This Data Processing Addendum, together with its Schedules (the “DPA”) is incorporated into, and is subject to the terms and conditions of, the Master Subscription Agreement (“Agreement”) between Swoogo, LLC (“Swoogo”) and customer entity that is party to the Agreement (“Customer”) (each a “Party”, collectively the “Parties”). Any data protection agreement(s) that may exist between the Parties as of the last signature date of the Agreement are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the Agreement.
Table of Contents
“Customer Personal Data” means any Personal Data Processed by Swoogo (or a Sub-processor) in the course of providing the Services under the Agreement.
“Data Breach” means the actual breach of security leading to the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, acquisition of, or access to Customer Personal Data.
“Data Protection Laws” means all data protection Laws applicable to Swoogo’s processing of Customer Personal Data under the Agreement, including, where applicable, European Data Protection Laws and/or US Data Protection Laws.
“European Data Protection Laws” means all data protection Laws applicable to the European Economic Area and its member states (“EEA”), Switzerland, and the United Kingdom (“UK”), including: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (ii) all relevant European Union member state laws or regulations giving effect or corresponding with the GDPR; (iii) the UK Data Protection Act of 2018 and UK GDPR (“UK Data Protection Laws”); and (iv) the Swiss Federal Act on Data Protection (“FADP”).
“Individual” means an identified or identifiable natural person to whom Personal Data relates under Data Protection Laws.
“Law” or “Laws” means all applicable international, United States federal, country, state, provincial, regional, territorial, local, and other laws, rules, and regulations (including, but not limited to, Data Protection Laws), ordinances, interpretive letters, and other official releases of or by any authority, decrees, orders, and codes (including any requirements for permits, certificates, approvals, and inspections), as the same are promulgated, supplemented, and/or amended from time to time.
“Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Individual or household, and includes “personal information,” “personally identifiable information,” and analogous terms under Data Protection Laws.
“Sensitive Data” means: (i) social security number, passport number, driver’s license number, or similar identifier; (ii) financial account information; (iii) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data revealing sex life or sexual orientation; (iv) a minor’s Personal Data; (v) precise geolocation data; or (vi) health or medical information.
“Services” means Swoogo’s event marketing software.
“Standard Contractual Clauses” means any or all of the following, as applicable: (i) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/914, attached hereto as Schedule D; (ii) the standard contractual clauses between processors adopted by the European Commission in its Implementing Decision (EU) 2021/914, attached hereto as Schedule E; (iii) the United Kingdom Information Commissioner’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0), attached hereto as Schedule F; and/or (iv) Schedule G, modifying Schedule D or Schedule E, as applicable.
“Sub-processor” means any Processor engaged by Swoogo to assist in fulfilling its obligations under the Agreement. Sub-processors exclude an employee, contractor, or consultant of Swoogo.
“US Data Protection Laws” means, only if applicable to the Processing of Customer Personal Data in accordance with the Master Subscription Agreement and/or Order Form(s), the (i) Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018, including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time, including without limitation, effective on January 1, 2023, the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100–1798.199.100 (“CPRA”) (collectively, “CCPA”); (ii) effective on January 1, 2023, the Virginia Consumer Data Protection Act, Va. Code Ann. §§ 59.1-571–59.1-581 (2021), including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“CDPA”); (iii) effective on July 1, 2023, the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq. (2021), including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“CPA”); (iv) effective on December 31, 2023, Utah Consumer Privacy Act, UCA § 13-61-102, including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“UTCPA”); and/or (v) effective on July 1, 2023, the Connecticut Data Privacy Act, P.A. 22-15, including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time-to-time (“CTDPA”).
The terms “Business”, “Controller”, “Data Subject”, “Member State”, “Processing”, “Processor”, “Sale”, “Service Provider” and “Supervisory Authority” shall have the same meaning assigned to them under Data Protection Laws, and shall be construed accordingly. The term “Controller” is deemed to include “Business,” and the term “Processor” is deemed to include “Service Provider.”
Swoogo is a Processor of Customer Personal Data, acting on behalf of Customer, whether itself a Controller or Processor with respect to Customer Personal Data.
