Data Processing Agreement
Last Updated: 2/1/2026
Ecommerce Technology, Applications & Fulfillment Services
Parties and Background
(A) The customer identified in the Agreement (“Customer”) has entered into an agreement with ONELIVE, LLC (“ONELIVE”) (each a “Party” and together the “Parties”) under which ONELIVE has agreed to provide ecommerce technology, software applications, professional services, and related fulfillment services in accordance with such agreement (the “Agreement”). This Data Processing Agreement (the “DPA”) is incorporated into and forms part of the Agreement and is effective on the effective date of the Agreement, except that for a Customer that entered into an Agreement before the “Last updated” date above, this DPA is effective on that date and replaces any previously agreed data processing and security terms.
(B) ONELIVE operates as both (i) a service provider that provisions, configures, administers, and manages third-party ecommerce platforms on behalf of Customer, and (ii) an application developer that designs, builds, hosts, and operates proprietary software applications, integrations, and tools (the “Applications”) that run on top of those third-party ecommerce platforms — specifically Shopify and BigCommerce (each a “Platform” and together the “Platforms”). ONELIVE serves clients in the music, sports, entertainment, and creator industries.
(C) To the extent that ONELIVE processes any Customer Personal Data (as defined below) on behalf of Customer (or, where applicable, a Customer Affiliate) in connection with the Applications and Services, the Parties have agreed that it will do so on the terms of this DPA. This DPA reflects ONELIVE’s position that the underlying servers, infrastructure, and core data-processing systems are owned and operated by the Platforms and other Sub-processors, while ONELIVE processes Customer Personal Data principally at the application and administrative layer.
1. Definitions
1.1 Capitalized terms used but not defined within this DPA have the meaning set forth in the Agreement. The following terms are defined as follows:
“Account Information” means Customer’s information, including Personal Data of Customer’s and Customer Affiliates’ users, provided for account creation, access, administration, and maintenance, and may include names, usernames, login credentials, phone numbers, email addresses, and billing information associated with a ONELIVE account or a Platform account administered by ONELIVE;
“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement;
“Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as amended or updated from time to time;
“Applications” means the proprietary software applications, storefront themes, custom code, integrations, connectors, and tools that ONELIVE designs, builds, hosts, and/or operates on top of the Platforms on behalf of Customer;
“Customer Personal Data” means the Personal Data processed by ONELIVE on behalf of Customer or a Customer Affiliate in connection with the provision of the Applications and Services, but specifically excludes Personal Data contained in Account Information;
“DPF” or “Data Privacy Framework” means the EU–U.S. Data Privacy Framework and, where applicable, the UK Extension to the EU–U.S. Data Privacy Framework and the Swiss–U.S. Data Privacy Framework;
“EEA” means the European Economic Area;
“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as defined in section 3 of the Data Protection Act 2018;
“Personal Data” means any information relating to an identified or identifiable individual or device, or that is otherwise “personal data,” “personal information,” or “personally identifiable information” as defined by Applicable Data Protection Laws;
“Platform” or “Platforms” means the third-party ecommerce platforms on which ONELIVE provides the Applications and Services, specifically Shopify and BigCommerce, including their respective hosting infrastructure and processing systems;
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data processed by ONELIVE;
“Services” means the ecommerce technology, configuration, administration, support, consulting, and fulfillment services that ONELIVE provides under the Agreement, together with the Applications;
“Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914;
“Sub-processor” means ONELIVE Affiliates and third-party processors — including the Platforms and ONELIVE’s hosting and infrastructure providers — engaged by ONELIVE to process Customer Personal Data;
“UK” means the United Kingdom of Great Britain and Northern Ireland; and
“US Data Protection Laws” means, to the extent applicable, the federal and state laws relating to data protection, the processing of Personal Data, and privacy in force from time to time in the United States.
1.2 The terms “controller,” “processor,” “data subject,” “process,” “supervisory authority,” “sell,” and “service provider” have the meanings given in the Applicable Data Protection Laws.
2. Interaction with the Agreement
2.1 This DPA supplements and, in the case of any conflict regarding the processing of Customer Personal Data, supersedes the Agreement.
2.2 With respect to Customer Affiliates, by entering into the Agreement Customer warrants that it is duly authorized to enter into this DPA for and on behalf of any such Customer Affiliates, and, subject to clause 2.3, each Customer Affiliate is bound by this DPA as if it were the Customer.
2.3 Customer warrants that it is duly mandated by any Customer Affiliate on whose behalf ONELIVE processes Customer Personal Data to (a) enforce this DPA on behalf of that Customer Affiliate and act on its behalf in the administration and conduct of any claims arising under this DPA, and (b) receive and respond to any notices or communications under this DPA on behalf of that Customer Affiliate.
2.4 Any notice or communication sent by ONELIVE to Customer satisfies any obligation to send such notice or communication to a Customer Affiliate.
