API license Agreement
STUBHUB DEVELOPERS PROGRAM
Thank you for your interest in the StubHub Developers Program (the “Program”). Through the Program, StubHub offers various tools content, and services (the “Developer Tools”), including certain StubHub Application Programming Interfaces (“APIs”), to manage and facilitate the development of applications that use content from and interact with StubHub-branded marketplaces around the world.
If you reside in the United States, your contract is with StubHub Inc. If you reside in Canada, your contract is with StubHub Canada Ltd. If you reside in the United Kingdom, your contract is with StubHub (UK) Limited. If you reside in any other country, your contract is with Ticketbis S.L. By signing this Agreement below, you are representing and warranting that you have the authority to bind the party being issued an Access Key (defined below) and you, and that party, are collectively referred to as “you” or “your” in this Agreement.
1.1 Access Keys means the confidential security keys provided by StubHub to you for your use of the API, including the developer ID, certificate ID, and application ID.
1.2 Application means the software application, website or other interface that you develop, own or operate to interact with the API.
1.3 Developers Program Tools means the StubHub Application Programming Interface (API), SDKs, Documentation, developer websites and portals, technical support and all other tools and information made available to you by StubHub.
1.4 Documentation means all written information provided or made available to you by StubHub including information related to the StubHub Site, Developers Program Tools, Developer’s guides and reference guides. Documentation may be provided on StubHub’s Developer websites and/or webpages.
1.5 Personal Information means any information that directly or indirectly identifies a StubHub User that you obtain through your participation in the Program and your use of the Developer Tools, including information that you collect directly from Your Users in connection with your Application, information that is included in StubHub Content, or information that you otherwise receive from StubHub about Your Users or other StubHub Users and their trading activities.
1.5 Sandbox means any StubHub test environment and any related products and services available to you.
1.6 StubHub Content means all of the information, data, content, images, and other material stored by and retrieved from StubHub. StubHub Content does not include information that you obtain independent of StubHub and the API.
1.7 StubHub Logos has the meaning defined in Section 2.3.
1.8 StubHub Services means StubHub sites, including any StubHub content therein, and all other services, applications and tools StubHub offers to StubHub Users.
1.9 StubHub Site(s) means any or all of the websites, mobile websites and mobile applications that provide a platform for the purchase or sale of tickets and other items where such sites are owned, operated, and controlled by StubHub Inc. or its subsidiaries.
1.10 StubHub User means any person who accesses any StubHub Service, directly or through the Developer Tools.
1.11 StubHub User Agreement means the terms and policies on the StubHub Site (including the User Agreement, User Privacy Notice, Seller Policies and any other policies) and incorporated herein by this reference.
1.12 Your Users means end-users of your Application, your service providers, and anyone who sublicenses your Application.
2 DEVELOPERS PROGRAM CONDITIONS
2.1 Participation in the Developers Program. You may participate in the program and use the Developers Tools to create and use Applications that access and/or interact with StubHub Services consistent with the Authorized Use and these Terms. You agree that you are solely responsible for the Applications that you develop. You agree to provide and maintain accurate contact information and you will inform us promptly of any updates to your contact information.
2.1.1 Application Guidelines. Applications that you develop, display or distribute that interact with the API must comply with StubHub’s Compatible Application Check requirements, incorporated herein by reference.
2.1.1 Permitted Uses. Your use of the StubHub Developer Program Tools is permitted only for the purpose of facilitating your own or Your Users’ use of StubHub’s sites and services.
2.1.3 Additional Certifications. Access to certain APIs, StubHub Content and increase API call limits may require special certifications. You may be responsible for any costs associated with such certifications, as well as any modifications necessary for your Application to meet certification criteria.
2.2 API License
2.2.1 Using the API. StubHub grants you a non-exclusive, non-transferable, and non-sublicensable (except as expressly permitted herein) license to use the API solely to do the following and subject to the restrictions set forth in this Agreement:
220.127.116.11 Enable your Application to interact with StubHub’s functionality and data services to retrieve information necessary to facilitate your own or Your Users use of StubHub Sites and services through your Application;
18.104.22.168 Rearrange or reorganize StubHub Content within your Application;
22.214.171.124 Display StubHub Content consistent with this Agreement and the API Logo Usage Requirements (defined in Section 2.3); and
126.96.36.199 Use, display or modify StubHub Content as expressly authorized by an authenticated StubHub User.
2.2.2 Access Keys. StubHub will provide you with Access Keys that permit you to access StubHub’s functionality and data services. The Access Keys are the property of StubHub and may be revoked if you share them with any third party (other than as allowed under this Agreement), if they are compromised, if you violate any term of this Agreement, or if StubHub terminates this Agreement.
2.2.3 API Call Limitations. The number of API calls you will be permitted to make during any given period may be limited. StubHub will determine call limits based on various factors, including the ways your Application may be used or the anticipated volume of use associated with your Application. StubHub may, in its sole discretion, charge you for API calls that exceed the call limits or terminate your access to the API in accordance with Section 14.2. Unused API calls will not roll over to the next day or month, as applicable.
2.3 Developers Program Logos. StubHub grants you a non-exclusive, non-transferable and non-sublicensable license to display certain StubHub logos as set forth in the “API Logo Usage Requirements” made available to you either via email linked on the StubHub Developer Site, such requirements incorporated herein by this reference. You must display logos in accordance with such API Logo Usage Requirements, which may be updated from time to time and you must ensure compliance with current standards. StubHub has final approval over the placement of API logos on your Application and may terminate this trademark license at any time for any reason and you must remove the logo(s) immediately. StubHub may update the API logos from time to time, and you will display the current logo.
2.4 Certification. In its discretion, StubHub may require or offer Certification for certain Applications. Certification will consist of confirmation by StubHub or an independent third party it designates that your Application’s technology complies with a particular set of StubHub’s guidelines. You will be responsible for all costs associated with Certification and any modifications necessary to meet the Certification criteria and you will not be permitted to access the public functionality or data services in certain cases until Certification is complete. Future modifications of your Application or your use or display of the StubHub Content are subject to re-Certification, if applicable. If StubHub requires Certification, failure by you to maintain Certification is cause for immediate termination of this Agreement.
3 STUBHUB CONTENT
3.1 Using and Displaying StubHub Content. You may use and display StubHub Content only within your Application and in accordance with the following guidelines:
3.1.1 Authentication. If your Application will enable Your Users to interact with StubHub Sites and services in a way that requires sign-in to their StubHub accounts (for example, buying, listing or access to accounts), you may provide this access only after “Authentication” which occurs when a StubHub User grants the Application access to that StubHub User’s StubHub Content via a StubHub-controlled sign-in and consent page. An “Authenticated User” is a StubHub User who has granted such access to your Application. You warrant that Your Users may revoke Authentication at any time for any reason.
3.1.2 Public Display. You may display StubHub Content that any StubHub User makes publicly available on the StubHub Site to everyone during the time that such StubHub Content is publicly available to promote StubHub and enable Your Users to search and browse listings (“Public Display”). When the StubHub Content is no longer publicly available, you must delete it from your Application. For example, when a StubHub User ID is publicly available in connection with a listing on the StubHub Site, you may display the StubHub User ID through your Application; but if and when that StubHub User ID is no longer viewable in connection with the listing or is otherwise anonymized, you may no longer display the StubHub User ID in a Public Display of the listing.
