Data Policy

Updated as of October 30th, 2024

Contact Support
  1. Definitions
  2. Scope
  3. Roles of the Parties; Client Responsibilities
  4. Our Services
  5. Purposes of Processing
  6. Personal Dara Processing Requirements. PRQX Will:
  7. Security
  8. Personal Data Breach Notification
  9. Data Transfers
  10. Return or Destruction
  11. Audits

This Data Processing Agreement forms as part of and is incorporated in the Term of Services Agreement between you and PRQX.  As used herein, this “Agreement” refers to the agreement or terms of service, and any associated contractual document between the parties, applicable to software, applications, and services provided by Event Data Tools Holding, Inc and/or any of its subsidiaries, affiliates, and divisions as may change from time to time (collectively, “PRQX”). As used herein, “Client” refers to the individual or entity subject to the Agreement. 

IF YOU DO NOT AGREE WITH THIS AGREEMENT, DO NOT ATTEMPT TO USE PRQX SERVICES AND/OR CONTINUE TO USE PRQX SERVICES AND/OR REGISTER A MEMBER ACCOUNT WITH PRQX SERVICES AND/OR OTHERWISE PROVIDE US WITH YOUR INFORMATION. 

1. DEFINITIONS

  1. Data Privacy Laws refers to all applicable laws, regulations, and other legal requirements in any jurisdiction related to privacy, data protection, data security, breach notification, or the processing of Personal Data. This includes, but is not limited to, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (“CCPA”), and other U.S. federal or state privacy laws (“U.S. Privacy Laws”). Each party is responsible only for the Data Privacy Laws applicable to it. 
  2. Data Subject is an identified or identifiable natural person to whom the Personal Data relates. 
  3. Personal Data includes terms such as “personal data,” “personal information,” “personally identifiable information,” and similar terms as defined by applicable Data Privacy Laws, which are processed in connection with the Agreement. 
  4. Personal Data Breach is any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data. 
  5. Process, Processed, Processing is any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, creation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction. 
  6. Subprocessor is any PRQX affiliate or subcontractor engaged by PRQX for the processing of Personal Data.

2. SCOPE

This Data Policy applies to the Personal Data that PRQX receives from the Client or otherwise processes on behalf of the Client through the PRQX services provided under the Agreement (the “Services”). 

3. ROLES OF THE PARTIES; CLIENT RESPONSIBILITIES

  1. The Client acknowledges that it is either (i) using the Services as the lawful owner of a physical or virtual ticket permitting entry to an event (“Ticket”) and is therefore considered a “controller” or “business” under Data Privacy Laws, with PRQX acting as a “processor” or “service provider” under those laws; or (ii) using the Services as a “processor” or “service provider” under Data Privacy Laws, in which case PRQX serves as the Client’s subprocessor or service provider. 
  2. The Client is responsible for complying with all applicable laws, including establishing legal bases for both its own and PRQX’s processing of Personal Data, and obtaining any necessary consents required under Data Privacy Laws for PRQX to process the Personal Data and provide the Services. 

4. OUR SERVICES

Our services assist organizations operating in the live entertainment ticket industry to price ticket inventory, process ticket purchases, distribute ticket inventory, process and fulfill orders, and manage general ticket inventory related to one or both of the following:

  • “Ticket”: A physical or “virtual” ticket granting entry to a venue, whether provided in PDF, PNG, JPG, paper, barcode, or other accepted format; and
  • “Associated Data”: the metadata corresponding to and defining that Ticket; including but not limited to event description, event date, event time, ticket section, row and seat number, sale price, purchaser-related personal information, and originating account-related information.

Services we offer currently include the following:

Inventory Management: PRQX provides services that allow its members to view all ticket inventory their organization owns on their existing point-of-sale, or multiple point-of-sales, to perform operations to manage the associated data with that ticket inventory.

Automated Pricing: PRQX provides services that monitor the active market to suggest inventory selling prices and dynamically continuously update inventory selling prices.

5. PURPOSES OF PROCESSING

  • PRQX will process Personal Data solely for the following purposes: (1) to fulfill its obligations to the Client under the Agreement, including this DPA; (2) on behalf of the Client; and (3) in compliance with Data Privacy Laws. Except as explicitly allowed by Data Privacy Laws, PRQX will: 
  • Not retain, use, or disclose Personal Data outside of the direct business relationship between the Client and PRQX, except as expressly permitted by Data Privacy Laws. 
  • Not “sell” or “share” any Personal Data, as those terms are defined in applicable U.S. Privacy Laws, to any third party. 
  • Not attempt to re-identify any pseudonymized, anonymized, aggregated, or de-identified Personal Data without the Client’s explicit written consent. 
  • Not attempt to link, identify, or otherwise associate Personal Data with non-Personal Data or any other data without the Client’s explicit authorization. 
  • Comply with any applicable restrictions under Data Privacy Laws regarding combining Personal Data with personal data obtained from, or on behalf of, other individuals or entities, or that PRQX collects from any interactions between itself and any individual. 
  • Provide the same level of protection for the Personal Data as required under Data Privacy Laws applicable to the Client. 
  • Not engage in any processing of Personal Data that is prohibited or not permitted for “processors” or “service providers” under Data Privacy Laws. 
  • Promptly notify the Client if PRQX determines that: (a) it can no longer meet its obligations under this DPA or Data Privacy Laws; (b) it has breached this DPA; and shall cooperate to remediate such breach; or (c) in PRQX’s opinion, an instruction from the Client infringes upon Data Privacy Laws. 
  • The Client reserves the right, upon notice, to take reasonable and appropriate steps to prevent and address any unauthorized use of Personal Data, including any use not expressly authorized under this DPA. 

