TERMS OF SERVICE

EFFECTIVE DAY Friday, April 11, 2025

These WeConvene Terms of Service (the “Agreement”) are entered into by and between the WeConvene entity set forth below (“WeConvene”) and the entity or person placing an order for, or accessing, any Services (“Customer” or “you”). If you are accessing or using the Services on behalf of your company, you represent that you are authorized to accept this Agreement on behalf of your company, and all references to “you” or “Customer” reference your company.

This Agreement permits Customer to purchase subscriptions to online software­ as-a-service products and other services from WeConvene pursuant to Enterprise Agreement(s) (defined herein) and sets forth the terms and conditions under which those products and services will be provided. This Agreement includes the Additional Product Terms, incorporated by reference herein.

The “Effective Date” of this Agreement is the date that is the earlier of: (a) Customer’s initial access to any Services (as defined below) through any online registration or order process or (b) the effective date of the first Enterprise Agreement referencing this Agreement.

As used in this Agreement, “WeConvene” means (a) WeConvene, Inc., a Delaware corporation with offices at 99 Wall Street, Ste. 5353, New York, NY 10005, USA.

Modifications to this Agreement: From time to time, WeConvene may modify this Agreement. Unless otherwise specified by WeConvene, changes become effective for Customer upon renewal of Customer’s current Subscription Term (as defined below), or entry into a new Enterprise Agreement. WeConvene will use reasonable efforts to notify Customer of the changes through communications via Customer’s account, email or other means. Customer may be required to click to accept or otherwise agree to the updated Agreement before renewing a Subscription Term or entering
into a new Enterprise Agreement, but in any event continued use of the Services after the updated version of this Agreement will constitute Customer’s acceptance of such updated version.

By indicating your acceptance of this agreement or accessing or using any services, you agree to be bound by all terms, conditions, and notices contained or referenced in this agreement. If you do not agree to this agreement, please do not use any services. For clarity, each party expressly agrees that this agreement is legally binding upon it. This agreement contains mandatory arbitration provisions that require the use of arbitration to resolve disputes, rather than jury trials.

1. Definitions

“Affiliate” means any entity under the control of Customer where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity.

“AUP” means WeConvene’s Acceptable Use Policy, available at https://WeConvene.com/acceptable-use-policy or a successor URL, incorporated into these terms by this reference.

“Contractor” means an independent contractor or consultant.

“Customer Data” means any data, content or other information of any type that is submitted to the Services by or on behalf of Customer, including without limitation: (a) data, content or other information submitted, uploaded, instructed to be used for or imported to the Services by Customer (including from Third Party Platforms) and (b) data, content or other information provided by or about People (including support chat logs) that are collected from the Customer Properties using the Services.

“Dashboard” means WeConvene’s user interface for accessing and administering the Services that Customer may access via the web.

“Documentation” means the technical user documentation provided with the Services.

“Feedback” means comments, questions, suggestions or other feedback relating to any WeConvene product or service, including, without limitation, integrations with Third Party Apps. Feedback does not include any Customer Data.

“Intellectual Property Rights” include all valid patents, trademarks, copyrights, trade secrets, moral rights, and other intellectual property rights, as may exist now or hereafter come into existence, and all renewals and extensions thereof, and all improvements to any of the foregoing, regardless of whether any such rights arise under the laws of any state, country or other jurisdiction.

“WeConvene Apps” means any integrations and applications created or developed by WeConvene or its Affiliates that are made available in WeConvene’s App.

“WeConvene Code” means certain any software programming code, software development kits (SDKs), application programming interfaces (APls), other code or libraries provided by WeConvene for deployment by Customer as part of the use of the Services.

“Laws” means all applicable local, state, federal and international laws, regulations and conventions, including, without limitation, those related to data privacy and data transfer, international communications, and the exportation of technical or personal data.

“Enterprise Agreement” means a written or electronic form referencing this Agreement that is used to order the Services. The Enterprise Agreement may contain details about your order, the applicable service plan, contracted usage quantity (e.g. usage quantity metric identified in the Enterprise Agreement) and Subscription Term. Upon execution by the parties, each Enterprise Agreement will be subject to the terms and conditions of this Agreement.

“People” (in the singular, “Person”) means Customer’s end user customers, potential end user customers, and other users of and visitors to Customer Properties.

