Overview
This Data Processing Addendum (“DPA”) shall govern any services provided to Makemake, Inc. and its Affiliates (“Makemake”) by you (“you,” “your,” or “Vendor”) as a Processor or Sub-processor (as defined below) (the “Services”). You and Makemake shall each be referred to herein as a “Party” and together as “Parties”. This DPA supplements, is incorporated into, and will remain in effect for the term of any agreement between the Parties, including but not limited to any executed or click-through agreement or, if applicable, Makemake’s API Terms of Use (the “Agreement”), the duration of Services, or the processing of Makemake Data, whichever is later (the “Term”). Without limiting the generality of the foregoing, the subject matter, nature, and purpose of the processing under this DPA is the provision of the Services under the Agreement, and the categories of personal data and categories of data subjects are those necessary to provide the Services under the Agreement, as described more fully in the Agreement.
1. Definitions.
Capitalized terms used but not defined in this DPA shall have the same meanings as set out in the Agreement, if applicable. For the purposes of this DPA:
1.1 “Affiliate(s)” means any person or entity that controls, is controlled by, or is under common control with such entity, whether as of the date of the Agreement or thereafter. For purposes of this DPA, “control” means ownership or control, directly or indirectly, of more than 20% of the outstanding voting stock of an entity or otherwise possessing the power to direct the management and policies.
1.2 “Applicable Privacy Laws” means all applicable privacy and data protection laws and regulations anywhere in the world, including, where applicable, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), the EU Directive 2002/58/EC on privacy and electronic communications (in all cases, as amended, superseded or replaced), and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and its implementing regulations (“CCPA”).
1.3 “Controller” means the natural or legal person or entity who determines the purposes and means of the processing of Personal Data. Controller is also a “business,” as that term is defined in the CCPA.
1.4 “Data Breach” means a breach of security leading to accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and all other unlawful forms of processing of Makemake Data.
1.5 “Makemake Data” means any and all data including Personal Data that is provided to Vendor or otherwise collected and/or accessed by Vendor on behalf of Makemake and/or its Affiliates in the course of providing the Services under the Agreement. Any Makemake Data that is Personal Data is hereby referred to as “Makemake Personal Data”.
1.6 “New EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.7 “Old EU SCCs” means the Standard Contractual Clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of the Effective Date at http://data.europa.eu/eli/dec/2010/87/2016-12-17).
1.8 “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
1.9 “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Privacy Shield (as may be amended, superseded or replaced), details of which can be found at www.privacyshield.gov/eu-us-framework.
1.10 “Processor” means an entity that processes Personal Data on behalf of, and in accordance with the instructions of, a Controller.
1.11 “Sub-processor” means an entity engaged by a Processor who agrees to receive from the Processor Personal Data exclusively intended for the processing activities to be carried out as part of the Services.
1.12 “Vendor” means the individual or entity which has entered into the Agreement with Makemake.
2. Role of the Parties and Nature of the Personal Data.
2.1 For purposes of this DPA, Makemake may act as a Controller, or it may act as a Processor of one of its customers. Vendor therefore acknowledges that it may act as a Processor of Makemake or a Sub-processor of Makemake. Where Makemake acts as a Processor, Makemake is obligated contractually and / or under Applicable Privacy Laws to flow down certain data protection related obligations to its appointed Sub-processors. Therefore all obligations placed on Processors in this DPA shall apply to Vendor regardless of whether Vendor acts as a Processor or Sub-processor.
2.2 The nature, purpose and subject matter of Vendor’s data processing activities performed as part of the Services are set out in the Agreement. The Personal Data that may be processed may relate to event organizers, attendees, employees, contractors and contacts and may include name, email address, billing and payment information, events booked, organized and attended and any other Personal Data that may be processed pursuant to the Agreement.
3. Vendor’s Compliance.
3.1 Vendor warrants and undertakes to process Makemake Personal Data only for the limited and specified purposes set out in the Agreement and/or as otherwise lawfully instructed by Makemake in writing (email or otherwise), except where otherwise required by applicable law. Vendor will immediately inform Makemake if, in its opinion, an instruction is in breach of Applicable Privacy Laws.
3.2 Vendor will not sell Makemake Personal Data or otherwise process Makemake Personal Data for any purpose other than for the specific purposes set forth herein and in accordance with Applicable Privacy Laws. For the avoidance of doubt, Vendor will not process Makemake Personal Data outside of the direct business relationship between Makemake and Vendor. For purposes of this paragraph, “sell” shall have the meaning set forth in Applicable Privacy Laws.
3.3 Vendor certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them.
4. International Data Transfers.
4.1 Makemake authorizes Vendor and its Sub-processors to make international data transfers of Makemake Personal Data in accordance with this DPA so long as Applicable Privacy Laws for such transfers are respected.
4.2 With respect to Makemake Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, and such law permits use of the Old EU SCCs but not use of the New EU SCCs, the Old EU SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the Old EU SCCs, until such time that the United Kingdom adopts new Standard Contractual Clauses, in which case new Standard Contractual Clauses will control. For purposes of the Old EU SCCs, they shall be deemed completed as follows:
- The “exporters” and “importers” are the Parties and their Affiliates to the extent any of them is involved in such transfer, including those set forth in Annex I.A of the New EU SCCs.
- Clause 9 of the Old EU SCCs specifies that United Kingdom law will govern the Old EU SCCs.
- The content of Appendix 1 of the Old EU SCCs is set forth in Annex I.B of the New EU SCCs herein.
- The content of Appendix 2 of the Old EU SCCs is set forth in Annex II of the New EU SCCs herein.
4.3 With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the New EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.
4.4 With respect to Personal Data transferred from the European Economic Area, the New EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA as set forth in the New EU SCCs.
- Where Vendor is acting as Makemake’s Processor, Module Two of the New EU SCCs shall apply.
- Where Vendor is acting as Makemake’s Sub-processor, Module Three of the New EU SCCs shall apply.
5. Additional Safeguards for the Transfer and Processing of Personal Data from the EEA, Switzerland, and the United Kingdom.
To the extent that Vendor processes Makemake Personal Data of data subjects located in or subject to the Applicable Privacy Laws of the European Economic Area, Switzerland, or the United Kingdom, Vendor agrees to the following safeguards to protect such data to an equivalent level as Applicable Privacy Laws:
5.1 Vendor and Makemake shall encrypt all transfers of the Personal Data between them, and Vendor shall encrypt any onward transfers it makes of such personal data, to prevent the acquisition of such data by third parties, such as governmental authorities who may gain physical access to the transmission mechanisms (e.g., wires and cables) while the data is in transmission.
5.2 Vendor represents and warrants that:
- as of the date of this contract, it has not received any directive under Section 702 of the U.S. Foreign Intelligence Surveillance Act, codified at 50 U.S.C. § 1881a (“FISA Section 702”).
- it is not eligible to be required to provide information, facilities, or assistance under FISA Section 702; or that no court has found Vendor to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- it is not the type of provider that is eligible to be subject to upstream collection (“bulk” collection) pursuant to FISA Section 702, as described in paragraphs 62 & 179 of the judgment in the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), and that therefore the only FISA Section 702 process it could be eligible to receive, if it is an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4), would be based on a specific “targeted selector”, i.e., an identifier that is unique to the targeted endpoint of communications subject to the surveillance.
- Vendor will never comply with any request under FISA Section 702 for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
- Vendor will use all reasonably available legal mechanisms to challenge any demands for data access through national security process it receives as well as any non-disclosure provisions attached thereto.
- Vendor will take no action pursuant to U.S. Executive Order 12333.
- At 6-month intervals or more often if allowed by law, Vendor shall create a transparency report that it will make available to Makemake indicating the types of binding legal demands for the personal data it has received, including national security orders and directives, which shall encompass any process issued under FISA Section 702.
- Vendor will promptly notify Makemake if Vendor can no longer comply with the applicable Standard Contractual Clauses or the clauses in this Section. Vendor shall not be required to provide Makemake with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle Makemake to terminate the Agreement (or, at Makemake’s option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Makemake’s other rights and remedies with respect to a breach of the Agreement.
6. Confidentiality and Security.
6.1 Vendor shall ensure that any person that it authorizes to process the Makemake Data (including Vendor’s staff, agents and subcontractors) shall be subject to a duty of confidentiality.
6.2 Vendor shall ensure it implements and maintains throughout the term of the Agreement, or duration of its services to Makemake as a Processor or Sub-processor, appropriate technical and organizational measures to protect Makemake Data, including protection against Data Breaches. Such measures shall include, at minimum, the measures specified in Annex II of the New EU SCCs.
7. Sub-processing.
Vendor shall notify Makemake of any Sub-processors it uses in respect of Makemake Personal Data, and Vendor shall:
- ensure that any Sub-processor is contractually bound in writing to provide at least the same level of protection as is required by this DPA and complies with Applicable Privacy Laws;
- be fully responsible for, and liable to Makemake for acts and omissions of any Sub-processor as if they were Vendor’s own act or omission; and
- provide Makemake with details of any Sub-processors appointed, on request.
8. Cooperation and Data Subjects Rights.
Vendor will provide all assistance reasonably required by Makemake to enable Makemake to:
- respond to, comply with or otherwise resolve any rights request, question or complaint received by Makemake (or a Makemake customer) from:
  - any living individual whose Personal Data is processed by Vendor on behalf of Makemake; or
  - any applicable formally designated data protection authority; and
- comply with (and demonstrate compliance with) its obligations under Applicable Privacy Laws. In the event that any such request, question or complaint under this Section 5 is made directly to Vendor, Vendor shall inform Makemake, providing full details of the same.
9. Audit.
On reasonable prior written notice, Vendor agrees to provide Makemake (or its appointed auditors) with all information Makemake deems reasonably necessary for Makemake to audit Vendor’s compliance with the requirements of this DPA, including completion of audit questionnaires, provision of security policies and summaries of assessments of compliance with any industry standards (such as ISO 27001, SSAE 16 SOC II), penetration testing and vulnerability scans.
10. Data Breach.
In the event of a Data Breach, Vendor will take only the following actions (unless authorized by Makemake):
10.1 promptly notify Makemake without undue delay (and latest within 48 hours of becoming aware of the Data Breach) and provide Makemake with a reasonably detailed description of the Data Breach, the type of data that was the subject of the Data Breach and the identity of each affected person as soon as such information can be collected or otherwise becomes available, as well as any other information that Makemake may reasonably request relating to the Data Breach; and
10.2 promptly (and latest beginning within 48 hours of becoming aware of the Data Breach) investigate the Data Breach, make reasonable efforts to mitigate the effects and harm of the Data Breach in accordance with its obligations under Section 3 (Confidentiality and Security) above, and provide any other assistance that Makemake may reasonably request relating to the Data Breach.
11. Deletion or Return of Data.
Upon termination or expiry of this DPA, Vendor shall (at Makemake’s election) destroy or return to Makemake all Makemake Data (including all copies of Makemake Data) in its possession or control (including any Makemake Data subcontracted to a third party for processing), unless any applicable law requires Vendor to retain Makemake Data.
12. Indemnity.
Vendor will indemnify, keep indemnified and hold harmless Makemake, its clients, officers, directors, employees, agents, representatives and Affiliates (each an “Indemnified Party”) from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Vendor’s non-compliance with the requirements of this DPA.
13. Miscellaneous.
Except for the changes made by this DPA, the Agreement and/or any other agreements related to the Services remain unchanged and in full force and effect.
With respect to provisions regarding processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where you and Makemake have individually negotiated data processing terms that are different from this DPA and which meet the requirements of Applicable Privacy Laws in full, in which case those negotiated terms will control.