Data Processing Agreement

This Agreement applies to all processing of Personal Data carried out by VenueOra on behalf of the Customer via the Platform. The details of the processing — including the nature, purpose, types of Personal Data, and categories of Data Subjects — are set out in Schedule 1.

This Agreement shall remain in force for as long as VenueOra processes Personal Data on behalf of the Customer, beginning on the date the Customer first uses the Platform and ending on the later of:

• the termination or expiry of the Principal Agreement; or
• the date on which VenueOra completes the return or deletion of all Personal Data as required by Clause 11.

This Agreement supplements and forms part of the Principal Agreement. The Customer's continued use of the Platform following the effective date of this Agreement constitutes acceptance of its terms. VenueOra may update this Agreement from time to time in accordance with Clause 13.3, with reasonable advance notice provided.

The Customer warrants and represents that, in respect of all Personal Data it provides to VenueOra for processing via the Platform:

• it has a valid lawful basis under UK GDPR Article 6 for each processing activity;
• where Special Category Data is involved, it has identified and documented a condition under UK GDPR Article 9 that permits that processing;
• it has provided Data Subjects with all required privacy notices and information; and
• it has obtained any consents required by Applicable Data Protection Law.

The Customer's instructions to VenueOra regarding the processing of Personal Data shall be set out in this Agreement and the Principal Agreement. The Customer may issue additional written instructions from time to time, provided those instructions are consistent with Applicable Data Protection Law. VenueOra shall be entitled to charge for any additional work required to comply with instructions outside the scope of the standard Platform functionality.

If the Customer's instructions would, in VenueOra's reasonable opinion, require VenueOra to process Personal Data in a manner that infringes Applicable Data Protection Law, VenueOra shall promptly notify the Customer and shall not be obliged to comply with such instructions until they are amended.

The Customer is responsible for:

• maintaining and publishing its own privacy policy to its members and end-users, setting out the processing it undertakes as a Controller — VenueOra provides tools to assist with this but the content is the Customer's responsibility;
• ensuring that its configuration of the Platform (including any special category data features such as biometric check-in, health data collection, or sexual orientation fields) complies with the Applicable Data Protection Law, including any requirement to conduct a Data Protection Impact Assessment (DPIA) prior to use;
• managing its own data subject rights requests in respect of Personal Data it controls, with VenueOra's assistance as described in Clause 6; and
• registering with the ICO as a Data Controller where required to do so.

The Customer is responsible for the accuracy, integrity, and quality of the Personal Data it submits to the Platform. VenueOra processes data as provided and is not responsible for errors or inaccuracies in data supplied by or on behalf of the Customer.

VenueOra shall only process Personal Data on the documented instructions of the Controller, as set out in this Agreement and the Principal Agreement, unless required to do so by Applicable Data Protection Law. Where VenueOra is required by law to process Personal Data beyond the Customer's instructions, VenueOra shall inform the Customer of that legal requirement before processing (unless prohibited from doing so by law).

VenueOra shall ensure that all persons authorised to process Personal Data on its behalf are subject to appropriate obligations of confidentiality (whether contractual or statutory) and are trained on their data protection obligations. VenueOra shall ensure that access to Personal Data is restricted to those who need it to perform their functions.

VenueOra shall implement and maintain appropriate Technical and Organisational Measures to ensure a level of security appropriate to the risk of the processing, having regard to:

• the state of the art and the costs of implementation;
• the nature, scope, context, and purposes of processing; and
• the risk to the rights and freedoms of Data Subjects, in particular the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

The Technical and Organisational Measures currently in place are described in Schedule 3. VenueOra may update these measures from time to time provided the overall level of protection is not materially reduced.

VenueOra shall not process Personal Data for any purpose other than:

• providing the Platform and its contracted features to the Customer;
• complying with Applicable Data Protection Law or any other applicable legal obligation; or
• any other purpose expressly authorised in writing by the Customer.

VenueOra shall not process Personal Data for its own commercial purposes, shall not sell Personal Data to any third party, and shall not use Personal Data to build profiles or datasets for any purpose other than provision of the Platform.

Taking into account the nature of the processing and the information available to it, VenueOra shall provide reasonable assistance to the Customer to enable the Customer to comply with its obligations under Applicable Data Protection Law, including in relation to:

• data security (UK GDPR Article 32);
• notification of personal data breaches (UK GDPR Articles 33–34);
• data protection impact assessments (UK GDPR Article 35);
• prior consultation with the ICO (UK GDPR Article 36); and
• data subject rights requests (Clause 6 of this Agreement).

VenueOra may charge a reasonable fee for assistance that goes beyond routine Platform functionality, provided it notifies the Customer in advance.

The Customer grants VenueOra general written authorisation to engage the Sub-Processors listed in Schedule 2 for the purposes described therein. VenueOra shall not engage any additional Sub-Processor to process Personal Data without giving the Customer prior written notice as described in Clause 5.2.

If VenueOra intends to engage a new Sub-Processor or replace an existing one, it shall give the Customer at least 30 days' written notice (via dashboard notification and email) before the change takes effect, identifying the new Sub-Processor and the nature of the processing they will carry out.

If the Customer has a reasonable objection to the use of the new Sub-Processor based on data protection grounds, it shall notify VenueOra in writing within 14 days of receipt of the notice. VenueOra will use reasonable endeavours to address the objection. If the parties cannot resolve the objection within a further 30 days, either party may terminate the relevant affected services on 30 days' written notice.

VenueOra shall impose, by written contract, data protection obligations on each Sub-Processor that are no less protective than those imposed on VenueOra by this Agreement, including in respect of:

• processing only on VenueOra's instructions;
• implementing appropriate Technical and Organisational Measures;
• confidentiality obligations;
• restrictions on further sub-processing; and
• cooperation with audit rights.

VenueOra remains fully liable to the Customer for the performance of any Sub-Processor's data protection obligations to the extent that the Sub-Processor fails to fulfil them.

As the Data Controller, the Customer is primarily responsible for responding to any requests from Data Subjects exercising their rights under Applicable Data Protection Law (including requests to access, rectify, erase, restrict, or port Personal Data, or to object to processing). VenueOra is responsible for facilitating these requests at the Platform level.

If VenueOra receives a request directly from a Data Subject in relation to Personal Data processed on the Customer's behalf, VenueOra shall:

• promptly (and in any event within 5 working days) forward the request to the Customer; and
• not respond to the Data Subject directly except to confirm receipt and direct them to the Customer, unless the Customer has expressly authorised VenueOra to respond.

The Platform provides the following tools to assist the Customer in discharging its data subject rights obligations:

• Member profile management: Customers can view, edit, and delete individual member records via the dashboard;
• Data export: Personal data may be exported in structured, machine-readable format (CSV) from the dashboard;
• Account deletion: Member accounts can be fully deleted from the dashboard, subject to any data that VenueOra is required to retain by law; and
• Communication preferences: Customers can manage members' marketing consent records.

The Customer should use these tools as its first point of action when responding to data subject rights requests. For requests that require action beyond the Platform's standard tools, the Customer may contact VenueOra's support team for assistance.

VenueOra shall provide assistance requested under this Clause within a timeframe that enables the Customer to respond to the Data Subject's request within the applicable statutory period (ordinarily one calendar month under UK GDPR Article 12(3)).

VenueOra shall notify the Customer without undue delay, and in any event within 24 hours of becoming aware of a Personal Data Breach affecting Personal Data processed on the Customer's behalf, to allow the Customer to discharge its own notification obligations to the ICO (within 72 hours) and to affected Data Subjects where applicable.

VenueOra's notification shall, to the extent known at the time, include:

• a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
• the likely consequences of the breach;
• the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects; and
• a named contact point for further information.

If VenueOra is unable to provide all of this information in its initial notification, it shall provide the information in phases as it becomes available, without further undue delay.

The Customer is responsible for making its own assessment as to whether the breach requires notification to the ICO or to affected Data Subjects, and for making such notifications within the applicable statutory timeframes. VenueOra's notification under Clause 7.1 does not constitute an admission of fault or liability.

VenueOra shall co-operate fully with the Customer in the investigation and remediation of any Personal Data Breach and shall take reasonable steps to contain, mitigate, and remedy the breach without undue delay.

VenueOra stores Personal Data primarily within the United Kingdom and the European Economic Area. VenueOra will not transfer Personal Data outside the UK/EEA without ensuring that an appropriate transfer mechanism is in place as required by UK GDPR Chapter V.

Where VenueOra transfers Personal Data to a Sub-Processor located outside the UK/EEA, it shall ensure that one of the following safeguards is in place:

• the country of destination has been the subject of an adequacy decision by the UK Secretary of State;
• a UK International Data Transfer Agreement (IDTA) or equivalent Standard Contractual Clauses (SCCs) have been entered into with the recipient; or
• another appropriate safeguard permitted by UK GDPR Article 46 is in place.

The specific transfer mechanisms in place for each Sub-Processor are identified in Schedule 2.

Where the Customer itself transfers Personal Data to VenueOra from outside the UK for processing on the Platform, the Customer is responsible for ensuring that such transfer is lawful and that any applicable transfer mechanisms are in place between the Customer (as exporter) and VenueOra (as importer).

