Catalate Pricing as a Service Agreement

Last Updated: November 17, 2022

This Catalate Pricing as a Services Agreement (this “Agreement”) is made and entered into as of the date of Partner’s initial Order Form or the date of Partner’s initial use of the Services, whichever is earlier (the “Effective Date”), between Catalate Commerce, Inc., a Delaware corporation (“Catalate”), and the customer using the Services (“Partner”) (each, a “Party,” collectively, the “Parties”) and governs Catalate’s provision of the online services described herein.


1. Definitions.

1.1 “Affiliate” means a person or entity directly or indirectly, controlled by, controlling, or under common control with, a Party.

1.2 “API” means Catalate’s API(s) via which Partners may access Ticket inventory and pricing.

1.3 “Margin Percentage” means Catalate’s fees for providing the Services, calculated as a percentage of the Retail Price. The Order Form lists the Margin Percentages for Tickets sold on the API.

1.4 “Order Form” means this cover sheet and any subsequent order form for additional products or services that has been executed by both parties.

1.5 “Retail Price” means the actual price paid by an End User for a Ticket purchased through the API.

1.6 “Services” means Catalate’s professional consulting, marketing, promotional and online retail services and related Software to allow Partner to promote and sell its products online to prospective End Users, including the API.

1.7 “Software” means software and other source code, object code or underlying structure, ideas, know-how or algorithms used to provide the API and other parts of the Services.

1.8 “Tickets” means entry or use tickets for Partner’s property, and other associated products Partner wishes to sell through the Services;

2. Services; License Grant.

2.1 Partner hereby engages Catalate to provide the Services in accordance with and subject to the terms in Exhibit A.

2.2 During the term and subject to the terms of this Agreement, Catalate grants Partner a limited, revocable, non-exclusive, non-transferable license to access and integrate the API in order to make Ticket inventory available pursuant to Exhibit A.

3. Compensation. Partner shall pay Catalate as set forth on Exhibit A and each Order Form. Retail Prices shall include all applicable taxes, levies, duties, VAT and similar government assessments by any local, state, provincial, federal or foreign jurisdictions (collectively, “Taxes”). Partner shall be solely responsible for the payment of all Taxes associated with Ticket sales. If an applicable tax authority requires Catalate to pay any Taxes that should have been payable by Partner, Catalate will advise Partner in writing, and Partner will promptly reimburse Catalate for the amounts paid.

4. Use of Intellectual Property.

4.1 Catalate retains all right, title and interest in, including any and all intellectual property rights embodied in or associated with the Services and the Catalate trademarks.

4.2 Restrictions. Partner will not, and will not allow its users to (without limitation):

(A) provide the Services to third parties for service bureau or time-sharing purposes or in any other way allow third parties to exploit the Services;

(B) permit any third party to access or use the Services in any other way;

(C) sell, resell, transfer, assign, frame, mirror, or distribute the Services;

(D) introduce software or automated agents or scripts to the Services in order to produce multiple accounts, generate automated searches, requests, or queries, or to strip, scrape, or mine data from the Services;

(E) copy or reverse engineer the software, pricing model or pricing strategies used to provide Services for any reason; or

(F) access the Services in order to build a competitive product or service, to build a product using similar ideas, features, functions or graphics of the Services, or to copy any ideas, features, functions, or graphics of the Services.

5. Security Standards. Partner’s networks, operating systems, web servers, routers and computer systems must be properly configured to industry standards so as to prevent any intrusion or unauthorized disclosure or loss of data. In the event of any breach of security involving the API or other Services, Partner must notify Catalate immediately and work diligently to remedy such security breach as soon as practicable.

6. Acceptable Use. Partner agrees that it and its employees and agents will not use the Services to:

6.1 transmit any material that contains adware, malware, spyware, software viruses, or any other computer code, files, or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment;

6.2 interfere with or disrupt Catalate servers or networks connected to Catalate, or disobey any requirements, procedures, policies, or regulations of networks connected to Catalate;

6.3 attempt to access any other Catalate systems that are not part of the Services; or

6.4 violate any laws, third party rights, or any obligations under this Agreement.

