POSH
Terms of Service Agreement
Last Updated Date: [7/1/2025]
Welcome and thank you for your interest in Posh Group, Inc. (“Posh”, “we”, “us” or “our”). This Terms of Service Agreement (“Terms of Service”, and together with any applicable Supplemental Terms (as defined in Section 1.2 (Supplemental Terms)), the “Agreement”) describes the terms and conditions that apply to your use of (i) the website located at https://posh.vip/ and its subdomains and any of Posh’s other websites on which a link to these Terms of Service appears (collectively, the “Website”), (ii) any mobile application(s) that we offer subject to these Terms of Service (each, an “Application”), and (iii) the services, content, and other resources available on or enabled via our Website or any Application, which may include the organization or attendance of an in-person event (collectively, with our Applications and Website, the “Service”). These Terms of Service are applicable to both consumers who purchase tickets, registrations, and other items via the Service (“Consumers”) and event organizers who host or manage events via the Service (“Event Organizers”).
PLEASE READ THIS AGREEMENT CAREFULLY. THIS AGREEMENT GOVERNS THE USE OF THE SERVICE AND APPLIES TO ALL USERS VISITING OR ACCESSING THE SERVICE. BY ACCESSING OR USING THE SERVICE IN ANY WAY (INCLUDING PURCHASING ANY TICKETS, PRODUCTS OR SERVICES WHETHER VIA THE WEBSITE, APPLICATION OR IN-PERSON AT AN EVENT), ACCEPTING THIS AGREEMENT BY CLICKING ON THE “I ACCEPT” BUTTON, COMPLETING THE ACCOUNT REGISTRATION PROCESS, BROWSING THE WEBSITE OR DOWNLOADING THE APPLICATION, YOU REPRESENT THAT: (1) YOU HAVE READ, UNDERSTAND, AND AGREE TO BE BOUND BY THIS AGREEMENT, (2) YOU ARE OF LEGAL AGE TO FORM A BINDING CONTRACT WITH POSH, (3) YOU ARE NOT BARRED FROM USING THE SERVICE UNDER THE LAWS OF THE UNITED STATES, YOUR PLACE OF RESIDENCE OR ANY OTHER APPLICABLE JURISDICTION; AND (4) YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT PERSONALLY OR, IF YOU ARE ACCESSING OR USING THE SERVICE ON BEHALF OF AN ENTITY, ON BEHALF OF THE ENTITY IDENTIFIED IN THE ACCOUNT REGISTRATION PROCESS. IF THE INDIVIDUAL ENTERING INTO THIS AGREEMENT IS DOING SO ON BEHALF OF AN ENTITY, ALL REFERENCES TO “YOU” OR “YOUR” IN THIS AGREEMENT WILL ALSO BE DEEMED TO REFER TO SUCH ENTITY. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF SERVICE, YOU MAY NOT ACCESS OR USE THE SERVICE.
SECTION 16 (ARBITRATION AGREEMENT) CONTAINS PROVISIONS THAT GOVERN HOW TO RESOLVE DISPUTES BETWEEN YOU AND POSH. AMONG OTHER THINGS, SECTION 16 (ARBITRATION AGREEMENT) INCLUDES AN AGREEMENT TO ARBITRATE WHICH REQUIRES, WITH LIMITED EXCEPTIONS, THAT ALL DISPUTES BETWEEN YOU AND US SHALL BE RESOLVED BY BINDING AND FINAL ARBITRATION. SECTION 16 ALSO CONTAINS A CLASS ACTION AND JURY TRIAL WAIVER. PLEASE READ SECTION 16 (ARBITRATION AGREEMENT) CAREFULLY.
UNLESS YOU OPT OUT OF THE ARBITRATION AGREEMENT (AS DEFINED IN SECTION 16) WITHIN THIRTY (30) DAYS IN ACCORDANCE WITH SECTION 16.10 (30-DAY RIGHT TO OPT OUT): (1) YOU WILL ONLY BE PERMITTED TO PURSUE DISPUTES OR CLAIMS AND SEEK RELIEF AGAINST US ON AN INDIVIDUAL BASIS, NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY CLASS OR REPRESENTATIVE ACTION OR PROCEEDING, AND YOU WAIVE YOUR RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE ARBITRATION; AND (2) YOU ARE WAIVING YOUR RIGHT TO PURSUE DISPUTES OR CLAIMS AND SEEK RELIEF IN A COURT OF LAW AND TO HAVE A JURY TRIAL.
