LIST OF APPENDICES

Appendix 1:
Specification of type of personal data and categories of data subjects processed in addition to the nature and purpose of the processing‍

Appendix 2:
Description of VEO’s technical and organizational security measures ‍

Appendix 3:
Sub-processors used by VEO

1. BACKGROUND AND PURPOSE OF AGREEMENT

1.1.
The Publisher and Veo Technologies ApS, company registration no. 37240834, ("VEO") have entered into an agreement about provision of certain services (the “Services”) to Publisher as specified in VEO's Software License Terms and VEO's Terms of Use (the "Main Contract"). Unless otherwise defined herein, capitalised terms used in this Agreement shall have the same meanings as those defined in the Main Agreement.

1.2.As part of the provision of the Services, Publisher will grant VEO access to or entrust personal data to VEO and/or VEO will as part of the Services collect and process personal data on behalf of Publisher (the “Personal Data”). A further specification of the type of personal data and category of data subjects processed as well as the nature and purpose of the processing specified in Appendix 1 to this Agreement.

1.3.Be entering into this Agreement the Parties wish to establish their respective obligations and rights in relation to the processing of Personal Data.

1.4.The Parties are mutually obliged to comply with EU data protection legislation in force at any time whenever they process personal data; i.e. currently regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR") as well as any national legislation supplementing the GDPR or otherwise setting out rules on processing of personal data to the extent applicable to the Parties (jointly the ”Data Protection Legislation”).

2. PUBLISHER'S INSTRUCTION TO VEO

2.1.
VEO is the data processor of the Personal Data, which VEO processes for and on behalf of Publisher.

2.2.VEO may only process Personal Data to the extent necessary to provide the Services in accordance with the Main Agreement and Appendix 1 and in accordance with any documented instruction from Publisher (the “Instruction”). The Main Agreement, together with this Agreement with appendices, sets out the Instruction at the time of signing.

2.3.VEO must notify Publisher immediately if in VEO’s opinion the Instruction is in violation of the Data Protection Legislation.

2.4.Changes in or expansions of the Instruction as well as the implementation hereof must in reasonable time before the implementation be discussed by the Parties.

2.5.VEO may process the Personal Data beyond the Instruction if required by EU or national law to which VEO is subject. In case the processing of Personal Data goes beyond the Instruction, VEO must inform Publisher unless prohibited from doing so by EU or national law.

3. PUBLISHER’S OBLIGATIONS

3.1.
Publisher is the data controller in respect of VEO.

3.2.
It is Publisher’s responsibility to ensure that the processing of Personal Data carried out under the Instruction has a legal basis according to the Data Protection Legislation.

3.3.
It is Publisher’s responsibility to fulfil the data subjects’ rights according to the Data Protection Legislation. Should VEO receive requests from the persons concerned, VEO must immediately inform Publisher hereof.

3.3.1
VEO must assist Publisher in fulfilling Publisher’s obligations to answer requests on the exercise of the data subjects' rights, including access, rectification, restriction, erasure, objection and data portability.

3.3.2.
VEO is entitled to charge Publisher for any such assistance applying any agreed upon hourly rates.     ‍

4. SECURITY OF PROCESSING

4.1.
VEO shall implement appropriate technical and organisational measures to protect the Personal Data against a) accidental or unlawful destruction, loss or alteration, b) unauthorized disclosure of, access to, misuse of, or c) other unlawful processing. VEO guarantees to implement the appropriate technical and organisational measures in a manner that ensures that the processing meets the requirements of the Data Protection Legislation.

4.2.
At the time of signing, VEO has implemented the technical and organisational security measures described in Appendix 2 and Publisher agrees that these security measures are appropriate, c.f. Section 4.1 above.

4.3.
VEO must without undue delay inform Publisher of any breach of security that could potentially lead to accidental or unlawful destruction, loss, alteration, unauthorized transmission of or access to the Personal Data processed on behalf of Publisher (“Security Breach”).

4.3.1.
The information must include a description of i) the nature of the Security Breach, including where possible the categories and approximate number of data subjects concerned as well as the categories of and approximate number of personal data records concerned, ii) the likely consequences of the Security Breach, and iii) the measures taken or proposed to be taken by VEO to alleviate the Security Breach, including if relevant measures to minimize the potential harm.  

4.3.2.VEO must upon request assist Publisher in fulfilling its obligations to notify and inform the competent supervisory authority and/or data subjects.

4.3.3.VEO must to a necessary extent and upon Publisher's request assist Publisher in carrying out an impact assessments and prior consultation with the supervisory authority.

4.3.4.In case any of the activities mentioned are not, in whole or in part, caused by a breach of the Agreement by VEO, VEO may charge Publisher for such activities applying its standard hourly rates, otherwise not.‍

5. DEMONSTRATION OF COMPLIANCE

5.1.
VEO must upon Publisher’s request provide Publisher with the necessary documentation enabling Publisher to ensure that VEO fulfils i) it’s obligations according to this Agreement, and ii) the provisions of the Data Protection Legislation in force at any given time, insofar as it concerns the Personal Data processed by VEO on behalf of Publisher.