188.8.131.52 StubHub Content in a Public Display may not be co-mingled or combined with the content of any third party. All StubHub Content must be segregated from non-StubHub content (for example, third-party listings or other non-StubHub information) and visually separated from non-StubHub Content (for example, with lines or color changes).
184.108.40.206 StubHub Content that is available only to a registered StubHub User after signing in to a StubHub account may only be displayed to that user after Authentication. Such StubHub Content may not be used for Public Display without the explicit consent of the data subject.
3.1.3 Age of Listings. Displayed item listing information may not be more than six hours older than information displayed on the StubHub Site, and other StubHub Content must be no more than twenty-four hours older than content displayed on the StubHub Site. If your displayed item listing is not as current as the listing on the StubHub Site, you will disclose on your Application how much older your displayed item listing is than the same listing on StubHub.
3.1.4 Derivative Information.
220.127.116.11 You must have StubHub’s express written permission to use or display StubHub Content in any way that enables derivation of any of the following information:
18.104.22.168.1 Any site-wide statistics across StubHub Sites or within any StubHub Site;
22.214.171.124.2 The gross ticket sales of any StubHub Sites or services, or other statistics relating to the performance (financial or otherwise) of any StubHub Site or service; or
126.96.36.199.3 Average selling price or gross tickets sold for any StubHub tickets or category of tickets.
188.8.131.52 You must have StubHub’s express written permission to use or display StubHub Content in any way that enables derivation of the following information (other than an Authenticated StubHub User’s access to his or her own information):
184.108.40.206.1 Information relating to specific StubHub Users or types of StubHub Users; or
220.127.116.11.2 Conversion, completion or success rates;
3.1.5 StubHub Listings. If your application will display StubHub listings for buyers to purchase, your application must display at a minimum all information that is legally required under applicable laws and regulations.
3.2 Protecting User Privacy
3.2.1 Collecting and Using Personal Information. Your participation in the Developers Program and your use of the Developers Program Tools may allow you to collect Personal Information from and about StubHub Users. “Personal Information” is any information pertaining to a directly or indirectly identifiable individual. It may include information that you collect directly from users in connection with your Application and information that is included in the StubHub Content, or that you otherwise receive from StubHub, about Your Users or other StubHub Users and their purchasing activities.
18.104.22.168 You will delete Personal Information when it is no longer necessary for your performance of the Agreement or when you cease to participate in the Developers Program. This provision does not apply to information you collect directly from Your Users, unrelated to the StubHub site and services.
22.214.171.124 Unless you get the express consent of the StubHub User, you will not under any circumstances collect or store StubHub User IDs and passwords.
3.2.2 Compliance with Privacy Laws. At all times, your Application and your use of the Developers Program Tools and StubHub Content will comply with all applicable laws, regulations and best practices concerning privacy, data protection and on demand or downloadable software.
3.2.4 Information About Other StubHub Users. You may receive information about StubHub Users, who may or may not be Your Users, that is either publicly available from StubHub or that is provided by StubHub after Authentication about Your Users’ transaction partners (“Other User Information”). Any Other User Information StubHub provides to you will be limited to information reasonably necessary to perform activities permitted under this Agreement.
126.96.36.199 Using Other User Information. You will not collect, store, use or disclose Other User Information for any purpose other than facilitating the use of StubHub’s sites and services as permitted under this Agreement.
188.8.131.52 Public Information. You may engage in the Public Display of Other User Information (for example, StubHub listings) only in accordance with Section 3.1.2. You may not display any other Personal Information to the public without the explicit consent of the data subject.
184.108.40.206 StubHub Sandbox Environment. As a Developer, StubHub may provide you with a StubHub Sandbox where you may test your API calls. When testing in the Sandbox, you may only use anonymous, non-live data. You agree that all use of the Sandbox will be in accordance with StubHub’s usage policies for Developers Program Tools which are subject to change from time to time. StubHub may post on the Developer site and/or Developer blog, and/or send an email to you with notices of any changes. You agree that StubHub will not be liable to you or any third party for any modification or cessation of Developers Program Tools, including the Sandbox. All accounts and transactions made in the Sandbox are not real. The Sandbox is provided to you on an “as-is” basis and StubHub does not guarantee up-time or availability.
3.2.5 Communication. You will not use Personal Information from Your Users or from StubHub Users that you received from StubHub to send or enable sending of unsolicited communications of any type. You may communicate with Your Users, or send communications initiated by and on behalf of Your Users to other StubHub Users, to facilitate a StubHub transaction. You may also send communications that users have explicitly consented to receive.
4 RESTRICTED ACTIVITIES
You may not use or access (nor facilitate or enable others to use or access) the Developers Program Tools or StubHub Content in any way not expressly permitted under this Agreement. For example, you will not and you will not facilitate or enable others to:
4.1 Distribute, publish, or allow access or linking to the API or StubHub Content from any location or source other than your Application.
4.2 Enable or permit the disclosure of StubHub Content other than as authorized under this Agreement.
4.3 Use the StubHub Content to establish StubHub User identities or user profiles.
4.4 Commercialize (that is, sell, rent, trade or lease), copy or store the StubHub Content, other than for the intermediate purposes allowed by this Agreement;
4.5 Use, copy, distribute or modify the API or StubHub Content in any "service bureau" or "timesharing" business;
4.6 Enable StubHub Users to set or change StubHub User preferences, registration preferences or privacy preferences with your Application. This prohibition does not apply to listing preferences or item cross-promotion preferences.
4.7 Collect Personal Information (defined in Section 3.2.1) of any StubHub User other than as provided in this Agreement.
4.8 Modify, decompile, reverse engineer or otherwise alter the Developers Program Tools, API or StubHub Content.
4.9 Knowingly create an Application that may be used to violate the StubHub User Agreement or any other StubHub policy or applicable law.
4.10 Use the API in a manner that exceeds reasonable request volume, constitutes excessive or abusive usage or otherwise fails to comply or is inconsistent with any developer documentation provided to you by StubHub.
4.11 Have your Application or your use of StubHub Content or any of the Developers Program Tools: (i) be false, inaccurate or misleading; (ii) infringe on any third party's copyright, patent, trademark, trade secret or other property rights or rights of publicity or privacy; (iii) violate any law, statute, ordinance, contract, regulation or generally accepted practice in all relevant jurisdictions (including without limitation those governing trade and export, financial services, consumer protection, unfair competition, antidiscrimination or false advertising); (iv) be defamatory, trade libelous, threatening or harassing; (v) contain any viruses or other computer programming routines that may damage, detrimentally interfere with, surreptitiously intercept or expropriate any system or data; or (vi) create liability for us or cause us to lose (in whole or in part) the services of our ISPs or other suppliers;
4.12 Provide any data or information to StubHub unless you represent and warrant that it is accurate and you have all rights necessary to provide such data or information to StubHub, and for StubHub to use it.
