This Agreement is a legal agreement between you as the user of the Software (“you” or “the User”) and Theta Systems Limited ("Theta") an incorporated company in New Zealand. Theta (“we, “us” or “our”) offers technology consultancy and software products designed and developed specifically for businesses. EVA Check-in is one of our products.
By checking a box indicating your acceptance, or otherwise accessing and using the Software, you accept and agree to be bound by the terms and conditions of this agreement (including as amended from time to time) (the “Terms”) and that these Terms will remain in effect until terminated.
These Terms may be varied by Theta, on the posting of modified terms on this website (www.evacheckin.com) or by providing written notice to you. By continuing to access and use the Software from the date on which the Terms are updated, you agree to be bound by the updated Terms. IF YOU DO NOT AGREE WITH THE TERMS, DO NOT ACCESS AND USE THE SOFTWARE.
Definitions:
“Data Protection Laws” refers to applicable legislation protecting the personal data of natural persons, including (but not limited to):
“ProtectedArea” means:
A. Subject to these Terms, Theta grants you a limited, personal, non-transferable, and non-exclusive licence to use and display the Software and provide access to use the Software to your employees and contractors for your own lawful internal business uses for the Term.
B. You shall not make the Software available, nor permit any other person or entity, to use the Software on a sub-licenced or other basis.
C. Licence Fee – the fee payable for the Software (Fee) will be detailed on the EVA Check-in website. The Fee will be invoiced to you and/or charged to your credit card. Payment of the Fee must be made in advance of your use of the Software (unless this is your first month, in which case the Fee is typically charged at the end of the first month).
D. Theta may suspend or terminate your access to the Software where you fail to pay any Fee due to Theta under these Terms on the due date.
E. Access to the Software is subject to the following conditions:
A. Updates: From time-to-time Theta will make available amended versions, releases, updates, bug fixes and error correction and other modifications to the Software (collectively,"Updates"). All Updates will be deemed a part of the Software licenced to you under these Terms.
B. Theta will provide you with access to the EVA Check-in Contact us page (internet access) to log any issues or faults with the Software. Theta will attend to logged issues on a prioritised basis during Theta's normal business hours in New Zealand, Monday to Friday (excluding public holidays).
C. Error Correction: Theta will use reasonable endeavours to correct Software faults through Updates. Software faults are a function of an item of the Software not operating in accordance with the warranties set out below. Theta will use its reasonable endeavours to correct Software faults:
Theta will at its own option either advise you as to the correction or avoidance of the Software faults or make available Updates in a timely manner.
A. Theta warrants that the Software will perform in substantial conformance with the online help published for the Software.
B. Theta warrants that the Software does not infringe any copyright or trade secret of any third party arising under law. Theta's sole obligations in the event of breach of this warranty are those set out in this clause. Theta indemnifies you from costs, expenses, losses, damages, judgments arising out of any breach or alleged breach of the warranty in this clause to the limit of the liability established in the following clause; PROVIDED THAT you have notified Theta in writing as soon as practicable of any such infringement, suspected infringement or alleged infringement and you cooperate with Theta in the defence of such claim. Theta shall have the right to control the defence or settlement of any claim. If in Theta's determination your use of the Software is or is likely to be enjoined by any action or proceeding,
C. Theta shall have the right, at its expense, to:
Upon Theta making any remedy available to you, such remedy will be in lieu of Theta's indemnity obligation set out in the third sentence of clause 4.B.
D. Notwithstanding and without limiting the foregoing provisions of clause 4.B. Theta shall not be obligated to indemnify you to the extent such infringement, suspected or alleged infringement arises from:
E. Except for the express warranties made in these Terms, THETA MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE SOFTWARE OR SUPPORT AND ANY WARRANTIES OTHERWISE IMPLIED BY COMMON LAW OR STATUTE OR ARISING OUT OF CUSTOM OR COURSE OF DEALING ARE EXCLUDED FROM THESE TERMS TO THE FULLEST EXTENT PERMITTED BY LAW. EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS, THETA DOES NOT REPRESENT, WARRANT OR COVENANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET ANY REQUIREMENTS OR NEEDS OF YOU, OR THAT THE SOFTWARE WILL OPERATE ERROR FREE, OR IN AN UNINTERRUPTED FASHION, OR THAT ANY DEFECTS OR ERRORS IN THE SOFTWARE WILL BE CORRECTED, OR THAT THE SOFTWARE IS COMPATIBLE WITH ANY PARTICULAR PLATFORM.
