Legal

Data Processing Addendum

Last updated March 13, 2025

This Data Processing Addendum, including its Schedules ("DPA") is a part of the Odeumate Customer Terms of Service Agreement. Capitalized terms used but not otherwise defined in the DPA will have the meanings set forth in the Customer Terms of Service Agreement. Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates.

1. Definitions

  • "Affiliate" — any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity (more than 50% of voting interests).
  • "Authorized Affiliate" — any of Customer's Affiliate(s) subject to Data Protection Laws and permitted to use the Odeumate Services.
  • "Customer Personal Data" — Customer Data comprising the categories of Personal Data described in Schedule 1. Excludes information about Users provided in connection with Account creation or administration.
  • "Data Protection Laws" — applicable laws governing Personal Data processed under the Agreement, including without limitation BC PIPA, PIPEDA, the GDPR, the UK GDPR, the FADP, the CCPA/CPRA, and equivalent laws in other jurisdictions.
  • "PIPA" — the British Columbia Personal Information Protection Act, SBC 2003, c. 63.
  • "PIPEDA" — the federal Personal Information Protection and Electronic Documents Act, SC 2000, c. 5.
  • "FADP" — Swiss Federal Act on Data Protection of 25 September 2020.
  • "GDPR" — European Union Regulation 2016/679.
  • "Personal Data" — "personal data," "personal information," "personally identifiable information," and analogous terms as defined by Data Protection Laws.
  • "Security Breach" — any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
  • "Standard Contractual Clauses" — the EU SCCs, UK Addendum, ADGM Addendum, DIFC SCCs, Turkish SCCs, and Brazilian SCCs, as applicable.
  • "Sub-processor" — any third-party engaged by Odeumate to process Customer Personal Data.

2. Data Processing

2.1 Scope. This DPA applies when Customer Personal Data is processed by Odeumate in connection with the Services.

2.2 Role of the Parties. Odeumate acts as a Processor on behalf of Customer, which may act as Controller or Processor.

2.3 Compliance. Each Party will comply with all applicable laws.

2.4 Details. The subject matter is the performance of the Odeumate Services. Duration, nature, purpose, data types, and categories of Data Subjects are specified in Schedule 1.

2.5 Instructions. Odeumate will process Customer Personal Data only in accordance with Customer's documented instructions.

2.6 Odeumate's Obligations. Odeumate will: (a) inform Customer of any instructions that violate Data Protection Laws; (b) not "sell" or "share" Customer Personal Data for targeted advertising; (c) not retain, use, or disclose Customer Personal Data outside the direct business relationship; and (d) treat Customer Personal Data as Confidential Information.

3. Odeumate Personnel and Data Protection Officer

Odeumate will ensure that personnel are informed of confidentiality requirements, appropriately trained, and bound by written confidentiality agreements. The data protection officer may be reached at privacy@odeumate.com.

4. Customer Responsibilities

Customer will process Customer Personal Data in accordance with Data Protection Laws, including providing notice to Data Subjects. Customer has sole responsibility for the accuracy, quality, and legality of Customer Personal Data.

5. Assistance to Customer

5.1 Data Subject Requests. Odeumate will promptly notify Customer of any Data Subject Requests and provide commercially reasonable assistance in responding.

5.2 DPIAs. Odeumate will provide reasonable assistance to Customer in carrying out data protection impact assessments, including making available relevant information about Odeumate's technical and organizational security measures upon reasonable request and subject to confidentiality obligations.

6. Sub-processors

6.1 Appointment. Customer acknowledges that Odeumate may engage Sub-processors. Odeumate will enter into written agreements with data protection obligations not less protective than those in this DPA.

6.2 Sub-processor Lists. Available by emailing privacy@odeumate.com.

6.3 Objections. Customer may object to a new Sub-processor within 30 days. Odeumate will use commercially reasonable efforts to accommodate the objection. If unable, Customer may terminate the applicable Order Form(s).

6.4 Liability. Odeumate is liable for Sub-processor acts and omissions to the same extent as if performing the services directly.

7. Security

7.1 Controls. Odeumate has implemented and will maintain technical and organizational measures to protect Customer Personal Data against Security Breaches.

7.2 Security Documentation. Upon reasonable request and subject to confidentiality obligations, Odeumate will make available information reasonably necessary to demonstrate compliance with its obligations under this DPA, including documentation of its technical and organizational security measures.

