Updated: 10/11/2024
This Data Processing Addendum ("DPA") is entered into by and between Customer and Cvent, Inc., on behalf of itself and its wholly-owned subsidiaries (collectively, “Cvent”) (together, the “Parties”), and is incorporated by reference into the underlying Service Agreement or Order Form entered into by the Parties (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of Applicable Data Protection Laws.
DATA PROCESSING TERMS
In providing the Services to Customer pursuant to the Agreement, Cvent may process Customer Personal Data on behalf of Customer. Cvent will comply with the provisions in this DPA with respect to its processing of any Customer Personal Data. All capitalized terms not defined herein will have the meaning set forth in the Agreement.
1. DEFINITIONS
1.1 For the purposes of this DPA:
(a) "Affiliate(s)" has the same meaning ascribed to it in the Agreement and, if not defined in the Agreement, the term means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity.
(b) "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
(c) "Customer" means the non-Cvent party to both the Agreement and this DPA that has access to the Services.
(d) "Data Subject" means the individual to whom Personal Data relates.
(e) “DIFC Addendum” means, as applicable, the document titled “Dubai International Financial Centre – Abbreviated Standard Contractual Clauses” attached hereto as Attachment D, for the purposes of transfers of personal data from a DIFC exporter to a non-DIFC importer.
(f) "Applicable Data Protection Laws" means all laws and regulations, including but not limited to laws and regulations of the State of California, the Commonwealth of Virginia, the European Union, the European Economic Area and their member states, the United Kingdom, Switzerland, and the Dubai International Financial Centre (“DIFC”), applicable to the Processing of Personal Data under the Agreement.
(g) "Cvent" means the Cvent entity that is a party to both the Agreement and this DPA, which may be Cvent, Inc., a company incorporated in the State of Delaware, or a Cvent Affiliate, including but not limited to the following: Cvent Europe Ltd., Cvent Nederland B.V., Cvent Deutschland GmbH, Cvent Australia Pty Limited, Cvent Singapore Pte. Ltd., Cvent FZ-LLC, Cvent India Private Limited.
(h) “Cvent Account Data” means personal data that relates to Cvent’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Cvent Account Data also includes any data Cvent may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.
(i) “Cvent Usage Data” means Service usage data collected and processed by Cvent in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
(j) "Personal Data" means any personal data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(k) “Customer Personal Data” means any Personal Data either (i) transmitted by Customer or Customer’s agents through the SaaS Solution pursuant to the provision of the Services provided by Cvent, or (ii) collected by Cvent on behalf of Customer and transmitted into Cvent’s SaaS Solution pursuant to the Services provided by Cvent.
(l) “Processing” (including its root word, “Process”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as (without limitation) collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(m) "Processor" means an entity which processes Personal Data on behalf of the Controller.
(n) “Restricted Transfer” means where an Applicable Data Protection Law prohibits a transfer of personal data from an origin country to a destination country outside of the origin country that is not subject to an adequacy determination, or not based on adequacy regulations, or not included on the list of adequate jurisdictions published by the origin country; and subject to any requirement to take additional steps to adequately protect the Personal Data transferred under this Agreement for the transfer to be lawful under the Applicable Data Protection Law.
(o) “Sensitive Personal Data” means personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences, and includes, without limitation, “Sensitive Personal Information”, “Special Category Data”, or any equivalent terms as defined under Applicable Data Protection Laws.
(p) "Sub-processor" means any person appointed by or on behalf of the Processor, or by or on behalf of an existing Sub-processor, to process Personal Data on behalf of Controller.
(q) “Services” means the Software as a Service and associated professional services provided by Cvent to Customer under the Agreement.
(r) “Security Incident” means accidental or unlawful destruction, loss, alteration, unauthorised disclosure, access or use of Customer Personal Data.
(s) “EU Standard Contractual Clauses” means, as applicable, contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
(t) “UK International Data Transfer Addendum” or “UK Addendum” means, as applicable, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses executed by and between Customer and Cvent and attached hereto as Attachment B issued by the UK ICO for making Restricted Transfers as defined by the UK ICO.
(u) “U.S. Privacy Law Service Provider Addendum” means Attachment E, for the purposes of conveying contractual requirements for Service Providers or Processors processing Consumer data under applicable U.S. state consumer data privacy regulations in effect at the time of execution of this DPA.
(v) “Switzerland Addendum” means, as applicable, the document titled “Switzerland – Addendum to the EU SCC’s” attached hereto as Attachment C, for the purposes of amending and adapting the EU SCCs for use under the Swiss Data Protection Act (“Swiss DPA”).
2. APPLICABILITY OF DPA
2.1 Applicability. This DPA and its attachments will apply only to the extent Customer or Cvent are subject to the Applicable Data Protection Laws. The processing of Personal Information subject to United States consumer privacy laws will be carried out in accordance with the terms set forth in Attachment E: U.S. Privacy Law Addendum.
3. ROLES AND RESPONSIBILITIES
3.1 Parties' Roles. Customer, as Controller, appoints Cvent as a Processor to process the Customer Personal Data on Customer's behalf. In some circumstances Customer may be a Processor, in which case Customer appoints Cvent as Customer's Sub-processor, which shall not change the obligations of either Customer or Cvent under this DPA, as Cvent will remain a Processor with respect to the Customer in such event. However, the Customer will notify and keep Cvent updated on whether Cvent acts, in relation to specific processing activities, as a Processor or a Sub-processor, and if the latter is the case on the identity of the actual Controller.
3.2 Purpose Limitation. Cvent shall process Customer Personal Data for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Customer (including with regard to transfers of Customer Personal Data to a third country), unless Cvent is required to process Customer Personal Data by the Applicable Data Protection Laws to which Cvent is subject (in such a case, Cvent shall inform the Customer of that legal requirement before processing, unless applicable law prohibits such information). The Customer's instructions may be specific or of a general nature as set out in this DPA or as otherwise notified by the Customer to Cvent from time to time and not for Cvent's own purposes. Cvent may refrain from execution of the Customer's instruction if it notifies the Customer immediately that, in Cvent's opinion, an instruction for the processing of Customer Personal Data given by the Customer infringes Applicable Data Protection Laws. The purpose of this Section 3.2 is only to determine the scope and the purposes of processing of Customer Personal Data by Cvent and nothing in this DPA will be deemed an obligation of Cvent to accept any instructions of the Customer other than provided under the Agreement.
3.3 Training. Cvent shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Customer Personal Data.
3.4 Compliance. Customer, irrespective of the Customer's role as a Controller or a Processor, shall be responsible for ensuring that, in connection with its content, Customer Personal Data and the Services:
(a) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Applicable Data Protection Laws;
(b) it has, and will continue to have, the right to transfer, or provide access to, the Customer Personal Data to Cvent for processing in accordance with the terms of the Agreement and this DPA;
(c) Customer shall provide all required notices and appropriate disclosures to all Data Subjects regarding Customer and Cvent’s processing and transfer of Personal Data, and shall obtain all necessary rights and lawful consents from Data Subjects to permit processing by Customer for the purposes of fulfilling Customer’s purposes under the Agreement; and
(d) Customer’s use of Cvent Services in connection with the distribution of Content and/or Processing of Sensitive Personal Data of a Data Subject must be in compliance with all Applicable Data Protection Laws and Regulations, including obtaining any explicit consent from Data Subjects whose Personal Data is provided to Cvent for Processing, where necessary.
3.5 If Customer uses the Services to process any categories of Personal Data not expressly covered by this DPA, Customer acts at its own risk and Cvent shall not be responsible for any potential compliance deficits related to such use.
3.6 Cvent employees’/contractors’ Personal Data. Where Cvent discloses Cvent employees’/contractors’ Personal Data to the Customer or a Cvent employee/contractor provides Personal Data directly to Customer, which the Customer processes to manage its use of the Services, Customer shall process that Personal Data in accordance with its privacy policies and applicable privacy laws, in particular Applicable Data Protection Laws. Such disclosures shall be made by Cvent only where lawful for the purposes of contract management, service management or security purposes.
4. SECURITY
4.1 Security. Cvent shall implement appropriate technical and organisational measures designed to protect the Customer Personal Data from a Security Incident and in accordance with Cvent's security standards as set forth in the Agreement as well as with Applicable Data Protection Laws (including Article 32 of the GDPR). Cvent will also, taking into account the nature of processing and the information available to Cvent, assist the Customer in ensuring its compliance with the obligations pursuant to Article 32 of the GDPR.
4.2 Confidentiality of Processing. Cvent shall ensure that any person that it authorizes to process the Customer Personal Data (including its staff, agents and subcontractors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
4.3 Security Incidents. Upon becoming aware of a confirmed Security Incident, Cvent shall notify Customer without undue delay and shall provide such timely information as Customer may reasonably require to enable Customer to fulfil any data breach reporting obligations under Applicable Data Protection Laws. Cvent will take steps to identify and remediate the cause of such Security Incident and to minimize its possible harm. For the avoidance of doubt, Security Incidents will not include unsuccessful attempts to, or activities that do not, compromise the security of Customer Personal Data including, without limitation, unsuccessful log in attempts, denial of service attacks and other attacks on firewalls or networked systems.
5. DATA TRANSFERS
5.1 In relation to any Restricted Transfers, the transfer mechanisms listed below shall apply to any transfers of Customer Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, the United Kingdom, Switzerland, and Dubai International Financial Centre to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such Applicable Data Protection Laws:
5.1.1 Transfers from the EU: EU Standard Contractual Clauses (available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914#d1e32-37-1), completed as follows:
a) Module Two (Controller to Processor) will apply;
b) in Clause 7, the optional docking clause will apply;
c) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in this DPA;
d) in Clause 11, the optional language will not apply;
e) Annexes I, II, and III of the SCCs shall be deemed completed with the information set out in Attachment A, Annexes I, II, and III to this DPA;
f) in Clause 17, Option 1 will apply, and the SCCs will be governed by Irish law; and
g) in Clause 18(b), disputes shall be resolved before the courts of Ireland.
5.1.2 Transfers from the UK: UK Addendum attached as Attachment B.
5.1.3 Transfers from Switzerland: Switzerland Addendum attached as Attachment C.
5.1.4 Transfers from the Dubai International Financial Centre: DIFC Addendum attached as Attachment D.
5.1.5 Cvent’s Participation in the EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework
5.2 In the event that EU authorities or courts, UK Information Commissioner’s Office, or Swiss Federal Data Protection and Information Commissioner (FDPIC) determine that any of the transfer mechanisms above is no longer an appropriate basis for transfers, Cvent and Customer shall promptly take all steps reasonably necessary to demonstrate adequate protection for the Customer Personal Data, using another approved mechanism. Nothing in this DPA modifies or affects any commission or supervisory authority's or Data Subject's rights under the EU Standard Contractual Clauses, UK Addendum or Switzerland Addendum (or any such other approved mechanism).
5.3 Sub-Processors. Customer agrees that Cvent may engage Cvent Affiliates and third parties as Sub-processors to process the Customer Personal Data on Cvent's behalf. Cvent shall provide a mechanism for Customer to subscribe to receive notifications at the following website: https://www.cvent.com/uk/gdpr/cvents-affiliates-and-subprocessors.shtml, which shall include a list of Sub-Processors that are currently engaged by Cvent to carry out specific processing activities on behalf of the Customer. Cvent will inform Customer of any new Sub-processor engaged during the term of the Agreement by updating the Sub-processor List. If Customer reasonably believes that the appointment of a new Sub-processor will have a material adverse effect on Cvent’s ability to comply with Applicable Data Protection Laws and Regulations as a Processor, then Customer may notify Cvent in writing via the website within 10 days after receipt of notice of change. Notwithstanding the other provisions in this section, Cvent may add or replace a Sub-Processor if it is necessary to ensure continuity of service, data integrity, or recovery in case of emergency, except as prohibited by Applicable Data Protection Laws. Cvent shall impose on such Sub-processors data protection terms that protect the Customer Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor. Where the Standard Contractual Clauses are applicable, Cvent shall ensure data transfers are protected through appropriate mechanisms, such as by entering into Standard Contractual Clauses with such Sub-processor or use/take advantage of any other approved mechanism, including Binding Corporate Rules or an alternative recognised compliance standard for the lawful transfer of personal data.
6. COOPERATION
6.1 Data Subjects' Rights. Cvent shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under Applicable Data Protection Laws, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability of that Data Subject's Personal Data. Cvent will not respond to any Data Subject request other than to direct such request to Customer unless expressly authorized by Customer. Upon Customer’s written request, Cvent will be responsible for responding to Data Subject’s request for access, correction, restriction, objection, erasure or data portability or any other request from a Data Subject seeking to exercise his or her rights under Applicable Data Protection Laws to the extent the Customer itself does not have the ability, with the available standard functionalities of the Services, to respond to such request. To the extent legally permitted, Customer may be responsible for the reasonable cost of any time, expenditures or fees arising from such assistance provided to Customer.
6.2 Data Protection Impact Assessments and Prior Consultation. Cvent shall, to the extent required by Applicable Data Protection Laws, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under Applicable Data Protection Laws.
7. SECURITY REPORTS AND AUDITS
7.1 Any provision of security attestation reports (such as SOC 2, Type II or equivalent report) or audits shall take place in accordance with Customer's rights under the Agreement. If the Agreement does not include a provision regarding security attestation reports, Cvent shall provide a copy of its most current security attestation report upon Customer's written request no more than once annually.
7.2 Cvent will allow for and contribute to audits, including inspections, conducted by the Customer in accordance with Customer's rights under the Agreement. If the Agreement does not include audit rights, Cvent and Customer will discuss and agree in advance on the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit; and Cvent reserves the right to charge a reasonable fee (based on Cvent’s reasonable costs) for any such audit. Cvent will provide further details of any applicable fee and the basis of its calculation to Customer in advance of such audit. The purpose of an audit pursuant to this clause will be strictly limited to verifying whether Cvent is processing Customer Personal Data in accordance with the obligations hereunder and Applicable Data Protection Laws.
7.3 Notwithstanding the above, Cvent will, subject to the confidentiality arrangements that will satisfy both parties, make available to the Customer all information held by Cvent necessary to demonstrate its compliance with the obligations laid down in the Applicable Data Protection Laws. If Customer wishes to receive such further information to which it is entitled under Applicable Data Protection Laws, Customer shall submit a request for additional information to Cvent in writing for that additional information. Where Cvent is in possession of such information, and subject to the aforementioned confidentiality arrangements, Cvent shall supply this information to Customer as soon as reasonably practicable.
8. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
8.1 Upon termination or expiration of the Agreement, Cvent shall, in accordance with the terms of the Agreement, delete or make available to Customer for retrieval all relevant Customer Personal Data (including copies) in Cvent's possession, save to the extent that Cvent is required by any applicable law or a governmental or regulatory order to retain some or all of the Customer Personal Data, or if it is otherwise subject to liability for not retaining some or all of the Customer Personal Data. In such event, Cvent shall extend the protection of the Agreement and this DPA to such Customer Personal Data and limit any further processing of such Customer Personal Data to only those limited purposes that require the retention for so long as Cvent maintains the Customer Personal Data.
9. MISCELLANEOUS
9.1 In the event that Cvent, any of its Sub-processors, or the Customer receives any regulatory request, order, or other binding decision or recommendation from the competent authority that requires amendments to the provisions hereof or any changes to the processing of Customer Personal Data hereunder ("Regulatory Request"), Cvent and the Customer as well as, to the extent necessary and/or reasonably practicable, representatives of a respective Sub-processor, shall, within a reasonable time after receiving and reviewing the Regulatory Request, discuss and work in good faith towards agreeing on a plan (“Compliance Review Plan”) to determine the details of how the Regulatory Request can be addressed. A timeframe for reviewing the Regulatory Request and preparing the Compliance Review Plan will be agreed between the parties, taking into account the requirements of Applicable Data Protection Laws and the urgency of the matter as well as doing everything commercially reasonable given the circumstances and nature of the Services to meet specific time frames set by the relevant authority in connection with the Regulatory Request. If Cvent, any of its Sub-processors, or the Customer believe that it is not possible to meet a specific time frame set by the relevant authority in connection with the Regulatory Request, Cvent and/or its Sub-processor will assist Customer to explain this to the relevant authority, including by providing details of the reasons why the timeframes cannot be met.
9.2 Except as amended by this DPA, the Agreement will remain in full force and effect.
9.3 If there is a conflict between the Agreement and this DPA the terms of this DPA will control.
9.4 Nothing in this DPA modifies or affects any commission or supervisory authority's or Data Subject's rights under the EU Standard Contractual Clauses, UK Addendum or Switzerland Addendum (or any such other approved mechanism).
9.5 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement.
ATTACHMENT A: Description of Processing
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: Each of the Customer entities, as identified in the Cvent Order Form or underlying Agreement
Address: Each of the Customer entity addresses, as identified in the Cvent Order Form or underlying Agreement
Contact person’s name, position and contact details: The Individual executing the Cvent Order Form on behalf of Customer, as identified in the Order Form or underlying Agreement.
Activities relevant to the data transferred under these Clauses: Cvent is a provider of cloud-based event registration, event management, and hospitality related services, such as making and responding to requests for proposals, reserving hotel rooms and managing room block reservations, among other related services. Only the Cvent services outlined in the Cvent Order Form are relevant to the data transferred under the Agreement between Customer and Cvent.
Signature and date: Execution of Cvent Order Form and Agreement which incorporates this document by reference.
Role (controller/processor): controller
Data importer(s):
Name: Cvent, Inc., on behalf of itself and its wholly-owned Affiliates.
Address: 1765 Greensboro Station Place, Suite 700, Tysons Corner, VA 22102
Contact person’s name, position and contact details: Jeannette Koonce, General Counsel
Activities relevant to the data transferred under these Clauses: Cvent is a provider of cloud-based event registration, event management, and hospitality related services, such as making and responding to requests for proposals, reserving hotel rooms and managing room block reservations, among other related services. Only the Cvent services outlined in the Cvent Order Form are relevant to the data transferred under the Agreement between Customer and Cvent.
Signature and date: Execution of Cvent Order Form and Agreement which incorporates this document by reference.
Role (controller/processor): processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred
Categories of personal data transferred
- Basic and contact data: name, organization, title, postal address, e-mail address, telephone number, fax number, social media account ID;
- Usage data: browser and device information, operating system, device type, system and performance information, app usage data, information collected through cookies, pixel tags and other technologies, general geographic location;
- Further data about a person: dietary preferences, interests, activities, age, gender, education and occupation.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No special categories of data are processed, unless customer requests sensitive data via its configuration of the Cvent service.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The frequency of the transfer of Personal Data is continuous for the duration outlined in the Agreement.
Nature of the processing
The nature of the processing of Personal Data pertains to the provision of Services under the Agreement.
Purpose(s) of the data transfer and further processing
The purpose of the processing of Personal Data pertains to the provision of Services under the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The retention period of Personal Data is generally determined by Customer and is subject to the term of the DPA and the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Subject Matter, nature and duration of processing by sub-processors will be limited to the terms of Cvent’s agreement with the sub-processor.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13
Ireland Data Protection Commission
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational security measures implemented by Cvent available at:
https://www.cvent.com/en/infosec
ANNEX III
LIST OF SUB-PROCESSORS
EXPLANATORY NOTE:
This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1). Cvent, as data processor, voluntarily provides the following information:
The controller has authorised the use of the following sub-processors (not all listed sub-processors receive or process personal data of the controller):
https://www.cvent.com/uk/gdpr/cvents-affiliates-and-subprocessors
ATTACHMENT B:
UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | Effective Date of the Services Agreement(s) entered into by and between Exporter and Importer (“Agreement”) | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | Full legal name: As set forth in Attachment A, Annex I Trading name (if different): Main address (if a company registered address): As set forth in Attachment A, Annex I Official registration number (if any) (company number or similar identifier): As set forth in Attachment A, Annex I | Full legal name: Cvent, Inc. Trading name (if different): Main address (if a company registered address): 1765 Greensboro Station Place, Suite 700, Tysons Corner, VA 22102 Official registration number (if any) (company number or similar identifier): |
Key Contact | Full Name (optional): As set forth in Attachment A, Annex I Job Title: As set forth in Attachment A, Annex I Contact details including email: As set forth in Attachment A, Annex I | Full Name (optional): Jeannette Koonce Job Title: General Counsel Contact details including email: jkoonce@cvent.com |
Signature (if required for the purposes of Section 2) | N/A | N/A |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | ☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Date of Execution of Cvent Order Form and Agreement which incorporates this document by reference. Reference (if any): See DPA, Section 5.1 Other identifier (if any): Or ☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: The Data Exporter and Data Importer as defined in Annex I of the EU SCCs above. |
Annex 1B: Description of Transfer: As set out in Annex I of the EU SCCs above. |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set out in Annex II of the EU SCCs above. |
Annex III: List of Sub processors (Modules 2 and 3 only): As set out in Annex III of the EU SCCs above. |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☒ Importer ☒ Exporter ☐ neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
ATTACHMENT C:
Switzerland – Addendum to the EU SCCs
Version in force as of 27 August 2021
For the purposes of the Swiss Data Protection Act 2020 (“nFADP” or “Swiss DPA”), the EU Standard Contractual Clauses shall apply with the following amendments (these amendments shall not affect the application of the EU SCC for the purposes of the GDPR or other applicable data protection laws):
- In Clause 2, delete the words: "and, with respect to data transfers from controller to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679";
- Clause 8.8(i) of Modules Two and Three is replaced with: "the onward transfer is to a country that has been the subject of an adequacy assessment by the FDPIC or the Federal Council (as the case may be) that covers the onward transfer";
- References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”)" are to be interpreted as references to the Swiss DPA to the extent applicable;
- References to "Regulation (EU) 2018/1725" are removed;
- References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" shall be interpreted to mean Switzerland;
- Clause 13 (a) and Part C of Annex I are not used;
- The "competent supervisory authority" and "supervisory authority" are both replaced with the FDPIC insofar as the transfers are governed by the Swiss DPA;
- In Clause 16(e), subsection (i) is replaced with: "the FDPIC adopts its own standard contractual clauses pursuant to Article 16(2)(d) of the Swiss revised DPA that cover the transfer of personal data to which these clauses apply";
- Clause 17 is replaced with: "These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by the Swiss DPA.";
- Clause 18 is replaced with: "Any dispute arising from these Clauses relating to the Swiss DPA shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which they have their habitual residence. The parties agree to submit themselves to the jurisdiction of such courts.";
- As long as the Swiss DPA of 19 June 1992 is in force, the EU SCC shall also protect Personal Data of legal entities and legal entities shall receive the same protection under the EU SCC as natural persons.
ATTACHMENT D:
ABBREVIATED DIFC STANDARD CONTRACTUAL CLAUSES
(DIFC Exporter to Non-DIFC Importer in a Third Country with no or unrecognised data protection laws)
1. The Dubai International Financial Centre (“DIFC”) Standard Data Protection Contractual Clauses (the “DIFC SCCs” or “Clauses”) shall apply to the transfer of Personal Data from a Data Exporter based in the DIFC to Data Importers established in jurisdictions other than the DIFC, whether in UAE or elsewhere (“Third Country”), in accordance with Articles 26 and 27 of the Data Protection Law, DIFC Law No. 5 of 2020 (the “DP Law 2020”) and the Data Protection Regulations 2020 (the “Regulations”), together the Data Protection Legislation (the “DPL”).
2. Defined terms have the same meaning as set out in Schedule 1, Article 3 of the DP Law 2020.
3. The Parties agree the following SCCs for the transfer of Personal Data to a Data Importer located in a jurisdiction without a data protection law equivalent or substantially encompassing the principles set out in the DPL.
ABBREVIATED DIFC SCCs
Commissioner of Data Protection
Standard Contractual Clauses for Compliance with DIFC Law No 5 of 2020.
As set out in Clause 5 of the DPA regarding transfers of Personal Data to a Third Country that is not yet considered adequate by the DIFC Commissioner of Data Protection the standard contractual clauses (SCCs) available at the link selected below are deemed to be appended to the general framework agreement and binding on the Parties in order to comply with DIFC Law No 5 of 2020.
☒ DIFC SCCs
For the purposes of Clause 9(1)(a), the Parties agree to Option 1 ☐ Option 2 ☒
For the purposes of Clause 9(2)(a), the Parties agree to Option 1 ☐ Option 2 ☒
☐ EU SCCs
Selected modules to be agreed by the Parties in a separate Annex
☐ UK SCCs / Addendum
Appropriate selections and / or UK addendum for EU transfers to be completed in a separate Annex
☐ OTHER SCCs (To be provided by Exporter or Importer)
On behalf of the Data Exporter:
Name (written out in full): As set forth in Attachment A, Annex I
Position: As set forth in Attachment A, Annex I
Address: As set forth in Attachment A, Annex I
Other information necessary in order for the contract to be binding (if any):
Signature: Execution of Cvent Order Form and Agreement which incorporates this document by reference.
On behalf of the Data Importer(s): Cvent, Inc.
Name (written out in full): Jeannette Koonce
Position: General Counsel
Address: 1765 Greensboro Station Place, Suite 700, Tysons Corner, VA 22102
Other information necessary in order for the contract to be binding (if any):
Signature: Execution of Cvent Order Form and Agreement which incorporates this document by reference.
ANNEX 1 TO THE STANDARD CONTRACTUAL CLAUSES (SCC) FOR PROCESSING PERSONAL DATA
As set out in Annex I to Attachment A to the DPA.
ANNEX 2 TO THE SCCS – TECHNICAL AND ORGANISATIONAL MEASURES
As set out in Annex II to Attachment A to the DPA.
ANNEX 3: LIST OF PROCESSORS OR SUB-PROCESSORS
As set out in Annex III to Attachment A to the DPA.
ATTACHMENT E:
U.S. Privacy Law Service Provider Addendum
This U.S. Privacy Law Service Provider Addendum (this “Addendum”) is attached to and made a part of the Data Processing Addendum (DPA).
Capitalized terms used in this Addendum but not defined herein will have the same meaning as in the Agreement. If there is any inconsistency between the terms of this Addendum and the Agreement relating to data protection or Personal Information, the terms of this Addendum will prevail. This Addendum will continue in force until the termination of the Agreement, unless otherwise specified herein.
This Addendum sets forth the requirements for the Processing by Cvent of the Personal Information of Consumers pursuant to the Agreement.
1. Definitions
1.1 “Applicable U.S. Privacy Laws” means, as may apply to the processing of Consumer Personal Information by Customer and Cvent, any U.S. consumer privacy laws and regulations, including but not limited to the California Consumer Privacy Act, as amended by the California Privacy Rights Act and its Regulations, codified at Cal. Civ. Code § 1798.100, et seq. (“CCPA”), the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, codified at Conn. P.A. No. 22-15 §§ 1-12 (“CTDPA”), the Colorado Privacy Act, codified at Colo. Rev. Stat. § 6-1-1301, et seq. (“CPA”), the Utah Consumer Privacy Act, codified at Utah Code § 13-61-101, et seq. (“UCPA”), and the Virginia Consumer Data Protection Act, codified at Va. Code Ann. §§ 59.1-571 through 59.1-581 (“VCDPA”).
1.2 “Breach” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any Consumer. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.
1.3 “Consumer” means: (i) a natural person who is a California resident, however identified, including by any unique identifier, or (ii) a natural person who is a resident of Colorado, Connecticut, Utah, and/or the Commonwealth of Virginia, acting only in an individual or household context and not a commercial or employment context.
1.4 “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household.
1.5 “Customer Personal Information” means Personal Information either (i) transmitted by Customer or Customer’s agents through the SaaS Solution pursuant to the provision of the Services provided by Cvent, or (ii) collected by Cvent on behalf of Customer and transmitted into Cvent’s SaaS Solution pursuant to the Services provided by Cvent.
1.6 “Process” or “Processing” means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
1.7 “Sell” means transferring or communicating Personal Information to a third party for monetary or other valuable consideration.
1.8 “Share” means transferring or communicating Personal Information to a third party for the targeting of advertising to a Consumer based on the Consumer’s Personal Information obtained from the Consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business’s distinctly-branded website, application, or service with which the Consumer intentionally interacts.
2. Processing of Personal Information of Consumers
2.1 Customer is disclosing Customer Personal Information to Cvent pursuant to this Addendum for the specific purposes set forth in the Agreement. To the extent that Customer discloses Customer Personal Information to Cvent, Cvent will Process that Personal Information only on behalf of Customer and pursuant to this Agreement and Addendum, or as otherwise permitted by law. Cvent will not Process, retain, use, or disclose Customer Personal Information for any purpose other than for business purposes specified in the Agreement, unless or as otherwise permitted by law.
2.2 Cvent will not Sell or Share Customer Personal Information it receives from or on behalf of Customer, as required by the CCPA.
2.3 Cvent will provide the level of data security required of it under Applicable U.S. Privacy Laws.
2.4 Cvent will reasonably assist Customer in meeting Customer’s obligations in relation to the notification of a Breach of Cvent’s systems as required by Applicable U.S. Privacy Laws.
2.5 Cvent grants Customer the rights to take reasonable and appropriate steps to help ensure that Cvent uses Customer Personal Information transferred to it under the Agreement and this Addendum in a manner consistent with Customer’s obligations under Applicable U.S. Privacy Laws.
2.6 Cvent will notify Customer if it can no longer meet its obligations under Applicable U.S. Privacy Laws.
2.7 Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information, as required under Applicable U.S. Privacy Laws.
2.8 Cvent, and each individual Processing Personal Information on its behalf, is subject to a duty of confidentiality with respect to the Processing of Customer Personal Information pursuant to this Agreement and Addendum, as required under Applicable U.S. Privacy Laws.
2.9 Any subcontractor Cvent engages that processes Customer Personal Information on Cvent’s behalf will be subject to a written contract that requires the subcontractor to meet the requirements placed on Cvent under the Agreement and this Addendum with respect to the Processing of Personal Information. Cvent will provide a mechanism for Customer to subscribe to receive notifications when Cvent updates its list of subcontractors at https://www.cvent.com/uk/gdpr/cvents-affiliates-and-subprocessors, which will provide Customer with the opportunity to object to the addition or replacement of subcontractors.
2.10 Upon Customer’s written request, Cvent will delete or return all Personal Information to Customer, at the end of the provision of services, unless Cvent’s retention of the Personal Information is required by law.
2.11 Upon Customer’s written request, Cvent will make available to Customer all information in its possession necessary to demonstrate Cvent’s compliance with Applicable U.S. Privacy Laws.
2.12 No more than once annually, Cvent will arrange for a qualified and independent assessor to conduct an assessment of Cvent’s policies and technical and organizational measures in support of its compliance with applicable obligations under Applicable U.S. Privacy Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Cvent will provide a summary report of such assessment to Customer upon request.