3. Role of the Parties
3.1 Because ONELIVE acts both as a service provider and as an application developer operating on top of the Platforms, the role of each Party depends on the nature of the activity. The Parties acknowledge and agree as follows:
(a) Customer is the controller of Customer Personal Data. Where Customer processes Personal Data on behalf of a third party — for example, an artist, athlete, team, label, venue, or other rights holder for whom Customer operates a storefront — Customer acts as a processor and ONELIVE acts as a sub-processor.
(b) Where ONELIVE designs, hosts, or operates Applications that access, receive, store, or otherwise process Customer Personal Data (for example, through Platform APIs, webhooks, or custom integrations), ONELIVE acts as a processor under the GDPR and as a service provider or processor under US Data Protection Laws, processing Customer Personal Data on behalf of and under the documented instructions of Customer.
(c) Where ONELIVE provisions, configures, and administers a Platform on Customer’s behalf without ONELIVE’s own Applications ingesting Customer Personal Data, the relevant Platform acts as a processor engaged in respect of Customer Personal Data, and ONELIVE acts as a service provider facilitating and administering that processing at the user-admin level. ONELIVE does not own or control the Platforms’ servers or underlying infrastructure.
(d) Account Information is not governed by this DPA and is subject to ONELIVE’s Privacy Notice, available at https://www.onelive.com/data-privacy-notice.
(e) This Data Processing Agreement applies only to engagements where Customer is the merchant of record. For engagements where ONELIVE holds merchant-of-record status, a separate data processing agreement will apply.
3.2 Regardless of the role characterization above, ONELIVE will process Customer Personal Data only as described in this DPA and the Agreement, and will not retain, use, disclose, or otherwise process Customer Personal Data for any purpose other than performing the Services or as otherwise permitted by Applicable Data Protection Laws.
3.3 Notwithstanding clause 3.2, ONELIVE may create and use anonymized or aggregated data derived from Customer Personal Data for the purposes of operating, improving, and developing the Applications and Services, fraud detection and prevention, and security monitoring, provided that such data is rendered non-identifiable so that no individual data subject can be re-identified from it, whether directly or indirectly, and provided that ONELIVE does not disclose such aggregated data in a manner that identifies Customer. Such anonymized or aggregated data does not constitute Customer Personal Data.
4. Details of Data Processing
4.1 The details of processing — including subject matter, nature and purpose, categories of Personal Data, and categories of data subjects — are described in the Agreement and in Schedule 1.
4.2 ONELIVE will process Customer Personal Data only on behalf of and under the documented instructions of Customer and in accordance with Applicable Data Protection Laws. The Agreement and this DPA constitute Customer’s complete and final instructions for the processing of Customer Personal Data. Customer may issue further reasonable written instructions consistent with this DPA.
4.3 If Customer’s instructions would cause ONELIVE to process Customer Personal Data in violation of Applicable Data Protection Laws, or outside the scope of the Agreement or this DPA, ONELIVE will promptly inform Customer, unless prohibited from doing so by law (without prejudice to the SCCs).
4.4 ONELIVE may store and process Customer Personal Data anywhere ONELIVE or its Sub-processors (including the Platforms) maintain facilities, subject to clauses 5 and 11 of this DPA.
4.5 Where Customer issues a further written instruction under clause 4.2 that goes beyond the processing described in the Agreement and this DPA, ONELIVE will, within ten (10) business days of receipt, provide Customer with a written assessment of the feasibility, timeline, and resource impact of the instruction. Any instruction that requires material additional work, system changes, or resources beyond the scope of the Services as then provided is subject to the Parties’ mutual written agreement on scope and cost, and ONELIVE is not obligated to implement such an instruction until that agreement is reached. ONELIVE will continue to process Customer Personal Data in accordance with existing instructions in the interim.
4.6 If ONELIVE reasonably determines that an instruction from Customer would cause ONELIVE to process Customer Personal Data in violation of Applicable Data Protection Laws, ONELIVE may, in addition to its obligation to inform Customer under clause 4.3, suspend the affected processing on five (5) business days’ written notice to Customer. If the matter giving rise to the suspension is not resolved to ONELIVE’s reasonable satisfaction within thirty (30) days of the suspension notice, ONELIVE may terminate this DPA and the affected portion of the Services on written notice, without liability to ONELIVE for such suspension or termination.
5. Sub-Processors
5.1 Customer grants ONELIVE general authorization to engage Sub-processors. Customer acknowledges and specifically authorizes the engagement of the Platforms (Shopify and BigCommerce) and ONELIVE’s hosting and infrastructure providers as Sub-processors. ONELIVE’s current list of Sub-processors is maintained at https://www.onelive.com/legal/processors as of the Effective Date.
5.2 ONELIVE will (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than ONELIVE’s obligations under this DPA, to the extent applicable to the nature of the services provided by that Sub-processor; and (ii) remain responsible for each Sub-processor’s performance of its data protection obligations to the extent set out in this DPA. Customer acknowledges that the Platforms maintain their own data processing terms, certifications, and security measures, which govern the processing performed on their infrastructure.
5.3 ONELIVE will provide Customer with at least fifteen (15) days’ notice of any proposed addition or replacement of a Sub-processor that processes Customer Personal Data. Customer may reasonably object to a new Sub-processor by giving ONELIVE written notice of the objection within ten (10) days after ONELIVE’s notice (an “Objection”). The Parties will work together in good faith to find a mutually acceptable resolution. If they cannot reach one within a reasonable period, either Party may, as its sole and exclusive remedy, terminate the affected portion of the Services by written notice. Where a Sub-processor is a Platform on which Customer’s store is built, the Parties acknowledge that an Objection may require migration of the store and may not be operationally feasible without terminating the affected Services.
6. Data Subject Rights Requests
6.1 As between the Parties, Customer has sole discretion and responsibility for responding to any request from an individual to exercise rights in relation to Customer Personal Data (a “Data Subject Request”).
6.2 ONELIVE will forward to Customer any Data Subject Request it or a Sub-processor receives in relation to Customer Personal Data within three (3) to five (5) business days of receipt, and may advise the individual to submit their request directly to Customer. ONELIVE will not respond to a Data Subject Request on Customer’s behalf without Customer’s prior written authorization, except to acknowledge receipt and redirect the individual to Customer.
6.3 Taking into account the nature of the processing, ONELIVE will provide Customer with reasonable assistance to fulfill Customer’s obligation to respond to Data Subject Requests, insofar as the request relates to the Applications and Platforms ONELIVE manages on Customer’s behalf. Such assistance includes helping Customer verify the identity of the requesting individual, clarifying the request where necessary, confirming whether the individual’s Personal Data is being processed within the Platforms, and inspecting, collecting, formatting, and packaging the relevant data for Customer to provide to the individual. ONELIVE will provide such assistance at no charge for up to ten (10) Data Subject Requests per calendar quarter. For any Data Subject Request beyond that threshold, and for any assistance beyond functionality made available as part of the Services, ONELIVE will charge Customer a per-request fee at its then-current professional services rate, and will provide Customer with a written fee estimate before commencing such assistance.
7. Security and Audits
7.1 ONELIVE will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as further described in Schedule 2. Customer acknowledges that, because ONELIVE operates at the application and administrative layer of the Platforms, certain security measures — including the security of servers, data centers, encryption at rest and in transit at the infrastructure level, and physical security — are implemented and maintained by the Platforms and other Sub-processors.
7.2 ONELIVE may update the measures in Schedule 2 from time to time, provided that the updates do not materially reduce the overall level of protection afforded to Customer Personal Data.
7.3 Customer, or an independent third-party auditor reasonably acceptable to ONELIVE (and not a competitor of ONELIVE), may audit ONELIVE’s compliance with this DPA up to once per year, or more frequently following a Security Incident or to the extent required by Applicable Data Protection Laws or a regulatory authority. Each audit is limited to a maximum duration of five (5) business days per audit cycle. Before any audit commences, Customer must agree in writing to ONELIVE’s good-faith estimate of the fees and time-and-materials charges that will be payable under clause 7.6 in connection with the audit.
7.4 To request an audit, Customer must submit a proposed audit plan at least two weeks before the proposed date. Audits must be conducted during regular business hours, in accordance with the agreed plan and ONELIVE’s policies, and must not unreasonably interfere with ONELIVE’s business. Nothing in this clause requires ONELIVE to breach any duty of confidentiality.
7.5 Where the requested audit scope is addressed by a Platform’s or Sub-processor’s SOC 2, ISO 27001, or comparable report issued within the prior twelve (12) months, Customer agrees to accept those findings in lieu of auditing the controls covered by that report. ONELIVE will, on request, provide or facilitate access to the relevant Platform certifications and reports it is permitted to share.
7.6 Audits are at Customer’s expense, and Customer will reimburse ONELIVE for time reasonably expended by ONELIVE or its Sub-processors in connection with an audit.
8. Security Incidents
ONELIVE will notify Customer in writing within seventy-two (72) hours of confirming that a Security Incident affecting Customer Personal Data has occurred. ONELIVE may take up to forty-eight (48) hours from initial detection of a suspected incident to investigate and confirm whether a Security Incident has in fact occurred before the notification period begins, consistent with the standard under Article 33 of the GDPR. ONELIVE will reasonably cooperate in investigating the Security Incident and in connection with any obligation of Customer to notify individuals, supervisory authorities, regulators, or the public. ONELIVE will take reasonable steps to contain, investigate, and mitigate the Security Incident, and will provide Customer with timely information including the nature of the Security Incident, the measures taken to mitigate or contain it, and the status of the investigation. Where a Security Incident originates with or affects a Platform or other Sub-processor, ONELIVE will promptly relay information it receives from that Sub-processor and coordinate with the Sub-processor on remediation. ONELIVE’s notification of, or response to, a Security Incident is not an acknowledgement of fault or liability.
