Data Processing Addendum

Last Updated and Effective as of: July 19, 2018

This Data Processing Addendum ("DPA") forms part of the written agreement ("Agreement") between the restaurant identified in such Agreement ("Restaurant") and Resy Network, Inc. ("Resy"). This DPA is entered into as of the later of the dates beneath the parties' signatures on the Agreement ("Effective Date").

The parties agree to comply with the following provisions with respect to any Personal Data of one or more Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purpose of this DPA is to ensure such Processing is conducted in accordance with Data Protection Laws, including the GDPR, and with due respect for the rights and freedoms of individuals whose Personal Data are Processed. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.

Definitions

  1. "Affiliates" means any entity which is controlled by, controls or is in common control with one of the parties.
  2. "Data Protection Laws" means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR.
  3. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  4. "Security Breach" has the meaning set forth in Section 7 of this DPA.
  5. "Sub-processor" means any sub-processor engaged by a Controller or Processor for the Processing of Personal Data.
  6. "Supervisory Authority" has the meaning set forth in Article 51 of the GDPR.
  7. "Term" means the period from the Effective Date to the date the DPA is terminated in accordance with Section 11.1.
  8. The terms "Controller", "Data Subject", "Personal Data", "Processor", "Processed" and "Processing" have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.

Processing of personal data - arrangement between independent controllers

The parties agree that Resy and Restaurant are independent Controllers with respect to the processing of such Personal Data described in the Agreement. To the extent that the data protection legislation of another jurisdiction is applicable to either party's processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Both parties shall keep a record of all Processing activities with respect to Personal Data covered under this DPA as required under GDPR.

Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data covered under this DPA, including but not limited to: (i) providing the other party contact details for each party's privacy manager or Data Protection Officer (if legally required) which are accurate and up to date; (ii) providing reasonable information and assistance to the other party in conducting data protection impact assessments as required by Data Protection Laws; and (iii) providing reasonable information and assistance to the other party regarding consultations between that party and a Supervisory Authority. Each party shall Process Personal Data in accordance with the requirements of the Data Protection Laws. The objective of the Processing of Personal Data by both parties is the performance of the Agreement.

Rights of data subjects

Each party as Controller is separately responsible for honoring Data Subject access requests under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from Data Subjects. Each party shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Section 3.1.

Personnel

Both parties shall ensure that their respective personnel engaged in the Processing of Personal Data under this DPA are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Personal Data.

Each party will take appropriate steps to ensure compliance with the Security Measures (as defined below) by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of the Agreement.

Each party shall ensure that access to Personal Data covered under this DPA is limited to those personnel who require such access to perform the Services. Each party shall ensure that access to Personal Data provided by the other party pursuant to this DPA is limited to those personnel who require such access under the Agreement.

Sub-processors

A party acknowledges and agrees that the other party may engage third-party Sub-processors in connection with the performance of the Agreement.

The party acting as Processor shall (i) give the Controller prior written notice of the appointment of any Sub-processor, including full details of the Processing to be undertaken by the Sub-processor and permit the Controller to approve or reject such Sub-processor (on reasonable grounds); (ii) carry out adequate due diligence prior to the appointment of any Sub-processor to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by applicable Data Protection Laws and the Agreement, (iii) ensure that the arrangement between Processor and Sub-processor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Addendum and meet the requirements of applicable Data Protection Laws; and (iv) be liable for the acts and omissions of its Sub-processors to the same extent Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

Security and audit rights

Each party shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA. Each party will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (the "Security Measures"). The Security Measures shall ensure a level of security appropriate to the risk and in accordance with applicable requirements of Data Protection Laws, including encrypting Personal Data; ensuring ongoing confidentiality, integrity, availability and resilience of the party's systems and services; helping restore timely access to Personal Data following a Security Breach; and regularly testing the effectiveness of the Security Measures.

Both parties will (taking into account the nature of the processing of Personal Data under this DPA) cooperatively and reasonably assist each other in ensuring compliance with each other's respective obligations with respect to the security of Personal Data and Personal Data breaches under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR.

Each party shall make available to the other party all information necessary to demonstrate compliance with the DPA and each Party may (or if mandated by a Supervisory Authority, will) allow for an audit by a mutually agreeable firm. To request an audit, the requestor must submit a detailed audit plan reasonably in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. The auditor must be approved in advance by both parties (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to both parties before conducting the audit. The audit must be conducted during regular business hours, subject to both companies' policies, and may not unreasonably interfere with either company's business activities. Any such audits are at the expense of the party making the request. Both parties agree to share information regarding any non-compliance discovered during the course of an audit.

Security breach management and notification

If either party becomes aware of any actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the other party's equipment or facilities under this DPA ("Security Breach"), such party will promptly notify the other party of the Security Breach without undue delay. Notifications made pursuant to this section will take place within a reasonable time and certainly no longer than two (2) business days after discovery and shall describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and any recommended steps that either or both parties should take to address the Security Breach. Each party will promptly investigate the Security Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.

Notifications of Security Breaches to the other party will be delivered to one or more of the other party's business, technical or administrative contacts by any reasonable means, including via email. It is each party's responsibility to ensure it maintains accurate contact information. Any notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.

Unless required under applicable law, a party acting as Processor shall not notify any Supervisory Authority or law enforcement agency directly of any Security Breach and will not communicate with any Supervisory Authority or law enforcement agency directly about any actual or suspected Security Breach and shall allow the applicable Controller to manage all such communications.

Unless prohibited by applicable law, a party acting as Processor shall also notify the Controller of any third party legal process relating to any Security Breach, including, but not limited to, any legal process initiated by any governmental entity (foreign or domestic).

Without limiting the foregoing, the applicable Controller shall make the final decision on notifying (including the contents of such notice) such Controller's clients, employees, service providers, Data Subjects and/or the general public of such Security Breach, and on the implementation of the remediation plan.

Return and deletion of personal data

Both parties will comply with instructions from the other party to delete certain Personal Data as soon as reasonably practicable or any other lawful timeframe as mutually agreed upon by the parties in writing, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.

On expiry of the Agreement, both parties hereby instruct the other to delete all Personal Data (including existing copies) from their respective systems and discontinue processing of such Personal Data in accordance with Data Protection Law as soon as reasonably practicable and within a maximum period of 60 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.

Cross-border data transfers

Upon request by a party acting as Controller, the party acting as Processor and its Sub-processors shall (i) enter into Standard Contractual Clauses in respect of any transfer that would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses, or (ii) use another appropriate transfer mechanism that provides an adequate level of protection in compliance with Data Protection Law.

Liability

Both parties agree that their respective liability under this DPA shall be apportioned according to each party's respective responsibility for the harm (if any) caused by that party.

Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

Miscellaneous

Nothing in this DPA shall impact a Controller’s intellectual property rights with respect to Personal Data provided by a party under the Agreement except to the extent required by applicable law.

Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.

This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one Agreement.