5 STUBHUB POLICIES
You and your Application will comply with the StubHub User Agreement and all applicable StubHub Site policies. In the event of a conflict between this Agreement and the StubHub User Agreement regarding your use of the API, this Agreement will control. If you are participating in a StubHub affiliate program or any other StubHub program, you are subject to and must comply with the applicable terms (for example, participation in the Top Seller Program.
6.1 Modification of the API, Sites and Services. StubHub may modify the Developers Program Tools, permitted API calls, its functionality or data services, the permitted uses under this Agreement, any StubHub Site or service, or any of the benefits and/or features provided in connection with your use of the API at any time with or without notice to you. Modifications may affect your Application and may require you to make changes to your Application at your own cost to continue to be compatible with or interface with the API or StubHub Sites or services.
6.2 Modification of this Agreement. StubHub may from time to time change the terms of this Agreement. We will notify you of the amended terms ny posted such modified Agreement on the developer portal or via email. Except where stated otherwise herein, all amended terms will be effective thirty days after they are posted or emailed to you. IF ANY MODIFICATION IS UNACCEPTABLE TO YOU, YOUR ONLY RECOURSE IS TO TERMINATE YOUR PARTICIPATION IN THE DEVELOPER PROGRAM AND THIS AGREEMENT BY SENDING A TERMINATION NOTICE TO DL-SH-api-license@StubHub.com (“AMENDMENT TERMINATION NOTICE”) BEFORE THE EFFECTIVE DATE OF THE AMENDMENT(S). The amendment termination notice will be effective on the date it is received by StubHub. The most current version of the agreement will be available on the developer portal and will supersede all previous versions of the agreement. YOUR USE OF THE DEVELOPER PROGRAM TOOLS OR API AFTER THE DATE ON WHICH CHANGES BECOME EFFECTIVE WILL CONSTITUTE YOUR ACCEPTANCE OF SUCH CHANGES.
7 MONITORING AND ENFORCEMENT
7.1 Right to Monitor and Audit. You agree that StubHub may monitor or audit your Application or activities relating to your use of Developers Program Tools. At StubHub’s request, you will provide StubHub free access to your Application for the purpose of monitoring or auditing your Application. You will not seek to block or otherwise interfere with the monitoring or audit, and StubHub may use technical means to overcome any methods you may use to block or interfere with such monitoring. Audits may include requests for documents and information and visits to your facilities. Your failure to reasonably comply with StubHub’s efforts to audit your compliance with this Agreement shall constitute a material breach of this Agreement.
7.2 Remedy for Breach. If StubHub, in its sole discretion, believes that you or your service providers have breached this Agreement, or that you or your service providers have engaged in fraudulent activity, StubHub may take any and all steps it deems appropriate, including suspending your license to use the APIs, discontinuing your participation in the Program, terminating your access to the Developer Tools, and/or reducing your access to all or some APIs.
7.3 Corrective Action. In addition to any other available remedies, StubHub may, at its sole discretion, seek specific performance, injunctive relief or attorneys' fees. StubHub reserves the right to take other corrective action as StubHub sees fit in the event that StubHub receives complaints from StubHub Users about your Application or your actions.
8 OWNERSHIP AND LICENSING
8.1 Ownership. As between StubHub and you except for the limited licenses granted by these Terms: (i) StubHub retains all rights, title and interest in and to all intellectual property rights embodied in or associated with the Developers Program Tools, StubHub Content, StubHub Logos, StubHub Site, any and all StubHub services, and any content StubHub created or derived therefrom; and (ii) you retain all rights, title and interest in and to all intellectual property rights embodied in or associated with your Application, excluding the aforementioned rights in this Section 8.1(i) above owned by or licensed to StubHub. There are no implied licenses under this Agreement, and any rights not expressly granted to you hereunder are reserved by StubHub or its suppliers. You will not take any action inconsistent with StubHub’s ownership of the Developers Program Tools, StubHub Site, StubHub Content and/or StubHub Logos. Neither party will exceed the scope of the licenses granted hereunder.
8.2 Trademark and Copyright License. You agree that StubHub, in its sole discretion, may use your trade names, trademarks, service marks, logos, and domain names for the purpose of advertising or publicizing your participation in the Program and use of the API. If you submit an Application for inclusion on a StubHub site or to be hosted by StubHub, you direct and authorize StubHub and its affiliates to host, link to, and otherwise incorporate the Application into StubHub Services and to carry out any copying, modification, distribution, internal testing, or other processes StubHub deems necessary.
8.3 Competitive or Similar Materials. In no event will StubHub be precluded from discussing, reviewing, developing for itself, having developed, acquiring, licensing or developing for third parties, as well as marketing and distributing, materials which are competitive with your Application or other products or services provided by you, irrespective of their similarity to your current products or products that you may develop.
9 WORKING WITH THIRD PARTIES
9.1 Service Providers. You may work with service providers as necessary to facilitate your performance under this Agreement only if you subject your service providers to all of the conditions and restrictions of this Agreement. You acknowledge and agree that any act or omission by your service provider(s) amounting to a breach of this Agreement will be deemed a breach by you.
9.2 Sublicensing. Except as set forth in this Section 9.2, all license rights (under any applicable intellectual property right) granted to you by StubHub are not sublicensable, transferable or assignable. You may sublicense your right to display the StubHub Content and the API Logos to Your Users solely to enable them to display StubHub Content and the API Logos on their computer screens or websites through your Application; provided that:
9.2.1 You will not disclose your Access Keys to Your Users.
9.2.2 All calls initiated by Your Users will be made through your Access Keys.
9.2.3 All API calls initiated by Your Users will count towards the maximum number of calls (if any) permitted under the API licensing.
9.2.4 All fees due (if any) for all API calls initiated by Your Users will be paid by you.
9.2.5 Your Users will have no programmatic control over the API.
9.2.6 You will enter into a binding agreement with each of Your Users that includes the following terms:
220.127.116.11 It will bind Your Users to this Agreement (excluding the right to sublicense and indemnification obligations).
18.104.22.168 It will require Your Users to acknowledge StubHub’s rights in the Developers Program intellectual property as laid out in this Agreement
22.214.171.124 It will make StubHub a third-party beneficiary to your agreement
126.96.36.199 It will make the sublicense terminable at any time.
9.3 Breach by Your Users. As a third-party beneficiary to all sublicenses pursuant to this Agreement, StubHub will have the right, in its sole discretion, to directly enforce any term of the sublicense agreement against Your Users, including termination. You acknowledge and agree that any act or omission by Your User(s) amounting to a breach of this Agreement will be deemed a breach by you.
10 FEES AND PAYMENTS
10.1 Fees. You agree to pay any applicable fees charged under this Agreement, as set forth in the developer portal or in an order form. StubHub reserves the right to change the fees at any time, in our sole discretion, including by discontinuing any service(s). Unless otherwise specified in an invoice or order form, changes to fees will be effective thirty days after posting the modified fees in the developer portal. Fees will be invoiced on a monthly basis for activity from the previous calendar month. If you fail to make payment by the due date, StubHub will have the right to charge interest at the maximum rate permitted by applicable law until you pay all amounts due. In addition to any applicable fees associated with your use of StubHub’s APIs or the Developer Tools, you will be responsible for all other fees associated with use of any StubHub Site or service. All fees made by you under this Agreement will exclude, and you will pay, any taxes associated with such fees, your Application, or this Agreement.
10.2 Payments. All fees are due and payable within thirty days of the invoice date; StubHub may terminate this Agreement without notice to you if you fail to pay. All payments are non-refundable, whether or not you use the service or API purchased.
11 AVAILABILITY, SECURITY AND STABILITY
11.1 StubHub makes no guarantees with respect to the performance, availability or uptime of any Developers Program Tools, StubHub Sites or services. StubHub may conduct maintenance on or stop providing any the Developers Program Tools, or its sites or services, at any time with or without notice to you. StubHub may change the method of access to the Developers Program Tools at any time.
11.2 It is in the best interests of both parties that StubHub maintain a secure and stable environment. In the event of degradation or instability of StubHub’s system or an emergency, StubHub may, in its sole discretion, temporarily suspend your access to the Developers Program Tools or StubHub’s sites and services under this Agreement. Your continued access to the Developers Program Tools and StubHub Content is subject to your compliance with the API Security Standards in Exhibit A and the StubHub Data Protection Addendum in Exhibit B, incorporated herein by this reference.
12 DISCLAIMER OF WARRANTIES & LIMITATION OF LIABILITY
12,1 SOME JURISDICTIONS DO NOT ALLOW CERTAIN WARRANTY DISCLAIMERS OR LIMITATIONS ON LIABILITY. ONLY DISCLAIMERS OR LIMITATIONS THAT ARE LAWFUL IN THE APPLICABLE JURISDICTION WILL APPLY TO YOU AND STUBHUB’S LIABILITY WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW.
12.2 EXCEPT AS EXPRESSLY STATED HEREIN, STUBHUB DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALL STUBHUB LOGOS, PRODUCTS AND SERVICES PROVIDED BY STUBUB HEREUNDER ARE PROVIDED “AS IS” AND “AS AVAILABLE” AND STUBHUB DOES NOT REPRESENT OR WARRANT THAT ANY STUBHUB SERVICES, INCLUDING THE DEVELOPER TOOLS, WILL OPERATE SECURELY OR WITHOUT INTERRUPTION. YOU ACKNOWLEDGE THAT YOU HAVE NOT ENTERED INTO THIS AGREEMENT IN RELIANCE UPON ANY WARRANTY OR REPRESENTATION EXCEPT THOSE SPECIFICALLY SET FORTH HEREIN.
12.3 STUBHUB WILL HAVE NO DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT, EXEMPLARY, PUNITIVE, OR OTHER LIABILITY WHETHER IN CONTRACT, TORT OR ANY OTHER LEGAL THEORY, UNDER THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH LIABILITY AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
12.4 IN THE EVENT THAT THE ABOVE IS NOT ENFORCEABLE, STUBHUB'S AGGREGATE LIABILITY UNDER THIS AGREEMENT IS LIMITED TO AMOUNTS PAID OR PAYABLE TO STUBHUB BY YOU FOR THE DEVELOPERS PROGRAM TOOLS IN THE MONTH PRECEDING THE CLAIM. IN THE EVENT THAT THE FORMER LIMITATION OF LIABILITY IS HELD UNENFORCEABLE BY A COMPETENT COURT, STUBHUB’S AGGREGATE LIABILITY IS IN ANY CASE LIMITED TO $25,000 PER EVENT, A SERIES OF EVENTS BEING CONSIDERED AS ONE SINGLE EVENT.
You will indemnify, defend and hold StubHub, its employees, agents, consultants, subsidiaries, partners, affiliates, and licensors harmless against any and all claims, costs, losses, damages, liabilities, judgments and expenses (including reasonable fees of attorneys and other professionals) (collectively, “Claims”) that may arise from or are related to (i) use of the Developers Program Tools; (ii) the development, maintenance, use and contents of your Application, including but not limited to any infringement of any third-party proprietary rights; and (iii) your negligence or willful misconduct.StubHub will: (i) give you prompt notice of any Claim; provided, however, that failure to provided such notice shall not relieve you of your liabilities or obligations hereunder, except solely to the extent of any material prejudice as a direct result of such failure; (ii) cooperate with you, at your sole cost and expense, in connection with the defense and settlement of the Claim; provided that you may not settle any Claim or take any other action to the extent such settlement or other action would materially adversely impact StubHub’s rights, obligations or business operations without StubHub’s prior written consent. StubHub, at its cost and expense, may participate in the defense of the Claim through counsel of its own choosing. Notwithstanding the foregoing, if you fail to assume the defense of any Claim within thirty (30) calendar days after you receive a request for indemnification under this Section 13, StubHub shall control its own defense and follow such course of action as it reasonably deems necessary to protect its interests and you shall fully indemnify StubHub for a ll costs (including attorneys’ fees and settlement payments) reasonably incurred in such course of action.
14 TERM AND TERMINATION
14.1 Term. The term of this Agreement will begin on the date you register for an account. It will continue until terminated in accordance with this Agreement.
14.2 Termination. STUBHUB RESERVES THE RIGHT TO TERMINATE THIS AGREEMENT OR SUSPEND OR DISCONTINUE YOUR ACCESS TO THE DEVELOPER TOOLS, INCLUDING YOUR LICENSE TO USE THE API, OR ANY PORTION OR FEATURE THEREOF, FOR ANY OR NO REASON AND AT ANY TIME WITH OR WITHOUT NOTICE TO YOU AND WITHOUT LIABILITY TO YOU. Notwithstanding the foregoing, StubHub will provide fifteen days prior written notice of termination for any service for which you pay a fee.
14.3 If you wish to terminate this Agreement, you must email a termination notice to DL-SH-api-license@StubHub.com or such other email address as you are provided; any other methods used by you to terminate this Agreement will be void and will not result in a termination. Your termination notice will be effective when it is received by StubHub for any free services and thirty days after notice is received for any paid services.
14.4 Effect of Termination. Upon the termination of this Agreement, you will immediately stop using the APIs. Your Access Keys will be revoked and all licenses granted hereunder will terminate. You will still be liable for all past-due fees. You will destroy all intermediate copies of StubHub Content and Personal Information within ten (10) days after termination and provide written proof of destruction to StubHub upon StubHub’s request.
14.5 Survival. The following Sections will survive any termination of this Agreement: 1 Definitions, 3 StubHub Content, 4 Restricted Activities, 5 StubHub Policies, 8.1 Ownership and Licensing, 10 Fees and Payments, 12 Disclaimer of Warranties & Limitation of Liability, 13 Indemnification, 14.4 Effect of Termination, 15 Confidentiality, 16 Publicity and 17 Miscellaneous.
“Confidential Information” includes all information provided by StubHub to you under these Terms , including without limitation, Developers Program Tools, StubHub Content, Personal Information and Access Keys. You will not use or disclose Confidential Information other than as required to perform under and permitted by these Terms. Your confidentiality obligations will survive the termination of this Agreement. You acknowledge that monetary damages may not be a sufficient remedy for unauthorized use or disclosure of Confidential Information and that StubHub will be entitled (without waiving any other rights or remedies) to such injunctive or equitable relief as may be deemed proper by a court of competent jurisdiction, without obligation to post any bond. Any information provided by you to StubHub hereunder is considered by StubHub to be non-confidential. You acknowledge and agree that you have no expectation that such information will be held confidential by StubHub, and that StubHub has no duty, express or implied, to pay any compensation for the disclosure or use of any such information.
Absent the prior written approval of StubHub, you will not directly or indirectly issue or permit the issuance of any public statement concerning any aspect of, the StubHub Developers Program. You permit StubHub to make public statements about your use of the Developers Program Tools or participation in the StubHub Developers Program.
17 LAW AND VENUE
The rights and obligations of you and StubHub shall be governed by, and these Terms shall be construed and enforced in accordance with, the Laws of the State of California, excluding its conflict of laws rules to the extent such rules would apply the Law of another jurisdiction. The Parties consent to the jurisdiction of all federal and state courts in California, and agree that venue shall lie exclusively in Santa Clara County, California.
You acknowledge and agree that this Agreement constitutes the entire agreement between you and StubHub (the “Parties”) and supersede all prior understanding and agreements of the parties. Any notices to StubHub must be sent to our corporate headquarters address as set forth in the StubHub User Agreement via first class or air mail or overnight courier, and is deemed given upon receipt. A waiver of any default is not a waiver of any subsequent default. Unenforceable provisions will be modified to reflect the parties' intention, and remaining provisions of these Terms will remain in full effect. Neither party may assign these Terms without the prior express written permission of the other party. Notwithstanding the foregoing, your consent shall not be required for StubHub’s assignment or transfer (1) due to operation of law, or (2) to an entity that acquires substantially all of StubHub’s stock, assets or business, or (3) to a related entity (e.g., parent or subsidiary of parent). You and StubHub are independent contractors, and nothing in these Terms creates a partnership, agency, joint venture, or employer-employee relationship between StubHub and you. There are no third-party beneficiaries to these Terms.
API Security Standards
You will comply with the following API Security Standards (“Security Standards”):
1 Security Audits
1.1 Audit. StubHub reserves the right to periodically audit the Systems to ensure compliance with the requirements of this Exhibit. Non-intrusive network and application security scans may be performed randomly without prior notice.
1.2 Audit After a Security Breach Incident. For purposes of these Security Standards, a “Security Breach” is defined as a breach of security of your facility, systems or site where StubHub Content or StubHub User Data has been acquired by an unauthorized person. In the event of a Security Breach, StubHub may suspend or terminate your access to the API and StubHub Content and StubHub may conduct a security audit.
1.3 StubHub Results and your Response. StubHub will provide you with detailed results of any security audit performed by StubHub pursuant to these Security Standards. You will be granted thirty (30) days to resolve any issues StubHub has identified through a security audit. Should you fail to resolve such identified issues, StubHub may immediately suspend or terminate your access to the API and StubHub Content without notice to you.
2 Security Incidents and Response
2.1 Notification and Timing. Notwithstanding any other legal obligations you may have, you agree to immediately notify StubHub in writing upon your discovery of a Security Breach. You agree to use commercially reasonable efforts to notify StubHub of your detection of a Security Breach no more than twenty-four (24) hours after detection of a Security Breach. Notwithstanding the foregoing, under no circumstances will more than two (2) days pass between your detection of a Security Breach and StubHub being notified.
2.2 Notification Format. Your notification of a Security Breach in accordance with the requirements set forth above will take the form of an email to DL-SH-api-license@StubHub.com. Such notification email will include: a problem statement, expected resolution time (if known), and the name and phone number of your representative that StubHub can contact to obtain incident updates.
3 Security Precautions: Best Practices. You agree to adhere at all times to reasonable security practices, as specified in current industry literature on topics relevant to your interaction with StubHub. In the event such best practices conflict with these Security Standards, you will comply with these Security Standards.
4 Data Security: Data Storage. You agree to maintain reasonable safeguards to protect the security of the following information, whether provided by an StubHub User to you or obtained from StubHub through the API:
- StubHub User Email Addresses
- Auth&Auth Tokens
- StubHub User ID (includes API Developer ID, Application ID, and Certificate ID)
- Any other StubHub User data
At no time will you collect or store StubHub User passwords, credit card numbers, financial information, Social Security Numbers, Driver's License numbers, or State Identification Card numbers, in any form. StubHub User IDs used to authenticate access to the API must be kept secret and confidential and under no circumstances be exposed to the public. If StubHub believes that StubHub User IDs have been compromised, StubHub reserves the right to immediately terminate access and issue a new StubHub User ID to you.
Exhibit B: StubHub Data Protection Requirements Addendum
- Purpose and Scope:
Capitalized terms used but not defined herein shall have the meaning set forth in the Terms.
- “Applicable Law” means any applicable data protection, privacy, or information security laws, codes, and regulations or other binding restrictions governing Processing of StubHub Data.
- “Cardholder Information” means credit or debit card information regulated by the Payment Card Industry Security Council.
- “Data Centers” means locations at which you provide data Processing or transmission functions in support of your Application. Data Centers can be owned by you or by a third party.
- “Data Controller” means the party that determines the purposes of the Processing of Personal Data.
- “Data Processor” means the party that Processes Personal Data on behalf of, and under the instruction of, the Data Controller.
- “Data Subject” means the identified or identifiable person who is the subject of Personal Data.
- “StubHub Data” means data or information (regardless of form, e.g., electronic, paper copy, etc.) transmitted through the StubHub API(s). StubHub Data may be classified as:
- “Confidential Data”: Information that is intended only for a limited audience within StubHub or whose release would likely have an adverse financial or reputational effect on StubHub, StubHub customers, or StubHub clients. Examples include, but are not limited to: customer or client customer individual names, email addresses, physical addresses and any other information that correlates to a person, software source code, customer personal contact information, customer email addresses, etc.; or
- “Personal Data”: data or information that makes a natural person identified or identifiable or is a numerical, physical, physiological, cultural, economic, mental or other factor of identity relating to an identified or identifiable person.
StubHub Data specifically excludes data classified by StubHub as “Restricted Data,” which includes highly sensitive or regulated information that is intended only for a limited audience within StubHub or whose release would likely have a material adverse financial or reputational effect on StubHub or any Data Subject. Examples include but are not limited to: (i) Government issued identification numbers for specific countries (e.g., USA Social Security number; Germany Shufa ID, Canada Social Insurance number, driver’s license number; state identification number); (ii) Bank account numbers and related bank wire transfer financial information; and (iii) customer date of birth.
You agree that you will not attempt to access, receive, transmit, Process or store any “Restricted Data” with the exception of Payment Card Industry (PCI) regulated data pursuant to Section 11 if authorized by the cardholder.
- “Incident” means any impairment to the security of StubHub Data, including, but not limited to: any (i) alleged or confirmed misuse of StubHub Data; or (ii) unauthorized access to or attempt to access StubHub Data.