Customer shall only provide Swoogo with Customer Personal Data as specified in the Agreement, Order Form(s), and this DPA. Customer represents and warrants that it complies and will continue to comply with the obligations applicable to it under Data Protection Laws with respect to Customer Personal Data – including ensuring that any necessary Individual notices with respect to and consents to the Processing conducted by Swoogo are obtained and for ensuring that a record of such notices and/or consents is maintained – and will not issue Processing instructions to Swoogo in violation of applicable Law. Customer has the sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquires Personal Data and shares Personal Data with Swoogo. Customer will use the Services in compliance with all applicable Laws.
Swoogo shall Process Customer Personal Data, as described in Schedule A (Details of Customer Personal Data Processing) pursuant to Customer’s documented instructions in accordance with the Agreement and this DPA, or as required by applicable Law, including, but not limited to, Data Protection Laws, in which case Swoogo will notify the Controller of the legal requirement before Processing, unless that Law prohibits such information on important grounds of public interest. The Agreement, this DPA, and the Standard Contractual Clauses (if applicable) constitute Customer’s complete and final instructions to Swoogo for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately in writing and be consistent with this DPA. Swoogo shall notify Customer without unreasonable delay after Swoogo makes a determination that it can no longer meet its obligations under Data Protection Laws.
Customer shall ensure that Swoogo’s Processing of Customer Personal Data in accordance with Customer’s instructions will not cause Swoogo to violate applicable Law, including Data Protection Laws. Where Swoogo considers that an instruction infringes Data Protection Laws, it shall immediately inform Customer. If Customer fails to remedy such infringing instruction within thirty (30) calendar days after receipt of the notification, Swoogo may terminate the Agreement without liability to Customer.
Where Customer acts as a Processor on behalf of a third-party Controller, Customer warrants that its Processing instructions as set out in the Agreement and this DPA, including authorizations to Swoogo for the appointment of Sub-processors, have been authorized by the relevant Controller. Customer shall serve as the point of contact for Swoogo and Swoogo need not interact directly with any third-party Controller other than through regular provision of the Services to the extent required under the Agreement. Customer is responsible for providing all notifications and/or seeking appropriate authorizations from the relevant Controller.
Customer shall not provide (or cause to be provided) any Sensitive Data for Processing under the Agreement. If any Sensitive Data is incidentally or accidentally provided to Swoogo, Swoogo will treat such data in the same way that it treats Customer Personal Data under this DPA. Customer agrees that Swoogo will have no liability whatsoever for Sensitive Data transferred by Customer to Swoogo.
Swoogo may aggregate, deidentify, and/or anonymize Customer Personal Data in accordance with Data Protection Laws to use such data for Swoogo’s own internal analytics purposes. Customer agrees to allow Swoogo to irreversibly anonymize personal data in accordance with Applicable Data Protection Law (“Customer Anonymized Data”) to use such Customer Anonymized Data for the improvement of Swoogo’s own products and services. Swoogo will: (i) take reasonable measures to ensure that the information cannot be associated with a consumer or household; (ii) contractually obligate any recipients of the information to comply with Data Protection Laws; (iii) publicly commit to maintain and use the information in anonymized form and not to attempt to re-identify the information, except that Swoogo may attempt to reidentify the information solely for the purpose of determining whether its anonymization processes satisfy the requirements of Data Protection Laws.
To the extent US Data Protection Laws apply to the Processing of Customer Personal Data, Swoogo is prohibited from (i) selling or sharing (as such terms are defined under Data Protection Laws) Personal Data Swoogo receives from, or on behalf of, Customer; (ii) retaining, using, or disclosing the Personal Data received from, or on behalf of, Customer, unless expressly permitted by Data Protection Laws, (a) for any purposes other than those specified in the Agreement or the DPA, (b) for any commercial purpose other than the business purposes specified in the Agreement and DPA, including in the servicing of a different customer, (c) outside the direct business relationship between the Swoogo and Customer. Swoogo shall Process Personal Data only for the limited and specified business purpose(s) set forth within this Agreement and DPA; and (iii) combining the personal information that Swoogo receives from, or on behalf of, Customer with Personal Data that Swoogo receives from, or on behalf of, another customer, or collects from Swoogo’s own interaction with the consumer, provided that Swoogo may combine personal information to perform certain business purposes as defined in regulations adopted under the CCPA. Notwithstanding the foregoing, Swoogo may use, disclose, or retain Customer Personal Data to: (i) to detect data security incidents or to protect against fraudulent or illegal activity; (ii) to comply with applicable Laws; or (iii) to defend legal claims or comply with a law enforcement investigation; or (iv) retain and employ a Sub-processor in accordance with this DPA. Swoogo certifies it shall comply with these restrictions.
10.1 Personnel
Swoogo shall ensure that any persons authorized to Process Customer Personal Data by Swoogo have committed themselves to confidentiality, and that such person shall only have access to Customer Personal Data to the extent necessary to perform their job duties.
10.2 Security Measures
Swoogo shall implement and maintain, for the Customer Personal Data, appropriate technical and organizational measures to ensure a level of security appropriate to the risk and shall take all measures required pursuant to Article 32 of the GDPR, as set forth in more detail in Schedule B (the “Security Measures”). Customer is responsible for reviewing the Security Measures and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under applicable Laws, including Data Protection Laws. Customer agrees and acknowledges that Swoogo may update or modify the Security Measures, provided that such updates or modifications do not materially degrade the security of the Services provided to Customer. Notwithstanding any other provision herein, at all times, Customer has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data, including any Processing of Customer Personal Data not authorized by this DPA. Without limiting the foregoing, Swoogo will provide the same level of protection to Customer Personal Data as is required under Data Protection Laws applicable to Customer.
10.3 PCI
As a service provider under the Payment Card Industry Data Security Standard (PCI DSS), Swoogo will maintain PCI DSS compliance for as long as it processes, stores, or impacts the security of any cardholder data within their environment.
10.4 Data Breach
Upon becoming aware of a Data Breach, Swoogo shall, to the extent permitted by Law, notify Customer without undue delay and, where feasible, within twenty-four (24) hours, and in any event within seventy-two (72) hours, of becoming aware of the Data Breach. Swoogo will provide Customer with information relating to the Data Breach as it becomes known or as reasonably requested by Customer to enable Customer to comply with its obligations under Data Protection Laws. After becoming aware of a Data Breach, Swoogo will take reasonable steps to contain, investigate, and mitigate the Data Breach. Swoogo’s notification of or response to a Data Breach under this section will not be construed as an acknowledgement by Swoogo of any fault or liability with respect to the Data Breach.
10.5 Customer Security Obligations
Customer agrees that it is responsible for its own secure use of the Services, including, but not limited to, securing account credentials and protecting Customer Personal Data in transit.
10.6 Supplemental Measures
If the Standard Contractual Clauses apply to the Processing and transfer of Customer Personal Data, in connection with Clause 14 of the Standard Contractual Clauses, Swoogo agrees as follows:
10.6.1 Swoogo shall promptly notify Customer in the event that Swoogo, or Swoogo becomes aware that it or any of its Sub-processors, received a request from the government of any country that includes, or may include, access to Customer Personal Data, including, but not limited to, a request under the Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”), the Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (“USA FREEDOM Act”), the Clarifying Effective Overseas Use of Data Act (“CLOUD Act”), the Foreign Intelligence Surveillance Act of 1978 (“FISA”), or any similar legislation of any jurisdiction (“Disclosure Request”).
10.6.2
In connection with Clause 15 of the Standard Contractual Clauses, in the event that such a Disclosure Request is made, Swoogo shall:
(i) If, by Law, Swoogo is permitted to inform Customer of the Disclosure Request, then provide reasonable assistance as Customer requires in connection with the Disclosure Request, including in connection with the initiation of legal proceedings by Customer;
(ii) If, by Law, Swoogo is not permitted to inform Customer of the Disclosure Request, then, Swoogo shall either: (a) inform Customer that it is no longer able to provide the Services, or (b) to the extent permitted by Law, commence any potential legal proceeding against the initiator of the Disclosure Request so as to resist the disclosure of the information requested in the Disclosure Request, and shall include Customer in such proceedings where permitted by Law; and
(iii) Have a continuing obligation to provide further information to Customer as any additional details become available.
