Data Processing Agreement

Last Updated: March 5, 2026

This Data Processing Agreement (“DPA”) is entered into by and between the event organizer, venue, or other entity using the Big Tickets platform (hereinafter referred to as the “Controller”) and Xorbia Technologies, Inc., a Delaware corporation, operating as Big Tickets, having its principal business address at 2864 Franklin St, Avondale Estates, GA 30002 (hereinafter referred to as the “Processor”). The Controller and the Processor are each referred to herein as a “Party” and collectively as the “Parties.”

This DPA forms part of and is incorporated by reference into the Big Tickets Terms of Service available at https://www.bigtickets.com/online-ticketing/terms-of-service/ (the “Service Agreement”). By accepting the Service Agreement, the Controller agrees to the terms of this DPA. In the event of any conflict between this DPA and the Service Agreement, the terms of this DPA shall govern with respect to the processing of Personal Data.

This DPA applies exclusively to the processing of Personal Data of United States residents in connection with the Services provided by the Processor to the Controller. Big Tickets operates exclusively within the United States and this DPA is governed solely by applicable United States federal and state privacy laws.

FOR GOOD AND VALUABLE CONSIDERATION, THE RECEIPT OF WHICH IS ACKNOWLEDGED, THE PARTIES AGREE AS FOLLOWS:

