Joint-Controller Data Processing Agreement

Last Updated: 6/12/2026

Merchant of Record: ONELIVE
Joint Controllers (Financial/Tax Domain): ONELIVE and Customer
Data Controller (Storefront Domain): Customer
Data Processor: ONELIVE

Parties and Background

(A) The customer identified in the Agreement (“Customer”) has entered into an agreement with ONELIVE, LLC (“ONELIVE”) (each a “Party” and together the “Parties”) under which ONELIVE has agreed to provide ecommerce technology, software applications, professional services, and related fulfillment services in accordance with such agreement (the “Agreement”). This Joint-Controller Data Processing Agreement (this “JC-DPA”) is incorporated into and forms part of the Agreement and is effective on the effective date of the Agreement, except that for a Customer that entered into an Agreement before the “Last Updated” date above, this JC-DPA is effective on that date. This JC-DPA applies only to engagements in which ONELIVE acts as the merchant of record.

(B) ONELIVE operates as (i) a service provider that provisions, configures, administers, and manages third-party ecommerce and/or membership platforms on behalf of Customer, (ii) an application developer that designs, builds, hosts, and operates proprietary software applications, integrations, and tools (the “Applications”) that run on top of those third-party ecommerce platforms — specifically Shopify and BigCommerce (each a “Platform” and together the “Platforms”), and (iii) a third-party logistics service provider. In the engagements governed by this JC-DPA, ONELIVE additionally acts as the merchant of record, taking on financial, payment-settlement, and tax obligations in connection with transactions conducted through Customer’s storefronts.

(C) Because ONELIVE’s merchant-of-record role causes ONELIVE to determine the purposes and means of processing certain financial, payment, and tax data, ONELIVE acts as a controller of that data jointly with Customer. For consumer and fan data processed in operating Customer’s storefronts, ONELIVE continues to act as Customer’s processor on the terms set out in this JC-DPA. This JC-DPA allocates responsibility across both roles and constitutes the arrangement required by Article 26 of the GDPR in respect of the jointly controlled processing.

1. Definitions

1.1 Capitalized terms used but not defined within this JC-DPA have the meaning set forth in the Agreement. The following terms are defined as follows:

“Account Information” means Customer’s information, including Personal Data of Customer’s and Customer Affiliates’ users, provided for account creation, access, administration, and maintenance, and may include names, usernames, login credentials, phone numbers, email addresses, and billing information associated with a ONELIVE account or a Platform account administered by ONELIVE;

“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement;

“Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as amended or updated from time to time;

“Applications” means the proprietary software applications, storefront themes, custom code, integrations, connectors, and tools that ONELIVE designs, builds, hosts, and/or operates on top of the Platforms on behalf of Customer;

“Article 26 Arrangement” means the allocation of joint-controller responsibilities set out in Schedule 5, as required by Article 26 of the GDPR;

“Cardholder Data” means the primary account number (PAN) and any associated authentication data, expiry, or security code, as defined by the PCI DSS. Cardholder Data is processed by the Platforms and their payment processors and is not controlled or stored by ONELIVE;

“Customer Personal Data” means the Personal Data processed by ONELIVE on behalf of Customer or a Customer Affiliate in connection with the provision of the Applications and Services within the Storefront Domain, but specifically excludes Personal Data contained in Account Information and Financial/Tax Data;

“DPF” or “Data Privacy Framework” means the EU–U.S. Data Privacy Framework and, where applicable, the UK Extension to the EU–U.S. Data Privacy Framework and the Swiss–U.S. Data Privacy Framework;

“EEA” means the European Economic Area;

“Financial/Tax Data” means Personal Data within the MoR Domain that ONELIVE processes as a controller, comprising: transaction and settlement records; invoice, receipt, refund, and chargeback records; tax determination, calculation, collection, and remittance records; payer/purchaser identity and billing information necessary for financial and tax compliance; and related financial-reporting and audit records. Financial/Tax Data excludes Cardholder Data;

“GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR” as defined in section 3 of the Data Protection Act 2018;

“Jointly Controlled Data” means Financial/Tax Data within the MoR Domain the purposes and means of which both Parties determine, as described in clause 3 and Schedule 5;

“MoR Domain” means the financial, payment-settlement, and tax obligations and associated Financial/Tax Data for which ONELIVE acts as merchant of record;

“Personal Data” means any information relating to an identified or identifiable individual or device, or that is otherwise “personal data,” “personal information,” or “personally identifiable information” as defined by Applicable Data Protection Laws;

“Platform” or “Platforms” means the third-party ecommerce platforms on which ONELIVE provides the Applications and Services, specifically Shopify and BigCommerce, including their respective hosting infrastructure and processing systems;

“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data or Jointly Controlled Data processed by ONELIVE;

“Services” means the ecommerce technology, configuration, administration, support, consulting, and fulfillment services that ONELIVE provides under the Agreement, together with the Applications;

“Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, comprising Module One (controller to controller), Module Two (controller to processor), and Module Three (processor to processor), as applicable under this JC-DPA;

“Storefront Domain” means consumer and fan Personal Data processed in operating Customer’s storefronts, memberships, and applications, for which ONELIVE acts as Customer’s processor;

“Sub-processor” means ONELIVE Affiliates and third-party processors — including the Platforms and ONELIVE’s hosting and infrastructure providers — engaged by ONELIVE to process Customer Personal Data;

“UK” means the United Kingdom of Great Britain and Northern Ireland; and

“US Data Protection Laws” means, to the extent applicable, the federal and state laws relating to data protection, the processing of Personal Data, and privacy in force from time to time in the United States.

1.2 The terms “controller,” “joint controllers,” “processor,” “data subject,” “process,” “supervisory authority,” “sell,” “share,” and “service provider” have the meanings given in the Applicable Data Protection Laws.

2. Interaction with the Agreement

2.1 This JC-DPA supplements and, in the case of any conflict regarding the processing of Customer Personal Data or Jointly Controlled Data, supersedes the Agreement.

2.2 With respect to Customer Affiliates, by entering into the Agreement Customer warrants that it is duly authorized to enter into this JC-DPA for and on behalf of any such Customer Affiliates, and each Customer Affiliate is bound by this JC-DPA as if it were the Customer.

2.3 Customer warrants that it is duly mandated by any Customer Affiliate on whose behalf data is processed to (a) enforce this JC-DPA on behalf of that Customer Affiliate and act on its behalf in the administration and conduct of any claims arising under this JC-DPA, and (b) receive and respond to any notices or communications under this JC-DPA on behalf of that Customer Affiliate.

