Data Processing Agreement

This Data Processing Agreement (“DPA”) sets forth certain of the Parties’ obligations with respect to the protection of Personal Data, in connection with performance or receipt of the Services under the Fourwaves Terms of Service. This DPA is incorporated by reference into the Fourwaves Terms of Service.

A breach by the Parties of their covenants, representations or other undertakings in this DPA shall constitute a breach of and an event of default under the Fourwaves Terms of Service for which the Parties shall have all rights and remedies provided in the Fourwaves Terms of Service.

1. DEFINITIONS

In this DPA, the following terms shall have the meaning ascribed to them. Capitalized terms defined in the Fourwaves Terms of Service shall have the meaning ascribed to them in the Fourwaves Terms of Service.

1.1 "Account Data” means the name, email address and contact information of Fourwaves Member and other information provided by Fourwaves Members that are not associated with a specific Event.

1.2 “Affiliate” as to Customer or Fourwaves, shall mean any corporation, partnership, limited liability company, or other domestic or foreign entity (a) of which a controlling interest is owned directly or indirectly by a Party to the Fourwaves Terms of Service, or (b) controlled by, or under common control with, a Party to the Fourwaves Terms of Service.

1.3 “Data Protection Laws” means any and all applicable laws and regulations, applicable to the processing of Personal Data, as the same may be amended from time to time, including, without limitation, Personal Data Protection and Electronic Document Act (PIPEDA), the General Data Protection Regulation (GDPR Europe and GDPR UK) and the California Consumer Protection Act (CCPA);

1.4 "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom. 

1.5 “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

1.6 "European and UK Data Protection Laws" means data protection laws applicable in Europe and UK, in each case, as may be amended, superseded or replaced.  

1.7 “Fourwaves Members” means individuals that have created an account on the Fourwaves Platform;

1.8 “Participant” means an individual who registers for an Event or who enters information (including by filling an electronic form) on an event website organized by a Customer either through the Fourwaves Platform or otherwise.

1.9 “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined in the applicable Data Protection Laws.

1.10 “Security Incident” (or “Incident”) means  an occurrence that compromises the security, confidentiality or integrity of Confidential Information or the physical, technical, administrative or organizational safeguards put in place by a Party that relate to the protection of the security, confidentiality or integrity of Confidential Information, or  receipt of a complaint in relation to the privacy practices of a Party, a breach or alleged breach of any data protection, privacy or security representations in the Fourwaves Terms of Service or this DPA.

1.11 “Services” means the services provided by Fourwaves described in the Fourwaves Terms of Service;

1.12 “Subprocessor” means any third-Party appointed by a Party to process Personal Data;

1.13 “Supervisory Authority” means any regulatory authority responsible for the enforcement of Data Protection Laws.

2. ROLES OF THE PARTIES

2.1 Fourwaves will act as a separate controller in relation to Account Data.

2.2 Except with regard to Account Data, Fourwaves will act as a processor of Personal Data about Participants.

2.3 The Parties shall each comply with their respective obligations under the Data Protection Laws and as described in their respective privacy policies in respect of their processing of Personal Data.

3. PROCESSING OF PERSONAL DATA

3.1 With respect to Personal Data processed on behalf of Customer:

3.1.1 Fourwaves shall only process such Personal Data on behalf of and in accordance with Customer’s instructions and shall treat such Personal Data as Customer’s Confidential Information.  

3.1.2 Customer instructs Fourwaves to process such Personal Data for the following purposes:

3.1.2.1 Processing solely and exclusively in accordance with the Fourwaves Terms of Service and Fourwaves Privacy Policy and only to the extent necessary to deliver and perform the Services; and

3.1.2.2 Processing to comply with other reasonable instructions provided by Customer from time to time where such instructions are consistent with the terms of the Fourwaves Terms of Service and this DPA.

3.1.3 Fourwaves shall promptly inform Customer if, in its reasonable opinion, it believes that any instruction given by Customer infringes the Data Protection Laws.

3.2 Fourwaves will process Account Data in accordance with applicable Data Protection Laws.

      4. CROSS-BORDER TRANSFERS

      4.1 Each Party shall ensure that any transfer of Personal Data between jurisdictions is authorized by Data Protection Laws.

      4.2 Fourwaves shall not transfer European and UK Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European and UK Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European and UK Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European and UK Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European and UK Data Protection Laws.

      5. SECURITY

      5.1 Fourwaves shall ensure that all such persons or Parties involved in the processing of Personal Data :

      a) have undertaken appropriate training in relation to the Data Protection Laws, security practices, provided access to the policies and procedures comprising the Parties’ information security program, and evaluated in part based on their compliance with the Parties’ information security program;

      b) are subject to confidentiality undertakings (of which a copy shall be provided upon the other Party’s request); and

      c) are subject to user authentication and log on processes when accessing Personal Data.

      5.2 Fourwaves shall keep Personal Data confidential and will instruct its staff and Subprocessors as to the confidentiality of Personal Data.