“Permitted User” means an employee or Contractor of Customer or its Affiliate who is authorized to access the Service.

“Sensitive Personal Information” means any of the following: (i) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards (“PCI DSS”); or (ii) any other personal data of an EU citizen deemed to be in a “special category” (as identified in EU General Data Protection Regulation or any successor directive or regulation).

“Services” means WeConvene’s proprietary software-as-a-service solution(s), including the Web App, Public API, WeConvene Code, Invitations and Tokenized Web Pages and, if applicable, those services and features covered by the Additional Product Terms, as described in the applicable Enterprise Agreement.

“Taxes” means any sales, use, GST, value-added, withholding, or similar taxes or levies, whether domestic or foreign, other than taxes based on the income of WeConvene.

“Third Party Messaging App(s)” means a separate, stand-alone application or service accessible apart from the generally available Services to which Customer subscribes. A Third Party Messaging App allows Customer to integrate Customer’s WeConvene App account(s) with Customer’s Third-Party Messaging App services account(s) including but not limited to Intercom, OpenExchange, Zoom.

“Third-Party Platform(s)” means any software, software-as-a-service, data sources or other products or services not provided by WeConvene that are integrated with or otherwise accessible through the Services.

2. WeConvene Services

2.1. Services Overview. WeConvene’s Services are a suite of event management-oriented software-as-a-service solutions offered through an online platform. The Services are designed to enable Customer to create, manage, promote, schedule and execute a broad range of event types. Including also the ability to manage engagement with attendees and participants throughout the entire event lifecycle and manage an ongoing relationship through the platform’s CRM capabilities.

2.2. Provision of Services. Each Service is provided on a subscription basis for a set term designated on the Enterprise Agreement (each, a “Subscription Term”). Customer will purchase and WeConvene will provide the specific Services as specified in the applicable Enterprise Agreement.

Some Services may be subject to Additional Product Terms. By accessing or using a product or feature covered by the Additional Product Terms, Customer hereby agrees that their use of those Services is governed by the applicable Additional Product Terms.

2.3. Access to Services. Customer may access and use the Services solely for its own benefit (and for the benefit of People) and in accordance with the terms and conditions of this Agreement, the Documentation and any scope of use restrictions designated in the applicable Enterprise Agreement (including, without limitation, the usage quantity tracked). Use of and access to the Services is permitted only by Permitted Users. If Customer is given API keys or passwords to access the Services on WeConvene’s systems, Customer will require that all Permitted Users keep API keys, user ID and password information strictly confidential and not share such information with any unauthorized person. User IDs and related credentials are granted to individual, named persons and may not be shared. If Customer is accessing the Services using credentials provided by a third party (e.g., SSO), then Customer will comply with all applicable terms and conditions of such third-party regarding provisioning and use of such credentials. Customer will be responsible for any and all actions taken using Customer’s accounts and passwords. If any Permitted User who has access to a user ID is no longer an employee (or Contractor, as set forth below) of Customer, then Customer will promptly delete such user ID and otherwise terminate such Permitted User’s access to the Service. WeConvene reserves the right to suspend access to any Services or features (including, without limitation, in-app messaging and integrations with Third Party Platforms and Third Party Apps) if Customer has exceeded applicable usage limits (if any) or if WeConvene otherwise determines, in its sole discretion, that Customer is using the applicable Service in a manner that has become excessive, including, but not limited to, storage and bandwidth consumption) and/or negatively impacts the operability, integrity, or security of the Service until usage is reduced to reasonable levels, as determined by WeConvene and/or such impact is resolved to WeConvene’s satisfaction. We may change usage limits at any time, in our sole discretion, without notice.

2.4. WeConvene Apps. To the extent WeConvene provides WeConvene Apps for use with the Services, subject to all of the terms and conditions of this Agreement (unless otherwise indicated in the specific WeConvene App), WeConvene grants to Customer a limited, non-transferable, non-sublicensable, non-exclusive license during any applicable Subscription Term to use the object code form of the WeConvene Apps internally, but only in connection with Customer’s use of the Service and otherwise in accordance with the Documentation and this Agreement.

2.5. WeConvene Code. The right to use the Services includes the right to deploy WeConvene Code within on Customer applications and systems to enable various integrations (email, CRM, etc.) for use with the Services as further described herein. Subject to all of the terms and conditions of this Agreement, WeConvene grants to Customer a limited, non-transferable, non-sublicensable, non-exclusive license during any applicable Subscription Term to implement the WeConvene Code in the form provided by WeConvene in Customer applications and systems solely to support Customer’s use of the Service and otherwise in accordance with the Documentation and this Agreement. Where Customer must implement WeConvene Code to utilize the relevant features of the Services, Customer will implement all necessary WeConvene Code in strict accordance with

the Documentation and other instructions provided by WeConvene. Customer acknowledges that any changes made to the Customer applications and systems after initial implementation of WeConvene Code may cause the Services to cease working or to function improperly and that WeConvene will have no responsibility for the impact of any such Customer changes.

2.6. Contractors and Affiliates. Customer may permit its employees and Contractors and its Affiliates’ employees and Contractors to serve as Permitted Users, provided Customer remains responsible for compliance by such individuals with all of the terms and conditions of this Agreement and any use of the Services by such Permitted Users is for the sole benefit of Customer.

2.7. General Restrictions. Customer will not (and will not permit any third party to): (a) rent, lease, provide access to or sublicense the Services to a third party; (b) use the Services to provide, or incorporate the Services into, any product or service provided to a third party other than the Customer applications; (c) reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code or non-public APls to the Services, except to the extent expressly permitted by applicable law (and then only upon advance notice to WeConvene); (d) copy or modify the Services or any Documentation, or create any derivative work from any of the foregoing; (e) remove or obscure any proprietary or other notices contained in the Services and/or on any reports or data printed from the Services (unless otherwise expressly permitted by WeConvene in advance); (f) publicly disseminate information regarding the performance of the Services; (g) use the Services for competitive analysis purposes; or (h) otherwise violate our AUP.

2.8. WeConvene APls. If WeConvene makes access to any APls available as part of the Services, WeConvene reserves the right to place limits on access to such APls (e.g., limits on numbers of calls or requests). Further, WeConvene may monitor Customer’s usage of such APls and limit the number of calls or requests Customer may make if WeConvene believes that Customer’s usage is in breach of this Agreement or may negatively affect the security, operability, or integrity of the Services (or otherwise impose liability on WeConvene).

2.9. Trial Subscriptions. If Customer receives free access or a trial or evaluation subscription to the Service (a “Trial Subscription”), then Customer may use the Services in accordance with the terms and conditions of this Section (and any other supplemental trial terms agreed by Customer) for a period of fourteen (14) days or such other period granted by WeConvene (the “Trial Period”). Trial Subscriptions are permitted solely for Customer’s evaluation to determine whether to purchase a paid subscription to the Services or an upgrade to a service plan. Trial Subscriptions may not include all functionality and features accessible as part of a paid Subscription Term and may be subject to usage limits. If Customer does not enter into a paid Subscription Term prior to the expiration of the Trial Period, this Agreement and Customer’s right to access and use the Services will terminate at the end of the Trial Period, except as otherwise set forth herein. If stated in the Enterprise Agreement for a specific Service or otherwise communicated in advance by WeConvene to Customer, a paid Subscription Term will commence automatically once the Trial Period expires, and Customer will be charged for any continued use of the Services. WeConvene has the right to terminate a Trial Subscription at any time for any reason.

Notwithstanding anything to the contrary in this agreement, WeConvene will have no warranty, indemnity, support, service level agreement (“SLA”), or other obligations with respect to trial subscriptions.

3. Customer Data and Customer Obligations

3.1. Data Processing by WeConvene. All data processing activities carried out as part of the Services will be governed by the Data Processing Addendum (“DPA”) incorporated by reference herein.

3.2. Rights in Customer Data. As between the parties, Customer will retain all of Customer’s Intellectual Property Rights in and to the Customer Data provided to WeConvene. Subject to the terms of this Agreement, Customer hereby grants to WeConvene a non-exclusive, worldwide, royalty-free right to access, use and display the Customer Data to provide the Services to Customer.

3.3. Storage of Customer Data. WeConvene does not provide an archiving service. WeConvene agrees only that it will not intentionally delete any Customer Data from the Services prior to termination of Customer’s applicable Subscription Term and expressly disclaims all other obligations with respect to storage, except where for regulatory reasons WeConvene is required to retain data, where such retention will not be less than seven (7) years.

3.4. