Data Processing Agreement (DPA)

This DPA is entered TicketSource (the Data Processor) and the Event Organiser (the Data Controller) and is incorporated into and governed by the Terms and Conditions of Use.

1. Definitions

ControllerMeans You, the Event Organiser
Data SubjectA natural person who is the subject of Personal Data, i.e. a Customer.
DPAMeans this data processing agreement together with its Appendices
Personal DataMeans all files, content, Confidential Information and any other data stored or processed TicketSource as requested by you as the Controller.  Personal Data covers any information that could be used to identify a natural person, directly or indirectly, in particular by reference to a name or personal identification number, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
ProcessorMeans us, TicketSource Ltd
ServiceMeans our online Ticketing Platform or any Professional Services provided by us to You and Authorised Affiliates
Sub-ProcessorMeans any person or entity engaged by us to process Personal Data in the provision of the Services to You.
Terms and ConditionsThe agreement entered into by the Event Organiser when signing up to use the TicketSource system.

2. Purpose

2.1 TicketSource has agreed to provide Services to you in accordance with the terms of the Terms and Conditions of Use. In providing Services, we shall process Personal Data on behalf of you. From the date that you agree to the Terms and Conditions of use of the TicketSource Service and commence using the TicketSource system, we will process and protect such Personal Data in accordance with the terms of this DPA for the term of the Agreement.

3. Scope

3.1 In providing Services to you, TicketSource shall process Personal Data only to the extent necessary to provide Services in accordance with both the Terms and Conditions of Use and this DPA.

4. Processor Obligations

4.1 TicketSource may collect, process or use Personal Data only within the scope of this DPA.
4.2 TicketSource will only process Personal Data with the Event Organiser’s written instruction (this DPA).
4.3 TicketSource will process data at all times in accordance with GDPR and with any guidance issued by the Information Commissioner.
4.4 TicketSource shall promptly inform you, if in our opinion, any of the instructions regarding the processing of Personal Data provided by you, breach any applicable data protection laws.
4.5 TicketSource shall ensure that all TicketSource employees or contractors involved in the handling of Personal Data:

    (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential;
(ii) have received appropriate training on their responsibilities as a data processor;
(iii) shall not disclose any personal data to any third parties unless permitted under this DPA, and
(iv) are bound by the terms of this DPA.
4.6 TicketSource shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
4.7 TicketSource shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

    (i) the encryption of Personal and Payment data when sending for authorisation;
(ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
    (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In accessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
4.8 The technical and organisational measures detailed in Appendix B shall be at all times adhered to as a minimum security standard. You accept and agree that the technical and organisational measures are subject to development and review and that we may use alternative suitable measures to those detailed in the attachments to this DPA.
4.9 You acknowledge and agree that, in the course of providing the Services to you, it may be necessary for us to access the Personal Data to respond to any technical problems or Controller queries and to ensure the proper working of the TicketSource system. All such access by us will be limited to those purposes defined in Appendix A.
4.10 Where Personal Data relating to an EU (or UK or Swiss) Data Subject is transferred outside of the EEA it shall be processed by an entity: (i) located in a third country or territory recognised by the EU Commission as having an adequate level of protection; or (ii) that is subject to Standard Contractual Clauses; or (iii) that has other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.
4.11 Taking into account the nature of the processing and the information available to us, we shall assist you by having in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the Data Subject’s rights and your compliance with your data protection obligations in respect of the processing of Personal Data.

5. Controller Obligations

5.1 You, the Event Organiser controls what happens to your Customer’s Personal Data.
5.2 You, the Event Organiser, represent and warrant that you shall comply with the TicketSource Terms and Conditions of Use, this DPA and all applicable data protection laws.
5.3 You represent and warrant that you have obtained any and all necessary permissions and authorisations necessary to permit us and our and Sub-Processors, to execute their rights or perform their obligations under this DPA.
5.4 You are responsible for compliance with all applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Terms and Conditions of Use.
5.5 Your employees or your authorised affiliates who use the TicketSource Services shall comply with your obligations set out in this DPA.
5.6 You shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
5.7 You shall implement appropriate technical and organisational measures to ensure a level of security appropriate to maintain the safety of your personal data.
5.8 You shall take steps to ensure that any natural person acting under your authority who has access to Personal Data does not process the Personal Data except on your instructions.
5.9 You may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. We will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with our standard operational procedures to the extent possible.

6. Sub-Processors

6.1 You acknowledge and agree that TicketSource will engage Sub-processors in connection with the provision of the Services.
6.2 All Sub-processors who process Personal Data in the provision of Services to you shall comply with our obligations set out in this DPA.
6.3 Where Sub-processors are located outside of the EEA, we confirm that such Sub-processors: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with us; or (iii) have other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.
6.4 We shall make available to you the current list of Sub-processors in Appendix 3 which shall include the identities of Sub-processors and their country of location. During the term of this DPA, we shall provide you with prior notification of at least 30 days, via email, of any changes to the list of Sub-processor(s) who may process Personal Data before authorising any new or replacement Sub-processor(s) to process Personal Data in connection with the provision of the Services.
6.5 You may object to the use of a new or replacement Sub-processor, by notifying us promptly in writing within ten (10) Business Days after receipt of our notice. If you object to a new or replacement Sub-processor, and that objection is not unreasonable, you may terminate your Agreement with TicketSource, with respect to those services which cannot be provided by us without the use of the new or replacement Sub-processor.  At the point of termination, any outstanding events can either be honoured through the TicketSource system, or you may choose to follow our Event Cancellation procedure to cancel any future events and associated tickets sold.

7. Liability

7.1 The limitations on liability set out in the Terms and Conditions of Use apply to all claims made pursuant to any breach of the terms of this DPA, unless it is deemed that TicketSource is liable.
7.2 The parties agree that TicketSource shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of our Sub-processors to the same extent we would be liable if performing the services of each Sub-processor directly under the terms of the DPA.
7.3 The parties agree that you, the Event Organiser, shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of your Employees or Authorised Affiliates as if such acts, omissions or negligence had been committed by you yourself.  TicketSource can not be held liable where the negligence or breach is caused by the Event Organiser.

8. Audit

8.1 We shall make available to you all information reasonably necessary to demonstrate compliance with our processing obligations and allow for and contribute to audits and inspections.
8.2 Any audit conducted by you under this DPA shall consist of examination of our most recent reports, certificates and/or extracts prepared by us or an independent auditor bound by confidentiality provisions at least as strict as those set out in the Terms and Conditions of Use Agreement. In the event that provision of the same is not deemed sufficient in your reasonable opinion, you may conduct a more extensive audit which will be:
(i) at your expense;
(ii) limited in scope to matters specific to you and agreed in advance;
(iii) carried out during TicketSource business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and
(iv) conducted in a way which does not interfere with our day-to-day business.
8.3 This clause shall not modify or limit your rights of audit, instead it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.

9. Notification of Data Breach

9.1 We shall notify you without undue delay after becoming aware of (and in any event within 72 hours of discovering) any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Personal Data (“Data Breach”).
9.2 Where required under GDPR, TicketSource will notify the relevant authorities of the Data Breach and comply with any instructions received from the relevant authorities.
9.3 We will promptly investigate every security breach and take reasonable measures to identify its root cause(s), mitigate its adverse effect and prevent a recurrence. As information becomes available, unless prohibited by law, we will provide you with a description of the security breach, the type of Personal Data that was the subject of the Data Breach, and other information you may reasonably request concerning the affected Personal Data.
9.4 We will take all commercially reasonable measures to secure the Personal Data, to limit the effects of any Data Breach, and to assist you in meeting your obligations under applicable law.