7. Partner Reports. Partner will maintain all records related to its orders processed using the API as required by this Agreement by applicable law. Partner shall send a weekly report of all orders processed using the API to Catalate in a format provided by Catalate. If there is greater than a 5% variance between bookings provided by Partner in a format provided by Catalate and Catalate’s systems, Partner will have two weeks from Catalate’s notice of such variance to amend the API configuration such that the variance is reduced to less than 5%. If the issue is not resolved within the two week period, Catalate will revert strategy to static pricing until the issue is resolved. In order to verify the accuracy of such reports, Catalate may inspect Partner’s records and materials related to this Agreement. Such audits will be conducted during Partner’s normal business hours, upon no less than five days’ prior written notice. Catalate shall be responsible for the audit costs unless the audit reveals an underpayment of 5% or greater, in which case Partner shall pay Catalate’s reasonable expenses of the audit in addition to all fees due.

8. Confidentiality.

8.1 Subject to the limitations set forth in Section 8.2, all information disclosed by one party to the other party during the term of this Agreement, whether in oral, written, graphic or electronic form, shall be deemed to be “Confidential Information”. Confidential Information includes, without limitation, Catalate software used to provide Services, related documentation, specifications, pricing, disclosures in connection with the provision of Services, disclosures made by Partner about its operations, Ticket sales and other non-public metrics, and the terms and conditions of this Agreement. Confidential Information shall remain the sole property of the disclosing party or its licensors.

8.2 Exceptions. Information will not be considered as Confidential Information if the receiving party can establish by documentary evidence that the information is or was: (A) lawfully available to the public through no act or omission of the receiving party; (B) in the receiving party’s lawful possession prior to disclosure by the disclosing party and not obtained either directly or indirectly from the disclosing party; (C) lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (D) independently developed by the receiving party.

8.3 Nondisclosure. The parties agree, during the term and after the termination of this Agreement, to hold each other’s Confidential Information in confidence and not to disclose such information in any form to any third party without the express written consent of the disclosing party, except to employees and consultants performing services for the benefit of the receiving party who are under a written non-disclosure agreement protecting the applicable Confidential Information in a manner no less restrictive than this Agreement. Each party agrees to take all reasonable steps to ensure that Confidential Information is not disclosed or distributed by its employees or agents in violation of this Agreement. A receiving party facing legal action to disclose Confidential Information of the disclosing party shall promptly notify and provide the disclosing party the opportunity to oppose such disclosure or obtain a protective order and shall continue to treat such information as Confidential Information. This Section 9 shall not be construed as granting or conferring any rights to either party by license or otherwise, expressly or implicitly, to any Confidential Information.

8.4 Permitted Third Parties. For the avoidance of doubt, Partner acknowledges and consents to the sharing of its pricing information with Partner’s operating system and other technology partners for the purpose of providing the Services.

9. Term. Unless sooner terminated or otherwise stated in the Order Form, the initial term of this Agreement shall be one year. Thereafter, this Agreement shall automatically renew for successive periods of one year each unless either party notifies the other Party of non-renewal of this Agreement at least 30 days before the end of the then-current term.

10. Termination.

10.1 Catalate may suspend or terminate the Agreement, access to all or any portion of the Services, and/or the licenses granted herein immediately upon notice in the event that Partner uses or permits the use of the Services for any improper or illegal purpose or any purpose not authorized by this Agreement.

10.2 Either party may terminate this Agreement (including all related Order Forms) if the other party: (A) fails to cure any material breach of this Agreement within 30 days after written notice of such breach; (B) ceases operation without a successor; or (C) seeks protection under any bankruptcy, receivership, trust deed, creditors arrangement, composition or comparable proceeding, or if any such proceeding is instituted against such party (and not dismissed within 60 days)).

