data Transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 9.2.

‍
9.2 By signing this DPA, Organizer and Swapcard conclude the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Organizer; the “data importer” is Swapcard; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the country in which Organizer is established; Appendix 1 and Appendix 2 to the Standard Contractual Clauses, are Appendix 1 and 2 to this DPA respectively; and the optional indemnification clause is struck.

‍
9.3 If Swapcard’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Swapcard’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Organizer and Swapcard will work together in good faith to reasonably resolve such non-compliance.

10. Notifications

Organizer will send all notifications, requests and instructions under this DPA to Swapcard’s Data Protection Officer via email to legal@swapcard.com. Swapcard will send all notifications under this DPA to Organizer’s contact indicated in the Subscription Form or any other contact communicated to Swapcard when subscription to the Swapcard Solutions

11. Liability

Subject to any limitation of liability set out in the T&Cs, to the extent permitted by applicable law, where Swapcard has paid damages or fines, Swapcard is entitled to claim back from Organizer that part of the compensation, damages or fines, corresponding to Organizer’s part of responsibility for the damages or fines.

12. Termination and Return or Deletion

12.1 This DPA is terminated upon termination of the Agreement.

‍
12.2 Organizer may request return of Organizer Personal Data up to ninety (90) days after termination of the Agreement. Organizer acknowledges and agrees that Swapcard is authorized to retain Attendee’s Personal Data for a period of three (3) years after the last log in by the Attendee to process it as provided under Section 2.5, or for a longer period if required under applicable law. Organizer may request the deletion of Organizer Personal Data relating to a specific Data Subject if Organizer provides Swapcard with proof that the Data Subject has expressly consented to such deletion and acknowledged that he or she understands that such deletion would result in him or her not being able to access Swapcard Solutions s described in Section 2.5.

13. Applicable law and Jurisdiction

This DPA is governed by the laws of the T&Cs. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the courts indicated in the T&Cs.

14. Invalidity and Severability

If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

‍

‍

‍

Appendix 0 - Subprocessors

‍

‍

‍

Appendix 1 - Description of the Processing

1. Data Subjects

The Organizer Personal Data Processed concern the following categories of Data Subjects (please specify):

2. Categories of Organizer Personal Data

The Organizer Personal Data Processed concern the following categories of data (please specify):

3. Sensitive Data

The Organizer Personal Data Processed concern the following special categories of data (please specify):

4. Processing operations

The Organizer Personal Data will be subject to the following basic Processing activities (please specify):

‍

‍

‍

Appendix 2 - Security Measures

Swapcard will implement the following types of security measures:

1. Physical access control managed by AWS

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Organizer Personal Data are Processed, include:

• Establishing security areas, restriction of access paths; 
• Establishing access authorizations for employees and third parties;
• Access control system (ID reader, magnetic card, chip card); 
• Key management, card-keys procedures;
• Door locking (electric door openers etc.);
• Security staff, janitors;
• Surveillance facilities, video/CCTV monitor, alarm system; and
• Securing decentralized data processing equipment and personal computers.

2. Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

• User identification and authentication procedures;
• ID/password security procedures (special characters, minimum length, change of password);
• Automatic blocking (e.g. password or timeout);
• Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;

3. Data access control

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Organizer Personal Data in accordance with their access rights, and that Organizer Personal Data cannot be read, copied, modified or deleted without authorization, include:

• Internal policies and procedures;
• Control authorization schemes;
• Differentiated access rights (profiles, roles, transactions and objects); 
• Monitoring and logging of accesses;
• Reports of access;
• Access procedure;
• Change procedure;
• Deletion procedure; and
• Encryption.

4. Disclosure control

Technical and organizational measures to ensure that Organizer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Organizer Personal Data are disclosed, include:

• Encryption/tunneling;
• Logging; and
• Transport security.

5. Entry control

Technical and organizational measures to monitor whether Organizer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

• Logging and reporting systems.

6. Availability control

Technical and organizational measures to ensure that Organizer Personal Data are protected against accidental destruction or loss (physical/logical) include:

• Backup procedures;
• Mirroring of hard disks (e.g. RAID technology);
• Uninterruptible power supply (UPS);
• Remote storage;
• Anti-virus/firewall systems; and
• Disaster recovery plan.

7. Separation control

Technical and organizational measures to ensure that Organizer Personal Data collected for different purposes can be Processed separately include:

• Separation of databases by environment;
• Segregation of functions (production/testing); and
• Procedures for storage, amendment, deletion, transmission of data for different purposes.

‍

‍

‍

Exhibit B2 - California Data Processing Addendum

This addendum (“Addendum”) is pursuant to the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (“CCPA”), forms part of the DPA and prevails over any conflicting terms of the T&Cs.

1. Definitions

For the purposes of this Addendum–

• The capitalized terms used in this Addendum and not otherwise defined in this Addendum shall have the definitions set forth in the CCPA and the T&Cs.

2. Governing Law

Notwithstanding anything in the T&Cs to the contrary, this Addendum will be governed by the laws of the United States and the State of California, without reference to conflict of laws principles that would result in the application of another jurisdiction’s law.

3. Roles and Scope

• This Addendum applies only to the processing of Personal Information provided by Organizer to, or which is Collected on behalf of Organizer by, Swapcard to provide Swapcard Solutions to Organizer pursuant to the T&Cs or to perform a Business Purpose (“Organizer Personal Information”).
• Organizer is a Business and appoints Swapcard as a Service Provider to process Organizer Personal Information on its behalf.

4. Restrictions on Processing

• Except as otherwise permitted by the CCPA or Section 3.2 of this Addendum, Swapcard is prohibited from (i) retaining, using, or disclosing Organizer Personal Information for any purpose other than for the specific purpose of performing the Swapcard Solutions specified in the T&Cs for Organizer and (ii) further Collecting, Selling, or using Organizer Personal Information except as necessary to perform the Swapcard Solutions. 
• Organizer acknowledges that Swapcard may process Personal Information relating to the operation, support, or use of the Swapcard Solutions for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Organizer acknowledges that once the Swapcard Solutions provided by Swapcard to Organizer are fully executed, Swapcard will retain Organizer Personal Information in order to provide individuals with its own services, including to allow individuals to keep engaging with exhibitors or other attendees and, should they attend another event, to suggest upcoming activities or exhibitors they might be interested in. Swapcard is a Business for such processing and Organizer represents and warrants that it will comply with the CCPA when providing Personal Information to Swapcard in that context. Such Processing shall not be subject to the terms of this Addendum.  

5. Consumer Rights

Swapcard shall provide commercially reasonable assistance to Organizer for the fulfillment of Organizer’s obligations to respond to CCPA-related Consumer rights requests regarding Organizer Personal Information.

6. CCPA Exemption

Notwithstanding any provision to the contrary of the T&Cs or this Addendum, the terms of this Addendum shall not apply to Swapcard’s processing of Attendee’s Personal Information that is exempt from the CCPA, including under Cal. Civ. Code 1798.145(a).