ANY DISPUTE, CLAIM OR REQUEST FOR RELIEF RELATING IN ANY WAY TO YOUR USE OF THE SERVICE WILL BE GOVERNED AND INTERPRETED BY AND UNDER THE LAWS OF THE STATE OF NEW YORK, CONSISTENT WITH THE FEDERAL ARBITRATION ACT, WITHOUT GIVING EFFECT TO ANY PRINCIPLES THAT PROVIDE FOR THE APPLICATION OF THE LAW OF ANY OTHER JURISDICTION. THE UNITED NATIONS CONVENTION ON CONTRACTS FOR THE INTERNATIONAL SALE OF GOODS IS EXPRESSLY EXCLUDED FROM THIS AGREEMENT.
PLEASE NOTE THAT IF YOU OPT-IN TO OBTAIN TEXT MESSAGES FROM POSH, SECTION 1.5 (TEXT MESSAGE SERVICES) OF THIS AGREEMENT BELOW CONTAINS TERMS RELATED TO OUR TEXT MESSAGE SERVICES.
THE AGREEMENT IS SUBJECT TO CHANGE BY POSH IN ITS SOLE DISCRETION AT ANY TIME AS SET FORTH IN SECTION 17.9 (AGREEMENT UPDATES).
Without limiting the foregoing, Posh reserves the right to: (a) remove or refuse to post any of Your Content for any or no reason in our sole discretion; (b) take any action with respect to any of Your Content that we deem necessary or appropriate in our sole discretion, including if we believe that such Content violates this Agreement, infringes any intellectual property right or other right of any person or entity, threatens the personal safety of users of the Service or the public, or could create liability for Posh; (c) disclose your identity or other information about you to any third party who claims that material posted by you violates their rights, including their intellectual property rights or their right to privacy; (d) take appropriate legal action, including without limitation, referral to and cooperation with law enforcement and/or other applicable legal authorities, for any illegal or unauthorized use of the Service or if Posh otherwise believes that criminal activity has occurred; and/or (e) terminate or suspend your access to all or part of the Service for any or no reason, including without limitation, any violation of this Agreement. Upon determination of any possible violations by you of any provision of this Agreement, Posh, may, at its sole discretion immediately terminate your license to use the Service, or change, alter or remove Your Content, in whole or in part, without prior notice to you.
If Posh believes that criminal activity has occurred, Posh reserves the right to, except to the extent prohibited by applicable law, disclose any information or materials on or in the Service, including Your Content, in Posh’s possession in connection with your use of the Service, to (i) comply with applicable laws, legal process or governmental request, (ii) enforce this Agreement, (iii) respond to any claims that Your Content violates the rights of third parties, (iv) respond to your requests for customer service, or (v) protect the rights, property, or personal safety of Posh, its users or the public, and all enforcement or other government officials, as Posh in its sole discretion believes to be necessary or appropriate.
The party initiating a Dispute must give notice to the other party in writing of its intent to initiate an Informal Dispute Resolution Conference (“Notice”), which shall occur within forty-five (45) days after the other party receives such Notice, unless an extension is mutually agreed upon by the parties. Notice to Posh that you intend to initiate an Informal Dispute Resolution Conference should be sent by email to support@posh.vip or regular mail to our offices located at 40 Crosby St. #4, New York, NY 10013. The Notice must include: (1) your name, telephone number, mailing address, e‐mail address associated with your Account (if you have one); (2) the name, telephone number, mailing address and e‐mail address of your counsel, if any; and (3) a description of your Dispute.
The Informal Dispute Resolution Conference shall be individualized such that a separate conference must be held each time either party initiates a Dispute, even if the same law firm or group of law firms represents multiple users in similar cases, unless all parties agree; multiple individuals initiating a Dispute cannot participate in the same Informal Dispute Resolution Conference unless all parties agree. In the time between a party receiving the Notice and the Informal Dispute Resolution Conference, nothing in this Arbitration Agreement shall prohibit the parties from engaging in informal communications to resolve the initiating party’s Dispute. Engaging in the Informal Dispute Resolution Conference is a condition precedent and requirement that must be fulfilled before commencing arbitration. The statute of limitations and any filing fee deadlines shall be tolled while the parties engage in the Informal Dispute Resolution Conference process required by this section.
A party who wishes to initiate arbitration must provide the other party with a request for arbitration (the “Request”). The Request must include: (1) the name, telephone number, mailing address, e‐mail address of the party seeking arbitration and the account username (if applicable) as well as the email address associated with any applicable Account; (2) a statement of the legal claims being asserted and the factual bases of those claims; (3) a description of the remedy sought and an accurate, good‐faith calculation of the amount in controversy in United States dollars; (4) a statement certifying completion of the Informal Dispute Resolution process as described above; and (5) evidence that the requesting party has paid any necessary filing fees in connection with such arbitration.
If the party requesting arbitration is represented by counsel, the Request shall also include counsel’s name, telephone number, mailing address, and email address. Such counsel must also sign the Request. By signing the Request, counsel certifies to the best of counsel’s knowledge, information, and belief, formed after an inquiry reasonable under the circumstances, that: (1) the Request is not being presented for any improper purpose, such as to harass, cause unnecessary delay, or needlessly increase the cost of dispute resolution; (2) the claims, defenses and other legal contentions are warranted by existing law or by a nonfrivolous argument for extending, modifying, or reversing existing law or for establishing new law; and (3) the factual and damages contentions have evidentiary support or, if specifically so identified, will likely have evidentiary support after a reasonable opportunity for further investigation or discovery.
Unless you and Posh otherwise agree, or the Batch Arbitration process discussed in Section 16.9 (Batch Arbitration) is triggered, the arbitration will be conducted in the county where you reside. Subject to the AAA Rules, the arbitrator may direct a limited and reasonable exchange of information between the parties, consistent with the expedited nature of the arbitration. If the AAA is not available to arbitrate, the parties will select an alternative arbitral forum. Your responsibility to pay any AAA fees and costs will be solely set forth in the applicable AAA Rules.
You and Posh agree that all materials and documents exchanged during the arbitration proceedings shall be kept confidential and shall not be shared with anyone except the parties’ attorneys, accountants, or business advisors, and shall be subject to the condition that they agree to keep all materials and documents exchanged during the arbitration proceedings confidential.
All parties agree that Requests are of a “substantially similar nature” if they arise out of or relate to the same event or factual scenario and raise the same or similar legal issues and seek the same or similar relief. To the extent the parties disagree on the application of the Batch Arbitration process, the disagreeing party shall advise the AAA, and the AAA shall appoint a sole standing arbitrator to determine the applicability of the Batch Arbitration process (“Administrative Arbitrator”). In an effort to expedite resolution of any such dispute by the Administrative Arbitrator, the parties agree the Administrative Arbitrator may set forth such procedures as are necessary to resolve any disputes promptly. The Administrative Arbitrator’s fees shall be paid by Posh.
You and Posh agree to cooperate in good faith with the AAA to implement the Batch Arbitration process including the payment of single filing and administrative fees for batches of Requests, as well as any steps to minimize the time and costs of arbitration, which may include: (1) the appointment of a discovery special master to assist the arbitrator in the resolution of discovery disputes; and (2) the adoption of an expedited calendar of the arbitration proceedings.
This Batch Arbitration provision shall in no way be interpreted as authorizing a class, collective and/or mass arbitration or action of any kind, or arbitration involving joint or consolidated claims under any circumstances, except as expressly set forth in this provision.
POSH Data Processing Addendum
THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the effective date of the Agreement by and between: (1) Posh Group Inc. (“Posh”); and (2) the entity or other person acting on behalf of an entity or in its business capacity, specifically excluding individuals acting solely in their private or personal capacity, who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part (“Event Organizer”), together the “Parties” and each a “Party”. Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.
INTERPRETATION
In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
“Agreement” means the Posh Master Service Agreement under which Posh has agreed to provide services to Event Organizer entered into by and between the Parties.
“Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of the relevant Event Organizer Personal Data under the Agreement, including, without limitation, as applicable, the GDPR.
“Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the CCPA.
“Event Organizer Personal Data” means any Personal Data Processed by Posh or its Sub-Processors on behalf of Event Organizer to perform the Services under the Agreement.
“Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Data Protection Laws in respect of Event Organizer Personal Data and the Processing thereof.
“Data Subject” means the identified or identifiable natural person to whom Event Organizer Personal Data relates.
“EEA” means the European Economic Area.
“GDPR” means, as and where applicable to Processing concerned: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
“Personal Data” means any information or data that constitutes “personal data,” “personal information,” “personally identifiable information” or similar term defined in applicable Data Protection Laws.
“Personal Data Breach” means an actual breach of Posh’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Event Organizer Personal Data in Posh’s possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Event Organizer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).
“Personnel” means a person’s employees, agents, consultants or contractors.
“Process” and inflection thereof means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity that Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by the CCPA.
“Restricted Transfer” means the disclosure, grant of access or other transfer of Event Organizer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
“SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
“Services” means those services and activities carried out by Posh for Event Organizer pursuant to the Agreement.
“Sub-Processor” means any third party appointed by or on behalf of Posh to Process Event Organizer Personal Data.
“Supervisory Authority” means any entity with the authority to enforce Data Protection Laws, including, (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
“UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.
SCOPE OF THIS DATA PROCESSING ADDENDUM
This DPA governs Posh’s Processing of Event Organizer Personal Data to provide the Services under the Agreement, for these Services Posh is a (Sub)-Processor in performing such Processing and Event Organizer is the Controller.
In respect of some Processing of Personal Data, including Event Organizer Personal Data, Posh may act as a Controller, for example, where Data Subjects have engaged with aspects of Posh’s applications and services beyond those relating to Event Organizer's event or for Posh’s own business/customer relationship administration purposes, its service analytics and enhancement purposes, its own marketing, its own targeted recommendations, or its own legal, regulatory or compliance purposes. With regard to such Processing, Posh is an independent Controller and not a joint Data Controller with Event Organizer. This DPA will not apply to such Processing. Event Organizer acknowledges and agrees that the Processing of Event Organizer Personal Data for the purposes set out in this Section 2.2 is compatible with the Processing to provide the Services and that all Data Subjects of the Event Organizer Personal Data are made aware of these purposes.
Annex 2 (European Annex) to this DPA applies only if and to the extent Posh’s Processing of Event Organizer Personal Data under the Agreement is subject to the GDPR.
PROCESSING OF EVENT ORGANIZER PERSONAL DATA
Posh shall not Process Event Organizer Personal Data other than on Event Organizer’s instructions, to provide the Services, or as required by applicable laws. Event Organizer instructs Posh to Process Event Organizer Personal Data as necessary to provide the Services to Event Organizer under and in accordance with the Agreement.
The Parties acknowledge and agree that the details of Posh’s Processing of Event Organizer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
POSH PERSONNEL
Posh shall take commercially reasonable steps to ascertain the reliability of any Posh Personnel who Process Event Organizer Personal Data, and shall enter into written confidentiality agreements with all Posh Personnel who Process Event Organizer Personal Data that are not subject to professional or statutory obligations of confidentiality.
SECURITY
Posh shall implement and maintain technical and organizational measures in relation to Event Organizer Personal Data described in Exhibit A (Data Security Addendum) to the Agreement (the “Security Measures”), which are designed to protect Event Organizer Personal Data against a Personal Data Breach.
Posh may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Event Organizer Personal Data.
SUB-PROCESSING
Event Organizer generally authorizes Posh to appoint Sub-Processors in accordance with this Section 6.
Posh may continue to use those Sub-Processors already engaged by Posh as at the date of this DPA (as those Sub-Processors are shown, together with their respective functions and locations, in the Sub-Processor list shown in Sub-Processor List.
Posh shall give Event Organizer prior notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor, by updating the effective date of the Sub-Processor List. If, within ten (10) days of the date of update, Event Organizer notifies Posh in writing of any objections (on reasonable grounds) to the proposed appointment:
Posh shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and
where: (i) such a change cannot be made within thirty (30) days from Posh’s receipt of Event Organizer’s notice; (ii) no commercially reasonable change is available; and/or (iii) Event Organizer declines to bear the cost of the proposed change, then either Party may by written notice to the other Party with immediate effect terminate the Agreement, either in whole or to the extent that it relates to the Services which require the use of the proposed Sub-Processor, as its sole and exclusive remedy.
If Event Organizer does not object to Posh’s appointment of a Sub-Processor during the objection period referred to in Section 6.3, Event Organizer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.
With respect to each Sub-Processor, Posh shall maintain a written contract between Posh and the Sub-Processor that includes terms which offer at least a level of protection for Event Organizer Personal Data substantially similar to those set out in this DPA (including the Security Measures). Posh shall remain liable for any breach of this DPA caused by a Sub-Processor to the same extent as Posh would have been had it performed the Processing itself.
DATA SUBJECT RIGHTS
Posh, taking into account the nature of the Processing of Event Organizer Personal Data, shall provide Event Organizer with such assistance as may be reasonably necessary and technically feasible to assist Event Organizer in fulfilling its obligations to respond to Data Subject Requests, to the extent required by Data Protection Laws. If Posh receives a Data Subject Request, Event Organizer will be responsible for responding to any such request.
If required by applicable Data Protection Laws, Posh shall:
promptly notify Event Organizer if it receives a Data Subject Request; and
not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Event Organizer, except on the written instructions of Event Organizer or as required by Data Protection Laws.
Except to the extent prohibited by applicable law, Event Organizer shall be fully responsible for all time spent by Posh (at Posh’s then-current professional services rates) for Posh’s cooperation and assistance provided to Event Organizer under this Section 7, and shall on demand reimburse Posh any such costs incurred.
PERSONAL DATA BREACH
Posh shall notify Event Organizer without undue delay upon Posh’s determination that a Personal Data Breach has occurred affecting Event Organizer Personal Data. Posh shall provide Event Organizer with information (insofar as such information is within Posh’s possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Posh) to provide reasonable assistance to Event Organizer in meeting its obligations under the Data Protection Laws to report the Personal Data Breach. Posh’s notification of or response to a Personal Data Breach shall not be construed as Posh’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
Posh shall reasonably co-operate with Event Organizer and take such commercially reasonable steps to assist in the investigation of any such Personal Data Breach.
Event Organizer is solely responsible for complying with notification laws applicable to Event Organizer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
If Event Organizer determines that a Personal Data Breach must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Posh, where permitted by applicable laws, Event Organizer agrees to:
notify Posh in advance; and
in good faith, consult with Posh and consider any clarifications or corrections Posh may reasonably recommend or request to any such notification, which: (i) relate to Posh’s involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.
RETURN AND DELETION
Except for Personal Data, including Event Organizer Personal Data with respect to which Posh acts as a Controller and subject to Sections 9.2 and 9.3, upon the date of cessation of any Services involving the Processing of Event Organizer Personal Data (the “Cessation Date”), Posh shall promptly cease all Processing of Event Organizer Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA.
Subject to Section 9.4, to the extent technically possible in the circumstances (as determined in Posh’s sole discretion), on written request to Posh (to be made no later than ten (10) days after the Cessation Date (“Post-cessation Storage Period”)), Posh shall within thirty (30) days of such request:
return a complete copy of all Event Organizer Personal Data within Posh’s possession to Event Organizer by secure file transfer, promptly following which Posh shall delete or anonymize all other copies of such Event Organizer Personal Data; or
either (at its option) delete or anonymize all Event Organizer Personal Data within POSH’S possession.
In the event that during the Post-cessation Storage Period, Event Organizer does not instruct Posh in writing to either delete or return Event Organizer Personal Data pursuant to Section 9.2, Posh shall promptly after the expiry of the Post-cessation Storage Period either (at its option) delete; or render anonymous, all Event Organizer Personal Data then within Posh’s possession to the fullest extent technically possible in the circumstances.
Posh may retain Event Organizer Personal Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that Posh shall:
maintain the confidentiality of all such Event Organizer Personal Data; and
Process the Event Organizer Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.
AUDIT RIGHTS
Upon Event Organizer’s request, Posh shall make available to Event Organizer, or a third-party auditor instructed by Event Organizer, once a year, information regarding Posh’s compliance with this DPA and Data Protection Laws.
In the event that Event Organizer (acting reasonably) is able to provide documentary evidence that the information made available by Posh is not sufficient in the circumstances to demonstrate Posh’s compliance with this DPA, Posh shall allow for and contribute to audits, including on-premise inspections, by Event Organizer or an auditor mandated by Event Organizer in relation to the Processing of Event Organizer Personal Data by Posh.
Prior to conducting any audit, Event Organizer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Posh will review the proposed audit plan and provide Event Organizer with any concerns or questions (for example, any request for information that could compromise Posh’s security, privacy, employment or other relevant policies). Posh will work cooperatively with Event Organizer to agree on a final audit plan. Before any information or audit is provided, the Parties shall mutually agree on the scope, timing, and duration of such audit. The Event Organizer shall ensure that each of its mandated auditors uses its best efforts to avoid causing any disruption to Posh’s equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Posh’s other Event Organizers or the availability of Posh’s Service to such other Event Organizers). Event Organizer shall bear all the costs associated with the audit.
Posh may deny the exercise of audit rights: i) if Event Organizer has not given Posh thirty (30) days prior written notice of the intention to carry out any audit; ii) to any auditor that Posh has not approved; iii) to any individual unless he or she presents reasonable evidence of identity and authority to Posh; iv) if the auditor does not enter into a non-disclosure agreement with Posh; v) where, and to the extent that Posh considers the audit performance is capable of constituting a material interference with confidentiality, data security and business hours at the premises in question; vi) on more than 1 occasion in each period of 12 months, unless in case of an audit performed as a consequence of a Personal Data Breach or that is conducted by a Supervisory Authority.
Nothing in this DPA shall require Posh to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their Event Organizers. Nothing in this Section 10 shall be construed to obligate Posh to breach any duty of confidentiality.
EVENT ORGANIZER’S RESPONSIBILITIES
Event Organizer agrees that, without limiting Posh’s obligations under Section 5 (Security), Event Organizer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Event Organizer Personal Data; (b) securing the account authentication credentials, systems and devices Event Organizer uses to access the Services; (c) securing Event Organizer’s systems and devices that Posh uses to provide the Services; and (d) backing up Event Organizer Personal Data.
Except where stated otherwise in the Agreement, Event Organizer shall ensure:
that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Event Organizer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Event Organizer from time to time in respect of such Processing) for the purposes of all Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and
that all Data Subjects have (i) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Posh of Event Organizer Personal Data.
Event Organizer agrees that the Service, the Security Measures, and Posh’s commitments under this DPA are adequate to meet Event Organizer’s needs, including with respect to any security obligations of Event Organizer under Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Event Organizer Personal Data.
Event Organizer shall not use the Services to collect or otherwise make available to Posh any Event Organizer Personal Data that contains any sensitive data, including, any restricted data as defined in Section 7.2 of the Agreement or any other information that falls within any special categories of personal data (as defined in GDPR) (together, “Restricted Data”).
LIABILITY
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA and the SCCs (if and as they apply) will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in the Agreement; provided that, nothing in this Section 12 will affect any person’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs (if and as they apply).
CHANGE IN LAWS
Posh may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraph 3.3 of Annex 2 (European Annex).
INCORPORATION AND PRECEDENCE
This DPA shall be incorporated into and form part of the Agreement.
In the event of any conflict or inconsistency between:
this DPA and the Agreement, this DPA shall prevail; and
any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Data Processing Details
POSH / ‘DATA IMPORTER’ DETAILS
Name:
Posh Group Inc.
Address:
POSH Activities:
Provision of the Services by Posh under the Agreement.
Role:
Processor
EVENT ORGANIZER / ‘DATA EXPORTER’ DETAILS
Name:
The entity or other person who is a counterparty to the Agreement.
Address:
Event Organizer’s address is the address shown in the Agreement entered into by and between the Event Organizer and Posh; or if the Agreement does not include the address, the Event Organizer’s principal business trading address unless otherwise notified to support@posh.vip.
Contact Details for Data Protection:
Event Organizer’s contact details are:
Event Organizer Activities:
Event Organizer’s activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.
Role:
Categories of Data Subjects:
Relevant Data Subjects include:
Where any of the above is a business or organisation, it includes their staff, namely, employees and non-employee workers; students, interns, apprentices and volunteers; directors and officers; advisers, consultants, independent contractors, agents and autonomous, temporary or casual workers, together with applicants and candidates for any one or more of the foregoing roles or positions (collectively, “Staff”).
Each category includes current, past and prospective Data Subjects.
Categories of Personal Data:
Relevant Personal Data includes:
Sensitive Categories of Data, and associated additional restrictions/safeguards:
Categories of sensitive data:
None – as noted in Section 11.4 of the DPA, Event Organizer agrees that Restricted Data, which includes ‘sensitive data’ (as defined in Clause 8.7 of the SCCs), must not be submitted to the Services and Event Organizer shall be liable for any Restricted Data that it does submit.
Additional safeguards for sensitive data:
N/A
Frequency of transfer:
Ongoing – as initiated by Event Organizer in and through its use, or use on its behalf, of the Services.
Nature of the Processing:
Processing operations required in order to provide the Services in accordance with the Agreement.
Purpose of the Processing:
Event Organizer Personal Data will be processed:
Duration of Processing / Retention Period:
For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.