10.3 Termination is not an exclusive remedy and the exercise by either party of any remedy under this Agreement will be without prejudice to any other remedies it may have under this Agreement, by law, or otherwise.

11. Representations and Warranties. Each Party represents and warrants that it has the right, power and authority to enter into this Agreement and to perform all of its respective obligations under this Agreement, that the person executing or consenting to each Order Form on behalf of a party has been authorized by such party to do so, and that the performance of such obligations shall not conflict with or result in a breach of any agreement to which it is a party or is otherwise bound. Catalate represents and warrants that the Services process and store credit or debit card payment information in compliance with the Payment Card Industry Data Security Standards (PCI-DSS).


13. Indemnification.

13.1 Partner agrees to defend, indemnify and hold harmless Catalate, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents the (“Catalate Indemnified Parties”) against any and all claims, liabilities, damages, losses, costs, expenses, and fees (including reasonable attorneys’ fees) (“Claims”) brought against Catalate for damages to the extent due to any actual or alleged improper use or application of the Services.

13.2 Catalate agrees to defend, indemnify and hold harmless Partner, its Affiliates, successors, assigns, members, shareholders, officers, directors and agents (the “Partner Indemnified Parties”) against any and all Claims brought against Partner for damages to the extent due to any actual or alleged: (A) claim that the platform used by Catalate to operate the Services infringes or misappropriates the intellectual property rights or rights of privacy or publicity of a third party; or (B) violation by Catalate of any applicable law, rule or regulation in performing the Services.

13.3 The indemnified Party must notify the other Party promptly in writing of any claim hereunder and provide, at such other Party’s expense, all reasonably necessary assistance, information and authority to allow the other Party to control the defense and settlement of such claim. Each Party reserves the right, at its own expense, to assume the exclusive defense and control of any matter subject to indemnification by such party under this Section 13. The indemnity obligations hereunder shall survive the termination of this Agreement.

14. Limitations of Liability.



15. Modification of Reservation Service Programs. Catalate may add, delete or otherwise modify any of the Services, provided that Catalate will notify Partner of any material modification that results in degradation of the Services.

16. Force Majeure. Neither Catalate nor Partner will be liable for any delay or failure in performance under this Agreement due to any cause beyond its reasonable control.

17. Governing Law, Jurisdiction and Venue. This Agreement and all matters or issues related to this Agreement shall be governed by and construed under the laws of the State of California without application of principles of conflicts of laws. Each of the Parties irrevocably and unconditionally agrees that any legal proceeding arising out of or relating to this Agreement may be brought in the United States District Court for the Northern District of California, or, if that court lacks jurisdiction, in any court of competent jurisdiction in San Francisco County; and (b) consents to the jurisdiction of each such court in any proceeding. In the event of any action, suit or proceeding related to this Agreement, the prevailing party, in addition to its rights and remedies otherwise available, shall be entitled to receive reimbursement of reasonable attorneys’ fees and expenses and court costs.

18. Assignment. Partner may not assign or sublicense, by operation of law or otherwise, this Agreement or any duties, rights or obligations under this Agreement without Catalate’s prior written consent; provided that either party may assign this Agreement to its Affiliate or its successor in the event of a merger, acquisition or sale of all or substantially all of the assets of such party. Any other purported assignment shall be void. Subject to the foregoing, this Agreement shall be binding upon and inure to the benefit of the Parties and their respective successors and permitted assigns.

19. Severability; No Waiver. If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, then such provision shall be construed, as nearly as possible, to reflect the intentions of the Parties with the other provisions remaining in full force and effect. The failure of either Party to exercise or enforce any right or provision of this Agreement will not constitute a waiver of such right or provision, unless such waiver is in writing and is executed by the Party against whom such waiver is claimed.

20. Notices. Any notice required or permitted under this Agreement shall be given in writing and shall be deemed delivered when: (A) verified by written receipt if sent by personal courier, overnight courier, or postal mail; or (B) confirmed or replied to by the recipient if sent by email. Notices shall be delivered to each Party at its respective address specified in this Agreement, or at such other address as such Party may specify by written notice to the other.

21. No Agency or Third Party Beneficiary. Partner and Catalate are independent contractors, and nothing in this Agreement (including use of the defined term “Partner”) shall be construed to create a partnership, joint venture, franchise, or agency relationship between Partner and Catalate. Neither Party has any authority to enter into agreements of any kind on behalf of the other Party. Catalate and Partner agree that there should be no third party beneficiary to this Agreement, including, but is not limited to, End Users.

22. Miscellaneous. This Agreement, along with the attached Exhibits, constitutes the entire agreement of the Parties with respect to its subject matter, superseding all prior or contemporaneous oral and written communications, proposals, negotiations, representations, understandings, courses of dealing, agreements, contracts, and the like between the Parties in such respect, except that terms on an Order Form will supersede comparable provisions in this Agreement for the period stated in the Order Form. The section headings in this Agreement are for convenience only and have no legal or contractual effect. This Agreement: (A) may be executed in any number of counterparts, each of which, when executed by both Parties to this Agreement shall be deemed to be an original, and all of which counterparts together shall constitute one and the same instrument; and (B) may not be amended or modified by Partner unless such amendment or modification is in writing signed by both Parties. The terms of any sections that, by their nature, are intended to extend beyond termination shall survive termination of this Agreement for any reason.

The API allows third-parties to access ticket inventory and sell it in other environments (e.g. another e-commerce engine, lodging environment, native mobile apps, other third party distribution channels, etc.). With the API, a Partner can access ticket prices, inventory quantity and availability as well as create orders in the Catalate system. Inventory management and analysis is done within Catalate’s system.
End User Transactions. Catalate will provide Ticket prices via the API only and will not be responsible for Ticket sales, payment processing, Ticket fulfilment or any other aspects of Tickets sold unless otherwise agreed upon between the parties in writing. Partner will be responsible for post-purchasing interactions with its customers. Catalate will have no liability for Partner’s actions or failures to act with regard to such interactions.
Payment. Catalate’s fees for use of the API will be provided on each Order Form. Except as otherwise provided herein all fees are noncancelable and nonrefundable and Partner will pay all fees within 30 days from receipt of Catalate’s invoice. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection. Without limiting its other remedies, Catalate may suspend Services for nonpayment of fees.