      5.3 Fourwaves shall implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk and shall take all measures required pursuant to applicable Data Protection Law. In assessing the appropriate level of security, each Party shall take account in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

      6. SECURITY INCIDENT MANAGEMENT

      6.1 Fourwaves will promptly notify Customer of any actual, suspected or alleged Security Incident involving Personal Data about Participants. Upon identification of a Security Incident involving Personal Data about Participants, each Party shall:

      a) Cooperate fully with the other Party in investigating and responding to the Security Incident.

      b) Identify Personal Data about Participants affected.

      c) Immediately take steps to contain the Security Incident and preserve evidence for any necessary investigation.

      d) Complete a thorough forensic investigation of the Security Incident, consistent with industry best practices, and share with the other Party the results of all investigations, which shall include, but not be limited to: (1) a full description of the circumstances surrounding the Security Incident; (2) a description of the evidence reviewed and analysis completed;  (3) identification of the Security Incident’s root cause, if determined; and (4) a determination of whether any Confidential Information was accessed or acquired without authorization.

      e) Permit the other Party, or its designated agent, to conduct an investigation, during normal business hours upon prior written notice, and in a manner that does not unduly interfere with business operations, of the Security Incident, at the investigating Party’s sole cost and expense.

      f) Cooperate with the other Party as reasonably necessary to facilitate compliance with any applicable laws and regulations.

      7. SUBPROCESSING

      7.1 Fourwaves may engage Subprocessors to process Personal Data under its control in accordance with the requirements of applicable Data Protection Laws. Fourwaves will notify Customer of any change in Subprocessors. The current list of Fourwaves Subprocessors is accessible here.

      7.2 Fourwaves will allow Customer to reasonably object to the engagement of new Sub-Processors processing European Data within 30 days of notification. Where Customer object to the appointment of a new Sub-Processor, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either forego the appointment of the new Sub-Processor, ensure that no Customer Data is Processed by such new Sub-Processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

      7.3 For the purposes of Clause 9(c) of the Standard Contractual Clauses, Customer acknowledges that Sub-Processor agreements may be subject to confidentiality obligations. Fourwaves shall use reasonable efforts to require any Sub-Processor to permit the disclosure of the Sub-Processor agreement to Customer and shall provide (on a confidential basis) all information reasonably available for disclosure.

      8. AUDIT

      8.1 Upon request, each Party shall provide the other Party with all documentation and records to demonstrate its compliance with this DPA and with Data Protection Laws with respect to its processing of Personal Data on behalf of the other Party.

      8.2 Except as otherwise expressly stated herein, the Parties shall have no obligation to agree to an audit by the other Party with respect to their own processing of Personal Data when acting as a controller.

      8.3 Fourwaves will provide reasonable assistance to the Customer with data protection impact assessments, and dealings with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws. Customer acknowledges that such assistance will be provided only to the extent needed to comply with European Data Protection  Laws.

      9. DATA SUBJECT RIGHTS

      9.1 Each Party shall cooperate with the other, to the extent reasonably requested, in relation to:

      a) any requests from individuals whose Personal Data is processed by either Party;

      b) any other communication from a data subject or individual concerning the processing of their Personal Data; and

      c) any communication from a Supervisory Authority concerning the processing of Personal Data, or compliance with the Data Protection Laws.

      9.2 Fourwaves will promptly refer to Customer any inquiry regarding Personal Data except where such inquiry only concerns Account Data.

      9.3 Fourwaves may respond directly to inquiries by a data subject seeking to remove his/her personal data from the Platform. Fourwaves will use reasonable efforts to notify the affected Customers.

      10. DELETION OR RETURN OF PERSONAL DATA

      10.1 Upon request by Customer, Fourwaves shall, with respect to Personal Data processed as a processor for Customer:

      a) return a complete copy of such Personal Data to the other Party by secure file transfer and securely wipe all other copies of such Personal processed by the receiving Party or any authorized Subprocessor; or

      b) securely wipe all copies such , and in each case provide written certification to the disclosing Party that it has complied fully with this Section 10.

      10.2 Fourwaves will have no obligation to provide Account Data to the Customer or to delete Account Data.

      11. INDEMNIFICATION

      11.1 Each Party agrees to indemnify, defend and hold harmless the other Party, and its officers, directors, employees, sublicensees, and agents from and against any and all claims, losses, demands, liabilities, damages, settlements, expenses and costs (including without limitation attorneys’ fees and costs), and any and all threatened claims, losses, demands, liabilities, damages, settlements, expenses and costs, arising from or based on allegations of, (a) any Security Incident caused by the indemnifying Party’s wrongful act or negligence, (b) any breach of this DPA by the indemnifying Party or (c) any failure of the indemnifying Party to comply any applicable Data Protection Laws. For purposes of certainty, this Section shall not be limited by any provisions of the Fourwaves Terms of Service, including without limitation Force Majeure, liability caps, or limitation on liability.

      11.2 Neither Party shall have any obligation to indemnify the other Party hereunder for a claim based on such other Party’s or such other Party’s representatives or employees’ fault or negligent action or omission.

      12. MISCELLANEOUS

      12.1 Any obligation imposed by this DPA in relation to the processing of Personal Data, including but not limited to indemnification hereunder, shall survive any termination or expiration of this DPA and the Fourwaves Terms of Service.

      12.2 With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including but not limited to the Fourwaves Terms of Service, the provisions of this DPA shall prevail with regard to the protection of Personal Data.

      12.3 Compliance by each Party with the provisions of this DPA will be at no additional cost to the other Party except where expressly provided herein.

      12.4 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

      12.5 If Customer is located in Europe or if European Data is processed by Fourwaves under this DPA, this DPA shall be governed by the laws applicable in France and any dispute regarding this DPA shall be brought exclusively before the French courts. Otherwise, this DPA is governed by the laws applicable to the Fourwaves Terms of Service and disputes regarding this DPA shall be handled as set forth in the Fourwaves Terms of Service.