10.6.3 When transferring Customer Personal Data, Swoogo shall use encryption certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard. All emails between Customer and Swoogo shall utilize Transport Layer Security (TLS). Swoogo will encrypt all Customer Personal Data that resides on Swoogo’s system, services, backups, or other information systems, including Customer Personal Data that resides on systems and service of any third party with which Swoogo has subcontracted to store electronic data. Swoogo shall encrypt at rest using solutions that are certified against U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption keys and any keying material are stored with Swoogo rather than the third party storing the electronic data.
10.6.4 In the event that Customer Personal Data could be transferred to a mobile device, tablet, or laptop, Swoogo will implement, monitor, and maintain encryption and information leakage prevention tools using solutions that are certified against the U.S. Federal Information Processing Standard 140-2, Level 2, or equivalent industry standard, and verify that the encryption keys and keying material are not stored with any associated data.
Customer shall inform Swoogo of any Individual request pursuant to Data Protection Laws that Swoogo must comply with and provide the information necessary for Swoogo to comply with the request. The Services provide Customer with a number of self-service features, which Customer may use to respond to Individual requests as required (or as required of the third-party Controller) by Data Protection Laws. Only to the extent that it is not possible to respond using the self-service features, Swoogo shall provide reasonable assistance to Customer to enable Customer (or its third-party Controller) to respond to Individual rights requests under Data Protection Laws. In the event Swoogo receives a request directly from an Individual, Swoogo shall direct the Individual to submit the request directly to Customer. If required to respond under Laws to which Swoogo is subject, Swoogo shall, to the extent permitted by such Laws, inform Customer of that legal requirement before it responds to the request.
12.1 Authorized Sub-processors
Customer hereby grants Swoogo general authorization to engage Sub-processors in accordance with the provisions of this Section 12. Customer hereby approves the Sub-processors currently engaged by Swoogo and listed on Schedule C. Before engaging a new Sub-processor, Swoogo shall notify Customer fourteen (14) calendar days in advance of engaging any new Sub-processor to provide Customer with the opportunity to object to engaging the new Sub-processor on reasonable data protection grounds. If within fourteen (14) calendar days of receipt of such notice, Customer notifies Swoogo in writing of any objections, Swoogo will use commercially reasonable efforts to change the provision of the Services in a manner that avoids the use of the proposed Sub-processor. Where such a change cannot be made, notwithstanding anything in the Agreement, Customer may, by written notice to Swoogo, terminate any Order Form(s) to the extent it relates to the Services that require use of the proposed Sub-processor.
12.2 Sub-processor Obligations
Swoogo shall enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA and compliant with Data Protection Laws. Swoogo will remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Swoogo to breach any of its obligations under this DPA. Swoogo, upon request, shall use reasonable efforts to provide Customer with copies of its Sub-processor agreements, provided that it may redact confidential or other information it is legally or contractually prohibited from disclosing to Customer.
13.1 Customer Authorization
Customer acknowledges and authorizes Swoogo (and its Sub-processors) to transfer and Process Customer Personal Data to and in the United States and elsewhere in the world that Swoogo processes Customer Personal Data. Swoogo shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
13.2 European Data Transfers
To the extent legally required, with respect to transfers of Customer Personal Data protected by European Data Protection Laws, the Parties agree to abide by and Process Customer Personal Data in accordance with the applicable Standard Contractual Clauses, and by signing the Agreement the Parties are deemed to have signed such Standard Contractual Clauses. To the extent legally required, with respect to transfers of Customer Personal Data subject to the GDPR, Schedule D available at [https://swoogo.events/legal/dpa-schedule-d/] and incorporated herein, shall apply if Customer is a Controller under the GDPR, and Schedule E available at [https://swoogo.events/legal/dpa-schedule-e/] and incorporated herein, shall apply if Customer is a Processor under the GDPR. To the extent legally required, with respect to transfers of Customer Personal Data subject to the UK Data Protection Laws, Schedule D or Schedule E (as applicable) as modified by Schedule F available at [https://swoogo.events/legal/dpa-schedule-f/] and incorporated herein, shall apply. To the extent legally required, with respect to transfers of Customer Personal Data subject to the Swiss Federal Act on Data Protection, Schedule D or Schedule E (as applicable) as modified by Schedule G available at [https://swoogo.events/legal/dpa-schedule-g/] and incorporated herein, shall apply. The Standard Contractual Clauses are incorporated into and form an integral part of this DPA. To the extent that Standard Contractual Clauses are subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties will cooperate in good faith to implement any additional measures that may reasonably be required to lawfully support the transfer. In the event of a conflict between the DPA, the Agreement, and Schedule D, Schedule E, Schedule F, or Schedule G (as applicable), the applicable Schedule(s) shall prevail.
Upon termination or expiration of the Agreement, Swoogo shall (at Customer’s election), delete or return to Customer all Customer Personal Data in its possession or control, except to the extent Swoogo is required or authorized to retain such Customer Personal Data by applicable Law, or to the extent that Customer Personal Data resides in backup archives. If Customer Personal Data resides in backup archives, Swoogo shall delete such Customer Personal Data in accordance with Swoogo’s standard retention and deletion policies and protect the Customer Personal Data from any further Processing. In all cases, Swoogo shall continue to apply this DPA to such Customer Personal Data for as long as it is retained by Swoogo. The Parties agree that the certification of deletion requirement in the Standard Contractual Clauses (if applicable) shall be provided to Customer upon Customer’s written request.
To the extent required by Data Protection Laws, Swoogo, taking into account the nature of the Processing and the information available to Swoogo, will provide reasonable assistance to Customer to carry out and document data protection impact assessments under Article 35 of the GDPR and data protection assessments under the CDPA and CTDPA, and prior consultations with Supervisory Authorities under Article 36 of the GDPR, upon Customer’s written request.
16.1 Assistance
Swoogo shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and/or Data Protection Laws and allow for and contribute to audits, including inspections, by Customer (or its authorized representative) in order to assess compliance with this DPA and/or Data Protection Laws.
16.2 Audit
Swoogo shall allow Customer and Customer’s authorized representatives to conduct audits or inspections to ensure compliance with the terms of this DPA and Data Protection Laws. To request an audit or inspection, Customer shall notify Swoogo at least three (3) weeks in advance of the proposed audit or inspection date and Customer and Swoogo will mutually agree upon the scope and timing of the audit or inspection. Any audit or inspection must be conducted during Swoogo’s regular business hours and is subject to reasonable confidentiality procedures. In addition, audits and inspections, including scans and penetration tests, must be conducted by pre-approved entities only, and shall be limited to once per year unless a Data Breach has occurred, or unless authorized in advance in writing by Swoogo, or unless otherwise required by Data Protection Laws. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit and Customer shall be responsible and fully liable for the actions and omissions of its personnel and authorized representatives while on Swoogo’s premises and/or inspecting Swoogo’s systems and facilities.
Subject to Section 12 of the Standard Contractual Clauses (as applicable), each party’s liability, taken together in the aggregate, arising out of or relating to this DPA, shall be subject to the exclusions and limitations of liability set forth in the Agreement. No provision of this DPA shall be deemed to waive or limit the rights of any Individuals or Supervisory Authorities under applicable Data Protection Laws.
18.1 Parties
No one other than Customer or Swoogo (or its successors or permitted assignees) shall have any right to enforce any of the terms of this DPA.
18.2 Severability
Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible; or (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
18.3 Survival
The obligations set forth herein will survive termination of the Agreement and DPA for as long as Swoogo Processes Customer Personal Data.
18.4 Jurisdiction and Governing Law
The Parties hereby submit to the choice of law and jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
18.5 Precedence
In the event of a conflict between the terms of this DPA and the Master Subscription Agreement with respect to the subject matter herein, the following order of precedence shall apply: (i) the Standard Contractual Clauses (if applicable); (ii) this DPA; and (iii) the Master Subscription Agreement.
18.6 Changes in Data Protection Laws
If any amendment is required for this DPA as a result of a change in applicable Data Protection Laws, then either Party may provide written notice to the other Party of that change in Law. The Parties will discuss and negotiate in good faith any necessary variations to the Agreement or this DPA to address such changes. If either Party gives notice under this Section 18.6, the Parties shall without undue delay discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable.