
    Data Processing Agreement

    Last updated: February 1, 2026 • Version 2.1

    1. Introduction

    This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between BlueDuck LLC, a Colorado limited liability company doing business as ExperienceLocal ("Processor" or "ExperienceLocal"), and the organization using our Services ("Controller" or "Customer").

    This DPA reflects the parties' agreement regarding the processing of Personal Data in connection with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and other applicable data protection laws ("Data Protection Laws").

    This DPA applies where and only to the extent that Processor processes Personal Data on behalf of Controller in the course of providing the Services, and such Personal Data is subject to Data Protection Laws.

    2. Definitions

    For the purposes of this DPA, the following definitions apply:

    • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
    • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
    • "Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
    • "Processor" means the entity that Processes Personal Data on behalf of the Controller.
    • "Sub-processor" means any third party appointed by Processor to Process Personal Data on behalf of Controller.
    • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
    • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
    • "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.
    • "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.

    3. Scope and Purpose

    3.1 Subject Matter

    The subject matter of this DPA is the Processing of Personal Data by Processor on behalf of Controller in connection with the provision of the Services under the Agreement.

    3.2 Categories of Data Subjects

    Personal Data may relate to the following categories of Data Subjects:

    • Controller's employees, agents, and authorized users
    • Guests who book Experiences or Resources through Controller's use of the Services
    • Experience Providers and their staff
    • Other individuals whose Personal Data is submitted to the Services by Controller

    3.3 Types of Personal Data

    The following types of Personal Data may be Processed:

    • Contact Information: Name, email address, phone number, mailing address
    • Account Information: Username, encrypted passwords, account preferences
    • Booking Information: Booking details, dates, times, guest counts, special requests, dietary requirements
    • Payment Information: Payment card details, billing address (processed via Stripe as an independent controller)
    • Business Information: Business name, business address, tax identification numbers
    • Usage Data: IP addresses, device information, log data, analytics data
    • Communications: Messages, support inquiries, feedback

    3.4 Purpose of Processing

    Personal Data will be Processed solely for the following purposes:

    • Providing and maintaining the Services as described in the Agreement
    • Processing bookings, payments, and refunds
    • Facilitating communications between Controller, Providers, and Guests
    • Providing customer support
    • Generating analytics and reports for Controller
    • Ensuring the security and integrity of the Services
    • Complying with legal obligations
    • Any other purposes specified in the Agreement or agreed in writing

    3.5 Duration of Processing

    Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law.

    4. Controller Obligations

    Controller represents and warrants that:

    • It has complied and will continue to comply with all applicable Data Protection Laws in its use of the Services and its Processing of Personal Data
    • It has obtained all necessary consents, authorizations, and legal bases for the Processing of Personal Data by Processor
    • It has provided all required notices to Data Subjects regarding the Processing
    • Its instructions to Processor will comply with Data Protection Laws
    • It has implemented appropriate technical and organizational measures to protect Personal Data in its possession or control

    5. Processor Obligations

    Processor agrees to:

    • Process Personal Data only on documented instructions from Controller, unless required by applicable law, in which case Processor will inform Controller of that legal requirement before Processing (unless prohibited by law)
    • Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
    • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6
    • Respect the conditions for engaging Sub-processors as set out in Section 7
    • Taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures for the fulfillment of Controller's obligation to respond to Data Subject requests
    • Assist Controller in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to Processor
    • At Controller's choice, delete or return all Personal Data upon termination of the Services, and delete existing copies unless applicable law requires storage
    • Make available to Controller all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits as described in Section 11
    • Immediately inform Controller if, in Processor's opinion, an instruction infringes Data Protection Laws

    6. Security Measures

    Processor implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures include:

    6.1 Technical Measures

    • Encryption: Personal Data encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
    • Access Controls: Role-based access controls, principle of least privilege, multi-factor authentication
    • Network Security: Firewalls, intrusion detection systems, DDoS protection
    • Monitoring: Continuous security monitoring, audit logging, anomaly detection
    • Vulnerability Management: Regular security assessments, penetration testing, timely patching
    • Backup and Recovery: Regular backups, disaster recovery procedures, business continuity planning

    6.2 Organizational Measures

    • Security Policies: Documented information security policies and procedures
    • Personnel Security: Background checks, confidentiality agreements, security training
    • Incident Response: Documented incident response procedures
    • Vendor Management: Security assessments of Sub-processors
    • Physical Security: Data centers with appropriate physical security controls

    7. Sub-processors

    7.1 General Authorization

    Controller provides general authorization for Processor to engage Sub-processors to Process Personal Data on Controller's behalf, subject to the requirements of this Section 7.