When Catalate provides marketing and Ticket fulfillment services for Partners, in some cases Catalate has a direct relationship with End Users and is the controller of Personal Data they provide. In other cases Catalate will act as a processor, processing Personal Data on Partner’s behalf. This Addendum applies to situations where Partner is the controller or processor of Personal Data and Catalate is the processor. The parties agree that this Addendum shall be incorporated into and form part of the Agreement and subject to the provisions therein, including limitations of liability.
1 Definitions and interpretation. For purposes of this Addendum:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
“Agreement” means the agreement between Partner and Catalate to which this Addendum is attached.
“Breach” means a breach of security by Catalate that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by the Services.
“Controller”, “Processor” and “Data Subject” (whether or not capitalized) have the meanings provided in the GDPR and equivalent meanings under other Data Protection Laws.
“Data Protection Laws” means the General Data Protection Regulation 2016/679 (“GDPR”), the United Kingdom Data Protection Act 2018 and GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act, its associated regulations and their successors (“CPRA”) and all other data protection and privacy laws and regulations of the United States, the United Kingdom and the EEA applicable to the Processing of Personal Data under the Agreement.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Iceland, Liechtenstein, Norway and Switzerland.
“Personal Data” refers to data processed by the Services on Partner’s behalf that corresponds to the following terms and Data Protection Laws: (A) Personal Data as defined in GDPR in reference to residents of the European Economic Area and the United Kingdom, and (B) Personal Information as defined in the CPRA in reference to California residents, and (C) equivalents terms under other laws applicable to the Services in reference to residents of those jurisdictions.
“SCCs” or “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as (i) approved by European Commission Implementing Decision 2021/914, and (ii) as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
Other capitalized terms used herein have the meanings provided in the Agreement.
2 Global Processing Terms.
2.1 General Processing Conditions. Catalate shall process Personal Data on Partner’s behalf for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Partner, except where otherwise required by applicable law. Catalate may have a separate right to process certain Personal Data: (A) if Catalate receives the same guest Personal Data from multiple sources, and (B) if Catalate has a direct relationship with a data subject and is a controller of that Personal Data. Catalate will promptly inform Partner if it becomes aware that processing requested by Partner infringes Data Protection Laws.
2.2 Compliance. Partner is responsible for ensuring that: (A) its use of the Services complies with Data Protection Laws and with all other applicable laws relating to privacy and data protection; and (B) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Catalate for processing in accordance with the Agreement and this DPA. Partner must advise Catalate if its proposed use of the Services would subject Catalate to data protection or privacy obligations under laws or regulations other than the Data Protection Laws. If and when necessary in that situation, the parties may enter into a local implementation addendum governing any provisions of such laws.
2.3 Training. Catalate shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.
2.4 Security Incidents. Catalate will notify Partner without undue delay on becoming aware of a Breach, by sending an email to Partner’s principal contact for the Catalate relationship. Further, Catalate undertakes to take all reasonable steps to mitigate the impact of any such Breach and to reasonably cooperate with Partner to enable Partner to comply with its obligations under Data Protection Laws, including by assisting Partner in notifying Data Subjects or regulators of a Breach. Catalate shall not give such notice without the prior written approval of Partner.
2.5 Obligation to Rectify, Update and Restrict Processing of Partner Personal Data. During the term of the Agreement, Catalate shall: (A) ensure that the Personal Data is accurate and, where necessary, kept up to date, in accordance with Partner’s instructions and (B) restrict the processing of Personal Data identified by Partner.
2.6 Obligation to Delete and Return Personal Data. Upon completion of its obligations in relation to processing of Personal Data under the Agreement or upon Partner’s request at any time during the term of the Agreement, Catalate shall, at Partner’s election, either: (A) return all or subsets of the Personal Data in Catalate’s control to Partner; or (B) permanently delete or render the Personal Data unreadable. Notwithstanding the foregoing: Catalate may retain Personal Data: (x) to the extent it has a separate legal right or obligation to do so; and (y) in backup systems until the backups have been overwritten or expunged in accordance with Catalate’s backup policy.
2.7 Audit Rights.
(A) Upon Partner’s written request, Catalate shall provide Partner with a summary of its then-current information security program as relevant to the security and confidentiality of the Personal Data shared during the course of the Agreement.
(B) In addition, Partner may contact Catalate to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Personal Data. Before the commencement of any such on-site audit, Partner and Catalate shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Catalate incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Catalate.
