Last Updated: July 26, 2025

This Data Processing Addendum ("Addendum") forms part of the PaySeats Terms and Conditions (the "Main Agreement") between:

1. PaySeats Europe, S.L. ("PaySeats" or "Data Processor"), a company incorporated in Spain.
2. The Organizer ("Client" or "Data Controller"), as defined in the Main Agreement.

This Addendum will apply to the extent that PaySeats processes Personal Data on behalf of the Client in the course of providing the Service, and to the extent that the General Data Protection Regulation (EU) 2016/679 ("GDPR") or other applicable data protection laws govern such processing.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Main Agreement.

• "Data Protection Laws" means all applicable data protection and privacy laws and regulations, including the GDPR.
• "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" shall have the meanings given to them in the GDPR.
• "Sub-processor" means any third party engaged by PaySeats to process Personal Data on behalf of the Client.

2. Processing of Personal Data

2.1. Roles and Responsibilities

The parties acknowledge and agree that with regard to the Processing of Personal Data, the Client is the Data Controller and PaySeats is the Data Processor.

2.2. Controller's Instructions

PaySeats shall only process Personal Data on behalf of and in accordance with the Client’s documented, lawful instructions. The provision of the Service in accordance with the Main Agreement shall be considered a documented instruction.

2.3. Details of Processing

The details of the Processing of Personal Data are specified in Annex 1 of this Addendum.

3. Confidentiality and Security

3.1. Confidentiality

PaySeats shall ensure that all personnel authorized to process Personal Data are subject to strict confidentiality obligations.

3.2. Security Measures

PaySeats shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Such measures are described in Annex 2.

4. Sub-processors

4.1. General Authorization

The Client grants PaySeats a general authorization to engage Sub-processors to provide the Service.

4.2. List and Notification

PaySeats shall maintain an up-to-date list of its Sub-processors, as detailed in Annex 3. PaySeats shall notify the Client of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Client the opportunity to object to such changes.

4.3. Liability

PaySeats shall impose on its Sub-processors data protection obligations equivalent to those set out in this Addendum. PaySeats remains fully liable to the Client for the acts and omissions of its Sub-processors.

5. Data Subject Rights

PaySeats shall, to the extent legally permitted, promptly notify the Client of any requests from a Data Subject to exercise their rights (such as rights of access, rectification, erasure, etc.). PaySeats shall provide the Client with reasonable cooperation and assistance in relation to handling of a Data Subject's request.

6. Personal Data Breach Notification

PaySeats shall notify the Client without undue delay after becoming aware of a Personal Data Breach. PaySeats shall provide the Client with necessary information to allow the Client to meet its obligations to notify supervisory authorities and Data Subjects.

7. Data Protection Impact Assessments (DPIAs)

PaySeats shall provide reasonable assistance to the Client with any Data Protection Impact Assessments and prior consultations with supervisory authorities, as required under Data Protection Laws.

8. Deletion or Return of Data

Upon termination of the Main Agreement, PaySeats shall, at the Client's choice, delete or return all Personal Data to the Client, and delete existing copies unless Union or Member State law requires storage of the data.

9. Audits

PaySeats shall make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client, subject to reasonable advance notice and confidentiality obligations.

10. General Provisions

10.1. Precedence

In the event of a conflict between this Addendum and the Main Agreement, the provisions of this Addendum shall prevail with regard to data protection matters.

10.2. Governing Law

This Addendum shall be governed by the laws of Spain.

ANNEX 1: DETAILS OF PROCESSING

A. Subject Matter and Duration of Processing

Subject Matter: PaySeats will process Personal Data to provide the ticketing platform and related services to the Client, as described in the Main Agreement.

Duration: The duration of the processing will align with the term of the Main Agreement between PaySeats and the Client.

B. Nature and Purpose of Processing

• Providing the Client with tools to create and manage events.
• Processing the sale and issuance of tickets on behalf of the Client.
• Managing attendee lists and transaction data.
• Facilitating communication between the Client and their Attendees.
• Preventing fraud and ensuring the security of the Service.

C. Types of Personal Data Processed

Attendee Data: Full name, email address, phone number, payment information (handled by the Payment Partner), purchased tickets, and event details.

D. Categories of Data Subjects

Attendees: Individuals who purchase tickets or register for the Client’s events through the Service.

ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

PaySeats will implement, at a minimum, the following security measures:

• Access Control: Strong password policies, two-factor authentication (2FA) for personnel, and principles of least privilege for system access.
• Encryption: Encryption of data in transit (TLS/SSL) and at rest (AES-256) to protect Personal Data.
• System Resilience: Infrastructure hosted on top-tier cloud providers with high availability, redundancy, and disaster recovery plans.
• Network Security: Use of firewalls, intrusion detection systems, and network segmentation to protect the infrastructure.
• Incident Management: An incident response plan to detect, manage, and report Personal Data Breaches promptly and effectively.
• Personnel Training: Regular security and data protection training for all personnel with access to Personal Data.
• Secure Development: Secure Software Development Lifecycle (SDLC) practices to minimize application vulnerabilities.

ANNEX 3: LIST OF SUB-PROCESSORS

The Client authorizes PaySeats to use the types of Sub-processors listed below to provide the Service. A specific, up-to-date list of all Sub-processors is maintained at payseats.com/subprocessors.