A. You agree that Theta's cumulative liability for damages under or in connection with these Terms, regardless of the form of action, is limited to the fees paid by you to Theta in the 12 months preceding the warranty/claim event. IN NO EVENT SHALL THETA BE LIABLE (REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE) FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, ANY LOSS OF DATA OR RECORDS, LOST PROFITS OR OTHER ECONOMIC LOSS) ARISING OUT OF OR IN CONNECTION WITH THESE TERMS AND/OR ANY OBLIGATION OF CONFIDENTIALITY, EVEN IF THETA HAD BEEN ADVISED OF THE POSSIBILITY OF, OR COULD HAVE FORESEEN, SUCH DAMAGES OR LOSSES. You acknowledge and agree that the amount of the fees payable under these Terms is related to the foregoing limitations on Theta's liability and that the fees would be greater if Theta’s liability were not so limited.
A. As between the parties, all copyright, and all other intellectual property rights in or related to the Software and the services provided by or on behalf of Theta shall remain theproperty of Theta and/or its licensors and you shall acquire no rights in any of the foregoing except as expressly provided in these Terms. You agree not to,and not to permit others to, use, copy, reproduce, display, deploy, perform, distribute, transmit, make available, or create derivative works of the Software or Documentation to decompile or reverse engineer any of the Software provided by or on behalf of Theta except as expressly permitted at law to do so.
B. Title to, and all intellectual property rights in, the data stored by the Software (“Data”) remains with you. Subject to all applicable Data Protection Laws, access to the Data is contingent on you having a current licence and any applicable Fees being paid in full and on time.
C. You grant (or will procure that your relevant licensor grants) to Theta a non-exclusive royalty free worldwide irrevocable, non-transferable, non-sublicensable, fully paid up, royalty free and limited right and licence to access, collect, compile, store, use and otherwise process the Data from your use of the Software solely for the purposes of providing the Services in accordance with these Terms, including for the processing purposes set out in Schedule 1.
A. Each party acknowledges and agrees that it will comply with all Data Protection Laws applicable to such party in carrying out its obligations under these Terms.
For the purpose of this clause “data controller”, “data processor”, “data subject”, “personal data”, "personal data breach", “processing”, "sub-processor", "supervisory authority", “special categories of personal data” and “appropriate technical and organisational measures” shall have the meanings ascribed to them in the Data Protection Laws.
B. The parties acknowledge and agree that you as the User of the Software are the data controller in respect of any personal data that Theta may process in providing the Software (other than business contact data processed by Theta to allow it to manage your account). The parties acknowledge that New Zealand is a country which the European Commission has recognised as ensuring an adequate level of protection for the rights of individuals in connection with the transfer of their personal data outside the European Economic Area.
C. Theta agrees to:
D. You authorise Theta to appoint third party sub-processors to assist in the management of the Software and the Services.
E. You warrant that:
i. you own or have obtained all necessary rights, title and interest in the personal data and all intellectual property rights and other rights contained therein, as well as the consent of any data subjects, necessary for the parties to perform their respective obligations under these Terms;
ii. you have disclosed to the data subjects in compliance with applicable laws how you will collect, use, and disclose their personal data; and
iii. you will use the personal data in accordance with these Terms and that such use will not constitute an infringement of the intellectual property rights, publicity or privacy or other proprietary rights of a third party, or the violation of any applicable laws, rules or regulations or a violation of any applicable privacy policy or terms and conditions.
iv. you will not use the Software to procure or upload any special categories of personal data, nor instruct Theta to procure or upload, include or process any special categories of personal data.
v. you will indemnify Theta from and against all reasonable losses, damages, costs, liabilities and expenses (including reasonable legal expenses) arising out of or in connection with your breach of this clause 7.
F. To the extent Theta processes personal data relating to a natural person who is a resident in a Protected Area, the parties agree to carry out their respective obligations under these Terms and those set out in the Data Processing Agreement attached at Schedule 1.
G. To the extent Theta processes personal data relating to a natural person who is a Californian resident in accordance with carrying out its obligations under these Terms, Theta shall not:
i. “sell” (as defined under the CCPA) such personal data;
ii. retain, use, or disclose such personal data for any purpose other than providing the Software or performing the services specified in these Terms (or as otherwise permitted by the CCPA), including without limitation retaining, using, or disclosing such personal data for any “commercial purpose” (as defined under the CCPA) other than providing the Software or performing the Services specified in this Agreement; or
iii. retain, use, or disclose such personal data outside of the direct business relationship between you and Theta.
H. Theta certifies that it and each of its employees, agents, and representatives who will receive such personal data understand, and shall comply with, the restrictions set forth in this clause 7.
I. Unless stated otherwise in these Terms, Theta reserves its right to charge additional reasonable fees for any assistance provided by Theta to you to assist you with complying with your obligations under applicable Data Protection Laws which Theta considers go beyond a reasonable level of support and/or assistance, provided that such fees will be pre-agreed by the parties in writing.
A. Term: These Terms become effective on the date that the Software is first accessed by you.
B. Termination -Theta, in addition to all other rights and remedies, has the right to terminate these Terms and all licence rights granted to you by notice in writing to you if:
i. you breach any material term of these Terms; or
ii. you become insolvent or bankrupt, or enter into liquidation or receivership under the law of any jurisdiction, whether compulsory or voluntary; or
iii. the Software is hosted on a third party’s platform and the third party determines not to host the Software for any reason;
C. You may terminate these Terms and your right to use the Software, with or without cause, at any time by cancelling your subscription via the EVA Check-in web portal (Billing (evacheckin.com))
If you are on annual invoice billing you need to cancel your subscription via the portal before your annual renewal date, or give us one month's written notice before your annual renewal date.
If you cancel after the renewal date we are not obligated to provide a refund. If you need assistance with cancelling your subscription you can get help from our support team.
A. The parties must use all reasonable efforts in good faith to resolve any dispute which arises between them in connection with these Terms. This provides for a form of alternative dispute resolution and is not a reference to arbitration.
B. A party will, as soon as reasonably practicable, give the other party notice of any dispute inconnection with these Terms.
C. Any dispute will be referred initially to a designated representative of Theta and your designated representative, who will endeavour to resolve the dispute within 10 days of the giving of the notice; and if the dispute is not resolved within the 10 days, to your Chief Executive and the Chief Executive of Theta who will endeavour to resolve the dispute within a further 10 days.
D. If, following the dispute resolution procedure set out above, the parties fail to resolve the dispute then the parties will try to settle the dispute by mediation before resorting to litigation. Either party may initiate mediation by giving written notice to the other. The mediator shall be agreed by the parties but if the parties cannot agree on one within 5 days after the mediation has been initiated, then the mediator shall be selected by the New Zealand Dispute Resolution Centre, or its successor.
E. No formal proceedings for the judicial resolution of any dispute between the parties may be commenced until a dispute has proceeded through the dispute resolution processes set out in (A) to (D) above; PROVIDED THAT, with respect to any claim by Theta of actual or alleged infringement of any confidentiality or intellectual property right of, or licenced to, Theta, Theta, in its sole discretion, may at any time seek judicial resolution with or without resorting to the dispute resolution and mediation processes set out above; and
F. All dispute resolution procedures shall be held in Auckland, New Zealand, unless otherwise agreed in writing.
A. No waiver of any breach of any provisions of these Terms shall constitute a waiver of a prior, concurrent or subsequent breach of the same or any other provision, and no waiver shall be effective unless made in writing.
B. Neither party shall issue any publicly disseminated statement using the name of the other party without that party’s consent (not to be unreasonably withheld or delayed). Not withstanding,we may list your name and logo alongside our other clients on our website and in marketing materials, unless you have withdrawn such permission in writing.
C. Theta intends that the Software will be available to the fullest extent possible.There will be occasions that the Software may be unavailable to allow for maintenance or development activities to take place. Theta will endeavour to publish in advance to you when such activity will take place when Theta considers that the non-availability will be longer than normally expected.
D. These Terms contain the entire agreement between Theta and you with respect to the Software and the provision of it to you by Theta, including, but not limited to, the licencing of the Software and provision of support as specified in clause 3.
E. These Terms are governed by the laws of New Zealand. Except in respect of the dispute procedure set out above, each party submits to the non-exclusive jurisdiction of the New Zealand courts inrespect of any dispute or proceeding arising out of it.
F. Whenever possible, each provision of these Terms will be interpreted in such manner as to be effective and valid under applicable law, but if any provision of these Terms is held to be prohibited by or invalid under applicable law, such provision will be ineffective only to the extent of such prohibition or invalidity, without invalidating the remainder of such provision or the remaining provisions of these Terms.