(C) Catalate accepts and agrees that supervisory authorities may request information from Catalate and carry out investigations in the form of data protection audits of Catalate, in accordance with Data Protection Laws.
3 EEA- and UK-Specific Processing Terms
3.1 Subprocessors. Partner generally authorizes Catalate’s appointment of certain third party Processors of Personal Data under this Agreement (“Subprocessors”). Catalate confirms that it: (A) has entered (or, for future appointments, will enter) into a written agreement with the Subprocessor incorporating terms which are substantially similar to those set out in this Addendum; and (B) will inform Partner of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Partner the opportunity to object to such changes.
3.2 Transfers Outside the EEA or United Kingdom. Catalate may not transfer Personal Data to, or process such data in, a location outside of the EEA or United Kingdom (as appropriate) without Partner’s prior written consent (in each case a “Transfer”). Without prejudice to the foregoing, Partner consents to Transfers where Catalate has implemented a Transfer solution compliant with Data Protection Laws, which for example may include: (A) where such transfer is subject to an adequacy decision by applicable authorities; (B) Privacy Shield or an equivalent valid Transfer framework; (C) the Standard Contractual Clauses; (D) another appropriate safeguard pursuant to Article 46 of the GDPR; or (E) a derogation pursuant to Article 49 of the GDPR.
4 California-Specific Processing Terms
4.1 Processing in Accordance with California Law. Catalate shall not, within the meaning of the CPRA and with respect to Personal Data to which CPRA applies: (A) sell or share Personal Data; (B) retain, use, or disclose Personal Data for any purpose other to provide the Services; (C) retain, use, or disclose Personal Data for a commercial purpose other than providing the Services; or (D) retain, use, or disclose Personal Data outside of the direct business relationship between Partner and Catalate; or (E) combine Personal Data with Personal Data it receives from any other source, including from data subjects themselves, except for business purposes permitted by the CPRA, but in no case may Catalate use Personal Data for Catalate’s advertising or marketing purposes.
5 Governing Law
This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by GDPR, in which case this DPA will be governed by the laws of France.
6 Incorporation of Standard Contractual Clauses
The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
6.1 Module One applies to those transfers in which Partner is the data controller and Catalate is the data controller for limited business contact information concerning Partner‘s individual representatives who provide instructions to Catalate.
6.2 Module Two applies to those transfers in which Partner is the data controller and Catalate is the data processor.
6.3 Module Three applies to those transfers in which Partner is the data processor and Catalate is the sub-processor.
6.4 Clause 7 (Docking Clause) is omitted;
6.5 In Clauses 8.9(b) and 8.9(e) the review and audit provisions in Section 2.7 shall apply.
6.6 In Clause 9(A) (Use of sub-processors) –Option 2 (General Written Authorization) applies in accordance with Section 3.1 above;
6.7 In Clause 11(A) (Redress) – the Optional provision shall NOT apply;
6.8 In Clause 16(B) (Suspension of transfers) if Catalate is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;
6.9 In Clause 17 (Governing Law) – the laws of the Republic of France shall govern; and
6.10 In Clause 18 (Choice of forum and jurisdiction) – the courts of the Republic of France shall have jurisdiction.
6.11 The information required by Annex I (Description of Processing) is provided on Annex 1 attached hereto.
6.12 The information required by Annex II (Technical and Organizational Security Measures) is provided on Annex 2 attached hereto.
7 Application of SCCs to Transfers from Switzerland
7.1 Personal Data transfers from Switzerland will be governed by the SCCs as conformed to Swiss law as follows:
(A) references to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to Switzerland, the Swiss Federal Data Protection Act, and the Swiss Federal Data Protection and Information Commissioner; and
(B) In Clause 17 (Governing Law) the laws of Switzerland shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of Switzerland shall have jurisdiction.
8 Application of SCCs to Transfers from the United Kingdom
8.1 Personal Data transfers from the United Kingdom will be governed by the SCCs as conformed to UK GDPR law by the IDTA. The information required by each table of the IDTA is provided as follows:
(A) Table 1 (Identification of Parties): as described in the Agreement and Sections 6.1 – 6.3 above.
(B) Table 2 (Selection of SCCs, Modules and Selected Clauses): The parties agree the IDTA is appended to the SCCs as modified by Section 6. above. Above (Incorporation of Standard Contractual Clauses).
(C) Table 3:
(1) Annex 1A (Identification of Parties): as provided in the Agreement;
(2) Annex 1B (Description of Transfer): Annex 1 attached hereto;
(3) Annex II (Technical and Organizational Security Measures): Annex 2 attached hereto;
(4) Annex III (List of Sub processors): As described in Section 3.1 above.
(d) Table 4 (Effect of Changes to IDTA): When the IDTA changes neither party may end this DPA or the SCCs unless the Agreement is simultaneously terminated.
(e) In Clause 17 of the SCCs (Governing Law) the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction) the courts of London, England shall have jurisdiction.