  1. Definitions
    1. “Applicable Privacy Law” means all applicable United States federal and state privacy, data protection, and data security laws and regulations as enacted and amended from time to time, including without limitation: the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CTDPA”); the Texas Data Privacy and Security Act (“TDPSA”); the Oregon Consumer Privacy Act (“OCPA”); the Minnesota Consumer Data Privacy Act (“MCDPA”); and any other US state or federal privacy law applicable to the processing of Personal Data under this DPA.
    2. “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person, and that is subject to Applicable Privacy Law. Personal Data includes the categories of data described in Schedule A of this DPA.
    3. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, making available, aligning, combining, restricting, erasing, or destroying Personal Data.
    4. “Controller” means the Party that determines the purposes and means of the Processing of Personal Data — in this context, the event organizer or venue that engages Big Tickets to provide ticketing services.
    5. “Processor” means the Party that processes Personal Data on behalf of the Controller — in this context, Xorbia Technologies, Inc. (operating as Big Tickets).
    6. “Data Subject” means the individual natural person to whom Personal Data relates — in this context, ticket buyers, event registrants, and waitlist participants whose data is collected through the Big Tickets platform.
    7. “Security Incident” means any confirmed unauthorized or unlawful access to, acquisition of, disclosure of, alteration of, loss of, or destruction of Personal Data processed under this DPA.
    8. “Services” means the event ticketing platform, registration, and related services provided by the Processor to the Controller under the Service Agreement.
    9. “Service Provider” has the meaning ascribed to it under the CCPA: a business that processes Personal Data on behalf of another business pursuant to a written contract that prohibits the Service Provider from retaining, using, or disclosing Personal Data for any purpose other than performing the services specified in the contract.
    10. “Subprocessor” means any third party engaged by the Processor to process Personal Data in connection with the Services.
  2. Scope and Nature of Processing
    1. This DPA governs the Processor’s processing of Personal Data on behalf of the Controller in connection with the Services. The Processor acts as a Service Provider and Processor with respect to Personal Data it processes on the Controller’s behalf. The categories of Personal Data processed, types of Data Subjects, and purposes of processing are described in Schedule A, attached hereto and incorporated by reference.
    2. The Processor shall process Personal Data only as necessary to perform the Services and only in accordance with the Controller’s documented instructions as set forth in the Service Agreement and this DPA, except where otherwise required by applicable law. If applicable law requires the Processor to process Personal Data in a manner inconsistent with the Controller’s instructions, the Processor shall notify the Controller of that requirement before processing, unless prohibited by law from doing so.
    3. The Processor shall promptly inform the Controller if, in its reasonable opinion, any Controller instruction would violate Applicable Privacy Law. The Processor shall not be required to follow any such instruction until the Controller has confirmed the instruction in writing with an explanation of the legal basis for compliance.
  3. Processor Obligations Under Applicable Privacy Law
    1. To the extent the CCPA or other Applicable Privacy Law applies to Personal Data processed under this DPA, the Processor agrees and certifies that it shall:
      1. process Personal Data only for the purpose of performing the Services specified in the Service Agreement or as otherwise permitted under Applicable Privacy Law;
      2. not sell Personal Data, as the term “sell” is defined under the CCPA or any other Applicable Privacy Law;
      3. not share Personal Data for cross-context behavioral advertising or targeted advertising purposes;
      4. not retain, use, or disclose Personal Data for any commercial purpose other than providing the Services;
      5. not retain, use, or disclose Personal Data outside of the direct business relationship between the Processor and the Controller;
      6. not combine Personal Data received from the Controller with Personal Data received from, or collected in connection with, any other source, except as permitted by Applicable Privacy Law or as necessary to provide the Services;
      7. notify the Controller if the Processor determines it can no longer meet its obligations under Applicable Privacy Law, in which case the Controller may direct the Processor to take reasonable and appropriate steps to remediate unauthorized use of Personal Data; and
      8. not use Personal Data to build or modify user profiles for purposes other than providing the Services.
    2. With respect to SMS opt-in data and consent records collected through the Big Tickets platform, the Processor shall not sell, share, or transfer such data to any third party for any purpose, except as may be expressly authorized by the Data Subject or required by applicable law. This restriction applies to all text messaging originator opt-in data and consent records.
    3. The Controller represents and warrants that it has all necessary rights, consents, and legal bases to provide Personal Data to the Processor for processing in connection with the Services, and that its instructions to the Processor comply with Applicable Privacy Law.
  4. Confidentiality
    1. The Processor shall treat all Personal Data as strictly confidential and shall ensure that all employees, agents, contractors, and approved Subprocessors who access or process Personal Data are subject to appropriate confidentiality obligations, whether by written agreement, employment obligation, or applicable law.
    2. The Processor shall limit access to Personal Data to those personnel who require access to perform the Services and shall ensure that such personnel are trained on applicable data privacy and security obligations.
  5. Security
    1. The Processor shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures shall be appropriate to the risk presented by the processing, taking into account the nature, scope, context, and purposes of processing, and shall include as applicable:
      1. access controls limiting Personal Data access to authorized personnel only;
      2. encryption of Personal Data in transit and at rest using industry-standard protocols;
      3. ongoing confidentiality, integrity, availability, and resilience of processing systems;
      4. the ability to restore availability and access to Personal Data in a timely manner following a physical or technical incident;
      5. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational security measures; and
      6. procedures for identifying and addressing vulnerabilities in systems used to process Personal Data.
    2. The Processor shall maintain a written information security policy that describes the security measures implemented under this Article 5 and shall review and update that policy no less than annually.
    3. Upon reasonable written request (no more than once per calendar year, with at least thirty (30) days prior notice), the Processor shall provide the Controller with a written summary of its security practices, responses to a reasonable security questionnaire, or, where available, a copy of any relevant third-party security assessment or certification. Physical on-site audits shall require mutual written agreement and shall be subject to reasonable confidentiality obligations.
  6. Security Incident Notification
    1. Upon becoming aware of a confirmed Security Incident affecting Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay and in no event later than seventy-two (72) hours of the Processor’s confirmation of the Security Incident.
    2. Such notification shall be sent to the contact designated by the Controller in Schedule A and shall include, to the extent known at the time of notification:
      1. a description of the nature of the Security Incident, including where possible the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records involved;
      2. the name and contact details of the Processor’s designated privacy or security contact;
      3. a description of the likely consequences of the Security Incident; and
      4. a description of the measures taken or proposed by the Processor to address the Security Incident, including steps to mitigate adverse effects.
    3. The Processor shall reasonably cooperate with the Controller in connection with any Security Incident response, including providing updated information as it becomes available and assisting the Controller in meeting any notification obligations the Controller may have under Applicable Privacy Law or applicable breach notification statutes.
    4. Notification by the Processor of a Security Incident under this Article 6 shall not constitute an admission of fault or liability by the Processor.
  7. Subprocessors
    1. The Controller hereby provides general authorization for the Processor to engage Subprocessors to perform processing activities in connection with the Services, subject to the conditions in this Article 7. The Processor’s current list of authorized Subprocessors is set forth in Schedule B, attached hereto.
    2. The Processor shall provide the Controller with at least thirty (30) days prior written notice before engaging any new Subprocessor or replacing an existing Subprocessor that will process Personal Data under this DPA. Such notice shall be provided by updating Schedule B on this page. If the Controller reasonably objects to a new Subprocessor on data protection grounds, the Controller shall notify the Processor in writing within fifteen (15) days of the notice, and the Parties shall cooperate in good faith to resolve the objection.
    3. The Processor shall ensure that each Subprocessor is bound by written data protection obligations no less protective than those imposed on the Processor under this DPA, including obligations relating to confidentiality, security, and compliance with Applicable Privacy Law.
    4. The Processor shall remain liable to the Controller for the performance of each Subprocessor’s obligations under this DPA to the extent the Processor would be liable if performing the services directly.
  8. Data Subject Rights
    1. To the extent the Processor receives a request directly from a Data Subject seeking to exercise rights under Applicable Privacy Law (including rights to access, correct, delete, or opt out of the sale or sharing of their Personal Data), the Processor shall:
      1. promptly notify the Controller of the request, typically within five (5) business days of receipt; and
      2. not respond to the Data Subject directly regarding their rights request, unless authorized in writing by the Controller or required by applicable law.
    2. The Processor shall provide reasonable assistance to the Controller in responding to Data Subject rights requests, using appropriate technical and organizational means, to the extent that the Controller is unable to respond to such requests without the Processor’s assistance.
    3. The Controller is responsible for determining whether any Data Subject rights request is valid and for providing the substantive response to Data Subjects within the timeframes required by Applicable Privacy Law.
  9. Data Retention and Return or Destruction
    1. The Processor shall retain Personal Data only for as long as necessary to perform the Services or as required by applicable law. Retention periods applicable to specific categories of Personal Data are described in the Big Tickets Privacy Policy available at https://www.bigtickets.com/online-ticketing/privacy-policy/.
    2. Upon termination or expiration of the Service Agreement, or upon written request by the Controller, the Processor shall, at the Controller’s election, return or securely destroy all Personal Data provided by the Controller and not subject to a legal hold or applicable retention requirement, within sixty (60) days of such request. The Processor shall provide written confirmation of destruction upon request.
    3. Notwithstanding the foregoing, the Processor may retain Personal Data where required by applicable law, including for financial recordkeeping, tax compliance, fraud prevention, or legal hold purposes, provided that such retained data is subject to the confidentiality and security obligations of this DPA.
  10. Data Transfers
    1. Big Tickets processes Personal Data exclusively within the United States. The Processor shall not transfer Personal Data to any jurisdiction outside of the United States without the prior written consent of the Controller and a lawful transfer mechanism as required by Applicable Privacy Law.
    2. In the event that a Subprocessor processes Personal Data outside of the United States, the Processor shall ensure that appropriate contractual and technical safeguards are in place to protect such Personal Data to the standard required by this DPA and Applicable Privacy Law.
  11. Liability and Indemnification
    1. Each Party shall be liable for any damages caused to the other Party or to Data Subjects resulting from that Party’s material breach of this DPA or violation of Applicable Privacy Law, subject to the limitations of liability set forth in the Service Agreement.
    2. The Processor shall indemnify, defend, and hold harmless the Controller from and against any third-party claims, losses, penalties, or expenses (including reasonable attorneys’ fees) arising directly from the Processor’s confirmed material breach of this DPA, provided that such indemnification obligation shall not exceed the total fees paid by the Controller to the Processor under the Service Agreement during the twelve (12) months preceding the event giving rise to the claim.
    3. The Controller shall indemnify, defend, and hold harmless the Processor from and against any third-party claims, losses, penalties, or expenses (including reasonable attorneys’ fees) arising from the Controller’s breach of this DPA, its failure to obtain required consents from Data Subjects, or its violation of Applicable Privacy Law.
    4. NOTWITHSTANDING ANY OTHER PROVISION HEREIN, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS DPA, EXCEPT IN THE CASE OF GROSS NEGLIGENCE OR WILLFUL MISCONDUCT.
  12. Duration and Termination
    1. This DPA is effective as of the date the Controller accepts the Service Agreement and shall remain in effect until the expiration or termination of the Service Agreement.
    2. Upon termination or expiration, Articles 4 (Confidentiality), 9 (Data Retention and Return or Destruction), 11 (Liability and Indemnification), and 13 (Miscellaneous) shall survive.
    3. If the Services no longer involve the processing of Personal Data subject to Applicable Privacy Law, this DPA may be terminated earlier upon mutual written agreement of the Parties.
  13. Miscellaneous
    1. This DPA, together with the Service Agreement and the Schedules attached hereto, constitutes the entire agreement between the Parties with respect to the processing of Personal Data and supersedes all prior agreements, representations, and understandings relating to the same subject matter, including the Data Processing Agreement dated May 23, 2018.
    2. This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law provisions. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Service Agreement.
    3. No amendment to, or waiver of any right under, this DPA is effective unless in writing signed by authorized representatives of both Parties, except that the Processor may update Schedule B (Subprocessors) by posting notice on this page with the notice period specified in Article 7.2.
    4. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be reformed to most nearly reflect the Parties’ original intent.
    5. The Controller’s acceptance of the Service Agreement shall constitute the Controller’s execution of this DPA. No separate signature is required for this DPA to be legally binding on both Parties.
    6. This DPA may not be assigned by either Party without the prior written consent of the other Party, except that the Processor may assign this DPA without consent in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the acquiring entity assumes all obligations under this DPA.