- “Industry Standard Encryption Algorithms and Key Strengths” means encryption should at least meet the following standard encryption algorithm (note: The algorithm and key strengths may change depending upon the new and most up-to-date industry standard encryption practice):
- Symmetric encryption: AES (≥ 128-bit);
- Asymmetric encryption: RSA (≥ 2048-bit);
- Hashing: SHA-2 (≥ 224-bit) with “salt” shall be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
- “Industry Recognized Framework” means a global industry recognized information security management system (“ISMS”), such as ISMS standard ISO/IEC 27001:2013 and ISO/IEC 27002:2013 – Information technology – Security techniques – Information security management systems – Requirements, as published by the International Organization for Standardization and the International Electrotechnical Commission (“ISO 27001”) or equivalent information security standard as mutually agreed upon by StubHub and you.
- “Processing” or “Processes” means any operation or set of operations which is performed upon StubHub Personal Data, whether by automatic means or not, including but not limited to collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Security Breach” means a compromise of the systems in which StubHub Data has been accessed or acquired by one or more unauthorized parties, or you or StubHub reasonably suspects that such a breach of security may have occurred, or any act that violates any Applicable Law. For the avoidance of doubt, “a compromise of the systems” includes, but is not limited to: misuse, loss, destruction, unauthorized access, collection, retention, storage, or transfer.
- “Sub-Processor” means any of your Affiliates, agents or assigns that Processes StubHub Personal Data subject to the Terms, and any unaffiliated Data Processor engaged by you or by your Affiliates.
3. Security Management:
3.1 Scope and Contents. You will develop, implement, maintain and enforce a written information privacy and security program (“Security Program”) that (i) aligns with an Industry Recognized Framework; (ii) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of StubHub Data; (iii) is appropriate to the nature, size and complexity of your business operations; and (iv) complies with any Applicable Laws that are applicable for the geographic region in which you do business.
a. Security Program Changes. You will provide details of any major changes to your Security Program that may adversely affect the security of any StubHub Data. Such details must be communicated in writing to the StubHub Security Operations Center (as provided in Section 8 below) within ten (10) business days prior to the effectiveness of any changes.
b. Security Officer. You will designate a senior employee to be responsible for overseeing and carrying out your Security Program and for communicating with StubHub on information security matters (the “Security Officer”). Upon StubHub’s request, the Security Officer will provide StubHub with the contact information of one or more your representatives who will be available to discuss any security concerns (e.g., discovered vulnerability, exposed risk, reported concern) with StubHub and to communicate the level of risk associated with such concerns and any remediation thereof. Your representative must be available during normal business hours. Any changes to the contact information of the Security Officer or designated representatives must be communicated to the StubHub Security Operations Center (as provided in Section 8 below) within twenty-four (24) hours via e-mail or telephone.
c. Training. You certify that your personnel will be provided with a clear understanding of procedures and controls reasonably necessary to comply with this DPRA prior to their being granted access to StubHub Data. Your personnel will, upon hiring, and at least annually thereafter, participate in security awareness training. This training will cover, at a minimum, your security policies, including acceptable use, password protection, data classification, incident reporting, the repercussions of violations, and brief overviews of Applicable Law. You will also provide training regarding data privacy and protection if you or your personnel accesses StubHub Personal Data.
d. Due Diligence over Subcontractors. You will maintain a security process to conduct appropriate due diligence prior to utilizing subcontractors, including Sub-Processors, to provide any services under the Terms. You will assess the security capabilities of any such subcontractors on an annual basis to ensure subcontractor’s ability to comply with this DPRA and the Terms. The due diligence process will provide for the identification and resolution of significant security issues prior to engaging a subcontractor, written information security requirements that oblige subcontractor to adhere to your key information security policies and standards within all contracts, and for the identification and resolution of any security issues. You will maintain subcontractor audit reports, subcontractor information security controls, and/or any assessment work for a minimum of three (3) years from the date of the assessment.
4.1 General. The logical security processes in this Section 4 apply to all of your systems or your agents’ or your assigns’ systems and supporting networks used to provide services under the Terms and on which StubHub Data is accessed, Processed, stored, transferred or maintained.
4.2 Systems Access Control and Network Access Control.
(a. Access Controls. You certify that you employ access control mechanisms that:
i. prevent unauthorized access to StubHub Data;
ii. limit access to your personnel with a business need to know;
iii. follow the principle of least privilege allowing access to only the information and resources that are necessary under the terms of the Terms; and
iv. have the capability of detecting, logging, and reporting access to the system or network or attempts to breach security of the system or network.
v. You will revoke your personnel’s access to physical locations, systems, and applications that contain or Process StubHub Data within twenty-four (24) hours of the cessation of such personnel’s need to access the system(s) or application(s);
vi. All personnel must have an individual account that authenticates that individual’s access to StubHub Data. You will not allow sharing of accounts; and
vii. Access controls and passwords must be configured in accordance with industry standards and best practices. Passwords will be hashed with industry standard algorithms per Section 9 below.
(b. Regular Review of Access Controls. You will maintain a process to review access controls on a minimum annual basis for all of your systems that contain StubHub Data, including any system that, via any form of communication interface, can connect to the system on which StubHub Data is stored. These access processes and the process to establish and delete individual accounts will be documented in, and will be in compliance with your security policies and standards referenced in Section 3.1 above. You will maintain the same processes of review and validation for any third party hosted systems you use that contain StubHub Data.
- Remote Access Authentication. You will configure remote access to all networks storing, transmitting, or containing StubHub Data to require two-factor authentication for such access by your Personnel.
4.3 Telecommunication and Network Security.
(a. Firewalls. You will deploy reasonably appropriate firewall technology in the operation of your sites. Traffic between StubHub and you will be protected and authenticated by industry standard cryptographic technologies.
(b. Firewall Maintenance. At a minimum, you will review firewall rule sets annually to ensure that legacy rules are removed and active rules are configured correctly.
(c. Intrusion Detection and Prevention. You will deploy intrusion detection or preferably prevention systems (NIDS/NIPS) in order to generate, monitor, and respond to alerts which could indicate potential compromise of the network and/or host.
(d. Log Management. You shall deploy a log management solution and retain logs produced by firewalls and intrusion detection systems for a minimum period of one (1) year.
e. Network Segmentation. You shall establish and maintain appropriate network segmentation, including the use of virtual local area networks (VLANS) where appropriate, to restrict network access to systems storing StubHub Data. You will proxy all connections from public networks into the your internal network using DMZ or equivalent. You will not allow direct connections from public networks into any network segment storing StubHub Data.