9. Deletion and Return
ONELIVE will, on Customer’s request made by the date of termination or expiry of the Agreement, return a copy of Customer Personal Data within ONELIVE’s control or provide functionality enabling Customer to do the same (including export from the relevant Platforms into a standard format such as CSV). Within ninety (90) days of termination or expiry, ONELIVE will delete the remaining copies of Customer Personal Data within ONELIVE’s own systems and will confirm to Customer the deletion actions it has taken within those systems. Within the same period, ONELIVE will request deletion of Customer Personal Data by its Sub-processors; however, Customer acknowledges that Sub-processor deletion is subject to each Sub-processor’s own data retention policies, timelines, and legal obligations, which are outside ONELIVE’s control, and that ONELIVE cannot guarantee deletion by a Sub-processor within any particular timeframe. ONELIVE may retain Customer Personal Data to the extent ONELIVE reasonably determines that retention is (i) required to comply with applicable law, a court order, subpoena, or regulatory requirement, or (ii) necessary for the establishment, exercise, or defense of legal claims. Customer acknowledges that data residing within a Platform that Customer continues to own or operate after termination remains subject to that Platform’s terms and Customer’s control.
10. Contract Period
This DPA commences on the Effective Date and, notwithstanding any termination of the Agreement, remains in effect until, and automatically expires upon, ONELIVE’s deletion of all Customer Personal Data as described in this DPA.
11. Cross-Border Data Transfers
11.1 Standard Contractual Clauses
The Parties agree that the Standard Contractual Clauses, as further specified in Schedule 3, are incorporated by reference and are deemed executed by the Parties, and constitute the primary legal mechanism governing any transfer of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to ONELIVE (as data importer). ONELIVE may rely on additional or alternative transfer mechanisms (including any applicable adequacy decision, binding corporate rules, or successor framework) as they become available or recognized under Applicable Data Protection Laws, provided that ONELIVE notifies Customer in writing of any such change and that the alternative mechanism provides an equivalent level of protection for the transferred data.
11.2 DPF Notification Obligation
ONELIVE does not currently rely on the EU–U.S. Data Privacy Framework (“DPF”) as a transfer mechanism, and the SCCs under clause 11.1 are the sole applicable basis for cross-border transfers under this DPA. If ONELIVE obtains DPF self-certification in the future and elects to rely on it for transfers governed by this DPA, ONELIVE will notify Customer in writing before doing so. In the event ONELIVE’s DPF certification is revoked, lapses, or is otherwise rendered invalid after Customer has been notified of its use, ONELIVE will notify Customer within five (5) business days of becoming aware of that fact, and the SCCs under clause 11.1 will automatically resume as the governing transfer mechanism from the date of lapse, without interruption to the processing.
11.3 Support for Cross-Border Data Transfers
ONELIVE will provide Customer with reasonable support to enable Customer’s compliance with requirements applicable to transfers of Personal Data to third countries with respect to data subjects in the EEA, the UK, and Switzerland, including providing information reasonably necessary for Customer to complete a transfer impact assessment. ONELIVE may charge Customer for assistance with transfer impact assessments, data protection impact assessments, or consultations with a supervisory authority.
12. Customer Personal Data Subject to UK and Swiss Data Protection Laws
To the extent the processing of Customer Personal Data is subject to UK or Swiss data protection law, the UK International Data Transfer Addendum to the SCCs and/or the Swiss adaptations described in Schedule 3 apply, and the SCCs are read and interpreted accordingly so as to provide the appropriate safeguards required by Article 46 of the GDPR and/or the Swiss Federal Act on Data Protection, as applicable.
13. Customer Personal Data Subject to US Data Privacy Laws
To the extent the processing of Customer Personal Data is subject to US Data Protection Laws, the U.S. Addendum set out in Schedule 4 applies.
15. Data Protection Impact Assessments
15.1 ONELIVE will, taking into account the nature of the processing and the information available to it, provide Customer with reasonable assistance to fulfill Customer’s obligations under GDPR Article 35 or any equivalent provision of Applicable Data Protection Laws to conduct a data protection impact assessment (“DPIA”) and, where required, to carry out prior consultation with a competent supervisory authority.
15.2 Upon written request, ONELIVE will provide Customer with information reasonably necessary for Customer to complete a DPIA, including information about ONELIVE’s processing activities, Sub-processors, and technical and organizational security measures as set out in this DPA and Schedule 2, to the extent such information is within ONELIVE’s control. ONELIVE is not required to disclose, and the foregoing obligation excludes, (i) information subject to confidentiality obligations owed to third parties, (ii) ONELIVE’s confidential business information, proprietary technology, source code, or trade secrets, and (iii) any information whose disclosure would itself create a security risk to ONELIVE, its other customers, or the Platforms.
15.3 ONELIVE will charge Customer, at its then-current professional services rate, and Customer shall reimburse ONELIVE, for any assistance with DPIAs, transfer impact assessments, or prior consultations with a supervisory authority that goes beyond providing information already contained in this DPA or its Schedules, or beyond standard self-service functionality included as part of the Services. ONELIVE will provide Customer with a written fee estimate before commencing any such extended assistance.
16. Limitation of Liability
16.1 Cap. Each Party’s aggregate liability to the other under or in connection with this DPA, whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise, in respect of all claims in any twelve-month period, shall not exceed the total fees paid or payable by Customer to ONELIVE under the Agreement in the twelve (12) months immediately preceding the event giving rise to the claim (the “Liability Cap”).
16.2 Exclusions from Cap. The Liability Cap does not apply to: (a) a Party’s obligation to indemnify the other Party to the extent the indemnified claim arises from the indemnifying Party’s own gross negligence or willful misconduct; or (b) any liability that cannot be limited or excluded under Applicable Data Protection Laws. With respect to claims brought directly against ONELIVE by third-party data subjects under Article 82 of the GDPR or equivalent provisions of Applicable Data Protection Laws, ONELIVE’s aggregate liability in any contract year shall not exceed two (2) times the total fees paid or payable by Customer to ONELIVE under the Agreement in the twelve (12) months preceding the event giving rise to the claim (the “Data Subject Claims Cap”).
16.3 Consequential Loss. Neither Party shall be liable to the other for any loss of profits, revenue, business, goodwill, or data, or any indirect, special, incidental, or consequential loss or damages, however arising and whether or not that Party has been advised of the possibility of such loss, except to the extent such exclusion is prohibited by Applicable Data Protection Laws.
16.4 Customer acknowledges that ONELIVE processes Customer Personal Data principally at the application and administrative layer of third-party Platforms over whose underlying infrastructure ONELIVE has no control, and that the Liability Cap and the Data Subject Claims Cap reflect a fair allocation of risk between the Parties that is proportionate to the fees payable under the Agreement and the degree of control ONELIVE exercises over the relevant processing.
16.5 Customer Indemnification. Customer will indemnify, defend, and hold harmless ONELIVE and its Affiliates against all claims, demands, actions, losses, liabilities, damages, fines, penalties, and reasonable costs and expenses (including reasonable legal fees) arising out of or in connection with: (a) Customer’s breach of its obligations as a controller (or, where applicable, processor) under Applicable Data Protection Laws; (b) any instruction issued by Customer to ONELIVE that causes ONELIVE to be in violation of Applicable Data Protection Laws; (c) Customer’s failure to obtain or maintain any consent, authorization, or lawful basis required for the processing of Customer Personal Data under the Agreement; and (d) any inaccuracy, defect, or deficiency in the Customer Personal Data or in Customer’s configuration of the Applications or Platforms. The indemnification in this clause 16.5 is not subject to the Liability Cap.
17. Force Majeure
17.1 Neither Party will be in breach of its obligations under this DPA, or liable to the other Party for any failure to perform or delay in performing any obligation, to the extent that such failure or delay arises from a cause beyond that Party’s reasonable control (a “Force Majeure Event”), including: acts of God; flood, fire, earthquake, epidemic, or pandemic; war, terrorism, riot, or civil unrest; action or inaction of governmental or regulatory authorities; or the failure, outage, suspension, or security incident of a third-party Platform (including Shopify or BigCommerce), telecommunications provider, cloud infrastructure provider, or other upstream service on which ONELIVE’s delivery of the Services depends, provided the affected Party has taken reasonable precautions to avoid or mitigate the Force Majeure Event.
17.2 A Party claiming a Force Majeure Event will: (a) notify the other Party in writing as soon as reasonably practicable after the Force Majeure Event begins, describing the nature, likely duration, and anticipated impact on performance; and (b) use commercially reasonable efforts to resume full performance as promptly as practicable.
17.3 Where ONELIVE’s ability to meet its obligations under this DPA is prevented or materially delayed by a Force Majeure Event, any applicable service-level commitments, processing timelines, or notification deadlines in the Agreement or this DPA are suspended for the duration of the Force Majeure Event without liability to ONELIVE, provided ONELIVE continues to use reasonable efforts to notify Customer of the situation and to mitigate its effects.
17.4 If a Force Majeure Event affecting ONELIVE’s performance under this DPA continues for more than thirty (30) consecutive days, Customer may terminate the affected portion of the Services on written notice to ONELIVE without penalty to either Party. Any pre-paid fees for the affected Services will be refunded on a pro-rated basis from the date Customer’s written termination notice is received.
18. General
18.1 Each Party certifies that it understands and will comply with its obligations under this DPA.
18.2 This DPA and the Agreement set forth the entire agreement between the Parties with respect to the subject matter of this DPA. If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA continues in full force and effect.
18.3 ONELIVE may amend this DPA on thirty (30) days’ written notice to Customer where reasonably necessary to reflect changes in Applicable Data Protection Laws, updates to its technical and organizational measures, or the addition or replacement of Sub-processors. If Customer materially objects to an amendment on reasonable data protection grounds, Customer may notify ONELIVE within the thirty (30)-day notice period, and the Parties will work together in good faith to resolve the objection; if no resolution is reached, Customer may terminate the affected portion of the Services as its sole and exclusive remedy. Any amendment required to comply with Applicable Data Protection Laws takes effect immediately upon notice.
Schedule 1 — Details of Processing
Part 1 — List of Parties
Data Exporter / Controller. Customer, as identified in the Agreement, together with any Customer Affiliates on whose behalf Customer Personal Data is processed. Customer’s contact person, and (where applicable) its data protection officer or EU/UK representative, are as identified in the Agreement or as notified to ONELIVE in writing. The activities relevant to the transfer are those defined by the Agreement, under which Customer determines the scope and purpose of processing in connection with the Applications and Services.
Data Importer / Processor. ONELIVE, LLC, 4101 Smith School Rd., Bldg. 3, Ste. 300, Austin, TX 78744, United States. Contact and Data Protection Lead: Dustin Hall, President — dustin.hall@onelive.com. ONELIVE’s activities relevant to the transfer: provision, development, hosting, configuration, and administration of Applications and Services on top of the Platforms, and facilitation of the processing necessary to deliver the Services, on behalf of and under the instructions of Customer.
Part 2 — Description of Transfer
Categories of data subjects whose Personal Data is transferred:
- Consumers and fans purchasing from, registering with, or otherwise interacting with Customer’s storefronts and the Applications;
- Customer’s personnel and authorized users who access or administer the Platforms and Applications; and
- Where applicable, artists, athletes, talent, or other rights holders’ representatives whose data Customer shares in connection with the Services.
Categories of Personal Data transferred:
- Consumer / fan data: identifying information including name, stage name, representative’s name, and previous name; contact details (including email and postal address); date of birth; address history; country of residence; order, purchase, and booking information; price and payment information (excluding full payment-card data, which is processed by the Platforms’ payment processors); preferences, ratings, and settings information; messages; and technical data including device and browser information and IP address.
- Personnel / user data: identifying information including name and email address; role and permission level; and technical data including device and browser information and IP address.
Sensitive data: None. ONELIVE does not request or require special categories of Personal Data to provide the Services, and Customer is responsible for not configuring the Applications or Platforms to process such data without appropriate safeguards.
Frequency of transfer: Continuous, for the term of the Agreement.
Nature of processing: Collection, storage, organization, retrieval, consultation, use, configuration, transmission, and erasure of Customer Personal Data as necessary to develop, host, operate, and administer the Applications and Services on the Platforms.
Purpose(s): To perform the Applications and Services as described in the Agreement.
Retention period: For as long as necessary to provide the Services specified in the Agreement, or as required by applicable law, after which the deletion and return provisions of clause 9 apply.
Transfers to Sub-processors: As specified in Schedule 3 and the Sub-processor list, and solely for as long as necessary to provide the Services or as required by applicable law.
Part 3 — Competent Supervisory Authority
Where Customer is established in an EU Member State, the competent supervisory authority is that of the Member State in which Customer is established. Where Customer is not established in the EEA but falls within the territorial scope of the GDPR and has appointed an Article 27 representative, the competent supervisory authority is that of the Member State where the representative is established. Otherwise, the competent supervisory authority is identified in accordance with clause 13 of the SCCs.
Schedule 2 — Technical and Organizational Measures
ONELIVE has implemented the following technical and organizational measures to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks to data subjects. Because ONELIVE operates at the application and administrative layer of the Platforms, infrastructure-level measures are implemented by the Platforms and other Sub-processors; ONELIVE’s measures focus on the secure development and operation of the Applications and on secure administration of the Platforms on Customer’s behalf.
- Pseudonymization and encryption of Personal Data. Within the Applications it develops, ONELIVE uses commercially available, industry-standard encryption for data in transit and supports encryption of data at rest. At the infrastructure level, pseudonymization and encryption are performed by the Platforms and Sub-processors; technical details are available via the links in ONELIVE’s list of data processors at https://www.onelive.com/legal/processors.
- Confidentiality, integrity, availability, and resilience of processing systems. ONELIVE ensures confidentiality internally through ongoing employee training and role- and necessity-based data access levels. The ongoing integrity, availability, and resilience of the underlying processing systems are managed by the Platforms on which the Applications operate.
- Ability to restore availability and access after an incident. As an application developer and service provider, ONELIVE does not own or control the servers of the Platforms or other Sub-processors, but works with them to ensure timely remediation. Restoration capabilities vary by Sub-processor; all of ONELIVE’s Platforms maintain defined measures for restoring availability and access.
- Regular testing, assessment, and evaluation of effectiveness. ONELIVE conducts periodic reviews of its internal security processes and holds recurring meetings with its Sub-processors to address operational and organizational needs and any issues affecting data security. Because ONELIVE does not control Sub-processor servers, direct infrastructure testing is performed by the Sub-processors. If an issue is discovered relating to a Sub-processor, ONELIVE will notify Customer promptly and work with the Sub-processor to protect Customer Personal Data.
- User identification and authorization. ONELIVE maintains administrative access within the Platforms and Applications provisioned to Customer and enables administrative access to Customer on request; user identification and authorization may therefore be controlled by both Customer and ONELIVE. ONELIVE’s internal practices include notifications of new users added to a Platform, followed by evaluation and confirmation of access and permission levels in collaboration with Customer. Unauthorized or unapproved users are denied access or removed.
- Protection of data during transmission. ONELIVE does not manage the servers or transmission-layer security of its Sub-processors, which are managed by the Sub-processors. At the application and admin level, ONELIVE configures available options within Platform and integration settings to protect data in transit to the extent those configurations allow, and uses encrypted connections within the Applications it builds.
- Protection of data during storage. ONELIVE does not manage the servers of its Sub-processors; measures for protecting data at rest are taken by the Sub-processors. Where the Applications store Customer Personal Data, ONELIVE applies access controls and supports encryption at rest.
- Physical security of processing locations. ONELIVE accesses the Platforms under license and does not own or control the Sub-processors’ server rooms or on-premises facilities, including their physical security. Physical security at the infrastructure level is maintained by the Sub-processors.
- Events logging. Within each Platform’s available administrative configurations, ONELIVE ensures event logging is enabled and accessible and, where supported, configured to trigger notifications relevant to security or Customer’s requested parameters. The degree of logging available is determined by each Platform.
- System configuration, including default configuration. Within each Platform’s administrative and permissions tools, ONELIVE configures systems (including modifying default configurations where necessary) to be consistent with Customer’s data security and access needs and with applicable compliance requirements.
- Internal IT and IT security governance. Details of ONELIVE’s internal IT security management are available in ONELIVE’s Data Privacy Notice at https://www.onelive.com/data-privacy-notice.
- Certification and assurance of processes and products. Each Platform and Sub-processor maintains its own certifications and assurances, available via the links in ONELIVE’s list of data processors. Assurances of ONELIVE’s own processes are described in ONELIVE’s Privacy Standard and Data Privacy Notice at https://www.onelive.com/privacy and https://www.onelive.com/data-privacy-notice.
- Data minimization. From an application-design and administrative perspective, ONELIVE limits its use of Customer Personal Data to what is necessary to achieve Customer’s intended purposes, and nothing beyond. Further measures are described in ONELIVE’s Privacy Policy at https://www.onelive.com/privacy.
- Data quality. In accordance with Customer requests and the capabilities provided by each Platform, ONELIVE supports the quality of Customer Personal Data through Platform admin settings and any customizations made to the Applications.
- Limited data retention. In accordance with Customer’s request, or where required by law, ONELIVE takes reasonable steps to remove Personal Data from systems where the data or the system is no longer required, including obliging Sub-processors to delete or destroy such data where applicable.
- Accountability. ONELIVE maintains internal accountability measures including adherence to the data protection principles in its Privacy Standard, assignment of a Data Protection Lead, integration of data protection into internal documents and processes, regular employee training, periodic internal reviews, and joint reviews of Sub-processor security processes. See https://www.onelive.com/privacy.
- Data portability and erasure. Sub-processors maintain their own formats for portability. On request, ONELIVE can assist with portability by exporting data from relevant Platforms into a standard CSV file for the requesting individual. For erasure, ONELIVE works directly with Sub-processors to erase data within available admin privileges and to confirm system-wide erasure for data outside those privileges.
- Assistance with data subject right requests. ONELIVE assists with Data Subject Requests insofar as they relate to the Applications and Platforms ONELIVE manages on Customer’s behalf, including identity verification, request clarification, confirming whether data is processed or stored within the Platforms, and inspecting, collecting, formatting, and packaging the data for Customer.
Schedule 3 — Standard Contractual Clauses, Processor, and Sub-Processor Details
For the purposes of the Standard Contractual Clauses:
- Module Two (controller to processor) applies where Customer acts as controller and ONELIVE as processor; Module Three (processor to processor) applies where Customer acts as processor and ONELIVE as sub-processor, as described in clause 3 of this DPA.
- Clause 7 of the SCCs (Docking Clause) does not apply.
- Under Clause 9, Option 2 (general written authorization) applies; the notice period is the period specified in clause 5.3 of this DPA.
- The option in Clause 11(a) of the SCCs (independent dispute resolution body) does not apply.
- For Clause 17 (Governing law) and Clause 18 (Choice of forum and jurisdiction), the Parties select the law and courts specified in the Agreement; where the Agreement is silent, the law of Ireland and the courts of Ireland apply.
- For Annex I of the SCCs, Schedule 1 of this DPA provides the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
- For Annex II of the SCCs, Schedule 2 of this DPA provides the technical and organizational measures.
- For Annex III of the SCCs, the authorized Sub-processors are the Platforms (Shopify and BigCommerce) and the Sub-processors listed at https://www.onelive.com/legal/processors. The contact details of a Sub-processor will be provided by ONELIVE on request.
UK transfers: The UK International Data Transfer Addendum issued by the UK Information Commissioner forms part of this DPA for transfers subject to the UK GDPR, and the SCCs are read and interpreted in light of that Addendum.
Swiss transfers: For transfers subject to Swiss data protection law, references in the SCCs to the GDPR are read as references to the Swiss Federal Act on Data Protection, the competent authority is the Federal Data Protection and Information Commissioner, and references to EU Member States are read to permit data subjects to bring proceedings in their place of habitual residence in Switzerland.
Schedule 4 — U.S. Addendum
Part 1 — Service Provider Contract Terms (Cal. Civ. Code §1798.140(ag)(1))
To the extent that the processing of Customer Personal Data is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”) or other applicable US Data Protection Laws, the following terms apply. ONELIVE acts as a “service provider” as defined in Cal. Civ. Code §1798.140(ag) and is subject to the restrictions set forth below.
1. Business Purposes and Use Restrictions
ONELIVE will collect, access, retain, use, disclose, and otherwise process Customer Personal Data solely for the business purposes specified in the Agreement (including providing, maintaining, and improving the Applications and Services, preventing fraud and security incidents, and complying with applicable law), and will not process Customer Personal Data for any purpose other than those business purposes, including for ONELIVE’s own commercial purposes. ONELIVE specifically is prohibited from:
- selling Customer Personal Data, or making Customer Personal Data available to any third party, for monetary or other valuable consideration;
- sharing Customer Personal Data with any third party for cross-context behavioral advertising;
- retaining, using, or disclosing Customer Personal Data for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by US Data Protection Laws;
- retaining, using, or disclosing Customer Personal Data outside the direct business relationship between the Parties; and
- except as otherwise permitted by US Data Protection Laws, combining Customer Personal Data with Personal Data that ONELIVE receives from, or on behalf of, another person, or collects from its own interaction with the data subject.
2. Sensitive Personal Information
Where Customer Personal Data includes “sensitive personal information” as defined in Cal. Civ. Code §1798.140(ae) — including Social Security numbers, driver’s license or passport numbers, financial account credentials, precise geolocation data, racial or ethnic origin, religious beliefs, union membership, content of private communications, genetic data, biometric data processed to identify an individual, health or medical information, or information concerning sexual orientation or gender identity — ONELIVE will process such data solely for the purpose of providing the Services as specified in the Agreement and for no other purpose. ONELIVE will implement and maintain additional technical safeguards appropriate to the heightened sensitivity of such data, including stricter access controls and enhanced logging.
3. Customer Monitoring Rights
Customer may take reasonable and appropriate steps to verify that ONELIVE is processing Customer Personal Data in a manner consistent with Customer’s obligations under US Data Protection Laws and with the terms of this DPA and the Agreement. Such steps may include: (a) requesting and reviewing ONELIVE’s data processing records and policies relevant to the Services; (b) conducting or commissioning a compliance assessment or audit pursuant to clause 7 of the DPA; and (c) requesting written certification from ONELIVE that it has complied and continues to comply with the restrictions in this Schedule. ONELIVE will reasonably cooperate with such monitoring activities.
4. ONELIVE’s Obligation to Notify if Compliance Cannot Be Met
If ONELIVE determines at any time that it can no longer meet its obligations under US Data Protection Laws or under this Schedule 4 with respect to Customer Personal Data, ONELIVE will notify Customer in writing without undue delay and in any event within five (5) business days of that determination. Upon such notice, Customer may direct ONELIVE to stop processing the affected Customer Personal Data, and ONELIVE will cease processing promptly upon receipt of such direction, without prejudice to Customer’s right to terminate the Agreement.
5. Customer’s Right to Stop and Remediate Unauthorized Processing
Upon Customer’s reasonable determination that ONELIVE is processing Customer Personal Data in a manner that is unauthorized or inconsistent with the Agreement or this DPA, Customer may direct ONELIVE in writing to cease the unauthorized processing immediately. ONELIVE will cease such processing within forty-eight (48) hours of receiving Customer’s written direction, and will cooperate with Customer to remediate any unauthorized use, including by deleting or returning the relevant data as directed.
6. Assistance with Consumer Requests
ONELIVE will assist Customer in fulfilling its obligations to respond to verifiable consumer requests under US Data Protection Laws, including requests to know, delete, correct, and opt out of sale or sharing of personal information, to the extent such requests relate to Customer Personal Data processed by ONELIVE on Customer’s behalf. ONELIVE will not be required to disclose to consumers any of ONELIVE’s confidential business information in responding to such requests.
7. Sub-processors and Downstream Contracts
ONELIVE will ensure that any Sub-processor engaged to process California residents’ Personal Data on ONELIVE’s behalf is bound by a written contract imposing the same restrictions and requirements as this Schedule 4, to the extent applicable to the nature of that Sub-processor’s services. ONELIVE remains responsible for each Sub-processor’s compliance with this Schedule to the extent set out in clause 5.2 of the DPA.
8. Other US State Privacy Laws
To the extent Customer Personal Data includes Personal Data of residents of states with applicable comprehensive privacy laws (including, without limitation, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and Delaware), ONELIVE will process such data as a “processor” or “service provider” under those laws and will comply with the obligations applicable to processors and service providers thereunder. ONELIVE will provide the same level of privacy protection to residents of all states as is required under the most stringent applicable US Data Protection Law. ONELIVE will comply with the applicable obligations under US Data Protection Laws and will provide the same level of privacy protection as required of Customer. Customer may take reasonable and appropriate steps to help ensure that ONELIVE uses Customer Personal Data in a manner consistent with Customer’s obligations under US Data Protection Laws, and to stop and remediate any unauthorized use.