5.2.
Publisher is entitled to audit the VEO's compliance with this Agreement including to conduct inspections in the VEO's offices. Publisher shall pay all costs in connection with any audit performed, including VEO's reasonable costs connected thereto.

5.3.
If the Publisher wants to audit VEO as described in this clause 5, the Publisher must always inform VEO hereof by giving a notice of minimum 10 working days, unless the Publisher has reasons to believe that VEO is in breach of the Agreement. In this case, the Publisher can perform an immediately supervision.  ‍

6. USE OF SUB-PROCESSORS

6.1.
If at the time of signing the Agreement VEO uses sub-processors, this is specified in Appendix 3. Publisher has approved that the use of these sub-processors are included in the Instruction.

6.2.
VEO will notify Publisher of any planned additions to or replacements of any sub-processors and grant Publisher a reasonable amount of time to object to any such alterations.

6.3.
If VEO uses a sub-processor in connection with specific processing activities on behalf of Publisher, data protection responsibilities corresponding to those stated in this Agreement must be imposed on the sub-processor, either by contract or another legal act guaranteeing, in particular that the sub-processor will implement appropriate and technical measures to ensure that the processing fulfils the requirements of the Data Protection Legislation.

6.4.
VEO remains fully responsible to Publisher for the fulfilment of the sub-processors’ obligations.‍

7. TRANSFERS TO THIRD COUNTRIES

7.1.
VEO may not cause or allow the transfer of Personal Data to countries outside the European Economic Area (EEA) unless such transfer is included in the Instruction or Publisher has given its prior written consent to such a transfer. ‍

7.2.
Insofar as Publisher has allowed a transfer in accordance with Section 7.1, VEO must ensure that there is a legal basis for the transfer according to the Data Protection Legislation. ‍

8. OBLIGATION OF CONFIDENTIALITY

8.1.
VEO must process Personal Data in confidence. VEO must ensure that the persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.2.
VEO undertakes to limit its employees' access to the Personal Data to employees for whom it is necessary to process the Personal Data in order to fulfil VEO’s obligations.

8.3.
VEO’s responsibilities under Section 8 are not limited by nor contingent upon the Parties’ continued or discontinued cooperation. ‍

9. DURATION AND TERMINATION

9.1
This Agreement comes into effect upon the Publisher acceptance hereof and is effective until the termination of the Main Agreement.

9.2.
Regardless of Section 9.1, the Agreement stays in effect as long as VEO is in possession of any of Publisher’s Personal Data.

9.3.
In case of termination of this Agreement, regardless of the reason, VEO must, at Publisher’s sole discretion, either delete or return to Publisher all Personal Data and delete any existing copies, unless the Data Protection Legislation prescribes storing of the Personal Data or unless otherwise agreed.

9.4.
VEO is not entitled to exercise a lien in Personal Data for claims, such as payment of invoices etc., which VEO may have in relation to Publisher.  ‍

10. LIABILITY

10.1.
The Parties are liable under the common regulations of Danish law with the limitations specified in this Section.‍

10.2.
The Parties are not liable for indirect losses and derived damage, including operating losses and loss of data that may arise in association to this Agreement. Further, the Parties' mutual liability for breach of this Agreement is limited to the total amount of subscription fees paid by the Publisher to VEO during the twelve (12) months immediately preceding the event of damage.  

10.2.1.
The limited responsibility in this Section 10.2 does not include losses resulting from the other Party’s gross or intentional negligence.‍

10.3.Notwithstanding the above, Publisher must indemnify VEO for any claims for damages or compensation raised by third party against VEO due to circumstances exceeding the limitation of liability stated in clause 10.2.

11. PRECEDENCE

11.1.
In case of conflict between the Main Agreement and this Agreement’s provisions on processing of Personal Data, the latter has precedence.‍

Appendix 1

1. Description of the Main Agreement
As further described in the Main Agreement the purpose of the processing is to allow the Publisher to upload and publish its Content on the VEO Website and to interact with Fans on the Publisher's Account on the VEO Website. The set up of the Publisher's Account, including a description of how fans may access the Publisher's Account is further described in the Terms of Use.‍

1.2. Processing activities
Uploading, publishing and storing of Personal Data on the VEO Website‍

1.3. Categories of data subjects
a) Sport players playing at a sport event at the Publisher b) Spectators to the sport eventc) Fansc) Employees of the Publisher ‍

1.4. Type of personal data
Types of personal data processed in connection with the delivery of the Main Service:Re. a): Video recordings of sport eventsRe. b): Name/user name and e-mails of UsersRe. c): Comments to sport event by Users, club names, match time, location and date. ‍

1.5. Sensitive personal data
No sensitive data is being processed.

Appendix 2

Description of the security measures taken. Below are a few suggestions for security measures to be taken for the processing of non-sensitive or non-confidential data. They are not exhaustive and must always be aligned with the actual processing.

Introduction
This appendix describes the minimum security measure requirements made by the Publisher to the physical, technical and organizational security in connection with VEO's delivery of services under the Main Agreement.

Physical safety
Fire, power failure, flooding etc.‍
The general security measures are taken against fire so that the operation can continue. This also applies in connection with power failure of a certain duration as well as protection against flooding.When equipment and mobile units are not in use, the equipment and the units must be locked and/or locked up.

Access control
VEO must protect its facilities with general burglar alarms. Only relevant staff will have access to the VEO's facilities.‍

Technical safety
Firewalls and antivirus‍
VEO must ensure that all machines and servers are equipped with antivirus programs in order to prevent virus, malware etc. The network must be protected by firewalls as protection against unauthorized access.

Encryption
VEO must ensure that all communication regarding the personal data takes place through secure connections. The personal data which is transferred outside a secure network controlled by VEO must be protected by encryption.‍

Storing of data and backup
VEO must regularly make a security backup of the personal data. The backup must be stored separately and securely so that the personal data can be restored. Instructions on deletion of personal data include deletion of personal data in backups.‍

Organisational safety
Access rights‍
VEO must ensure that employees at VEO only have access to the systems which are relevant for the individual employee.

All employees must have unique user names and passwords. User names and passwords must be created and changed according to generally accepted principles. Registration of all rejected access attempts must be made. After several rejected access attempts from the same work station or with the same user ID, the access must be blocked for further attempts.

Confidentiality
All employees at VEO with access to the personal data must be bound by confidentiality agreements.

Logging
Logging must be performed of all access to the services. The logging registers the time, which employee is accessing the services and the purpose of the access.

Deletion and discarding
IT storing media‍
Hard disks and other storing media which are discarded from operation must be destroyed in a way that makes it impossible to restore the data. All reused discs must be formatted in accordance with current industry practices.

Appendix 3

Use of sub-data processors

COMPANY NAME
PURPOSE
ADDRESS / COUNTRY

Intercom
Intercom is a customer service tool that gives us one unified place to gather all conversations with customers/leads.
Intercom R&D Unlimited Company, an Irish company with offices at 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland

Trello
Trello is a tool for keeping track of projects and tasks
Trello Inc.
55 Broadway New York, NY 10006 United States

Slack
Slack is a tool used for internal communications, through a number of either public of hidden channels
Slack , One Park Place, 4th floor, Hatch Street Upper, Saint Kevin's, Dublin 2, Ireland

G-Suite
G-Suite is our main email and virtual harddrive provider
Alphabet Inc. HQ 1600 Amphitheatre Parkway in Mountain View, California, United States.

Analytics
We use Analytics to gather stats about the usage of our websute
Alphabet Inc. HQ 1600 Amphitheatre Parkway in Mountain View, California, United States.


Heroku
Is our hosting partner for storing the website
Heroku (Salesforce)
50 Fremont St.
Suite 300
San Francisco, CA 94105
United States

Amazon S3
Is our hosting partner for storing customer videos
Amazon Web Services, Inc. (HQ)
410 Terry Avenue North, Seattle, WA 98109-5210
United States

Shopify
Shopify is an ecommerce tool that handles our online store
Shopify
150 Elgin Street, 8th Floor
Ottawa, ON K2P 1L4
Canada

Pipedrive
Pipedrive is a tool for managing and maturing potential customers
Pipedrive
Paldiski mnt 80
Tallinn 10617
Estonia

Typeform
Typeform is a conversational survey tool for asking customers/leads various questions
TYPEFORM SL
Carrer Bac de Roda, 163, local, 08018 - Barcelona
Spain

Webflow
A tool for visually building websites
Webflow, Inc., 398 11th St., Floor 2, San Francisco, CA 94103
United States

Zapier
Zapier connect al the tools that we use and shares information between them
Zapier, Inc. 548 Market St. #62411. San Francisco, CA 94104-5401
United States

Toky
Virtual phone system for calling leads
Toky, Inc.
530 Lytton Ave. 2nd Fl., Palo Alto, California, 94301, United States

Coda
Tool for building own sheets
Coda Project, Inc.
San Francisco Bay Area, West Coast, Western US
United States

Webshipper
Used in connection with shipping
Webshipper ApS
Søndergade 2B, 1. sal
DK-8600 Silkeborg
Denmark

Shiphero
Used in connection with shipping
ShipHero, LLC
P.O. Box 307, Garnerville, New York, 10923, United States

Economic
Accounting system provider
Visma e-conomic A/S
CVR: 29403473
Langebrogade 1
1411 Copenhagen
Denmark

Danløn
Salary system provider
Danske Lønsystemer A/S
Engholm Parkvej 8
3450 Allerød
Denmark
CVR 15611472

Calendly
Tool for booking appointments (e.g. phone calls or demos)
271 17th St NW, Atlanta, GA 30363, USA

Financial Outsourcing
External provider of financial assistance
Financial Outsourcing ApS
CVR-nr 37127906
Bernhard Bangs Alle 25
2000 Frederiksberg, Denmark