10. Compliance, Cooperation and Response

10.1 In the event of the exercise by the Data Subjects of any of their rights under the Act in relation to the Data, TicketSource will not respond to such Data Subjects but will inform the Event Organiser within two (2) working days. TicketSource will assist the Event Organiser with all Data Subject information requests which may be received from any Data Subject in relation to any Data within such timescales as may be prescribed by the Event Organiser.
10.2 TicketSource may update a Data Subject’s email address, phone number or address at their request if incorrect contact details are provided at the time of booking. This will only be undertaken with relation to recent bookings where a ticket has not been received for the intention to re-send tickets only.
10.3 In the event that we are legally required to respond to the Data Subject, you will fully cooperate with us as applicable.
10.4 We will notify you promptly of any request or complaint regarding the processing of Personal Data, which adversely affects you, unless such notification is not permitted under applicable law or a relevant court order.
10.5 We may make copies of and/or retain Personal Data in compliance with any legal or regulatory requirement including, but not limited to, retention requirements.
10.6 The Controller and the Processor and, where applicable, their representatives, shall cooperate, on request, with the applicable supervisory authority in the performance of their respective obligations under this DPA.

11. Term and Termination

11.1 The term of this DPA shall coincide with the commencement of the Terms and Conditions of Use Agreement. The term will continue until either the Event Organiser notifies TicketSource that they wish to end their Agreement or if the Event Organiser’s TicketSource account has remained dormant (i.e. no events listed) for a period of Two Years. At this point, this DPA shall terminate automatically together with termination or expiry of the Terms and Conditions of Use Agreement.
11.2 If you notify TicketSource that you wish to terminate your Agreement, you will be required to specify an end of Agreement date. We will retain Personal Data within the TicketSource system for up to Two Years from the end of Agreement date, in line with our retention policy (see Appendix 4).
11.3 If your TicketSource account is dormant for a period of Two Years, your TicketSource account will be closed and any remaining Personal Data deleted.

12. General

12.1 This DPA sets out the entire understanding of the parties with regards to the subject matter herein.
12.2 Should a provision of this DPA be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.
12.3 This DPA shall be governed by the law applicable to the terms of the Terms and Conditions of Use. The courts that shall have exclusive jurisdiction for the settlement of all disputes arising under this DPA shall be the same as those set out in the terms of the Terms and Conditions of Use.

Appendix 1 – Details of the Processing

Details of Processing

TicketSource will sell tickets and manage bookings on behalf of the Event Organiser for events listed within the TicketSource system.  TicketSource will retain the Personal Data for any personal that has purchased tickets through the TicketSource system for not more than twelve months, for the purpose of identifying and resolving any payment dispute that might arise within that period.

Data Subjects

The personal data processed usually concerns the following data subjects:

  • Your customers seeking to book tickets

Categories of Personal Data

The categories of Personal Data processed is solely determined by you when using the TicketSource service.  The Categories of Personal Data processed includes, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position (for business events where you have selected to record this information)
  • Employer (for business events where you have selected to record this information)
  • Contact information (address, email, phone)
  • IP address
  • Payment details (payment details are encrypted when sending for processing inline with our Payment Card Industry Data Security Standards compliance.  TicketSource does not store card details within its system). 

Special Categories of Data

TicketSource does not require any special categories of Personal Data for Processing purposes in line with this Agreement.  The Event Organiser solely determines if and which special categories are stored within the TicketSource system and should any Special Categories of Data be stored, it is the Event Organiser’s responsibility to ensure compliance with Data Protection laws surrounding processing of Special Categories of Data.

Processing operations

The Personal Data processed will be subject to the following basic processing activities:

  • Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Terms and Conditions of Use and your instructions. We process Personal Data only on behalf of you, the Data Controller.

Processing operations include, but are not limited to:

  • Provision of the TicketSource Service via our hosting infrastructure.
  • Auditing use of the TicketSource Service for compliance with the DPA or Terms and Conditions of Use or applicable law.
  • Finding, analysing and protecting the TicketSource Service and Personal Data or users against threats.
  • Provision of Technical support, issue diagnosis and defect resolution to ensure the efficient and proper running of the systems and to identify, analyse and resolve technical issues both generally in the provision of the TicketSource Service and specifically in answer to your support query.
  • We may use data to perform quality assurance, sales analysis or other business analysis.
  • Fulfilling any other obligation set out in the Agreement.

All these operations relate to all categories and aspects of Personal Data processed.

Appendix 2 – Security

TicketSource handles Customer’s Personal Data daily.  Personal Data must have adequate safeguards in place to protect them, to protect their privacy and to ensure compliance with various regulations including GDPR and PCI DSS.

TicketSource commits to respecting the privacy of all its customers and to protecting any Personal Data from outside parties.  To this end management are committed to maintaining a secure environment in which to process Personal Data so that we can meet these promises.

Access to the Personal Data

All Access to Personal Data should be controlled and authorised. Any Job functions that require access to cardholder data should be clearly defined.

  • Access to Personal Data and Business Data is restricted to employees that have a legitimate need to view such information.
  • No other employees should have access to this Personal Data or Business Data unless they have a genuine business need.
  • It is strictly prohibited for employees to download Personal Data or Business Data, unless they have a genuine business need.
  • As soon as an individual leaves TicketSource employment, all his/her system logons must be revoked.
  • As part of the employee termination process the Operations Manager will inform IT operations of all leavers and their date of leaving and all system access will be terminated on the final day of employment.
  • If Personal Data is shared with a Service Provider (Sub Processor) then a list of such Service Providers will be maintained as detailed in Appendix C.
  • TicketSource will ensure a written agreement is in place with all Sub-Processors to ensure their compliance with GDPR and PCI DSS.
  • TicketSource will ensure that a there is an established process including proper due diligence is in place before engaging with a Service provider.
  • TicketSource will have a process in place to monitor the GDPR and PCI DSS compliance status of the Service provider.

Physical Security  

Access to sensitive information in both hard and soft media format or accessible by viewing the TicketSource system must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.

  • TicketSource will ensure that security at its office is maintained to safeguard any data stored on site.
  • Visitors must always be escorted by a trusted employee.  At no time should a Visitor be able to view Personal Data or Event Organiser data, or event information and the Visitor must never be left unattended.
  • Strict control is maintained over the storage and accessibility of media.
  • Employees are only permitted to use storage devices for work purposes with the express permission of a Senior Manager.  All data must be deleted from the device when no longer required for that specific work activity.  
  • All computers that access the TicketSource system where Personal Data can be viewed must have a password protected access and password protected screensaver enabled to prevent unauthorised use. Passwords must never be shared and be regularly changed in line with the TicketSource IT policy.
  • Backups of business-critical information is to be stored off-site.
  • Remote access to the TicketSource site is restricted to key personnel with responsibilities to monitor the site out of hours.

Disposal of Stored Data / Retention Policy

  • All Personal Data within the processing side of the TicketSource system will be securely disposed of when no longer required by TicketSource.  Personal Data will be stored for one year for business requirements, specifically to resolve charge disputes or personal charge queries.  
  • An automated process to permanently delete Personal Data will be run in-line with our retention policy stated above.

Security Awareness and Procedures  

The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of Personal Data demands regular training of all employees and contractors.

  • Undertake Security Awareness and Data Protection training as part of the employee induction process.
  • Review handling procedures for Personal Data and hold periodic security awareness meetings to incorporate these procedures into day to day company practice.
  • Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgement form.
  • All Sub-Processors with access to Personal Data are contractually obligated to comply with regulations such as GDPR and PCI DSS (where applicable).  
  • Company security policies must be reviewed annually and updated as needed.  

Security Management / Incident Response Plan

'Security incident' means any incident (accidental, intentional or deliberate) relating to the TicketSource processing systems. The attacker could be a malicious stranger, a competitor, or a disgruntled employee, and their intention might be to steal information or money, or just to damage the company.

TicketSource has an Incident response plan which is tested once annually.

Employees of TicketSource will be expected to report to the Data Controller for any security related issues.

Network security

  • Stateful Firewall technology must be implemented where the Internet enters the TicketSource network to mitigate known and on-going threats. Firewalls must also be implemented to protect local network segments and the IT resources that attach to those segments such as the business network, and open network.
  • All inbound network traffic to TicketSource is blocked by default, unless explicitly allowed and the restrictions have to be documented.
  • A topology of the firewall environment must be documented and must be updated in accordance to the changes in the network.
  • The firewall rules will be reviewed on a six months basis to ensure validity?
  • No direct connections from Internet to the Personal Data environment will be permitted. All traffic has to traverse through a firewall.

System and Password Policy

All employees with access to TicketSource systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

  • All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.
  • All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.
  • Administrator access to web-based management interfaces is encrypted using strong cryptography.

Anti-virus policy

  • All machines must be configured to run the latest anti-virus software as approved by TicketSource.  This software must be configured to retrieve the latest updates to the antiviral program automatically on a daily basis. The antivirus should have periodic scanning enabled for all the systems.
  • All removable media where permitted to be used (for example USB sticks or storage devices) should be scanned for viruses before being used.
  • E-mail with attachments coming from suspicious or unknown sources should not be opened. All such e-mails and their attachments should be deleted from the mail system as well as from the trash bin. No one should forward any e-mail, which they suspect may contain virus.

Patch Management Policy

  • All Workstations, servers, software, system components etc. owned by TicketSource must have up-to-date system security patches installed to protect the asset from known vulnerabilities.
  • Where ever possible all systems, software must have automatic updates enabled for system patches released from their respective vendors. Security patches have to be installed within one month of release from the respective vendor.
  • Any exceptions to this process have to be documented.

Vulnerability Management Policy

  • As part of the PCI-DSS Compliance requirements, TicketSource will run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
  • Quarterly internal vulnerability scans must be performed by TicketSource by internal staff or a 3rd party vendor and the scan process has to include that rescans will be done until passing results are obtained, or all High vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.
  • Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV). Scans conducted after network changes may be performed by TicketSource’s internal staff. The scan process should include re-scans until passing results are obtained.

Protect Data - Transfer of Personal Data to a Sub-Processor

  • All third-party companies providing critical services to TicketSource must have a contract to with TicketSource which confirms that they:
    1. Adhere to the GDPR and PCI DSS security requirements.
    2. Acknowledge their responsibility for securing the Personal Data.
    3. Acknowledge that the Personal Data must only be used for assisting the completion of a transaction, providing a fraud control service or for uses specifically required by law.
    4. Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.
    5. Provide full cooperation and access to conduct a thorough security review after a security intrusion to the ICO or a Payment Card industry representative, or a Payment Card industry approved third party.

Protect Data – Telephone Box Office Transactions

  • Box Office Staff are not permitted to read out card details or repeat back to a customer.  
  • Box Office Staff are not permitted to write down card details in any format or media, except to enter them directly into the TicketSource system.
  • Box Office Staff must talk to the card-holder to obtain card authorisation.  If the card-holder is not present, the booking cannot proceed.
  • If a card is declined, Box Office Staff are only permitted one further attempt to authorise the card.  Following the second attempt, a new card must be entered or request that the personal contacts us again in 24 hours.
  • No employee is permitted to have a mobile phone on their desk unless the mobile phone is being used for work purposes (e.g. Developers, Marketing Team) and under no circumstances can photos of a computer screen displaying Personal Data be taken.  

Appendix Three – Sub Processors

Barclaycard (Payment Processor) - UK

Realex (Payment Gateway) - UK

ePDQ (Payment Gateway) - UK

Stripe (Payment Gateway and Processor) - Ireland

Mandrill (e-ticket and reminder email delivery) - USA

Twilio (mobile ticket delivery) - USA

Postcode Anywhere (postcode lookup) - UK

Amazon (Web Server) - UK

Cloudflare (Website security and application firewall) - UK/Europe/USA (dependent on where the customer is based)

Google Analytics (tracking website traffic) - Europe

Booking Protect (ticket refund protection) - UK/Europe

Appendix Four – Data Retention

Customer Personal Data

TicketSource will keep a customer’s Personal Data for no longer than reasonably necessary and will be deleted after one (1) year.  Personal Data is retained by TicketSource for this period to assist us to respond to customer booking queries or any charge disputes that may arise.

TicketSource has an automated process to delete customer data.

An Event Organiser may have a different retention period and this will be stated in their own Data Privacy Policy.

Category: Terms of Use

Last modified on Mon 8 April 2019