G. You must not assign, transfer, or grant a security interest in your rights under these Terms except if approved in writing by Theta.
H. All notices shall be in writing and delivered by email to the parties set out at the beginning of this Agreement.
SCHEDULE 1 - Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between Theta Systems Limited (“Theta”) and the licensed User of the Software known as EVA Check-in (“User”). It applies insofar as Personal Data is processed by Theta in connection with Theta’s provision of the EVA Check-in software services to the User in a Protected Area (as defined in the Terms), pursuant to the Terms to which this Annexure is appended.
PART I - INTRODUCTION
1. Background
1.1 Under the Terms, Theta provides the EVA Check-in software services (“Services)” to the User.
1.2 This DPA sets out data protection, security, and confidentiality requirements concerning the Processing of Personal Data disclosed or transferred to Theta or collected, stored, accessed, or otherwise processed by Theta in connection with the Terms.
1.3 This DPA consists of four parts:
2. Definitions
Capitalised terms not defined in the Terms, will have the following meaning:
Terms refers to the Terms and Conditions agreed between Theta and the licensed User of EVA Check-in services, which incorporates this DPA as an integral part.
Theta means Theta Systems Limited, a company having its registered address at Level 2, Theta House, 8 – 10 Beresford Square, Auckland, 1010, New Zealand.
Data Controller means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Processor means the entity which Processes Personal Data on behalf of the Data Controller.
Data Protection Laws means all laws and regulations applicable to the User or Theta relating to the privacy, confidentiality, security and protection of Personal Data, including GDPR as amended, supplemented or replaced from time to time, UK GDPR as amended, supplemented or replaced, from time to time, the EU Directive 2002/58/EC (“e-Privacy Directive”), as amended, supplemented or replaced from time to time, and EU Member State laws implementing the GDPR and e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications; EU Member State laws regulating security breach notification and imposing data security requirements; and any other data protection laws of the country which has jurisdiction over the Personal Data.
Data Subject means an identified or identifiable natural person to whom the Personal Data pertains.
EVA Check-in Privacy Policy refers to the privacy statement by Theta that describes how in the provision of the Services personal data is collected and processed by Theta. The current version of the EVA Check-in Privacy Policy is available on Theta’s website at https: https://www.evacheckin.com/privacy-policy.
Instructions means this DPA, the Terms, and any further written agreement of the Parties by way of which Theta as the Data Processor is instructed to perform specific Processing of Personal Data. SCC or Standard Contractual Clauses refers to the European Commission’s decision of 4 June 2021, on: (i) standard contractual clauses for the transfer of personal data to third countries and (ii) on standard contractual clauses between controllers and processors under Article 28(7) of the GDPR, as amended, supplemented, or replaced, from time to time.
Sub-processing Overview refers to Exhibit A which lists Theta’s Sub-processors and locations for processing Personal Data which is attached to this DPA. The sub-processor list is approved by the User and constitutes an integral part of this DPA.
Sub-processor means the entity engaged by the Data Processor or any further sub-processor to Process Personal Data on behalf and under the authority of the Data Controller.
User is the person or entity who has subscribed to licence EVA Check-in software under the Terms.
References to Personal Data, Personal Data Breach, Processing, Pseudonymisation, Special Categories of Personal Data and other terms not defined in this DPA or the Terms will have meanings given to them in the GDPR or, as applicable in relation to a Data Subject resident in the United Kingdom, the UK GDPR.
3 General compliance
3.1 Each Party will comply with the requirements of Data Protection Laws as applicable to such Party with respect to the Processing of Personal Data and the roles and responsibilities set out in this DPA.
3.2 The Parties acknowledge and agree that the processing activities, the type, and categories of Personal Data, the Data Subjects whose Personal Data are being processed under this DPA, are reflected in Part II and Part III.
3.3 The Parties acknowledge that certain Data Protection Laws, make specific distinctions between Data Controller and Data Processor responsibilities. When Theta is only acting as a Data Processor as described in this DPA, Theta’s compliance obligations are narrowed accordingly in accordance with Data Protection Laws.
3.4 Personal Data is being shared between the User and Theta under this DPA only in the context of the provision or receipt of the Services by the User.