The data processing activities carried out by Catalate under the Agreement may be described as follows:

Categories of data subjects whose personal data is transferred

Catalate’s processing concerns Partner personnel and End Users.

Categories of personal data transferred

Catalate will process the following categories of Personal Data about data subjects: first and last name, email address, telephone and other identifying information for End Users, and their payment information when they purchase Tickets.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).


Nature of the processing

Catalate will process Personal Data to provide the Services identified in the Agreement.

Purpose(s) of the data transfer and further processing

Catalate will transfer Personal Data to provide the Services identified in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

During the term of the Agreement

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subprocessors referenced in Section 3.1 provide portions of the platform used by Catalate to provide the Services

Description of the technical and organisational security measures implemented by Catalate in accordance with Data Protection Law:

Policy Control

Catalate shall maintain a documented information security policy that, at a minimum, conforms to the most updated NIST 800 series Information Security Management System standard.  Catalate shall ensure its information security policy and any appropriate training, therefore, is provided to all staff involved directly or indirectly in the provision of the Approved Purpose.  Catalate shall implement controls to monitor on an ongoing basis compliance with its information security policy.

Access Control in a Physical Sense

Catalate shall take reasonable measures to prevent unauthorized persons from gaining access to data processing systems for processing and/or using Personal Data by implementing physical controls including:

  • an access control system (ID reader, magnetic card, chip card);
  • keys;
  • security staff, janitors; and
  • surveillance facilities (alarm system, Closed Circuit Television (CCTV) monitor)

Access Control to the IT System

Catalate shall take reasonable measures to prevent data processing systems from being used without authorization by implementing:

  • password procedures (incl. special characters, minimum length, frequent change of passwords);
  • user authentication keys
  • segmentation of resources by role
  • automatic blocking (e.g. password or timeout); and
  • company-wide use of 1Password application.

Access control to Data Controller Data

Catalate shall ensure that persons authorized to use the data processing system have only access to the data, which they are authorized to access, and that Personal Data cannot be read, copied, altered and/or removed without authorization during processing, use and after recording by implementing:

  • differentiated access rights (profiles, roles, transactions and objects);
  • reports on access used;
  • access levels and access controls;
  • change control procedures; and
  • audit trails.

Transmission Control

Catalate shall ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transfer or transport. To this end Catalate shall implement:

  • encryption/tunneling (VPN = Virtual Private Network);
  • login/password access control;
  • logging; and
  • tls transport security.

Input control

Catalate shall ensure that it is possible after the fact to check and ascertain whether Personal Data has been entered into, altered or removed from data processing systems and if so, by whom by implementing:

  • logging and reporting systems; and
  • role aligned access and entitlements.

Job control

Catalate shall ensure that Personal Data processed on behalf of Partner is processed strictly in compliance with the Partner’s instructions requiring its employees to obey the instructions of Partner and to process Personal Data exclusively in compliance with Partner’s instructions.

Availability control

Catalate shall ensure that Personal Data is reasonably protected against accidental destruction or loss by implementing:

  • backup procedures;
  • mirroring of hard disks, e.g. RAID technology;
  • uninterruptible power supply (UPS);
  • remote storage;
  • firewall systems; and
  • disaster recovery plan.

Separation Control

Catalate shall ensure that Personal Data collected for different purposes can be processed separately by implementing:

  • segregation of functions (production/testing);
  • record of Partner consent and scope of consent for any data provided directly to Catalate

Security Incident Management

Catalate shall implement an appropriate security incident management process aligned with industry best practices, requiring, at minimum:

  • prompt investigation of any Security Incidents;
  • notification of Partner within the timeframe specified in this Addendum; and
  • provision to Partner and/or its designated representative with all reasonable access to Catalate’s systems, data, and logs as necessary for the purpose of understanding the circumstances of the Security Incident.

Access controls:

Catalate office is secured with a guard at the building entrance and key cards at the door to the building and door to the office.

Catalate services are hosted on AWS. All access to AWS is via multi factor authentication. Catalate also enables MFA where possible to access other cloud resources in use.