Schedule A — Details of Processing

1. Controller Contact Information

The Controller shall provide its contact information for Security Incident notifications and Data Subject rights requests through the Big Tickets organizer account portal or by written notice to support@bigtickets.com.

2. Processor Contact Information

Xorbia Technologies, Inc. (operating as Big Tickets)
2864 Franklin St
Avondale Estates, GA 30002
Tel: 1-888-318-2752
Email: support@bigtickets.com

3. Categories of Data Subjects

Personal Data processed under this DPA relates to the following categories of Data Subjects:

  • Ticket buyers and event registrants who purchase tickets or register for events through the Big Tickets platform;
  • Waitlist registrants who submit a request to join an event waitlist;
  • Event attendees whose information is collected in connection with event access and fulfillment; and
  • Individuals who contact Big Tickets customer support in connection with a ticket purchase.

4. Categories of Personal Data

The following categories of Personal Data may be processed in connection with the Services:

  • Identifiers: first name, last name, email address, mobile phone number, billing address, IP address;
  • Commercial information: ticket purchase history, order details, event registrations, waitlist status;
  • Financial information: payment card data (processed securely by third-party payment processors; Big Tickets does not store full card numbers);
  • Internet and electronic activity: website usage data, browser and device information; and
  • SMS consent records: opt-in status, consent timestamp, and opt-out records for Big Tickets and event organizer SMS programs.

5. Purposes of Processing

Personal Data is processed for the following purposes:

  • Processing ticket purchases, event registrations, and waitlist requests on behalf of the Controller;
  • Delivering tickets and order confirmations to Data Subjects;
  • Sending transactional SMS and email notifications to Data Subjects who have opted in;
  • Providing customer support for ticket purchases and event inquiries;
  • Detecting and preventing fraud and unauthorized transactions;
  • Facilitating refunds and chargebacks as directed by the Controller; and
  • Complying with applicable legal obligations, including tax reporting and breach notification requirements.

6. Retention Periods

  • Transaction and order records: seven (7) years from the date of the transaction, as required for financial and tax recordkeeping compliance.
  • SMS consent records: minimum four (4) years from the date of consent or opt-out, in accordance with CTIA guidelines and applicable law.
  • Customer support records: three (3) years from the date of the support interaction.
  • Account data: retained for the duration of the active organizer account relationship, and deleted or anonymized within ninety (90) days of account termination, subject to any applicable legal hold or retention requirement.

7. Applicable Privacy Laws

This DPA is designed to support compliance with the following laws, as applicable to the Personal Data processed under the Service Agreement:

  • California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Texas Data Privacy and Security Act (TDPSA)
  • Oregon Consumer Privacy Act (OCPA)
  • Minnesota Consumer Data Privacy Act (MCDPA)
  • Applicable US state breach notification statutes
  • CTIA Messaging Principles and Best Practices (for SMS consent records)

Schedule B — Authorized Subprocessors

The following Subprocessors are currently authorized to process Personal Data in connection with the Big Tickets Services. The Processor will update this list and provide thirty (30) days’ advance notice before adding or replacing any Subprocessor as required by Article 7.2.

  • Subprocessor: Twilio, Inc.; Purpose: SMS message delivery and transactional notifications; Data Location: United States
  • Subprocessor: Braintree/PayPal/Stripe/Authorize.net; Purpose: Secure payment processing and transaction settlement; Data Location: United States
  • Subprocessor: Mailchimp Transactional API | Mandrill; Purpose: Transactional email delivery (order confirmations, ticket delivery); Data Location: United States
  • Subprocessor: Big Tickets; Purpose: Platform infrastructure and data storage; Data Location: United States
  • Subprocessor: Help Scout; Purpose: Customer support ticket management; Data Location: United States

Schedule B last updated: March 5, 2026. Controllers who object to a newly listed Subprocessor should notify Big Tickets in writing at support@bigtickets.com within fifteen (15) days of the updated posting date.

Execution

By accepting the Big Tickets Terms of Service, the Controller acknowledges that it has read, understood, and agrees to the terms of this Data Processing Agreement. No separate signature page is required. The Controller’s acceptance of the Service Agreement constitutes its legally binding execution of this DPA on behalf of itself or the entity it represents.

For and on behalf of the Processor:
Authorized signature
Name: John Ashbaugh
Title: Chief Executive Officer
Company: Xorbia Technologies, Inc. (operating as Big Tickets)
Date: March 5, 2026
For and on behalf of the Controller:
Accepted electronically via acceptance of the Big Tickets Terms of Service.
Name: ___________________________
Title: ____________________________
Company: _________________________
Date: ____________________________