2.4 Any notice or communication sent by ONELIVE to Customer satisfies any obligation to send such notice or communication to a Customer Affiliate.

2.5 Where ONELIVE is not the merchant of record for an engagement, this JC-DPA does not apply to that engagement and ONELIVE’s published Data Processing Agreement governs instead.

3. Role of the Parties

3.1 The role of each Party depends on the domain of processing. The Parties acknowledge and agree as follows:

(a) MoR Domain — Joint Control. In respect of Financial/Tax Data, ONELIVE and Customer act as joint controllers within the meaning of Article 26 of the GDPR. Each Party determines, in common, the purposes and means of processing necessary to discharge the merchant-of-record function and the Parties’ respective financial and tax obligations. The allocation of responsibilities between them is set out in Schedule 5.

(b) Storefront Domain — Processor. In respect of consumer and fan Personal Data processed to operate Customer’s storefronts, memberships, and applications, ONELIVE acts as Customer’s processor under the GDPR and as a service provider or processor under US Data Protection Laws, processing Customer Personal Data on behalf of and under the documented instructions of Customer. Where Customer itself processes such data on behalf of a third party — for example, an artist, athlete, team, label, venue, or other rights holder — Customer acts as a processor and ONELIVE acts as a sub-processor. Customer is the controller of Storefront Domain data.

(c) Platform-only administration. Where ONELIVE provisions, configures, and administers a Platform on Customer’s behalf without ONELIVE’s own Applications ingesting Customer Personal Data, the relevant Platform acts as a processor engaged in respect of Customer Personal Data, and ONELIVE acts as a service provider facilitating and administering that processing at the user-admin level. ONELIVE does not own or control the Platforms’ servers or underlying infrastructure.

(d) ONELIVE’s scoped controller role. ONELIVE’s controller role is limited to the MoR Domain. ONELIVE does not, by virtue of this JC-DPA, become a controller of Storefront Domain data, of Customer’s marketing or consumer-relationship data, or of website-management decisions, all of which remain within Customer’s sole control.

(e) Customer’s retained control. Customer retains sole control over consumer data access, storefront content and configuration, marketing, and the consumer-facing relationship, except to the limited extent the Parties jointly determine processing of Financial/Tax Data under (a).

(f) Account Information. Account Information is not governed by this JC-DPA and is subject to ONELIVE’s Data Privacy Notice, available at https://www.onelive.com/legal/data-privacy-notice.

3.2 Within the Storefront Domain, and regardless of the role characterization above, ONELIVE will process Customer Personal Data only as described in this JC-DPA and the Agreement, and will not retain, use, disclose, or otherwise process Customer Personal Data for any purpose other than performing the Services or as otherwise permitted by Applicable Data Protection Laws. Within the MoR Domain, each Party will process Jointly Controlled Data only for the purposes set out in Schedule 5 and will not use it for incompatible purposes; ONELIVE will not use Financial/Tax Data for its own marketing or to build consumer profiles.

3.3 ONELIVE may create and use anonymized or aggregated data derived from Customer Personal Data or Financial/Tax Data for the purposes of operating, improving, and developing the Applications and Services, fraud detection and prevention, and security monitoring, provided that such data is rendered non-identifiable so that no individual data subject can be re-identified from it, and provided that ONELIVE does not disclose such aggregated data in a manner that identifies Customer. Such anonymized or aggregated data does not constitute Customer Personal Data or Jointly Controlled Data.

3.4 Cardholder Data. Cardholder Data is processed by the Platforms and their payment processors as independent controllers or processors under their own terms. ONELIVE does not store, transmit, or control Cardholder Data, and nothing in this JC-DPA makes ONELIVE a controller of it. ONELIVE controls only the Financial/Tax Data derived from completed transactions.

3.5 Each Party is independently responsible for complying with the obligations applicable to it as a controller under Applicable Data Protection Laws in respect of the Jointly Controlled Data, including maintaining a lawful basis for its own processing. For ONELIVE’s tax and financial-recordkeeping processing, the lawful basis is compliance with a legal obligation and/or ONELIVE’s legitimate interests as merchant of record; Customer is responsible for the lawful basis applicable to its own commercial use of the same data.

4. Details of Data Processing (Storefront Domain)

4.1 The details of processing within the Storefront Domain — including subject matter, nature and purpose, categories of Personal Data, and categories of data subjects — are described in the Agreement and in Schedule 1.

4.2 ONELIVE will process Customer Personal Data only on behalf of and under the documented instructions of Customer and in accordance with Applicable Data Protection Laws. The Agreement and this JC-DPA constitute Customer’s complete and final instructions for the processing of Customer Personal Data. Customer may issue further reasonable written instructions consistent with this JC-DPA.

4.3 If Customer’s instructions would cause ONELIVE to process Customer Personal Data in violation of Applicable Data Protection Laws, or outside the scope of the Agreement or this JC-DPA, ONELIVE will promptly inform Customer, unless prohibited from doing so by law (without prejudice to the SCCs).

4.4 ONELIVE may store and process Customer Personal Data anywhere ONELIVE or its Sub-processors (including the Platforms) maintain facilities, subject to clauses 5 and 11 of this JC-DPA.

4.5 Where Customer issues a further written instruction under clause 4.2 that goes beyond the processing described in the Agreement and this JC-DPA, ONELIVE will, within ten (10) business days of receipt, provide Customer with a written assessment of the feasibility, timeline, and resource impact of the instruction. Any instruction that requires material additional work, system changes, or resources beyond the scope of the Services as then provided is subject to the Parties’ mutual written agreement on scope and cost, and ONELIVE is not obligated to implement such an instruction until that agreement is reached. ONELIVE will continue to process Customer Personal Data in accordance with existing instructions in the interim.

4.6 If ONELIVE reasonably determines that an instruction from Customer would cause ONELIVE to process Customer Personal Data in violation of Applicable Data Protection Laws, ONELIVE may, in addition to its obligation to inform Customer under clause 4.3, suspend the affected processing on five (5) business days’ written notice to Customer. If the matter giving rise to the suspension is not resolved to ONELIVE’s reasonable satisfaction within thirty (30) days of the suspension notice, ONELIVE may terminate this JC-DPA and the affected portion of the Services on written notice, without liability to ONELIVE for such suspension or termination.