6. PERSONAL DATA PROCESSING REQUIREMENTS. PRQX WILL:

  1. Ensure that the persons PRQX authorizes to Process the Personal Data are subject to a written confidentiality agreement covering such data, or are under an appropriate statutory obligation of confidentiality 
  2. Assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to honor requests by individuals (or their representatives) to exercise their rights under the Data Privacy Laws (such as rights to access or delete their Personal Data). 
  3. Notify Client of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about PRQX’s Processing of Personal Data, unless prohibited by applicable law. If PRQX receives a third-party, Data Subject, or governmental request, PRQX will, subject to legal obligations, await written instructions from Client on how, if at all, to assist in responding to the request. PRQX will provide the Client with reasonable cooperation and assistance in relation to any such request.   
  4. Assist Client in its performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Privacy Laws, by providing Client with access to documentation for the Services. Additional support for data protection impact assessments will require a statement of work and mutual agreement on fees, the scope of PRQX’s involvement, and any other terms that the parties deem appropriate. 
  5. Assist Client in its consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to  PRQX under Data Privacy Laws to consult with a regulatory authority in relation to PRQX’s Processing or proposed Processing of Personal Data, by providing Client with access to documentation for the Services. Additional support for consultation with regulators is available at Client expense and will require a statement of work and mutual agreement on fees, the scope of PRQX’s involvement, and any other terms that the parties deem appropriate. 
  6. Subprocessors. PRQX may subcontract the collection or other Processing of Personal Data only in compliance with Data Privacy Laws and any additional conditions for subcontracting set forth in the Agreement. Prior to a Subprocessor’s Processing of Personal Data, PRQX will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on PRQX under this DPA. A current list of Subprocessors for the services Client obtains under the Agreement is set forth as Exhibit C. Subject to Client’s registration of an email address to receive notices (to be sent to PRQX  at legal@pricerqx.com), PRQX will provide Client with at least fifteen (15) days’ notice of any new Subprocessor added to the list prior to transferring Personal Data to such new Subprocessor;  provided, however, PRQX may provide a shorter notice period where new Subprocessors are necessary for security purposes. PRQX remains responsible for its Subprocessors and liable for their performance under the Agreement and this DPA. 

7. SECURITY

  1. PRQX will assist Client in ensuring Client’s compliance with the security obligations of the  GDPR and other Data Privacy Laws, as relevant to PRQX’s role in Processing the Personal  Data, taking into account the nature of Processing and the information available to PRQX, by complying with this Section 7 and, if available in the Services, by providing configurable security options. 
  2. To protect the Personal Data, PRQX shall implement appropriate technical and organizational measures that comply with Exhibit B, without prejudice to PRQX’s right to make future updates to the measures that do not lower the level of protection of Personal Data.   
  3. Client is solely responsible for reviewing the available security documentation and evaluating for itself whether the Services and related security will meet Client’s needs, including Client’s security obligations under Data Privacy Laws. Client agrees that the security commitments in this DPA will provide a level of security appropriate to the risk in respect of the Personal Data. 

8. PERSONAL DATA BREACH NOTIFICATION

PRQX will comply with the Personal Data Breach-related obligations directly applicable to it under Data Privacy Laws. Taking into account the nature of Processing and the information available to PRQX, PRQX will assist Client in complying with those obligations applicable to Client by informing Client of a confirmed Personal Data Breach without undue delay. 

9. DATA TRANSFERS

  1. Client agrees and will ensure that Client and its affiliates are entitled to transfer the Personal Data to PRQX so that PRQX and its Subprocessors may lawfully Process the Personal Data in accordance with the Agreement and this DPA. 
  2. Client authorizes PRQX and its Subprocessors to make international transfers of the Personal Data in accordance with Data Privacy Laws and this DPA. 

10. RETURN OR DESTRUCTION

PRQX will, at the choice of Client, return to Client and/or destroy all Personal Data after the end of the provision of services relating to Processing, except to the extent applicable law requires storage of the Personal Data. 

Nothing will oblige PRQX to delete Personal Data from files created for security, backup, and business continuity purposes sooner than required by PRQX’s data retention processes. If Client requires earlier deletion of such Personal Data, and such deletion is commercially feasible, Client must first pay PRQX’s reasonable charges for such deletion, which may include costs for business interruptions associated with such a request. 