VenueOra shall maintain, in writing, all records of processing activities carried out on behalf of the Customer as required by UK GDPR Article 30(2), including the categories of processing, Sub-Processors engaged, and transfer mechanisms in use. These records are available to the ICO on request.

VenueOra shall make available to the Customer all information reasonably necessary to demonstrate its compliance with this Agreement and UK GDPR Article 28, and shall allow for and contribute to audits and inspections conducted by the Customer or an auditor appointed by the Customer, provided that:

• the Customer gives VenueOra at least 30 days' written notice of any such audit, except in the case of a genuine regulatory emergency;
• audits are conducted no more than once per calendar year (absent reasonable cause to suspect a breach);
• audits are conducted during normal business hours and in a manner that minimises disruption to VenueOra's operations;
• the auditing party signs a confidentiality agreement acceptable to VenueOra before accessing VenueOra's systems or records; and
• the Customer bears the reasonable costs of any on-site audit.

VenueOra may satisfy the Customer's audit requirements by providing copies of relevant third-party audit reports, certifications (including PCI DSS compliance attestations), or summaries of security assessments, to the extent these cover the relevant compliance requirements. The Customer agrees to accept such materials as a reasonable substitute for an on-site audit where they adequately address the Customer's specific compliance concerns.

Each party shall cooperate with any investigation, audit, or inquiry conducted by the ICO or any other competent Supervisory Authority in relation to the processing activities covered by this Agreement. VenueOra shall promptly notify the Customer of any such investigation to the extent it relates to the Customer's Personal Data, unless prohibited from doing so by law.

Certain optional features of the Platform may involve the processing of Special Category Data on behalf of the Customer, including:

• Sexual orientation and relationship status: where the Customer enables integration with social platforms or operates venues that collect this information during member onboarding (e.g. event types, community affiliation);
• Health and dietary data: where the Customer collects dietary requirements or health information in connection with events or membership; and
• Biometric data: where the Customer enables facial recognition functionality for member check-in via kiosk or event access.

The Customer is solely responsible for ensuring that any processing of Special Category Data via the Platform is lawful. Before enabling any Platform feature that processes Special Category Data, the Customer must:

• identify a valid condition under UK GDPR Article 9 (and, where applicable, Part 2 of Schedule 1 to the Data Protection Act 2018);
• where relying on explicit consent, obtain that consent independently of VenueOra in a manner that satisfies the UK GDPR standard (freely given, specific, informed, unambiguous, and capable of withdrawal without detriment);
• conduct a Data Protection Impact Assessment (DPIA) where required by UK GDPR Article 35, including in all cases where biometric data is to be processed; and
• maintain records of the above as part of its own data protection documentation.

VenueOra processes Special Category Data strictly on the Customer's documented instructions and only to the extent necessary to deliver the requested Platform feature. VenueOra does not use Special Category Data for any purpose of its own. VenueOra applies additional technical controls to Special Category Data, including access restrictions and enhanced security measures.

The biometric check-in feature (where enabled) captures facial imagery solely for the purpose of matching an individual to their member record for the purpose of venue access or event check-in. Biometric templates are not retained beyond the event or session for which they were captured, and are deleted within 30 days of the event unless retained for a specific security or legal purpose with appropriate legal basis. The Customer is responsible for obtaining and evidencing explicit, specific consent from each individual prior to collection of biometric data, and for ensuring that an alternative, non-biometric access method is always available.

During the term of this Agreement, the Customer may export its Personal Data at any time using the Platform's export functionality. VenueOra provides data export in structured, machine-readable format (CSV) to support data portability.

Within 30 days of the termination or expiry of the Principal Agreement, VenueOra will, at the Customer's written election:

• Return: provide the Customer with an export of all Personal Data in its possession that was processed on the Customer's behalf, in a structured, commonly used, and machine-readable format; and/or
• Delete: securely delete or anonymise all Personal Data processed on the Customer's behalf, including any copies held in backup systems, within a reasonable further period not to exceed 60 days.

If the Customer does not make a written election within 30 days of termination, VenueOra shall proceed with deletion by default.

VenueOra may retain Personal Data beyond the periods set out in Clause 11.2 to the extent that it is required to do so by Applicable Data Protection Law or any other applicable law (including financial record-keeping and anti-money laundering obligations). Where data is retained under this exception, VenueOra shall isolate that data from active processing, restrict access to it, and delete it as soon as the legal retention obligation no longer applies. VenueOra shall inform the Customer of any such retention requirement and the specific data categories affected.

VenueOra shall provide the Customer with written confirmation of the completion of any deletion or export carried out under this Clause.

As the Data Controller, the Customer accepts that it is primarily liable to Data Subjects for any damage caused by processing that infringes Applicable Data Protection Law. VenueOra, as Processor, shall only be liable to a Data Subject where it has not complied with obligations under Applicable Data Protection Law specifically directed to Processors, or where it has acted outside or contrary to the Customer's lawful instructions.