Transfers to (sub)processors:
Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List.
European Annex
PROCESSING OF EVENT ORGANIZER PERSONAL DATA
Where Posh receives an instruction from Event Organizer that, in its reasonable opinion, infringes the GDPR, Posh shall inform Event Organizer.
Event Organizer acknowledges and agrees that any instructions issued by Event Organizer with regards to the Processing of Event Organizer Personal Data by or on behalf of Posh pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Posh, taking into account the nature of the Processing and the information available to Posh, shall provide reasonable assistance to Event Organizer, at Event Organizer’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Event Organizer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Event Organizer Personal Data by Posh.
Except to the extent prohibited by applicable law, Event Organizer shall be fully responsible for all time spent by Posh (at Posh’s then-current professional services rates) in Posh’s provision of any cooperation and assistance provided to Event Organizer under Paragraph 2.1, and shall on demand reimburse Posh any such costs incurred by Posh.
RESTRICTED TRANSFERS
EU Restricted Transfers
To the extent that any Processing of Event Organizer Personal Data under this DPA involves an EU Restricted Transfer from Event Organizer to Posh, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
UK Restricted Transfers
To the extent that any Processing of Event Organizer Personal Data under this DPA involves a UK Restricted Transfer from Event Organizer to Posh, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:
varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and
entered into by the Parties and incorporated by reference into this DPA.
Adoption of new transfer mechanism
Posh may on notice vary this DPA and replace the relevant SCCs with:
any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or
another transfer mechanism, other than the SCCs, that enables the lawful transfer of Event Organizer Personal Data to Posh under this DPA in compliance with Chapter V of the GDPR.
Provision of full-form SCCs
In respect of any given Restricted Transfer, if requested of Event Organizer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Posh shall provide Event Organizer with an executed version of the relevant set(s) of SCCs responsive to the request made of Event Organizer (amended and populated in accordance with Attachment 1 to Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Event Organizer, onward provision to the relevant requestor and/or storage to evidence Event Organizer’s compliance with Data Protection Laws.
Operational clarifications
When complying with its transparency obligations under Clause 8.3 of the SCCs, Event Organizer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Posh’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Event Organizer acknowledges and agrees that there are no circumstances in which it would be appropriate for Posh to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Event Organizer.
For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/ or the relevant public authority, as between the Parties, Event Organizer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
The terms and conditions of Section 6 of the DPA apply in relation to Posh’s appointment and use of Sub-Processors under the SCCs. Any approval by Event Organizer of Posh’s appointment of a Sub-Processor that is given expressly or deemed given pursuant to that Section 6 constitutes Event Organizer’s documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs.
The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 10 of the DPA.
Certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Event Organizer’s written request.
Attachment 1
To Annex 2 (European Annex)
POPULATION OF SCCs
Note
: POPULATION OF THE SCCs
Where the SCCs apply in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.
MODULES
The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Event Organizer set out in Attachment 1 to Annex 2 (European Annex) to the DPA):
Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Event Organizer Personal Data in respect of which Event Organizer is a Controller in its own right; and/or
Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Event Organizer Personal Data in respect of which Event Organizer is itself acting as a Processor on behalf of any other person.
POPULATION OF THE BODY OF THE SCCs
For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
In Clause 9:
OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 6.3 of the DPA; and
OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
In Clause 11, the optional language is not used and is deleted.
In Clause 13, all square brackets are removed and all text therein is retained.
In Clause 17:
OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and
OPTION 2 is not used and that optional language is deleted.
For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
In this Paragraph 5, references to “Clauses” are references to the Clauses of the SCCs.
POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs
Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with:
Event Organizer being ‘data exporter’; and
Posh being ‘data importer’.
Part C of Annex I to the Appendix to the SCCs is populated as below:
The competent supervisory authority shall be determined as follows:
Annex II to the Appendix to the SCCs is populated as below:
General:
Sub-Processors: When Posh engages a Sub-Processor under these Clauses, Posh shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:
Supplementary Measures:
: UK RESTRICTED TRANSFERS
Where relevant in accordance with Paragraph 3.2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:
Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) and the foregoing provisions of this Attachment 1 (subject to the variations effected by the Mandatory Clauses described in (b) below); and
Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.
In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 6.4 of this Part 2.
Subprocessors
Posh uses certain third-party service providers (sub-processors) to help deliver our services. View our current Sub-processors List.