11. AUDITS

  • PRQX will allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, as follows: 
  • If the requested audit scope is addressed in an ISO or similar audit report issued by a third party auditor within the prior twelve (12) months and PRQX provides such report to Client confirming there are no known material changes in the controls audited, Client agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.   
  • In the event an audit report is not provided, any audit, whether by Client or a third party, must be limited to no more than once per twelve (12) month period, and Client will (i)  conduct the audit only on an agreed date during normal business hours (9:00 am – 5:00 pm local time); (ii) limit its audit to only one business day; and (iii) pay PRQX’s then-current audit fee.   
  • If a third party is to conduct the audit, Client will provide at least thirty (30) days’ advance notice. The third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). PRQX will not unreasonably withhold its consent to a third-party auditor requested by Client, unless such third-party auditor is a competitor or another customer of PRQX’s. Any third-party auditor must execute a written confidentiality agreement acceptable to PRQX. 
  • Client must promptly provide PRQX with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than Client’s Personal Data) is confidential information of PRQX. 

Nothing herein will require PRQX to disclose or make available:   

  • Any data of any other customer of PRQX; 
  • PRQX’s internal accounting or financial information; 
  • Any trade secret of PRQX; 
  • Any information that, in PRQX’s reasonable opinion, could (i) compromise the security of PRQX systems or premises; or (ii) cause PRQX to breach its obligations under applicable law or its security and/or privacy obligations to Client or any third party; or 
  • Any information sought for any reason other than the good faith fullfilment of Client’s obligations under the Standard Contractual Clauses or Data Privacy Laws. 
  • In addition, to the extent required by Data Privacy Laws, including where mandated by Client’s Supervisory Authority, Client or Client’s Supervisory Authority may perform, at Client’s expense, a broader audit, including inspections of the data center facility that Processes Personal Data. PRQX will contribute to such audits by providing Client or Client’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services. 
  • Client must provide PRQX with any audit reports generated in connection with this DPA, unless prohibited by applicable law. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and/or confirming compliance with the terms of this DPA. 

Exhibit A:  

Information Security 

  • PRQX has agreed to employ appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data (“Information Security Program”). 
  • PRQX’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Client Personal Data (“Data Personnel”). PRQX’s security requirements covers the following areas: 
  • Information Security Policies and Standards. PRQX will maintain information security policies, standards and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Client Personal Data. These policies, standards, and procedures shall be designed and implemented to: 
  • Prevent unauthorized persons from gaining physical access to Client Personal Data Processing systems (e.g. physical access controls); 
  • Prevent Client Personal Data Processing systems from being used without authorization (e.g. logical access control); 
  • Ensure that Data Personnel gain access only to such Client Personal Data as they  are entitled to access (e.g. in accordance with their access rights) and that, in the  course of Processing or use and after storage, Client Personal Data cannot be  read, copied, modified or deleted without authorization (e.g. data access controls); 
  • Ensure that Client Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the recipients of any transfer of Client Personal Data by means of data transmission facilities can be established and verified (e.g. data transfer controls); and 
  • Ensure that all systems that Process Client Personal Data are the subject of a vulnerability management program that includes without limitation internal and external vulnerability scanning with risk rating findings and formal remediation plans to address any identified vulnerabilities. 
  • Physical Security. PRQX will maintain commercially reasonable security systems at all PRQX sites at which an information system that uses or stores Client Personal Data is located (“Processing Locations”) and will reasonably restrict access to such Processing Locations. 
  • Organizational Security. PRQX will maintain information security policies and procedures addressing: 
  • Data Disposal. Procedures for when media are to be disposed or reused have been implemented to prevent any subsequent retrieval of any Client Personal Data stored on media before they are withdrawn from the PRQX’s inventory or control. 
  • Data Minimization. Procedures for when media are to leave the premises at which the files are located as a result of maintenance operations have been implemented to prevent undue retrieval of Client Personal Data stored on media. 
  • Data Classification. Policies and procedures to classify sensitive information assets, clarify security responsibilities, and promote awareness for all employees have been implemented and are maintained. 
  • Incident Response. All Client Personal Data security incidents are managed in accordance with appropriate incident response procedures. 
  • Network Security. PRQX maintains commercially reasonable information security policies and procedures addressing network security. 
  • Access Control (Governance). 
  • PRQX governs access to information systems that Process Client Personal Data. 
  • Only authorized PRQX staff can grant, modify or revoke access to an information system that Processes Client Personal Data. 
  • PRQX implements commercially reasonable physical and technical safeguards to create and protect passwords. 
  • Virus and Malware Controls. PRQX protects Client Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Client Personal Data. 

Personnel 

  • PRQX has implemented and maintains a security awareness program to train all employees about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and security incident reporting. 
  • Data Personnel strictly follow established security policies and procedures.  Disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures. 
  • PRQX shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may Process Client Personal Data. 
  • Business Continuity. PRQX implements disaster recovery and business resumption plans.  Business continuity plans are tested and updated regularly to ensure that they are up to date and effective. 

Exhibit B: 

Subprocessor Country of Jurisdiction Brief Description of Processing 
Azure United States Server hosting services