PLEASE READ THROUGH THESE TERMS CAREFULLY.
These Terms of Use (“Terms of Use”) describe the terms under which Wild Apricot Inc., formerly ePly Services, Inc., doing business as ePly (“ePly”), offers each Client access to the Services (as defined herein). ePly and Client may be referred to together herein as the “Parties” or individually herein as a “Party.”
By accessing the Services or any portion thereof, Client agrees to comply with and to be bound by these Terms of Use, including any policies and guidelines linked to (by way of the provided URLs) from these Terms of Use. If Client does not understand or agree with these Terms of Use, please do not use the Services.
These Terms of Use are incorporated by reference into each Order Form executed by the Client and, if applicable, each Statement of Work executed by the Client. ePly may amend these Terms of Use at any time in its sole discretion, effective upon posting the amended Terms of Use on the ePly website where the prior version of the Terms of Use was posted, or by communicating these changes through any written contact method ePly has established with the Client. Each Order Form and SOW shall be governed by the Terms of Use in effect on the effective date of each such Order Form and SOW; provided that, when an Order Form or SOW is affirmatively or automatically renewed, each such Order Form or SOW shall thereafter be governed by the version of the Terms of Use in effect at the time of the renewal.
Term
This contract covers a one year period unless terminated in accordance with the paragraph below.
Description of Services
These Terms of Use relate to the provision of the online event registration services (the “Services”). These Services allow event participants to register and pay for events online and for the Client to access the registration data via the ePly website.
Ownership
ePly owns all right, title and interest of all websites associated with ePly’s business and all components that make up the online registration Services. Clients may only use the Services as described within this contract.
Responsibility for Password
ePly will provide the Client with a password and event id to access the collected data. The Client is responsible for maintaining the confidentiality of the password and is fully responsible for all activities that occur using the password. ePly will not be liable for any loss or damage arising from the Client’s failure to comply with this responsibility.
Privacy and Personal Information
Client acknowledges and agrees that the use of the Services by Clients and its registrants shall be subject to the Privacy Policy, which may be found at https://www.eply.com/privacy-policy. Client shall ensure that each of its registrants and members has read and understands the Privacy Policy. Please note that all personal data acquired by and through the ePly Service is stored in Canada. However, as stated in our Privacy Policy, personal data acquired directly by ePly’s corporate parent, Personify Inc., or Personify Inc.’s affiliates may be stored outside of Canada.
Data Protection Addendum
Both Parties shall comply with the terms set forth in the Data Protection Addendum incorporated into these Terms of Use.
Technical Support
ePly will provide the Client technical support relating to the use of the Services via email and live chat between the hours of 9am and 5pm Eastern Standard Time, Monday through Friday, excluding federal holidays in the United States and Canada. ePly is not responsible for providing technical support to event participants. ePly reserves the right to establish reasonable limitations on the extent of technical support.
Pricing and Payment
ePly will invoice the client for all fees. Invoices are due upon receipt. Amounts 30 days or more past due will accrue interest at the rate of 1.5% per month. If ePly requires use of collection agencies, attorneys, or courts of law for collection on the Client’s account, the Client shall be responsible for those expenses. ePly may change any of the Fees upon the commencement of any renewal Term by giving thirty (30) days-notice to Client, which may be given in writing or by email to the address on file. It is the Client’s responsibility to keep their account information current. ePly is not responsible for notices that are undeliverable due to Client’s account information not being current.
Additional work not described in this contract or work that the Client asks ePly to do to help with set up, special customization or other programming will be billed at a rate of $125.00/hour. Before proceeding with any chargeable work, ePly will quote a time estimate or a fixed price and outline the work to be done in an email. The Client will be asked to reply to the email accepting the charges before the work is started.
Registration Charges
The Client will not be billed for fraudulent or duplicate registrations provided they are deleted from the database. ePly determines the registration count on the second day of each month. The Client is responsible for paying for all other registrations.
Client Using Own Online Merchant Account
The Client is responsible to open and/or maintain the required merchant and gateway company accounts and pay all associated fees and handle directly all chargebacks, refunds and other payment related issues. ePly’s responsibility is limited to linking the online registration form to the gateway company and setting up the database to record the result of the transactions.
Email Invitation System
The Client is only permitted to use ePly’s email system to invite contacts to register for an event where the ePly system is being used to handle the registrations or to directly communicate with contacts who are already registered in the ePly system provided that the email list complies with ePly’s Anti-Spam Policy at https://www.eply.com/anti-spam-policy. Use of the email system is monitored and using it for any other purpose such as to send newsletters or other marketing material will result in the Client’s emailing privileges being suspended. ePly reserves the right to remove any uploaded contacts from the invitation system without notice after an account has not had a live registration form for more than 30 days.
Compliance; Responsibility For Registrants.
Client shall comply with all terms of this Agreement, including without limitation the representation and warranty restrictions contained below, and shall ensure that all of Client’s registrants and clients comply with the terms of this Agreement. Client shall comply with all applicable, international, federal, state/provincial and local laws and regulations, and will respect and not violate the rights of third parties (including any intellectual property rights of a third party in any Client Content and any and all privacy laws), in the performance of its obligations hereunder. Client represents and warrants that it will not provide or upload any materials, including the Client Content, to ePly or the Services that actually, or could potentially, violate a third party’s intellectual property rights. Client is responsible for all acts or omissions of its registrants. Client will immediately notify ePly if Client becomes aware of any violation of the terms of this Agreement by Client or any of its registrants or clients.
License To Client Materials.
Client hereby grants to ePly a non-exclusive, worldwide, royalty-free, irrevocable (for the term), fully-paid, sublicensable license for the term of this Agreement to edit, modify, adapt, translate, exhibit, publish, transmit, participate in the transfer of, reproduce, create derivative works from, distribute, perform, display, process and otherwise use the Client Content as necessary to render the Services to Client under this Agreement. “Client Content” means all text, pictures, sound graphics, video and other data including personal data as defined under the General Data Protection Regulation or copyrightable material, whether owned by Client or a third party, supplied by Client to ePly to be included in the Services, as such materials may be modified from time to time. Client shall cause its registrants’ to assign to ePly the same rights and privileges that Client has granted to ePly.
Confidentiality
Information concerning the business affairs, finances and methods of operation and other confidential topics of either party (collectively “Confidential Information”) shall be kept confidential by both parties and not disclosed unless (a) such information becomes publicly available (b) written permission is granted by the owner of the information (c) in response to a valid court order or governmental order, or (d) required by law.
Termination
ePly or the Client shall have the right to terminate this Agreement with 60 days prior written notice or upon the occurrence of either of the following events: (a) either party breaching or failing to perform any provisions of this Agreement and the same is not cured within thirty (30) days after receipt of notice in writing specifying such breach; or (b) either party’s failure to pay when due any monies owed hereunder and such failure to pay continues for greater than thirty (30) days. No monies, except for those that were collected for or on behalf of Client that are in excess of any monies due to ePly shall be returnable or refundable upon termination of this Agreement for any reason, whether such termination is by the Client or ePly. This includes any setup/maintenance fees charged by ePly. Rights and obligations, which by their nature would be expected to survive, will survive the term ending or any termination of this Agreement.
Severability
Each provision of this Agreement shall be severable. If any provision of it is illegal or invalid, the illegality or invalidity shall not affect the validity of the remainder of this Agreement.
Entire Agreement
This agreement, and the terms and documents incorporated by reference, constitutes the entire agreement between ePly and the Client for the event described above. Any previous agreement or negotiations between ePly and the Client are superseded by this Agreement.
Agreement Binding
This Agreement shall enure to the benefit of and be binding on the respective heirs, executors, administrators and assigns of each of the parties to it.
No Assignment
Neither this Agreement nor any of the Clients rights or responsibilities may be assigned, subcontracted or otherwise transferred without ePly’s prior written consent. Any attempted assignment, subcontract or transfer will be considered a material breach of this Agreement.
DISCLAIMER OF WARRANTIES
THE SERVICES, INCLUDING ALL CONTENT AND CLIENT CONTENT INCORPORATED IN THE SERVICES AND TECHNOLOGY USED TO PROVIDE THE SERVICES (INCLUDING ANY TECHNOLOGY, SOFTWARE, OR HARDWARE PROVIDED BY A THIRD PARTY), ARE PROVIDED “AS-IS” AND “WITH ALL FAULTS.” ePly DOES NOT MAKE AND HEREBY DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTIES OF ANY KIND, INCLUDING BUT NOT LIMITED TO ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY OR NONINFRINGEMENT WITH RESPECT TO THE SERVICES AND ANY TECHNOLOGY, SOFTWARE, OR HARDWARE PROVIDED BY A THIRD PARTY. ePLY DOES NOT WARRANT THAT THE USE OR OPERATION OF THE SERVICES OR THE ePLY WEBSITE WILL BE WITHOUT INTERRUPTION, SECURE OR ERROR-FREE.
LIMITATION OF LIABILITY
ePLY, ITS OFFICERS, DIRECTORS, EMPLOYEES, OR AFFILIATES WILL NOT BE LIABLE FOR ANY LOSSES, DAMAGES, COSTS, OR EXPENSES RELATING TO (A) THE CLIENT CONTENT, (B) THE RESULTS THAT MAY BE OBTAINED OR DECISIONS MADE USING ANY PART OF THE SERVICES, OR (C) ANY DAMAGES RESULTING FROM UNAUTHORIZED THIRD PARTY MISUSE OF THE SERVICES. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THIS AGREEMENT, IN NO EVENT SHALL ePLY BE LIABLE FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES RELATED TO LOSS OF DATA OR INFORMATION OR LOST PROFITS, RELATING TO OR ARISING FROM THIS AGREEMENT, INCLUDING THE USE OF, OR INABILITY TO USE ANY OF THE SERVICES, OR ACTION OR INACTION WITH RESPECT TO THE WEBSITE, EVEN IF ePLY IS NOTIFIED IN ADVANCE OF SUCH POSSIBILITY. ePLY AND CLIENT’S TOTAL LIABILITY UNDER THIS AGREEMENT SHALL NOT EXCEED FIFTY-PERCENT (50%) OF THE TOTAL AMOUNT PAID BY CLIENT TO ePLY UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS PRIOR TO WHEN THE LIABILITY ARISES. ALL LIABILITY IS CUMULATIVE AND NOT PER INCIDENT.
Indemnity from Client
Client shall defend and hold harmless ePly and/or its shareholders, officers, directors, attorneys and employees (each, an “ePly Indemnified Party”) from and against any third party claim, suit, damage, action, or proceeding brought against any ePly Indemnified Party, and Client agrees to indemnify ePly against any damages and costs (including reasonable attorney’s fees) incurred by any of the ePly Indemnified Parties which arise out of, result from or are related to: (i) any breach by Client of this Agreement; (ii) the results obtained, products obtained, transactions attempted or processed, or decisions made by Client or any of its users of any Service; (iii) any act, omission, misuse or use of any portion of the Services by Client or any of Client’s registrants; (iv) the Advertisements; (vi) any breach of any privacy laws or (vii) any claims of infringement of any copyright, patent or trade secret or other proprietary rights arising from the Content, Client Content, or from any unauthorized modification, enhancement or misuse of any Service by Client. If the Client receives payment services, the Client will additionally indemnify, defend and hold harmless the Indemnified Parties from and against any and all claims, losses, demands, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) either arising out of or relating to (i) the sale or use of any product or service sold by Client, (ii) claims brought or damages suffered by any third party relating to Client’s or its agent’s misuse of the Payment Services, (iii) claims by credit card holders that their credit cards were charged by Client without authorization, (iv) Client’s breach of any third-party terms incorporated into this Agreement by reference; or (v) revocation of Payment Services. Client shall not settle any such claim without ePly’s prior written consent. ePly shall promptly notify Client in writing of any claim arising or potentially arising under this indemnity.
Indemnity by ePly
ePly shall defend and hold harmless Client and/or its shareholders, officers, directors, attorneys and employees (each, a “Client Indemnified Party”) from and against any third party claim, suit, damage, action, or proceeding brought against any Client Indemnified Party, and ePly agrees to indemnify Client against any damages and costs (including reasonable attorney’s fees) incurred by any of the Client Indemnified Parties which arise out of, result from or are related to: (i) any breach by ePly of this Agreement; (ii) any act, omission, misuse or use of the Content or Client Content; or (iii) any claims of infringement of any copyright, patent or trade secret or other proprietary rights arising from the Services. Client shall promptly notify ePly in writing of any claim arising or potentially arising under this indemnity.
Cooperation with ePly and Authorities
Each party will cooperate with law enforcement and other authorities in investigating claims of illegal activity or suspected illegal activity or violations of law. In addition, Client shall cooperate with ePly in any corrective action that ePly deems necessary to correct and prevent impermissible use of ePly’ Services by any of Client’s end users, including without limitation, providing ePly with all information necessary to investigate the suspected violation. In addition, ePly may disclose information transmitted over its facilities where necessary to protect ePly and its customers from harm, or where such disclosure is necessary to the proper operation of ePly’ Services.
Governing Law; Enforcement of Agreement
This Agreement shall be governed by, and construed in accordance with, the laws of the Province of Ontario, Canada, regardless of the laws that might otherwise govern under applicable principles of conflicts of laws thereof. Each party hereby irrevocably submits to the exclusive jurisdiction of the Ontario Court.
Force Majeure
Neither ePly nor our customers shall be responsible for damages or for delays or failures in performance resulting from acts or occurrences beyond their reasonable control, including, without limitation: computer and internet viruses, fire, lightning, explosion, power surge or failure, water, acts of God, war, revolution, civil commotion or acts of civil or military authorities or public enemies; any law, order, regulation, ordinance, or requirement of any government or legal body or any representative of any such government or legal body; or labour unrest, including without limitation, strikes, slowdowns, picketing, or boycotts; inability to secure raw materials, transportation facilities, fuel or energy shortages, or acts or omissions of other common carriers. No delay or failure to perform shall be excused under this Section by the acts or omissions of ePly’s subcontractors, vendors or suppliers unless such acts or omissions are themselves the product of a force majeure condition described in this above.
Headings
The headings of the sections of this Agreement are for convenience and shall not by themselves determine the interpretation of this Agreement.
Data Protection Addendum – ePly
Addendum to Main Agreement between:
- Wild Apricot Inc., formerly ePly Services, Inc., doing business as ePly (“ePly”); and
- “Client,” the legal entity that executes one or more Order Forms and/or Statements of Work in connection with receiving the Services from ePly.
Client and ePly may be referred to individually as a “Party” and collectively as the “Parties.”
WHEREAS
- Client and ePly have entered into an agreement, which is made up of executed Order Forms and Statements of Work, including all exhibits and attachments referenced in such Order Forms and Statements of Work, including but not limited to the ePly Terms of Use, under which Client has engaged ePly to provide online event registration services (the “Services”), (collectively, all executed Order Forms and Statements of Work, including all exhibits and attachments shall be referred to as the “Main Agreement”), which include Processing Personal Data received from Client (“Client Personal Data”) for the purpose[s] set forth in the Main Agreement and Exhibit A to this Addendum;
- Under applicable data protection laws and regulations, including but not limited to the European Union (“EU”) General Data Protection Regulation 2016/679 and the legislation implementing the GDPR into law in the United Kingdom (“UK”), including the Data Protection Act 2018 as amended (“GDPR”) and the California Consumer Privacy Act (“CCPA”), certain data protection and privacy obligations either must or should be addressed in contracts between companies and their service providers;
- To help ensure compliance with legal developments relating to lawful mechanisms for cross-border data transfers, ePly is incorporating certain standard contractual clauses into its data processing contracts; and
- To meet their respective obligations to each other under applicable data protection and privacy laws, the Parties are entering into this Data Protection Addendum to the Main Agreement (“Addendum”).
Therefore, the Parties agree as follows:
- Amendment to Main Agreement/Order of Precedence. This Addendum is an amendment to, not in substitution of, the Main Agreement. All provisions set forth in the Main Agreement will remain in full force and effect as long as they do not conflict with this Addendum. To the extent that any terms set forth in this Addendum conflict with any other agreement, including but not limited to the Main Agreement or any prior-entered Data Processing/Protection Agreement/Addendum, the terms of this Addendum shall take precedence over any conflicting terms in any other agreement, unless the Parties explicitly agree otherwise in writing.
- Effective Period. This Addendum will be effective beginning on the date of signing by the Parties, and will remain effective for as long as the Main Agreement is in effect and ePly and any Sub-Processor to which ePly has disclosed any Client Personal Data retains any Client Personal Data. Additionally, as further addressed in the Survival provision in this Addendum, certain provisions of this Addendum will remain in effect even after the Main Agreement is no longer in effect.
-
- For purposes of this Addendum, the following terms will have the following meanings:
- Client: The legal entity that contracts to receive Services from ePly by entering into the Main Agreement.
- Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Data Subject: An identified or identifiable natural person whose Personal Data is being Processed. The term “Data Subject” includes “consumers,” as that term is defined under the CCPA.
- Personal Data: Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal Data includes “personal information,” as that term is defined under the CCPA. Under the CCPA, personal information broadly includes any information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Processor: A natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
- Restricted Transfer: means a transfer of Personal Data to a country other than the country of origin which is not subject to an adequacy determination by the authorities competent for the country of origin.
- For purposes of this Addendum, the following terms will have the following meanings:
- Standard Contractual Clauses (EU/EEA) means the standard contractual clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection the Standard Contractual Clauses (MODULE TWO: Transfer controller to processor), dated 4 June 2021, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described in Article 46 of the GDPR and approved by European Commission Implementing Decision (EU) 2021/91.
- Standard Contractual Clauses (UK) means the Standard Contractual Clauses (Processors), dated 5 February 2010, for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR, approved by European Commission Decision 2010/87/EU and recognized by the regulatory or supervisory authorities of the United Kingdom for use in connection with data transfers from the United Kingdom.
- Sub-Processor: A Sub-Processor retained by a Processor to assist with Processing activities.
- Any capitalized data protection terms used but not defined in this Addendum will have the meaning ascribed to them by applicable data protection law.
- Personal Data Protection and Privacy.
- General Data Protection and Privacy Obligations.
- Legal Obligations. In connection with fulfilling their respective obligations under the Main Agreement (the “Services”), ePly and Client agree to comply with all applicable provisions of the GDPR, the CCPA, and the Swiss data protection law, and also with all applicable provisions of all other applicable data protection laws and regulations. The Parties will not, under any circumstances, provide less protection to Personal Data than is required by all applicable laws, regulations, directives, rules, standards, and frameworks.
- Details of Processing. Pursuant to Article 28 of the GDPR, the details of the processing including the subject matter and duration of Processing, nature and purpose of Processing, categories of Data Subjects, and categories of Personal Data are incorporated into this Addendum and attached hereto as Exhibit A to this Addendum.
- Client’s Obligations and Authorization.
- Controller Responsibilities. Client is the Controller of all Personal Data provided to ePly, and ePly is the Processor of such Personal Data. Client is and shall remain responsible for compliance with all requirements imposed on Controllers, including but not limited to (a) confirming the lawful basis for all processing activities conducted by ePly on Client’s behalf; and (b) obtaining consent from data subjects, where required.
- Data Minimization. Client agrees to limit any Personal Data it transfers to ePly, or to which ePly is otherwise given access for processing to only the Personal Data needed by ePly to fulfill its obligations under the Main Agreement and this Addendum.
- Authorization to Process and Transfer. Client authorizes ePly to collect and process the Personal Data needed to perform the Services for which Client is contracting with ePly in the Main Agreement. Where required, Client authorizes the transfer, processing and storage of Personal Data outside the UK and/or European Economic Area (EEA) in order to fulfill the purpose of the Services.
- Authorization to Engage Sub-Processors. Client agrees that ePly may engage third-party Sub-Processors to Process Personal Data on ePly’s behalf to fulfill the purpose of the Services. Client authorizes ePly to engage all Sub-Processors appearing on ePly’s Sub-Processor List as of the Effective Date of the Main Agreement (“Sub-Processor List”), which can be found at https://personifycorp.atlassian.net/wiki/x/BoAy-wI. Client agrees that ePly may inform Client of its intent to engage new Sub-Processors. Client further agrees that ePly may engage such new Sub-Processors unless Client chooses to exercise its right to object to any such new Sub-Processors by providing ePly with a written notice of Client’s objection. Such notice should include an explanation of the grounds for objecting to the use of such new Sub-Processor so ePly has an opportunity to re-evaluate any such new Sub-Processor based on Client’s asserted concerns. In the event that Client objects to such Sub-Processor and ePly is unable to address Client’s concerns in a manner acceptable to Client, Client may terminate the affected Services in accordance with the procedure for termination set forth in the Main Agreement.
- ePly’s Personal Data Obligations and Restrictions.
- Processing Restrictions. ePly will process Personal Data on Client’s behalf only for the limited and specified purposes set forth in the Main Agreement, the Exhibits and Appendices to this Addendum, and/or as set forth in any other written instructions received from Client. ePly will promptly inform Client if, in ePly’s opinion, an instruction from Client violates the GDPR or other Member State data protection provisions.
- Access Limitations and Confidentiality Obligations. ePly will limit access to Personal Data to only those individuals with a need to know and have access to such Personal Data for purposes of fulfilling the Main Agreement and complying with applicable laws. ePly will take reasonable steps to ensure the reliability of all such individuals, and will impose confidentiality obligations upon any employee, agent, or Sub-Processors that is authorized to access or otherwise Process Personal Data.
- Notification Obligations. After becoming aware of any Personal Data Breach involving Personal Data received from Client or collected on Client’s behalf, ePly will notify Client without undue delay.
- Data Security Obligations. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ePly has implemented and shall maintain appropriate technical and organizational security measures to help ensure a level of security that is appropriate in light of the risks presented by the processing, in particular risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to EU Personal Data transmitted, stored, or otherwise processed in accordance with Article 32 of the GDPR.
- Restrictions on Engaging Sub-Processors. ePly will abide by the requirements set forth in the GDPR for the appointment of Sub-Processors, including entering into written agreements with each Sub-Processor that contain reasonable provisions relating to the implementation of appropriate technical and organizational measures in compliance with the GDPR. ePly has provided Client with a list of its current Sub-Processors, and Client has provided ePly with general authorization to engage such Sub-Processors. ePly will provide Client with advance notice of any intended changes to the Sub-Processor List that involve the addition or replacement of any Sub-Processors. If Client reasonably objects to any new Sub-Processor in accordance with any instructions set forth in such notice, ePly will seek to address Client’s concerns with such Sub-Processor. If ePly is unable to address Client’s concerns in a manner acceptable to Client and Client continues to object to such Sub-Processor, ePly agrees that Client may terminate the affected Services in accordance with the procedure for termination set forth in the Main Agreement. If any ePly Sub-Processor fails to fulfill its data protection obligations, ePly will remain liable to Client for the performance of such Sub-Processor’s obligations in connection with providing Services under the Main Agreement.
- Responding to Data Subject Requests.
- Taking into account the nature of the Processing, ePly will implement appropriate technical and organizational measures to assist Client in responding to Data Subject requests to exercise their Data Subject rights with respect to EU Personal Data being Processed by ePly.
- The Parties agree that Client (as the Controller) has the obligation to respond to Data Subject requests in compliance with the GDPR (e., in an appropriate and timely fashion). If Client wishes and directs ePly to respond to a Data Subject request, Client agrees to provide such direction within three (3) business days after receiving the Data Subject request.
- Obligations in Event of Personal Data Breach. Should either Party become aware of any Personal Data Breach involving Personal Data received from Client or collected on Client’s behalf, that Party will notify the other Party without undue delay.
- Assistance with Client’s GDPR Obligations. Upon Client’s written request, ePly will assist Client in complying with its GDPR obligations, including the security of processing, notification of a Personal Data Breach, data protection impact assessments, and prior consultations.
- Verification of Processor’s Compliance. Upon Client’s written request, ePly will provide Client with information needed to demonstrate compliance with the obligations of Article 28 of the GDPR, and will permit and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client. ePly reserves the right to charge reasonable fees for any excessive amount of the time that may be required to participate in audits and inspections required by the Client.
- Disposition or Return of Personal Data. Unless Client has provided a written request to return Client Personal Data, ePly will (and will take steps to help ensure that any and all Sub-Processors will) delete all copies of EU Personal Data after the end of the provision of Services unless EU or Member State law requires storage of EU Personal Data.
- Cross Border Data Transfers.
- General Data Protection and Privacy Obligations.
- Necessary Transfers. To provide the Services outlined in the Main Agreement, it may be necessary for Client to transfer Personal Data from the EU, UK and/or Switzerland (collectively, “EU/UK/Swiss Personal Data”) to ePly in the United States and/or for ePly to transfer EU/UK/Swiss Personal Data to locations that have not been deemed by the European Commission to provide an adequate level of data protection (collectively, “Necessary Transfers”).
- Transfer Authorization. Client hereby authorizes ePly to make Necessary Transfers of EU/UK/Swiss Personal Data. This Addendum constitutes Client’s written authorization of such Necessary Transfers.
- Adequate Safeguards. To provide adequate safeguards for Necessary Transfers of EU/UK/Swiss Personal Data, the Parties agree to rely on the lawful transfer mechanisms.
- EU GDPR Transfers. With respect to Restricted Transfers from the EEA, Switzerland, or similar countries, effective from the commencement of the relevant Restricted Transfer, Client and ePly hereby enter into, and incorporate into this Data Processing Addendum by reference, the Standard Contractual Clauses (EU/EEA) in respect of any Restricted Transfer (or onward transfer) or Personal Data by or on behalf of the Client to ePly from: (1) the EEA, (2) Switzerland, or (3) any country in which the competent authorities have approved the use of the Standard Contractual Clauses (EU/EEA) and where such Restricted Transfer (or onward transfer) would otherwise be prohibited by applicable laws (or by the terms of data transfer agreements put in place to address applicable laws). In respect of any such Restricted Transfer (or onward transfer), the Standard Contractual Clauses (EU/EEA) shall be deemed complete as follows:
- In Clause 7, the optional docking clause will not apply;
- In Clause 9(a), Option 2 will apply, and the time period for prior notice of additions or replacements of ePly Sub-Processors shall be thirty (30) days;
- In Clause 11, the optional language will not apply;
- In Clause 17, Option 1 will apply, and the Standard Contractual Clauses (EU/EEA) will be governed by the law of the Member State in which the data exporter is established.
- As per Clause 18(b), disputes shall be resolved before the courts of the Member State in which the data exporter is established.
- Annex 1 to Standard Contractual (EU/EEA) shall be deemed to be pre-populated with the Processing Details in Exhibit A and Appendix 1 hereto; and
- Annex 2 to the Standard Contractual Clauses (EU/EEA) shall be deemed to be pre-populated with the Security Measures set forth in Appendix 2 hereto.
- Restricted Transfers from the United Kingdom. With respect to Restricted Transfers from the UK, effective from the commencement of the relevant Restricted Transfer, Client and ePly hereby enter into, and incorporate into this Data Processing Addendum by reference, the Standard Contractual Clauses (UK) in respect of any Restricted Transfer (or onward transfer) of Personal Data by or on behalf of Client to ePly from the UK. In respect of any such Restricted Transfer (or onward transfer), the Standard Contractual Clauses (UK) shall be deemed complete as follows:
- Appendix 1 to the Standard Contractual Clauses (UK) shall be deemed to be pre-populated with the Processing Details in Exhibit A and Appendix 1 hereto; and
- Appendix 2 to the Standard Contractual Clauses (UK) shall be deemed to be pre-populated with the Security Measures set forth in Appendix 2 hereto.
- If at any time the UK Government approves the Standard Contractual Clauses (EU/EEA) for use, the provisions of the Standard Contractual Clauses (EU/EEA) shall apply in place of the Standard Contractual Clauses (UK), subject to the terms set forth in section 4.4.4. shall apply, as applicable, and any modifications to the Standard Contractual Clauses (EU/EEA) required by the UK privacy laws (and subject to the governing law being English law, the competent courts being the English courts and the competent supervisory authority being the Information Commissioner’s Office).
- In the event of a conflict between (i) the Agreement, and (ii) the Standard Contractual Clauses (EU/EEA) or the Standard Contractual Clauses (UK), the latter shall prevail.
- If, at any point during the Term, changes in applicable laws require amendments to this Data Processing Addendum in order to ensure the lawful transfer of Personal Data, Client and ePly will cooperate in good faith to implement such amendments without undue delay.
- CCPA Compliance.
- For purposes of this Section, the terms “Service Provider,” “Business Purpose,” “Commercial Purpose,” “Collect,” and “Sell” shall have the meanings set forth in the California Consumer Privacy Act (“CCPA”).
- Service Provider Obligations and Restrictions. The Parties agree that ePly is a Service Provider to Client with respect to Personal Data Processed by ePly.
- As a Service Provider, ePly will:
- Implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it Processes as set forth in the Data Security Obligations Section of this Addendum.
- Apply its obligations regarding Data Subject requests, as set forth in the Responding to Data Subject Requests Section of this Addendum, to Data Subject requests submitted under the CCPA.
- As a Service Provider, ePly will not retain, use, sell, or disclose Personal Data outside of the direct business relationship between the Parties except under the following limited circumstances:
- To perform Services on behalf of Client for a Business Purpose as specified in the Main Agreement, the Exhibits and Appendices to this Addendum, and any other written agreements into which the Parties enter.
- To retain and employ a Sub-Processor that meets the requirements for a Service Provider under the CCPA.
- For internal use by ePly to build or improve the quality of its Services, provided that the use does not include building or modifying household or consumer profiles, or correcting or augmenting data acquired from another source.
- To detect data security incidents, or protect against fraudulent or illegal activity.
- To collect, use, retain, sell, or disclose Personal Data that is deidentified or aggregated information.
- As otherwise required by applicable law, including: (a) compliance with federal, state, or local laws; (b) compliance with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (c) cooperating with law enforcement agencies concerning conduct or activity that ePly reasonably and in good faith believes may violate federal, state, or local law; (d) exercising or defending legal claims and as otherwise permitted by applicable law.
- As a Service Provider, ePly will:
- Compliance with Other Applicable Data Protection and Privacy Laws and Regulations. The Parties agree to comply with all applicable data protection, privacy, and data breach notification laws, regulations, and standards from the effective date of this Addendum until all Processing activities covered by the Main Agreement and this Addendum have ceased and until all Client Personal Data has either been completely, permanently, and securely disposed of or securely transferred back to Client.
- Right to Terminate Agreement. In the event of any breach of this Addendum by Client, ePly has the right to terminate the Main Agreement without penalty to ePly upon written notice to Client.
- Severability. If any provision of this Addendum is, to any extent, invalid or unenforceable, all other provisions of the Addendum will remain in full force and effect. To the extent permitted and possible, the invalid or unenforceable provision will be deemed replaced by a term that is valid and enforceable and that comes closest to expressing the intention of such invalid or unenforceable term. If this is not permissible or not possible, then the Addendum will be construed as if the invalid or unenforceable provision were not included in the Addendum.
- No Limitation on ePly’s Rights or Remedies. Nothing in this Addendum will limit ePly’s rights or remedies under the Main Agreement or at law.
- Governing Laws/Jurisdiction. The Parties to this Addendum submit to the choice of jurisdiction set forth in the Main Agreement with respect to any disputes or claims arising under this Addendum unless otherwise required under applicable law. The Parties further stipulate that any and all disputes concerning the construction and interpretation of this Addendum and/or the Parties’ obligations under this Addendum will be handled in accordance with pertinent provisions governing disputes or claims that are set forth in the Main Agreement.
- Incorporation into Main Agreement. This Addendum, after being duly executed by the Parties, is incorporated into the Main Agreement between ePly and Client, and made an integral part thereof.
- All provisions of this Addendum, that by their own express terms or nature and context are intended to survive the termination or expiration of the Main Agreement shall survive.
List of Schedules to this Addendum:
- Exhibit A to Data Protection Addendum (Details of Processing)
- Appendix 1 to Standard Contractual Clauses
- Appendix 2 to Standard Contractual Clauses
Exhibit A to Data Protection Addendum
(Details of Processing)
Subject Matter and Duration of Processing:
The subject matter and duration of the Processing of EU Personal Data are set forth in the Main Agreement and the Exhibits and Appendices to this Addendum.
Nature and Purpose of Processing:
ePly may obtain Personal Data during its provision of the Services and in the development, testing, hosting, and maintenance of software and related services, which include the following tools:
- Event registration
- Online payments
- Email and contact database
Categories of Data Subjects:
- Client Staff
- Client’s Customers, Members, or other Contacts
Categories of Personal Data:
- Contact Information (g., name, organization and title, phone number, email address, physical address)
- Communication Information (g., emails and messages sent through the Services)
- Site Usage and Location Information (g., IP address, geographic location of device, browser type and language, device model, hardware and operating system, user behavior (e.g., time of visits, page views (e.g., links clicked), features used, frequency of use))
- Special Categories of Personal Data (g., photo, age, ethnicity, education, sex/gender, registrations, memberships, employment history, economic data)
Appendix 1
to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
Data exporter
The data exporter is:
The legal entity identified as “Client” in the Main Agreement
Data importer
The data importer is:
Wild Apricot Inc., formerly ePly Services, Inc., doing business as ePly (“ePly”)
Data subjects
The personal data transferred concern the following categories of data subjects:
The categories of data subjects are listed in Exhibit A to this Addendum.
Categories of data
The personal data transferred concern the following categories of data:
The categories of personal data transferred are listed in Exhibit A to this Addendum.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
The categories of personal data transferred are listed in Exhibit A to this Addendum.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
The data importer will process personal data as necessary to perform the Services described in the Main Agreement and in the Exhibits and Appendices to this Addendum.
Appendix 2
to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The undersigned data importer implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things, as appropriate:
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- And a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.