PART II - Theta as Data Controller
4 Data Processing
4.1 The Parties acknowledge and agree that concerning the processing of Personal Data as described in this section 4, Theta acts as a Data Controller. The processing activities, the type and categories of Personal Data, the Data Subjects whose Personal Data are being processed by Theta as Data Controller under this DPA, concern:
The Processing of the following categories of Data Subjects:
The Processing concerns the following potential categories of Personal Data:
First name, last name, email address, city, country, company, title, phone number, banking details, IP address and other information set out in the EVA Check-in Privacy Policy.
The Processing concerns the following categories of Data Processing activities:
4.2 To the extent that Theta is acting as a Data Controller pursuant to this section 4, Theta will:
a. Perform all of its obligations in accordance with Data Protection Laws incumbent on Data Controllers and only for the purposes stated in this DPA;
b. Process Personal Data in accordance with the EVA Check-in Privacy Policy;
c. Ensure that Data Subjects are provided with appropriate information regarding the Processing of their Personal Data in accordance with Data Protection Laws, including by means of offering a transparent and easily accessible public privacy notice (EVA Check-in Privacy Policy);
d. Ensure that there is a lawful basis for the Processing of Personal Data in accordance with Article 6 of the GDPR;
e. Ensure that Data Subjects can exercise their data protection rights granted to them under Data Protection Laws.
PART III – Theta as Data Processor
5 Data Processing
5.1 The Parties acknowledge and agree that in the processing of Personal Data as described in this section 5, Theta acts as a Data Processor (or Sub-processor) acting on the User’s behalf and the User appoints Theta to process Personal Data to provide the Services to the User.
5.2 The Processing activities, the type and categories of Personal Data, the Data Subjects whose Personal Data are being processed by Theta as Data Processor (or Sub-processor) under this DPA are described here:
The Processing concerns the following categories of Data Subjects:
The Processing concerns the following categories of Personal Data:
Theta is a Data Processor with respect to the following Processing activities:
5.3 As a Data Processor, Theta processes Personal Data only on documented Instructions from the User. The terms set out in the Terms and this DPA are the User’s complete Instructions to Theta for the processing of Personal Data. Any additional Instructions must be agreed between the Parties in writing.
5.4 The duration of Personal Data processing shall be for the term of the DPA unless further storage of the Personal Data is required or authorised under Data Protection Laws.
5.5 By way of this DPA, the User provides general written authorisation to Theta:
a) to engage those of Theta’s Sub-processors listed in the Sub-processor Overview; and
b) to transfer and process Personal Data in locations outside the United Kingdom and the European Economic Area (the “EEA”) as listed in the Sub-processing Overview. The notifications about the addition, replacement or changes of Theta’s Sub-processors or sub-processing locations for Processing will be communicated to the User by email in accordance with clause 5.7.
5.6 Without prejudice to other obligations of the User under this DPA, the User shall:
a) Only provide Instructions to Theta that are lawful.
b) Perform all its obligations in conformance with all applicable Data Protection Laws, including in relation to data security and confidentiality obligations.
c) Ensure that Data Subjects are provided with appropriate information regarding the Processing of their Personal Data, including by means of offering a transparent and easily accessible public privacy notice.
d) Ensure that there is a lawful basis for Processing of Personal Data in accordance with Data Protection Laws (including Article 6 of the GDPR).
e) Ensure that Data Subjects can exercise their data protection rights granted to them under Data Protection Laws.
f) Be solely responsible for: (i) complying with incident notification laws applicable to User and fulfilling any notification obligations related to any Personal Data Breach; and (ii) notifying each Data Subject affected by the breach without undue delay, when so required by Data Protection Laws; and
g) To the extent necessary to comply with Data Protection Laws, inform Theta without unreasonable delay, but in no event more than 48 hours, after it becomes aware of any Personal Data Breach which affects Personal Data processed under the DPA. User will provide reasonable information and cooperation to Theta so that Theta can meet any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable Data Protection Laws. User will further take reasonably necessary measures and actions to remedy or mitigate the effects of the Personal Data Breach and will keep Theta informed of all material developments in connection with the Personal Data Breach.
5.7 To the extent that Theta is acting as a Data Processor, Theta will:
a) Inform the User without undue delay if, in its opinion, Instructions infringe applicable Data Protection Laws;
b) Ensure that any person authorised to Process Personal Data in the context of the Services is granted access to Personal Data on a need-to-know basis and is committed to respecting the confidentiality of the Personal Data;
c) When required by Data Protection Laws, inform the User without undue delay of: (i) any formal requests from Data Subjects exercising their rights under Data Protection Laws, and not to fulfil or resolve such requests, unless instructed by the User in writing; and (ii) if permitted, any requests made by public authorities requiring Theta to disclose the Personal Data Processed in the context of the Services or to participate in an investigation involving such Personal Data;
d) If Theta receives any request from a Data Subject in relation to their Personal Data, Theta will advise the Data Subject to submit its request to the User and the User will be responsible for responding to the request. Nevertheless, Theta shall, taking into account the nature of the processing, assist the User by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the User’s obligation to respond to requests from Data Subjects regarding exercising their rights laid down in Data Protection Laws (including Chapter 3 of the GDPR);
e) When required by Data Protection Laws, provide reasonable assistance to the User (such assistance to be at the expense of the User) in ensuring compliance with the obligations of the User under Data Protection Laws, including but not limited to conducting data protection impact assessments and consulting with a supervisory authority, taking account of the nature of the Processing and the information available to Theta;
f) Upon the occurrence of any Personal Data Breach, without undue delay, from becoming aware of the Personal Data Breach (i) notify the User in accordance with the notification requirements set out in the Data Protection Laws; and (ii) promptly take reasonable steps to minimise harm and secure Personal Data. Theta notification of or response to Personal Data Breach under this clause will not be construed as an acknowledgment by Theta of any fault or liability with respect to the breach;
g) When required by Data Protection Laws, inform the User by giving reasonable written prior notice (unless unforeseen circumstances requiring Theta to take urgent action mean that Theta cannot provide such notice) of any addition, replacement or other changes of Theta’s Sub-processors and provide the User with the opportunity to object to such changes. In the event the User objects to any addition, replacement or other change of Theta’s Sub-processor, the User may at its discretion elect to terminate the DPA without any charge if Theta is unable to address the User’s objection to its satisfaction (acting reasonably). The User acknowledges that engagement of Theta’s Sub-processors is essential to provide the Services and that objecting to the use of Theta’s Sub-processor may prevent Theta from offering the Services to the User;
h) Enter into a written agreement with Theta’s Sub-processors imposing on those Sub-processors substantially the same obligations as those imposed on Theta under this DPA, including appropriate technical and organisational measures (described in Section 7 below). In case Theta’s Sub-processor fails to fulfil its data protection obligations under such written agreement with Theta, Theta will remain liable towards the User for the performance of the Theta Sub-processor’s obligations under such agreement to the same extent as if Theta itself is liable to the User;
i) Except as authorised pursuant to this DPA, not transfer Personal Data out of the UK or the European Economic Area (the “EEA”) without the prior written approval of the User. Where approval is granted, Theta will comply with Data Protection Laws for the transfer of Personal Data outside of the UK and/or the EEA, including by facilitating the conclusion of Standard Contractual Clauses to the extent applicable. For the avoidance of doubt, the prior written approval of the User is not required if the transfer of Personal Data out of the UK and/or the EEA is required by Data Protection Laws to which Theta is subject to. In such case, Theta shall inform the User of such legal requirement before processing, unless law or authorities prohibits such information;
j) Theta will not, and will procure that its sub-processors will not, process or transfer any Personal Data outside of the country such personal data originated in without an adequate level of protection where required under applicable Data Protection Laws. User agrees that Theta’s use of the Sub-processors listed in Exhibit A will involve a transfer of Personal Data and the processing of Personal Data by the Sub-processors listed outside of the United Kingdom and the EEA (“relevant transfer”). Theta will ensure that such transfer and processing of personal data by the Sub-processors listed is governed by either Standard Data Protection Clauses issued by the UK Information Commissioner under the United Kingdom’s Data Protection Act 2018 (“SDPC”) or the SCCs in accordance with GDPR. Accordingly, User agrees that Theta may enter into the SDPC and/or the SCCs as “data exporter” on behalf of the User and the relevant Sub-processor as listed in Exhibit A as “data importer” or “sub-processor”;
k) Contribute to audits or inspections by the auditor appointed by Theta or, if the User objects to such auditor, by an independent auditor which is acceptable to both parties (acting reasonably), to audit Theta’s data processing activities to enable the User to verify and/or procure that Theta and/or Theta’s Sub-processors are in full compliance with their obligations under this DPA. The User must notify Theta in advance of a planned audit, with at least twenty (20) Business Days written notice. An audit or inspection may take place only during normal working hours of Theta. Any audits, inspections or other activities intended for demonstrating Theta compliance under this DPA shall be conducted at the expense of the User. Unless required by Data Protection Laws no audits will be conducted more than once in any twelve (12) month period. In addition, Theta will make available to the User, upon request, a summary of any applicable audit report which the User must treat confidentially under the confidentiality provisions of the Terms or under a separate non-disclosure agreement concluded between the Parties, whichever is applicable.
k) At the choice of the User, delete or return all Personal Data to the User after the end of the provision of the Services or fulfilment of all obligations under the Terms, and delete existing copies, unless further storage of the Personal Data is required or authorised by Data Protection Laws.
PART IV – General Legal Provisions
6 Content and valid Basis
6.1 As between Theta and the User, the User is responsible for the content of all the data, including Personal Data, that the User provides to Theta. The User confirms that it has legal grounds to process and has rights to provide Personal Data to Theta for processing.
6.2 Before obtaining Personal Data from Data Subjects and providing it to Theta, the User must obtain their legally valid permission or have another valid legal basis to permit the Processing and transfer of the Personal Data by Theta and Theta’s sub-processors, and each Parties’ respective representatives and service providers as contemplated under this DPA and the Terms. User shall ensure that Data Subjects whose personal data is processed under this Agreement, receive information of Theta processing their Personal Data (including reference to Theta’s EVA Check-in Privacy Policy, where applicable).
6.3 Parties acknowledge and agree that it is not intended or foreseen that any Special Categories of Personal Data will be Processed under the Terms. Where any Special Categories of Personal Data are provided to Theta, the User shall notify Theta in writing in advance and the parties will enter into any additional terms and conditions, as may be required. The User shall prior to providing any Special Categories of Personal Data obtain Data Subject’s explicit consent to the Processing of such data and guarantee to Theta that applicable Data Protection Laws do not prohibit Processing of it.
7 Data security
7.1 Each Party will implement and maintain appropriate technical and organisational measures, internal controls, and data security routines (including pursuant to Article 32 of the GDPR) intended to protect the Personal Data against accidental loss or change, unauthorised disclosure or access, or unlawful destruction, including those set out in Schedule 2, and as appropriate:
a. Pseudonymisation and encryption of Personal Data.
b. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services involved in the processing of Personal Data.
c. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
d. A process for regularly testing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data.
7.2 The User shall notify Theta promptly about any possible misuse of its accounts or authentication credentials or any security incident related to the Services.
8 Aggregated Data
Theta may collect and use information related to the provision of the Services, as aggregated data, provided that “aggregated data” means statistical information that is not identifiable to any person. Theta may use aggregated data to provide and improve the Services, including, without limitations, to conduct research and analysis, to provide the analysis results on the aggregated data to third parties and to market the Services.
9 Miscellaneous
9.1 Theta shall not bear any liability for the User not complying with obligations listed in this DPA. User shall hold Theta harmless and indemnify Theta against any claims from third parties, including Data Subjects and data protection authorities based on violations of Data Protection Laws or obligations under this DPA by the User or on its behalf.
9.2 From the Effective Date, this DPA replaces and supersedes any earlier data processing agreement, if any, executed by the Parties (or their Affiliates) in its entirety.
9.3 This DPA will have the same duration as the Terms. Notwithstanding, the provisions in this DPA shall remain in force for as long as Theta Processes Personal Data as a Data Processor of the User. In the event of changes in the Services or applicable Data Protection Laws which will affect the Processing of the Personal Data and requires the amendment of this DPA in order for the parties to be able to address the requirements and comply with the applicable laws, the Parties will consult with each other and cooperate in good faith in order to amend this DPA. Any amendments to this DPA can be made in writing by authorised representatives of the Parties.
9.4 This DPA is subject to the terms and conditions of the Terms. Any provision, including but not limited to limitation of liability, confidentiality, governing law and dispute resolution provisions and other terms and conditions of the Terms shall apply to this DPA.
9.5 If any of the provisions of this DPA conflict with the provisions of any other written agreement concluded between the Parties, then the provisions of this DPA shall prevail. Notwithstanding the foregoing, this DPA shall not apply if and to the extent the SDPC or the SCC for the transfer of Personal Data to third countries are concluded and such clauses set out stricter obligations for the Parties. The Parties have carefully reviewed this DPA and agree to its terms and conditions.
Exhibit A - Sub-Processing Overview
SCHEDULE 2 - SECURITY MEASURES
This Schedule sets out the security measures Theta takes to ensure a level of security for the personal data appropriate to the level of the risk.
Last updated: March 2024