    7.2 Current Sub-processors

    The following Sub-processors are authorized as of the effective date of this DPA:

    | Sub-processor | Purpose | Location |
    |---|---|---|
    | Neon Inc. | Database hosting and management | United States |
    | Vercel Inc. | Application hosting and CDN | United States / Global |
    | Clerk Inc. | Authentication and user management | United States |
    | Stripe Inc. | Payment processing (as independent controller) | United States |
    | Resend Inc. | Transactional email delivery | United States |
    | Functional Software Inc. (Sentry) | Error monitoring and performance | United States |
    | PostHog Inc. | Product analytics | United States / EU |
    | Cloudflare Inc. | CDN, security, and performance | Global |
    | Inngest Inc. | Background job processing | United States |

    7.3 Notice of Changes

    Processor will notify Controller of any intended changes to Sub-processors by updating the list at experiencelocal.io/dpa and, for material changes, by email at least thirty (30) days before the change takes effect.

    7.4 Objection Right

    Controller may object to a new Sub-processor by notifying Processor in writing within fourteen (14) days of receiving notice. If Controller objects on reasonable grounds related to data protection, the parties will work in good faith to find a mutually acceptable solution. If no solution is found within thirty (30) days, Controller may terminate the affected Services.

    7.5 Sub-processor Obligations

    Processor will impose data protection obligations on Sub-processors that are no less protective than those in this DPA. Processor remains fully liable to Controller for the performance of Sub-processors' obligations.

    8. International Data Transfers

    8.1 Transfer Mechanisms

    Personal Data may be transferred to and Processed in countries outside the European Economic Area (EEA), United Kingdom, or Switzerland. For such transfers, Processor ensures appropriate safeguards through:

    • Standard Contractual Clauses: EU Commission-approved SCCs (Module 2: Controller to Processor and Module 3: Processor to Processor) for transfers to countries without an adequacy decision
    • UK International Data Transfer Agreement: For transfers from the UK
    • Swiss Data Protection Addendum: For transfers from Switzerland
    • Adequacy Decisions: Where the destination country has been deemed adequate by the relevant authority

    8.2 Supplementary Measures

    Where required, Processor implements supplementary measures to ensure the transferred data receives an essentially equivalent level of protection, including encryption, access controls, and contractual commitments.

    8.3 Transfer Impact Assessment

    Upon request, Processor will provide Controller with information necessary to conduct a transfer impact assessment regarding transfers to third countries.

    9. Data Subject Rights

    Processor will assist Controller in fulfilling its obligation to respond to Data Subject requests exercising their rights under Data Protection Laws, including:

    • Right of Access (Article 15 GDPR): Providing access to Personal Data
    • Right to Rectification (Article 16 GDPR): Correcting inaccurate Personal Data
    • Right to Erasure (Article 17 GDPR): Deleting Personal Data ("right to be forgotten")
    • Right to Restriction (Article 18 GDPR): Restricting Processing
    • Right to Data Portability (Article 20 GDPR): Providing Personal Data in a portable format
    • Right to Object (Article 21 GDPR): Objecting to Processing
    • Rights related to Automated Decision-Making (Article 22 GDPR): Providing information about automated decisions

    Processor will promptly notify Controller if it receives a request directly from a Data Subject, unless prohibited by law.

    10. Data Breach Notification

    10.1 Notification Timing

    Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Controller's Personal Data.

    10.2 Notification Content

    The notification will include, to the extent known:

    • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
    • The name and contact details of Processor's point of contact
    • A description of the likely consequences of the breach
    • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

    10.3 Cooperation

    Processor will cooperate with Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.

    11. Audits and Inspections

    11.1 Audit Rights

    Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or an auditor mandated by Controller.

    11.2 Audit Procedures

    Audits are subject to the following conditions:

    • Controller must provide at least thirty (30) days' written notice
    • Audits may be conducted no more than once per year, unless required by a Supervisory Authority or following a Personal Data Breach
    • Auditors must execute confidentiality agreements
    • Audits must be conducted during normal business hours with minimal disruption
    • Controller bears the cost of audits unless the audit reveals material non-compliance

    11.3 Third-Party Certifications

    Processor may satisfy audit requirements by providing Controller with relevant third-party certifications, audit reports (e.g., SOC 2), or other documentation demonstrating compliance.

    12. Term and Termination

    12.1 Duration

    This DPA will remain in effect for the duration of the Agreement and for as long as Processor Processes Personal Data on behalf of Controller.

    12.2 Effect of Termination

    Upon termination of the Agreement or this DPA:

    • Processor will cease Processing Personal Data, except as necessary for termination activities or as required by law
    • At Controller's written request, Processor will return or delete all Personal Data within ninety (90) days
    • If Controller does not provide instructions within thirty (30) days of termination, Processor will delete the Personal Data
    • Processor will provide written certification of deletion upon request
    • Processor may retain Personal Data to the extent required by applicable law, in which case Processor will continue to protect such data in accordance with this DPA

    13. Liability

    Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not limit either party's liability for breaches of Data Protection Laws to the extent such limitation is prohibited by applicable law.

    14. Contact Information

    For questions about this DPA, data protection matters, or to exercise rights under this DPA, please contact:

    BlueDuck LLC (d/b/a ExperienceLocal)
    Data Protection Contact: dpo@experiencelocal.io
    Privacy Inquiries: privacy@experiencelocal.io
    Address: 1942 Broadway, Suite 314C, Boulder, CO 80302

    For GDPR-related matters, Data Subjects may also contact their local Supervisory Authority.