5. Sub-Processors (Storefront Domain)

5.1 Customer grants ONELIVE general authorization to engage Sub-processors. Customer acknowledges and specifically authorizes the engagement of the Platforms (Shopify and BigCommerce) and ONELIVE’s hosting and infrastructure providers as Sub-processors. ONELIVE’s current list of Sub-processors is maintained at https://www.onelive.com/legal/processors as of the Effective Date.

5.2 ONELIVE will (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data than ONELIVE’s obligations under this JC-DPA, to the extent applicable to the nature of the services provided by that Sub-processor; and (ii) remain responsible for each Sub-processor’s performance of its data protection obligations to the extent set out in this JC-DPA. Customer acknowledges that the Platforms maintain their own data processing terms, certifications, and security measures, which govern the processing performed on their infrastructure.

5.3 ONELIVE will provide Customer with at least fifteen (15) days’ notice of any proposed addition or replacement of a Sub-processor that processes Customer Personal Data. Customer may reasonably object to a new Sub-processor by giving ONELIVE written notice of the objection within ten (10) days after ONELIVE’s notice (an “Objection”). The Parties will work together in good faith to find a mutually acceptable resolution. If they cannot reach one within a reasonable period, either Party may, as its sole and exclusive remedy, terminate the affected portion of the Services by written notice. Where a Sub-processor is a Platform on which Customer’s store is built, the Parties acknowledge that an Objection may require migration of the store and may not be operationally feasible without terminating the affected Services.

6. Data Subject Rights Requests and Point of Contact

6.1 Domain-based point of contact. The point of contact for data-subject requests depends on the domain. For the Storefront Domain, Customer is the point of contact and, as between the Parties, has sole discretion and responsibility for responding to any request from an individual to exercise rights in relation to Customer Personal Data (a “Data Subject Request”). For the MoR Domain, ONELIVE is the point of contact and is responsible for responding to requests concerning Financial/Tax Data it controls as merchant of record. Under Article 26(3) of the GDPR, a data subject may exercise their rights against either Party regardless of this allocation, and each Party will honor that right and coordinate as set out below.

6.2 Forwarding between the Parties. Each Party will forward to the other any request it receives that falls within the other’s domain within three (3) to five (5) business days of receipt, and may advise the individual to submit their request to the responsible Party. For the Storefront Domain, ONELIVE will not respond to a Data Subject Request on Customer’s behalf without Customer’s prior written authorization, except to acknowledge receipt and redirect the individual to Customer. For the MoR Domain, Customer will promptly forward to ONELIVE any request concerning Financial/Tax Data, and ONELIVE will respond directly, including where it must decline erasure or restriction because retention of tax, settlement, or financial-compliance records is legally required.

6.3 Taking into account the nature of the processing, ONELIVE will provide Customer with reasonable assistance to fulfill Customer’s obligation to respond to Storefront-Domain Data Subject Requests, insofar as the request relates to the Applications and Platforms ONELIVE manages on Customer’s behalf. Such assistance includes helping verify the identity of the requesting individual, clarifying the request, confirming whether the individual’s Personal Data is processed within the Platforms, and inspecting, collecting, formatting, and packaging the relevant data. ONELIVE requires all requesting individuals that are missing Personal Data verification information to complete the online Data Request Form hosted at https://www.onelive.com/legal/personal-data-request. ONELIVE will provide such assistance at no charge for up to ten (10) Data Subject Requests per calendar quarter. For any Data Subject Request beyond that threshold, and for any assistance beyond functionality made available as part of the Services, ONELIVE will charge Customer a per-request fee at its then-current professional services rate, and will provide a written fee estimate before commencing such assistance.

7. Security and Audits

7.1 ONELIVE will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data and Jointly Controlled Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as further described in Schedule 2. Customer acknowledges that, because ONELIVE operates at the application and administrative layer of the Platforms, certain security measures — including the security of servers, data centers, encryption at rest and in transit at the infrastructure level, and physical security — are implemented and maintained by the Platforms and other Sub-processors. Within the MoR Domain, each Party is responsible for the security of Jointly Controlled Data within its own systems.

7.2 ONELIVE may update the measures in Schedule 2 from time to time, provided that the updates do not materially reduce the overall level of protection afforded to Customer Personal Data.

7.3 Customer, or an independent third-party auditor reasonably acceptable to ONELIVE (and not a competitor of ONELIVE), may audit ONELIVE’s compliance with this JC-DPA up to once per year, or more frequently following a Security Incident or to the extent required by Applicable Data Protection Laws or a regulatory authority. Each audit is limited to a maximum duration of five (5) business days per audit cycle. Before any audit commences, Customer must agree in writing to ONELIVE’s good-faith estimate of the fees and time-and-materials charges that will be payable under clause 7.6.

7.4 To request an audit, Customer must submit a proposed audit plan at least two weeks before the proposed date. Audits must be conducted during regular business hours, in accordance with the agreed plan and ONELIVE’s policies, and must not unreasonably interfere with ONELIVE’s business. Nothing in this clause requires ONELIVE to breach any duty of confidentiality.

7.5 Where the requested audit scope is addressed by a Platform’s or Sub-processor’s SOC 2, ISO 27001, or comparable report issued within the prior twelve (12) months, Customer agrees to accept those findings in lieu of auditing the controls covered by that report. ONELIVE will, on request, provide or facilitate access to the relevant Platform certifications and reports it is permitted to share.

7.6 Audits are at Customer’s expense, and Customer will reimburse ONELIVE for time reasonably expended by ONELIVE or its Sub-processors in connection with an audit.

8. Security Incidents

8.1 ONELIVE will notify Customer in writing within seventy-two (72) hours of confirming that a Security Incident affecting Customer Personal Data has occurred. ONELIVE may take up to forty-eight (48) hours from initial detection of a suspected incident to investigate and confirm whether a Security Incident has in fact occurred before the notification period begins, consistent with the standard under Article 33 of the GDPR. ONELIVE will reasonably cooperate in investigating the Security Incident and in connection with any obligation of Customer to notify individuals, supervisory authorities, regulators, or the public. ONELIVE will take reasonable steps to contain, investigate, and mitigate the Security Incident, and will provide Customer with timely information including the nature of the Security Incident, the measures taken to mitigate or contain it, and the status of the investigation. Where a Security Incident originates with or affects a Platform or other Sub-processor, ONELIVE will promptly relay information it receives and coordinate on remediation. ONELIVE’s notification of, or response to, a Security Incident is not an acknowledgement of fault or liability.

8.2 Jointly Controlled Data — mutual notification. Because both Parties are controllers of Jointly Controlled Data with their own obligations under Articles 33–34, a Party that becomes aware of a Security Incident affecting Jointly Controlled Data will notify the other Party without undue delay and in any event in sufficient time to enable the other Party to meet its own notification deadlines, and in any event within seventy-two (72) hours of confirming the incident. The Parties will cooperate on investigation, containment, and any required notifications. Schedule 5 allocates which Party leads each notification.

9. Deletion and Return

9.1 ONELIVE will, on Customer’s request made by the date of termination or expiry of the Agreement, return a copy of Customer Personal Data within ONELIVE’s control or provide functionality enabling Customer to do the same (including export from the relevant Platforms into a standard format such as CSV). Within ninety (90) days of termination or expiry, ONELIVE will delete the remaining copies of Customer Personal Data within ONELIVE’s own systems and will confirm the deletion actions taken. Within the same period, ONELIVE will request deletion of Customer Personal Data by its Sub-processors; however, Customer acknowledges that Sub-processor deletion is subject to each Sub-processor’s own data retention policies, timelines, and legal obligations, which are outside ONELIVE’s control. ONELIVE may retain Customer Personal Data to the extent ONELIVE reasonably determines that retention is (i) required to comply with applicable law, a court order, subpoena, or regulatory requirement, or (ii) necessary for the establishment, exercise, or defense of legal claims. Customer acknowledges that data residing within a Platform that Customer continues to own or operate after termination remains subject to that Platform’s terms and Customer’s control.

9.2 Financial/Tax Data retention. Notwithstanding clause 9.1, ONELIVE will retain Financial/Tax Data for the periods required by applicable tax, accounting, and financial-services law, notwithstanding any deletion request, to the extent retention is legally required. ONELIVE will delete or anonymize such data once the applicable legal retention period expires.

9A. Payment Card Security (PCI DSS)

9A.1 The Parties acknowledge that Cardholder Data is processed by the Platforms and their payment processors, which are responsible for PCI DSS compliance in respect of the cardholder-data environment. ONELIVE does not store, process, or transmit Cardholder Data and is not a part of Customer’s or the Platforms’ cardholder-data environment.

9A.2 To the extent ONELIVE’s merchant-of-record role requires it to maintain a PCI DSS attestation appropriate to its actual interaction with payment flows (for example, a Self-Assessment Questionnaire of the type applicable to merchants that fully outsource cardholder-data handling), ONELIVE will maintain such attestation and make it available to Customer on reasonable request.

10. Contract Period

10.1 This JC-DPA commences on the Effective Date and, notwithstanding any termination of the Agreement, remains in effect until ONELIVE has ceased to act as merchant of record and has deleted or returned the Customer Personal Data and Jointly Controlled Data as described in this JC-DPA, subject to ONELIVE’s legal retention obligations under clause 9.2.

11. Cross-Border Data Transfers

11.1 Standard Contractual Clauses

For the Storefront Domain, the Parties agree that the Standard Contractual Clauses, as further specified in Schedule 3, are incorporated by reference and are deemed executed by the Parties, and constitute the primary legal mechanism governing any transfer of Customer Personal Data falling within the scope of the GDPR from Customer (as data exporter) to ONELIVE (as data importer). For the MoR Domain, where a transfer of Jointly Controlled Data falls within the scope of the GDPR and is made between the Parties as controllers, the Parties incorporate Module One (controller to controller) of the SCCs as specified in Schedule 5. ONELIVE may rely on additional or alternative transfer mechanisms (including any applicable adequacy decision, binding corporate rules, or successor framework) as they become available, provided that ONELIVE notifies Customer in writing and that the alternative mechanism provides an equivalent level of protection.

11.2 DPF Notification Obligation

ONELIVE does not currently rely on the EU–U.S. Data Privacy Framework (“DPF”) as a transfer mechanism, and the SCCs under clause 11.1 are the sole applicable basis for cross-border transfers under this JC-DPA. If ONELIVE obtains DPF self-certification in the future and elects to rely on it for transfers governed by this JC-DPA, ONELIVE will notify Customer in writing before doing so. In the event ONELIVE’s DPF certification is revoked, lapses, or is otherwise rendered invalid after Customer has been notified of its use, ONELIVE will notify Customer within five (5) business days of becoming aware of that fact, and the SCCs under clause 11.1 will automatically resume as the governing transfer mechanism from the date of lapse, without interruption to the processing.

11.3 Support for Cross-Border Data Transfers

ONELIVE will provide Customer with reasonable support to enable Customer’s compliance with requirements applicable to transfers of Personal Data to third countries with respect to data subjects in the EEA, the UK, and Switzerland, including providing information reasonably necessary for Customer to complete a transfer impact assessment. ONELIVE may charge Customer for assistance with transfer impact assessments, data protection impact assessments, or consultations with a supervisory authority.

12. Customer Personal Data Subject to UK and Swiss Data Protection Laws

To the extent the processing of Customer Personal Data or Jointly Controlled Data is subject to UK or Swiss data protection law, the UK International Data Transfer Addendum to the SCCs and/or the Swiss adaptations described in Schedule 3 apply, and the SCCs are read and interpreted accordingly so as to provide the appropriate safeguards required by Article 46 of the GDPR and/or the Swiss Federal Act on Data Protection, as applicable.

13. Customer Personal Data Subject to US Data Privacy Laws

To the extent the processing of Customer Personal Data is subject to US Data Protection Laws, the U.S. Addendum set out in Schedule 4 applies. Within the MoR Domain, each Party complies with US Data Protection Laws applicable to it as a business or controller.

14. Data Protection Impact Assessments

14.1 ONELIVE will, taking into account the nature of the processing and the information available to it, provide Customer with reasonable assistance to fulfill Customer’s obligations under GDPR Article 35 or any equivalent provision to conduct a data protection impact assessment (“DPIA”) and, where required, to carry out prior consultation with a competent supervisory authority. For DPIAs concerning MoR-Domain processing, ONELIVE leads, with Customer providing inputs, as allocated in Schedule 5.

14.2 Upon written request, ONELIVE will provide Customer with information reasonably necessary for Customer to complete a DPIA, including information about ONELIVE’s processing activities, Sub-processors, and technical and organizational security measures as set out in this JC-DPA and Schedule 2, to the extent within ONELIVE’s control. ONELIVE is not required to disclose (i) information subject to confidentiality obligations owed to third parties, (ii) ONELIVE’s confidential business information, proprietary technology, source code, or trade secrets, or (iii) any information whose disclosure would itself create a security risk.

14.3 ONELIVE will charge Customer, at its then-current professional services rate, for any assistance with DPIAs, transfer impact assessments, or prior consultations that goes beyond providing information already contained in this JC-DPA or its Schedules, or beyond standard self-service functionality. ONELIVE will provide a written fee estimate before commencing any such extended assistance.

15. Limitation of Liability and Indemnification

15.1 Cap. Each Party’s aggregate liability to the other under or in connection with this JC-DPA, whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise, in respect of all claims in any twelve-month period, shall not exceed the total fees paid or payable by Customer to ONELIVE under the Agreement in the twelve (12) months immediately preceding the event giving rise to the claim (the “Liability Cap”).

15.2 Exclusions from Cap. The Liability Cap does not apply to: (a) a Party’s obligation to indemnify the other to the extent the indemnified claim arises from the indemnifying Party’s own gross negligence or willful misconduct; or (b) any liability that cannot be limited or excluded under Applicable Data Protection Laws. With respect to claims brought directly against ONELIVE by third-party data subjects under Article 82 of the GDPR or equivalent provisions, ONELIVE’s aggregate liability in any contract year shall not exceed two (2) times the total fees paid or payable by Customer to ONELIVE under the Agreement in the twelve (12) months preceding the event giving rise to the claim (the “Data Subject Claims Cap”).

15.3 Consequential Loss. Neither Party shall be liable to the other for any loss of profits, revenue, business, goodwill, or data, or any indirect, special, incidental, or consequential loss or damages, however arising, except to the extent such exclusion is prohibited by Applicable Data Protection Laws.

15.4 Joint and several liability (Article 82). The Parties acknowledge that under Article 82(4) of the GDPR each controller involved in jointly controlled processing may be held liable to a data subject for the entire damage caused by that processing, subject to the right of contribution under Article 82(5). As between the Parties, each will be responsible for the portion of any such liability attributable to its own acts, omissions, or domain of responsibility under Schedule 5, and the indemnities in clause 15.6 give effect to that allocation. This allocation does not limit a data subject’s statutory right to claim against either Party.

15.5 Customer acknowledges that ONELIVE processes Customer Personal Data principally at the application and administrative layer of third-party Platforms over whose underlying infrastructure ONELIVE has no control, and that the Liability Cap and the Data Subject Claims Cap reflect a fair allocation of risk between the Parties that is proportionate to the fees payable under the Agreement and the degree of control ONELIVE exercises over the relevant processing.

15.6 Indemnification. Each Party will indemnify, defend, and hold harmless the other Party and its Affiliates against all claims, demands, actions, losses, liabilities, damages, fines, penalties, and reasonable costs and expenses (including reasonable legal fees) arising out of or in connection with the indemnifying Party’s breach of its allocated responsibilities under Schedule 5 or of its own controller obligations under Applicable Data Protection Laws in respect of Jointly Controlled Data. In addition, Customer will indemnify, defend, and hold harmless ONELIVE and its Affiliates against all such losses arising out of or in connection with: (a) Customer’s breach of its obligations as a controller (or, where applicable, processor) under Applicable Data Protection Laws in the Storefront Domain; (b) any instruction issued by Customer to ONELIVE that causes ONELIVE to be in violation of Applicable Data Protection Laws; (c) Customer’s failure to obtain or maintain any consent, authorization, or lawful basis required for the processing of Customer Personal Data; and (d) any inaccuracy, defect, or deficiency in the Customer Personal Data or in Customer’s configuration of the Applications or Platforms. The indemnification in this clause 15.6 is not subject to the Liability Cap.

16. Force Majeure

16.1 Neither Party will be in breach of its obligations under this JC-DPA, or liable to the other for any failure to perform or delay in performing any obligation, to the extent that such failure or delay arises from a cause beyond that Party’s reasonable control (a “Force Majeure Event”), including: acts of God; flood, fire, earthquake, epidemic, or pandemic; war, terrorism, riot, or civil unrest; action or inaction of governmental or regulatory authorities; or the failure, outage, suspension, or security incident of a third-party Platform (including Shopify or BigCommerce), telecommunications provider, cloud infrastructure provider, or other upstream service on which ONELIVE’s delivery of the Services depends, provided the affected Party has taken reasonable precautions to avoid or mitigate the Force Majeure Event.

16.2 A Party claiming a Force Majeure Event will: (a) notify the other Party in writing as soon as reasonably practicable after the Force Majeure Event begins, describing the nature, likely duration, and anticipated impact; and (b) use commercially reasonable efforts to resume full performance as promptly as practicable.

16.3 Where ONELIVE’s ability to meet its obligations under this JC-DPA is prevented or materially delayed by a Force Majeure Event, any applicable service-level commitments, processing timelines, or notification deadlines are suspended for the duration of the Force Majeure Event without liability to ONELIVE, provided ONELIVE continues to use reasonable efforts to notify Customer and to mitigate its effects.

16.4 If a Force Majeure Event affecting ONELIVE’s performance continues for more than thirty (30) consecutive days, Customer may terminate the affected portion of the Services on written notice to ONELIVE without penalty to either Party. Any pre-paid fees for the affected Services will be refunded on a pro-rated basis from the date Customer’s written termination notice is received.

17. General

17.1 Each Party certifies that it understands and will comply with its obligations under this JC-DPA.

17.2 This JC-DPA and the Agreement set forth the entire agreement between the Parties with respect to the subject matter of this JC-DPA. If any provision is held invalid or unenforceable, the remainder continues in full force and effect.

17.3 ONELIVE may amend this JC-DPA on thirty (30) days’ written notice to Customer where reasonably necessary to reflect changes in Applicable Data Protection Laws, updates to its technical and organizational measures, the addition or replacement of Sub-processors, or changes to its merchant-of-record arrangements. If Customer materially objects to an amendment on reasonable data protection grounds, Customer may notify ONELIVE within the thirty (30)-day notice period, and the Parties will work together in good faith to resolve the objection; if no resolution is reached, Customer may terminate the affected portion of the Services as its sole and exclusive remedy. Any amendment required to comply with Applicable Data Protection Laws takes effect immediately upon notice.


Schedule 1 — Details of Processing

Part 1 — List of Parties

Data Exporter / Controller. Customer, as identified in the Agreement, together with any Customer Affiliates on whose behalf Customer Personal Data is processed. Customer’s contact person, and (where applicable) its data protection officer or EU/UK representative, are as identified in the Agreement or as notified to ONELIVE in writing. The activities relevant to the transfer are those defined by the Agreement, under which Customer determines the scope and purpose of processing in connection with the Applications and Services.

Data Importer / Processor (Storefront Domain) and Joint Controller (MoR Domain). ONELIVE, LLC, 4101 Smith School Rd., Bldg. 3, Ste. 300, Austin, TX 78744, United States. Contact and Data Protection Lead: ONELIVE Legal Team — legal@onelive.com. ONELIVE’s activities relevant to the transfer: provision, development, hosting, configuration, and administration of Applications and Services on top of the Platforms; facilitation of the processing necessary to deliver the Services; and, as merchant of record, determination and processing of Financial/Tax Data for financial, payment-settlement, and tax-compliance purposes.

Part 2 — Description of Transfer

  • Consumers and fans purchasing from, registering with, or otherwise interacting with Customer’s storefronts and the Applications;
  • Customer’s personnel and authorized users who access or administer the Platforms and Applications; and
  • Where applicable, artists, athletes, talent, or other rights holders’ representatives whose data Customer shares in connection with the Services.
  • Consumer / fan data: identifying information including name, stage name, representative’s name, and previous name; contact details (including email and postal address); date of birth; address history; country of residence; order, purchase, and booking information; price and payment information (excluding full payment-card data, which is processed by the Platforms’ payment processors); preferences, ratings, and settings information; messages; and technical data including device and browser information and IP address.
  • Personnel / user data: identifying information including name and email address; role and permission level; and technical data including device and browser information and IP address.
  • Financial/Tax Data (MoR Domain, jointly controlled): transaction, settlement, invoice, receipt, refund, and chargeback records; tax determination, collection, and remittance records; and payer/purchaser billing identity necessary for financial and tax compliance. Excludes Cardholder Data.
  • Sensitive data: None. ONELIVE does not request or require special categories of Personal Data to provide the Services, and Customer is responsible for not configuring the Applications or Platforms to process such data without appropriate safeguards.
  • Frequency of transfer: Continuous, for the term of the Agreement.
  • Nature of processing: Collection, storage, organization, retrieval, consultation, use, configuration, transmission, and erasure of Customer Personal Data and Financial/Tax Data as necessary to develop, host, operate, and administer the Applications and Services on the Platforms and to discharge ONELIVE’s merchant-of-record obligations.
  • Purpose(s): To perform the Applications and Services as described in the Agreement, and to determine, collect, remit, and record transaction taxes and financial settlements as merchant of record.
  • Retention period: For as long as necessary to provide the Services, or as required by applicable law (including tax and financial-recordkeeping law for Financial/Tax Data), after which the deletion and return provisions of clause 9 apply.
  • Transfers to Sub-processors: As specified in Schedule 3 and the Sub-processor list, and solely for as long as necessary to provide the Services or as required by applicable law.

Part 3 — Competent Supervisory Authority

Where Customer is established in an EU Member State, the competent supervisory authority is that of the Member State in which Customer is established. Where Customer is not established in the EEA but falls within the territorial scope of the GDPR and has appointed an Article 27 representative, the competent supervisory authority is that of the Member State where the representative is established. Otherwise, the competent supervisory authority is identified in accordance with clause 13 of the SCCs.


Schedule 2 — Technical and Organizational Measures

ONELIVE has implemented the following technical and organizational measures to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks to data subjects. Because ONELIVE operates at the application and administrative layer of the Platforms, infrastructure-level measures are implemented by the Platforms and other Sub-processors; ONELIVE’s measures focus on the secure development and operation of the Applications and on secure administration of the Platforms on Customer’s behalf.

  1. Pseudonymization and encryption of Personal Data. Within the Applications it develops, ONELIVE uses commercially available, industry-standard encryption for data in transit and supports encryption of data at rest. At the infrastructure level, pseudonymization and encryption are performed by the Platforms and Sub-processors; technical details are available via the links in ONELIVE’s list of data processors at https://www.onelive.com/legal/processors.
  2. Confidentiality, integrity, availability, and resilience of processing systems. ONELIVE ensures confidentiality internally through ongoing employee training and role- and necessity-based data access levels. The ongoing integrity, availability, and resilience of the underlying processing systems are managed by the Platforms on which the Applications operate.
  3. Ability to restore availability and access after an incident. As an application developer and service provider, ONELIVE does not own or control the servers of the Platforms or other Sub-processors, but works with them to ensure timely remediation. Restoration capabilities vary by Sub-processor; all of ONELIVE’s Platforms maintain defined measures for restoring availability and access.
  4. Regular testing, assessment, and evaluation of effectiveness. ONELIVE conducts periodic reviews of its internal security processes and holds recurring meetings with its Sub-processors to address operational and organizational needs and any issues affecting data security. Because ONELIVE does not control Sub-processor servers, direct infrastructure testing is performed by the Sub-processors. If an issue is discovered relating to a Sub-processor, ONELIVE will notify Customer promptly and work with the Sub-processor to protect Customer Personal Data.
  5. User identification and authorization. ONELIVE maintains administrative access within the Platforms and Applications provisioned to Customer and enables administrative access to Customer on request; user identification and authorization may therefore be controlled by both Customer and ONELIVE. ONELIVE’s internal practices include notifications of new users added to a Platform, followed by evaluation and confirmation of access and permission levels in collaboration with Customer. Unauthorized or unapproved users are denied access or removed.
  6. Protection of data during transmission. ONELIVE does not manage the servers or transmission-layer security of its Sub-processors, which are managed by the Sub-processors. At the application and admin level, ONELIVE configures available options within Platform and integration settings to protect data in transit to the extent those configurations allow, and uses encrypted connections within the Applications it builds.
  7. Protection of data during storage. ONELIVE does not manage the servers of its Sub-processors; measures for protecting data at rest are taken by the Sub-processors. Where the Applications store Customer Personal Data, ONELIVE applies access controls and supports encryption at rest.
  8. Physical security of processing locations. ONELIVE accesses the Platforms under license and does not own or control the Sub-processors’ server rooms or on-premises facilities, including their physical security. Physical security at the infrastructure level is maintained by the Sub-processors.
  9. Events logging. Within each Platform’s available administrative configurations, ONELIVE ensures event logging is enabled and accessible and, where supported, configured to trigger notifications relevant to security or Customer’s requested parameters. The degree of logging available is determined by each Platform.
  10. System configuration, including default configuration. Within each Platform’s administrative and permissions tools, ONELIVE configures systems (including modifying default configurations where necessary) to be consistent with Customer’s data security and access needs and with applicable compliance requirements.
  11. Internal IT and IT security governance. Details of ONELIVE’s internal IT security management are available in ONELIVE’s Data Privacy Notice at https://www.onelive.com/data-privacy-notice.
  12. Certification and assurance of processes and products. Each Platform and Sub-processor maintains its own certifications and assurances, available via the links in ONELIVE’s list of data processors. Assurances of ONELIVE’s own processes are described in ONELIVE’s Privacy Standard and Data Privacy Notice at https://www.onelive.com/data-privacy-notice.
  13. Data minimization. From an application-design and administrative perspective, ONELIVE limits its use of Customer Personal Data to what is necessary to achieve Customer’s intended purposes, and nothing beyond. Further measures are described in ONELIVE’s Data Privacy Notice at https://www.onelive.com/data-privacy-notice.
  14. Data quality. In accordance with Customer requests and the capabilities provided by each Platform, ONELIVE supports the quality of Customer Personal Data through Platform admin settings and any customizations made to the Applications.
  15. Limited data retention. In accordance with Customer’s request, or where required by law, ONELIVE takes reasonable steps to remove Personal Data from systems where the data or the system is no longer required, including obliging Sub-processors to delete or destroy such data where applicable.
  16. Accountability. ONELIVE maintains internal accountability measures including adherence to the data protection principles in its Privacy Standard, assignment of a Data Protection Lead, integration of data protection into internal documents and processes, regular employee training, periodic internal reviews, and joint reviews of Sub-processor security processes.
  17. Data portability and erasure. Sub-processors maintain their own formats for portability. On request, ONELIVE can assist with portability by exporting data from relevant Platforms into a standard CSV file for the requesting individual. For erasure, ONELIVE works directly with Sub-processors to erase data within available admin privileges and to confirm system-wide erasure for data outside those privileges.
  18. Assistance with data subject right requests. ONELIVE assists with Data Subject Requests insofar as they relate to the Applications and Platforms ONELIVE manages on Customer’s behalf, including identity verification, request clarification, confirming whether data is processed or stored within the Platforms, and inspecting, collecting, formatting, and packaging the data for Customer.

Schedule 3 — Standard Contractual Clauses, Processor, and Sub-Processor Details

For the purposes of the EU Standard Contractual Clauses:

  1. Module One (controller to controller) applies to transfers of Jointly Controlled Data between Customer and ONELIVE as joint controllers in the MoR Domain.
  2. Module Two (controller to processor) applies where Customer acts as controller and ONELIVE as processor in the Storefront Domain.
  3. Module Three (processor to processor) applies where Customer acts as processor and ONELIVE as sub-processor, as described in clause 3 of this JC-DPA.
  4. Clause 7 of the SCCs (Docking Clause) does not apply.
  5. Under Clause 9, Option 2 (general written authorization) applies; the notice period is the period specified in clause 5.3 of this DPA.
  6. The option in Clause 11(a) of the SCCs (independent dispute resolution body) does not apply.
  7. For Clause 17 (Governing law) and Clause 18 (Choice of forum and jurisdiction), the Parties select the law and courts specified in the Agreement; where the Agreement is silent, the law of Ireland and the courts of Ireland apply.
  8. For Annex I of the SCCs, Schedule 1 of this DPA provides the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
  9. For Annex II of the SCCs, Schedule 2 of this DPA provides the technical and organizational measures.
  10. For Annex III of the SCCs, the authorized Sub-processors are the Platforms (Shopify and BigCommerce) and the Sub-processors listed at https://www.onelive.com/legal/processors. The contact details of a Sub-processor will be provided by ONELIVE on request.

UK transfers: The UK International Data Transfer Addendum issued by the UK Information Commissioner forms part of this DPA for transfers subject to the UK GDPR, and the SCCs are read and interpreted in light of that Addendum.

Swiss transfers: For transfers subject to Swiss data protection law, references in the SCCs to the GDPR are read as references to the Swiss Federal Act on Data Protection, the competent authority is the Federal Data Protection and Information Commissioner, and references to EU Member States are read to permit data subjects to bring proceedings in their place of habitual residence in Switzerland.


Schedule 4 — U.S. Addendum

Part 1 — Service Provider Contract Terms (Cal. Civ. Code §1798.140(ag)(1))

To the extent that the processing of Customer Personal Data is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CPRA”) or other applicable US Data Protection Laws, the following terms apply. ONELIVE acts as a “service provider” as defined in Cal. Civ. Code §1798.140(ag) and is subject to the restrictions set forth below. In the MoR Domain, ONELIVE acts as a business/controller and complies with the obligations applicable to it in that capacity.

1. Business Purposes and Use Restrictions

ONELIVE will collect, access, retain, use, disclose, and otherwise process Customer Personal Data solely for the business purposes specified in the Agreement (including providing, maintaining, and improving the Applications and Services, preventing fraud and security incidents, and complying with applicable law), and will not process Customer Personal Data for any purpose other than those business purposes, including for ONELIVE’s own commercial purposes. ONELIVE specifically is prohibited from:

  • selling Customer Personal Data, or making Customer Personal Data available to any third party, for monetary or other valuable consideration;
  • sharing Customer Personal Data with any third party for cross-context behavioral advertising;
  • retaining, using, or disclosing Customer Personal Data for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by US Data Protection Laws;
  • retaining, using, or disclosing Customer Personal Data outside the direct business relationship between the Parties; and
  • except as otherwise permitted by US Data Protection Laws, combining Customer Personal Data with Personal Data that ONELIVE receives from, or on behalf of, another person, or collects from its own interaction with the data subject.

2. Sensitive Personal Information

Where Customer Personal Data includes “sensitive personal information” as defined in Cal. Civ. Code §1798.140(ae) — including Social Security numbers, driver’s license or passport numbers, financial account credentials, precise geolocation data, racial or ethnic origin, religious beliefs, union membership, content of private communications, genetic data, biometric data processed to identify an individual, health or medical information, or information concerning sexual orientation or gender identity — ONELIVE will process such data solely for the purpose of providing the Services as specified in the Agreement and for no other purpose. ONELIVE will implement and maintain additional technical safeguards appropriate to the heightened sensitivity of such data, including stricter access controls and enhanced logging.

3. Customer Monitoring Rights

Customer may take reasonable and appropriate steps to verify that ONELIVE is processing Customer Personal Data in a manner consistent with Customer’s obligations under US Data Protection Laws and with the terms of this DPA and the Agreement. Such steps may include: (a) requesting and reviewing ONELIVE’s data processing records and policies relevant to the Services; (b) conducting or commissioning a compliance assessment or audit pursuant to clause 7 of the DPA; and (c) requesting written certification from ONELIVE that it has complied and continues to comply with the restrictions in this Schedule. ONELIVE will reasonably cooperate with such monitoring activities.

4. ONELIVE’s Obligation to Notify if Compliance Cannot Be Met

If ONELIVE determines at any time that it can no longer meet its obligations under US Data Protection Laws or under this Schedule 4 with respect to Customer Personal Data, ONELIVE will notify Customer in writing without undue delay and in any event within five (5) business days of that determination. Upon such notice, Customer may direct ONELIVE to stop processing the affected Customer Personal Data, and ONELIVE will cease processing promptly upon receipt of such direction, without prejudice to Customer’s right to terminate the Agreement.

5. Customer’s Right to Stop and Remediate Unauthorized Processing

Upon Customer’s reasonable determination that ONELIVE is processing Customer Personal Data in a manner that is unauthorized or inconsistent with the Agreement or this DPA, Customer may direct ONELIVE in writing to cease the unauthorized processing immediately. ONELIVE will cease such processing within forty-eight (48) hours of receiving Customer’s written direction, and will cooperate with Customer to remediate any unauthorized use, including by deleting or returning the relevant data as directed.

6. Assistance with Consumer Requests

ONELIVE will assist Customer in fulfilling its obligations to respond to verifiable consumer requests under US Data Protection Laws, including requests to know, delete, correct, and opt out of sale or sharing of personal information, to the extent such requests relate to Customer Personal Data processed by ONELIVE on Customer’s behalf. ONELIVE will not be required to disclose to consumers any of ONELIVE’s confidential business information in responding to such requests.

7. Sub-processors and Downstream Contracts

ONELIVE will ensure that any Sub-processor engaged to process California residents’ Personal Data on ONELIVE’s behalf is bound by a written contract imposing the same restrictions and requirements as this Schedule 4, to the extent applicable to the nature of that Sub-processor’s services. ONELIVE remains responsible for each Sub-processor’s compliance with this Schedule to the extent set out in clause 5.2 of the DPA.

8. Other US State Privacy Laws

To the extent Customer Personal Data includes Personal Data of residents of states with applicable comprehensive privacy laws (including, without limitation, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and Delaware), ONELIVE will process such data as a “processor” or “service provider” under those laws and will comply with the obligations applicable to processors and service providers thereunder. ONELIVE will provide the same level of privacy protection to residents of all states as is required under the most stringent applicable US Data Protection Law. ONELIVE will comply with the applicable obligations under US Data Protection Laws and will provide the same level of privacy protection as required of Customer. Customer may take reasonable and appropriate steps to help ensure that ONELIVE uses Customer Personal Data in a manner consistent with Customer’s obligations under US Data Protection Laws, and to stop and remediate any unauthorized use.

Schedule 5 — Article 26 Joint-Controller Arrangement

This Schedule constitutes the arrangement required by Article 26 of the GDPR. It allocates responsibility between the Parties for the Jointly Controlled Data in the MoR Domain. The essence of this Schedule will be made available to data subjects through each Party’s privacy notice.

Part 1 — Scope of Joint Control

Joint control applies solely to Financial/Tax Data within the MoR Domain: transaction and settlement records; invoice, receipt, refund, and chargeback records; tax determination, collection, and remittance records; payer/purchaser billing identity necessary for financial and tax compliance; and related financial-reporting records. It does not extend to Storefront-Domain data, Cardholder Data, Account Information, or Customer’s marketing and consumer-relationship data.

Part 2 — Allocation of Responsibilities

| GDPR Obligation | Lead Party | Supporting Party |
|---|---|---|
| Transparency to data subjects (Arts. 13–14) — financial/tax processing | ONELIVE (for its MoR processing); Customer (for its commercial use) | Each supports the other’s notice content |
| Data-subject requests (Arts. 15–22) — Storefront Domain | Customer | ONELIVE forwards & assists |
| Data-subject requests touching tax/financial records | ONELIVE | Customer forwards to ONELIVE |
| Security of processing (Art. 32) | Each Party for its own systems | Mutual cooperation |
| Breach notification to supervisory authority (Art. 33) | Each Party for its own Art. 33 duty | 72-hour inter-Party alert (clause 8.2) |
| Breach communication to data subjects (Art. 34) | Customer for Storefront; ONELIVE for MoR records | Mutual cooperation |
| DPIA (Art. 35) for MoR processing | ONELIVE | Customer provides inputs |
| Records of processing (Art. 30) | Each Party maintains its own | -- |
| Tax / financial regulatory reporting | ONELIVE | Customer provides accurate data |

Part 3 — Point of Contact

For the MoR Domain (Financial/Tax Data), ONELIVE is the designated point of contact for data subjects: ONELIVE Legal Team, legal@onelive.com. For the Storefront Domain, Customer is the designated point of contact. Under Article 26(3) of the GDPR, a data subject may exercise their rights against either Party irrespective of this allocation. Each Party will publish the point-of-contact information and the essence of this arrangement in its privacy notice.

Part 4 — Transfers of Jointly Controlled Data

Where Jointly Controlled Data subject to the GDPR, UK GDPR, or Swiss law is transferred between the Parties as controllers to a country without an adequacy decision, the controller-to-controller Standard Contractual Clauses (Module One), with the UK Addendum and Swiss adaptations as applicable, apply.

Part 5 — Liability Allocation

As between the Parties, liability for jointly controlled processing is borne by the Party responsible for the relevant obligation under Part 2, subject to the right of contribution under Article 82(5) and the cross-indemnities in clause 15.6. This allocation does not limit a data subject’s right under Article 82(4) to claim against either Party.