(f. Wireless Security. If you deploy a wireless network, you will configure and maintain the use, configuration and management of wireless networks to meet the following:
- Physical Access – All wireless devices shall be protected using appropriate physical controls to minimize the risk of theft, unauthorized use, or damage;
- Network Access – Network access to wireless networks should be restricted only to those authorized;
- Access points shall be segmented from an internal, wired LAN using a gateway device;
- The service set identifier (SSID), administrator user ID, password and encryption keys shall be changed from the default value;
- Encryption of all wireless connections will be enabled using Industry Standard Encryption Algorithms (i.e. WPA2/WPA with 802.1X authentication and AES encryption). WEP should never be used;
- If supported, auditing features on wireless devices shall be enabled and resulting logs shall be reviewed periodically by designated staff or a wireless intrusion prevention system. Logs should be retained for ninety (90) days or longer; and
vii. SNMP shall be disabled if not required for network management purposes. If SNMP is required for network management purposes, SNMP will be read-only with appropriate access controls that prohibit wireless devices from requesting and retrieving information and all default community strings will be changed.
viii. You will maintain a program to detect rogue access points at least quarterly to ensure that only authorized wireless access points are in place. If you have not deployed a wireless solution, you are still required to conduct this quarterly audit to ensure that user-deployed wireless access points are not in use.
- Malicious Code Protection. All workstations and servers will run the current version of industry standard anti-virus software with the most recent updates available on each workstation or server. Virus definitions must be updated within twenty-four (24) hours of release by the anti-virus software vendor. You will configure this equipment and have supporting policies to prohibit users from disabling anti-virus software, altering security configurations, or disabling other protective measures put in place to ensure the safety of StubHub’s or your computing environment.
5. Systems Development and Maintenance:
5.1 Documentation and Training. You must maintain documentation on overall system, network, and application architecture, data flows, process flows, and security functionality for all applications that process or store any StubHub Data. You must employ documented secure programming guidelines, standards, and protocols in the development of applications that process or store any StubHub Data. You shall be responsible for verifying that all development staff have been successfully trained in secure programming techniques. You should be trained on all current application vulnerabilities, including, but not limited to OWASP Top 10, WASC TCv2, and the CWE-25. You should know how to recognize these issues and how to remediate them.
(b) 5.2 Change Management. You will employ an effective, documented change management program with respect to services provided under the Terms as an integral part of your security profile. This includes logically or physically separate environments from production for all development and testing. No StubHub Data will be transmitted, stored or Processed in a non-production environment.
(c) 5.3 Vulnerability Management and Application Security Assessments. You must run internal and external network vulnerability scans at least quarterly and after any material change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Vulnerabilities identified and rated as high risk by you will be remediated within ninety (90) days of discovery.
i. a. For all Internet-facing applications that collect, transmit or display StubHub Data, you agree to conduct an application security assessment review to identify common security vulnerabilities as identified by industry-recognized organizations (e.g., OWASP Top 10 Vulnerabilities; CWE/SANS Top 25 vulnerabilities) annually or for all major releases, whichever occurs first. The scope of the security assessment will primarily focus on application security, including, but not limited to, a penetration test of the application, as well as a code review. At a minimum, it will cover the OWASP Top 10 vulnerabilities (https://www.owasp.org).
ii. b. For all mobile applications (i.e. running on Android, Blackberry, iOS, Windows Phone) that collect, transmit or display StubHub Data, you agree to conduct an application security assessment review to identify and remediate industry-recognized vulnerabilities specific to mobile applications.
iii. c. You should utilize a qualified third party to conduct the application security assessments. You may conduct the security assessment review yourself, provided that your personnel performing the review are sufficiently trained, follow industry standard best practices, and the assessment process is reviewed and approved by StubHub. Vulnerabilities identified and rated as high risk by you will be remediated within ninety (90) days of discovery.
(d) 5.4 Patch Management. You will patch all workstations and servers with all current operating system, database and application patches deployed in your computing environment according to a schedule predicated on the criticality of the patch. You must perform appropriate steps to help ensure patches do not compromise the security of the information resources being patched. All emergency or critical rated patches must be applied as soon as possible but at no time will exceed thirty (30) days from the date of release.
6. Email Security:
If you are sending emails to StubHub customers, appropriate email identity solutions, including but not limited to DKIM, SPF, and DMARC, will be utilized. If you utilize StubHub-owned domain names to send emails, you will adhere to the StubHub Email Security requirements, provided upon request.
7. StubHub Security Assessments and Audits:
7.1 You shall, upon reasonable notice, allow your data Processing facilities, procedures and documentation to be inspected by StubHub (or its designee) in order to ascertain compliance with Applicable Law, this DPRA, or any agreements between you and StubHub.
7.2. You shall fully cooperate with audit requests by providing StubHub access to relevant knowledgeable personnel, physical premises, documentation, infrastructure, and application software.
8. Incident Response and Notification Procedures:
8.1 You will maintain an Incident response function capable of identifying, mitigating the effects of, and preventing the recurrence of Incidents. Upon discovering or otherwise becoming aware of an Incident that may put StubHub Data at risk (“Security Breach”), you shall take all reasonable measures to mitigate the harmful effects of the Incident. You shall also notify StubHub of the Security Breach as soon as practicable, but in no event later than 24 hours after the Security Breach. Notice to StubHub shall be written to DL-SH-api-license@StubHub.com and shall include: (i) the identification of the StubHub Data which has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the incident; (ii) a description of what happened, including the date of the incident and the date of discovery of the incident, if known; (iii) the scope of the incident, including a description of the type of StubHub Data involved in the incident; (iv) a description of your response to the incident, including steps you have taken to mitigate the harm caused by the incident; and (v) other information as StubHub may reasonably request. You must ensure that affected third parties are notified of the Security Breach, at StubHub’s sole discretion, either by notifying such third parties after StubHub has reviewed and approved the language and method of notice, or by enabling StubHub to notify such third parties itself. You agree to cover the costs of any such notification, including reimbursing StubHub for any reasonable costs such as to provide credit monitoring to affected Data Subjects.
8.2 You will retain all data related to known and reported Incidents or investigations indefinitely or until StubHub notifies you that the image is no longer needed. Upon StubHub’s request, you will permit StubHub or its third party auditor to review and verify relevant video surveillance records, access logs and data pertaining to any Incident investigation. Upon conclusion of investigative, corrective, and remedial actions with respect to an Incident, you will prepare and deliver to StubHub a final report that describes in detail: (i) the extent of the Incident; (ii) the StubHub Data disclosed, destroyed, or otherwise compromised or altered; (iii) all supporting evidence, including, but not limited to, system, network, and application logs; (iv) all corrective and remedial actions completed; and (v) all efforts taken to mitigate the risks of further Incidents.
9. Storage, Handling, and Disposal:
9.1 Data Segregation. You will physically or logically separate and segregate StubHub Data from your other clients’ data.
9.2 Electronic Form Data. You will utilize Industry Standard Encryption Algorithms and Key Strengths (as defined in the “Definitions” section of this DPRA) to encrypt the following:
- All StubHub Data that is in electronic form while in transit over all public wired networks (e.g., Internet) and all wireless networks.
b. Passwords will be hashed with irreversible industry standard algorithms with randomly generated “salt” added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings. The randomly generated salt should be at least as long as the output of the hash function.
c. Any mobile devices used outside of a Data Center (e.g., laptop, desktop tablet) to perform any services under the Terms.
9.3 Data Centers. To the extent you are operating a Data Center or utilizing a Third Party Data Center, you will comply with physical security controls outlined in one or more of the following industry standards: ISO 27001, SSAE 16 or ISAE 3402, or PCI-DSS.
9.4 Data Retention. Except where prohibited by law, upon the earliest to occur of: (i) the termination of the Terms; (ii) such time when StubHub Data is no longer required for the purposes of the Terms; (iii) upon written request from StubHub or an applicable data subject, or (iv) such time that your data retention period has exceeded industry best practices for the time/duration/age of the StubHub Data:
(a. You will promptly remove the StubHub Data from your environment and destroy it within a reasonable timeframe, but in no case longer than thirty (30) days thereafter,
(b. All media used to store StubHub Data will be sanitized or destroyed as required in the “Destruction of Data” Section 9.5, and
(c. You will provide StubHub with a written certification regarding such removal, destruction, and/or cleaning upon request.
Destruction of Data. You will dispose of StubHub Data at such time as outlined in the “Data Retention” Section 9.4. StubHub StubHubData should be disposed of in a method that prevents any recovery of the data in accordance with industry best practices for shredding of physical documents and wiping of electronic media (e.g. current version of NIST SP 800-88). You will destroy any equipment containing StubHub Data that is damaged or non-functional. All StubHub Data must be rendered unreadable and unrecoverable regardless of the form (physical or electronic).
10. Ownership; Use:
You acknowledge and agree that you have no ownership of, or right to use, StubHub Data other than as expressly permitted under the Terms or as authorized by StubHub in writing. For the avoidance of doubt, you have no right to copy, use, reproduce, display, perform, modify or transfer StubHub Data or any derivative works thereof, except as expressly provided in the Terms or as expressly authorized by StubHub in writing. You acknowledge and agree that you will not use (or permit any third party to use) the StubHub Data for any use other than as expressly provided in the Terms.
11. Payment Card Industry (“PCI”) Compliance:
11.1 Section 11 applies whenever you are “PCI Relevant.” “PCI Relevant” means you will be transmitting, Processing, handling, accessing, maintaining, or storing credit or debit card information regulated by the Payment Card Industry Security Council (“Cardholder Information”) in the course of providing Services under the Terms.
11.2 You will validate your compliance with the Payment Card Industry Data Security Standard (“PCI-DSS”) according to the standards set forth by the PCI Security Standards Council, including completion of any required assessments. If you will be transferring, Processing and/or storing credit card account information, you must provide audit evidence that they comply with the PCI-DSS prior to accessing relevant StubHub API(s).
11.3 You will maintain such compliance at all times during the term of the Terms. This requirement will survive the duration of the Terms until you return, destroy, or cause the destruction of any and all Cardholder Information in your possession, custody, or control.
11.4 You will provide StubHub with evidence of full compliance with the PCI-DSS upon request.
Your obligations and StubHub’s rights under this DPRA shall become effective on the Effective Date of the Terms and will continue in effect so long as you possess StubHub Data.
If and to the extent language in this DPRA conflicts with the Terms, this DPRA shall control.
14. Processing of Personal Data:
The following additional terms shall apply to the Processing of Personal Data by you:
14.1 Processing Instructions: You shall Process Personal Data only to deliver services in accordance with the Terms and/or StubHub’s written instructions. For the avoidance of doubt, StubHub’s written instructions for the Processing of Personal Data shall comply with Applicable Law. In the event you reasonably believe there is a conflict amongst Applicable Law or that StubHub’s instructions conflict with any Applicable Law, you will inform StubHub immediately and shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
- Use of Sub-Processors:
- Contractual Privity. Your obligations under this DPRA shall apply to Sub-Processors. You are authorized to use Sub-Processors, provided that you represent and warrant that any approved Sub-Processor is contractually bound to meet all data protection obligations required by the Terms, StubHub’s Processing instructions, and by Applicable Law. Proof of these contractual obligations, in which commercially sensitive terms may be redacted, shall be provided to StubHub promptly upon request. In the event that StubHub reasonably believes a Sub-Processor Processes StubHub Personal Data without having entered into a contractual agreement with you containing data protection obligations required by the Terms, StubHub’s Processing instructions or by Applicable Law, StubHub will promptly inform you and you shall cooperate in good faith to resolve the conflict and achieve the goals of such instruction.
- List Maintenance. You shall maintain a list of all Sub-Processors you have engaged to Process StubHub Personal Data. Where required by law, you shall (i) inform StubHub of any intended changes concerning the addition or replacement of Sub-Processors with access to StubHub Personal Data and give StubHub the opportunity to object to such changes, and (ii) obtain the prior written consent of StubHub before entering into any such agreement StubHub(unless expressly waived in a written agreement).
- Organizational, Technical, and Physical Safeguards. You must restrict through organizational, technical, and physical safeguards the Sub-Processor’s access to StubHub Personal Data to that which is only strictly necessary to perform its subcontracted Processing services to you (which shall be consistent with the Processing Instructions issued to you by StubHub). Additionally, you will prohibit through organizational, technical and physical safeguards the Sub-Processor from Processing StubHub Personal Data for any other purpose. Sub-Processors must similarly implement appropriate organizational, technical and physical measures to ensure that the Processing of StubHub Data occurs in strict accordance with the Terms, StubHub’s Processing instructions and Applicable Law and Regulations.
- Sub-Processor Liability. You shall remain liable for any act or omission of a Sub-Processor that does not comply with the Terms, any Processing instructions or the requirements of Applicable Law.
Transfer of Personal Data: You shall not cause or permit any Personal Data to be transferred across borders in breach of Applicable Law. Cross-border transfers of Personal Data subject to legal restrictions by Applicable Law shall require StubHub’s prior written consent. For the avoidance of doubt, this transfer restriction does not pertain to StubHub personnel access to Personal Data.
14.4 Limitation on Disclosure of Personal Data: To the extent legally permitted, you shall immediately notify StubHub in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of Personal Data to any third party. You shall not disclose Personal Data to the third party without providing StubHub at least forty-eight (48) hours’ notice, so that StubHub may, at its own expense, exercise such rights as it may have under Applicable Law to prevent or limit such disclosure. Notwithstanding the foregoing, you will exercise commercially reasonable efforts to prevent and limit any such disclosure and to otherwise preserve the confidentiality of Personal Data; additionally, you will cooperate with StubHub with respect to any action taken pursuant to such order, demand, or other document request, including to obtain an appropriate protective order or other reliable assurance that confidential treatment will be accorded to Personal Data.
14.5 Compliance with Applicable Law: You shall Process Personal Data in accordance with Applicable Law. You represent and warrant that you will maintain privacy policies sufficient to protect the Personal Data and compliant with the Applicable Law.
14.6 Liability and Indemnification: You shall be liable for any of your acts and/or omissions relating to the obligations in this DPRA that result in a Security Breach of StubHub’s Personal Data. You shall indemnify, defend and hold StubHub harmless from and against all liabilities, costs, damages, claims and expenses relating to Security Breaches that arise from or in connection with your breach of your obligations stated in this DPRA.
14. 7 Personal Data transmitted to StubHub: Prior to sharing any Personal Data with StubHub, you shall ensure that Data Subjects are appropriately notified of and have consented to StubHub’s privacy practices. You warrant that you have a legitimate basis and adequate title to collect and share Personal Data with StubHub.