Each party shall indemnify and hold harmless the other party in respect of any fines, penalties, awards, damages, or costs awarded against the other party by a court or the ICO that arise solely and directly from the indemnifying party's breach of its obligations under this Agreement or Applicable Data Protection Law, subject to the limitations set out in the Principal Agreement.

The total aggregate liability of each party to the other under or in connection with this Agreement shall not exceed the liability cap set out in the Principal Agreement. Nothing in this Agreement excludes or limits either party's liability for:

• death or personal injury caused by negligence;
• fraud or fraudulent misrepresentation; or
• any other matter that cannot be excluded or limited by applicable law.

Where a fine or penalty is imposed by the ICO or any other regulatory authority on either party as a result of a breach of this Agreement, each party shall bear the fine or penalty imposed on it directly. Where a fine is imposed jointly, the parties shall apportion responsibility for that fine in proportion to their respective culpability for the underlying breach, failing agreement, as determined by a court of competent jurisdiction.

This Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the law of England and Wales. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement.

In the event of any conflict between this Agreement and the Principal Agreement concerning the processing of Personal Data, this Agreement shall prevail to the extent of the conflict. In all other respects, the Principal Agreement shall govern.

VenueOra may amend this Agreement to reflect changes in Applicable Data Protection Law, guidance from the ICO, or changes to the Platform's processing activities. VenueOra shall provide at least 30 days' notice of any material amendment via the Platform dashboard and by email. Continued use of the Platform after the notice period constitutes acceptance of the amended Agreement. Where an amendment materially increases the Customer's data protection obligations, the Customer may terminate the Principal Agreement on 30 days' written notice.

This Agreement, together with the Principal Agreement and all incorporated Schedules, constitutes the entire agreement between the parties in relation to the subject matter hereof and supersedes all prior agreements, understandings, representations, and warranties relating to data processing between VenueOra and the Customer.

If any provision of this Agreement is held to be invalid, unenforceable, or illegal, the remaining provisions shall continue in full force and effect.

Failure by either party to enforce any provision of this Agreement shall not constitute a waiver of that party's right to enforce that provision or any other provision in the future.

The provision of the VenueOra SaaS platform for ticketing, event management, membership management, locker management, kiosk access, and related operational features, together with integrated payment facilitation, communications, and analytics tools.

For the duration of the Principal Agreement, plus any post-termination retention period required by Applicable Data Protection Law (see Clause 11.3).

• The Customer's members and club/venue attendees;
• ticket purchasers and event attendees;
• the Customer's staff users and administrators;
• KYC applicants (business owners, directors, shareholders);
• affiliates and referral partners; and
• any other individuals whose Personal Data the Customer loads onto the Platform.

• User access to the Platform is controlled through secure, authenticated accounts with automatic session expiry after inactivity;
• passwords are never stored in recoverable form — only a secure, irreversible representation is retained;
• multi-factor authentication is available for administrative accounts;
• VenueOra staff access to production data is controlled through role-based access controls, with access limited to what is necessary for each role; and
• VenueOra's highest-privilege system functions are accessible only through secured, network-restricted channels.

• all data transmitted between users and the Platform is encrypted in transit using industry-standard encryption protocols;
• sensitive documents and files, including KYC identity materials, are stored in encrypted form; and
• access to sensitive stored files is controlled through expiring, purpose-specific access tokens rather than permanent URLs.

• the Platform is hosted on enterprise-grade cloud infrastructure with physical and environmental security controls;
• network-level controls including firewalls and monitoring are in place to protect against unauthorised access;
• system and application activity is logged and monitored for anomalous behaviour; and
• regular security assessments and vulnerability reviews are conducted.

• each Customer's data is logically isolated from other Customers' data at the application level;
• VenueOra applies a principle of data minimisation — only data necessary for the provision of the Platform is collected and retained; and
• Special Category Data is subject to additional access restrictions.

• the Platform infrastructure is designed for high availability with automated failover capabilities;
• regular data backups are maintained and tested; and
• incident response procedures are in place to manage and recover from disruptions to services.

• all VenueOra staff are subject to confidentiality obligations and receive appropriate data protection training;
• data protection responsibilities are clearly assigned within the organisation;
• a documented incident response and personal data breach notification procedure is in place; and
• VenueOra conducts Data Protection Impact Assessments where required before introducing new or significantly changed processing activities.

VenueOra does not store, process, or transmit raw payment card data. All card transactions are handled directly by VenueOra's PCI DSS Level 1-certified Payment Processor. VenueOra retains only payment confirmation references and tokenised identifiers necessary for reconciliation purposes.