7.3 Audit. Customer may conduct, or commission a third-party auditor to conduct, an audit of Odeumate's data processing activities under this DPA no more than once per calendar year, following a Security Breach, or when required by Data Protection Laws or a Supervisory Authority. Audits require at least four weeks' written notice and must not unreasonably interfere with Odeumate's business operations. The cost of any audit is borne by Customer unless a Security Breach directly caused by Odeumate is confirmed.

8. Security Incident Management

8.1 Notification. Odeumate will notify Customer without undue delay after becoming aware of a Security Breach and take reasonable remediation steps.

8.2 Assistance. Odeumate will cooperate with Customer to notify Supervisory Authorities or Data Subjects as applicable.

9. Return and Deletion of Customer Personal Data

Upon Customer's request on or prior to termination, Odeumate will cooperate to facilitate data export and may thereafter delete all remaining Customer Personal Data, unless further preservation is required by law.

10. Data Transfers

10.1 Cross-border Transfers. Odeumate will comply with Data Protection Laws and ensure lawful transfer mechanisms are in place.

10.2 Transfers from the EEA. The EU SCCs apply, with Module 2 (Controller to Processor) and Module 3 (Processor to Sub-processor). Governing law: Republic of Ireland.

10.3 Transfers from the UK. The UK Addendum applies.

10.4 Transfers from Switzerland. EU SCCs apply with FADP modifications.

10.5 Transfers from the ADGM. The ADGM Addendum applies.

10.6 Transfers from the DIFC. The DIFC SCCs apply.

10.7 Transfers from Turkey. The Turkish SCCs apply.

10.8 Transfers from Brazil. The Brazilian SCCs apply.

11. Authorized Affiliates

Customer enters into this DPA on behalf of itself and its Authorized Affiliates. The contracting Customer remains responsible for coordinating all communication with Odeumate.

12. Limitation of Liability

Each Party's liability arising out of this DPA is subject to the Limitation of Liability section of the Customer Terms of Service. Odeumate's total liability for all claims applies in the aggregate across the Agreement and all DPAs.

Schedule 1 — Description of Transfer and Processing

List of Parties

Data exporter: The entity identified as "Customer" in the DPA, as set forth in the applicable Order Form.

Data importer: Odeumate. Contact: Associate General Counsel — Privacy and Product, privacy@odeumate.com.

Categories of Data Subjects

  • Personnel of Customer, including administrators, production managers, directors, stage managers, technical crew, and other staff or contractors.
  • Cast members, volunteer crew, and other participants in Customer's productions.
  • Venue contacts and third-party collaborators associated with Customer's productions.
  • Any individual whose Personal Data is submitted to the Services by Customer or its authorized Users.

Categories of Personal Data

  • Contact information (name, address, email address, phone number)
  • Account and authentication information (username, credentials, access logs)
  • Role and production information (job title, role in production, department, skills, availability)
  • Scheduling and production data associated with individuals
  • Payment and billing information (credit card and billing details for subscription management)
  • Communications information (messages, notes, support history)
  • Log data and device information (IP address, browser type, operating system, access dates and times)
  • Any other personal data submitted by Customer or its Users in connection with the Services

Sensitive Data

Customer Personal Data may include demographic information submitted voluntarily by Customer for equity, diversity, or accessibility purposes. Such data is processed solely as directed by Customer.

Processing Details

Frequency: Continuous, depending on use of the Odeumate Services.

Nature: Performance of the Odeumate Services pursuant to the Agreement.

Purposes: Set up, operate, and maintain the platform; ensure security and integrity; develop and improve features; comply with legal obligations.

Retention: For as long as necessary to perform the Odeumate Services.

Competent Supervisory Authority: For data processed primarily under Canadian law: the Office of the Privacy Commissioner of Canada (OPC) under PIPEDA, or the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) under PIPA, as applicable. For EEA transfers under the EU SCCs: the data protection supervisory authority of the EU Member State in which the data exporter (Customer) is established, or such other authority as required by applicable Data Protection Laws.

Schedule 2 — Technical and Organizational Measures

Odeumate maintains an information security program designed to (a) secure Customer Personal Data against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable risks to the security and availability of the Odeumate Services, and (c) minimize physical and logical security risks. One or more designated employees coordinate and are accountable for the program.

Schedule 3 — Additional Provisions for Certain Jurisdictions

Jurisdiction-specific provisions apply for transfers involving Canada, Israel, Japan, Korea, Mexico, Singapore, and South Africa. Full details are available by contacting privacy@odeumate.com.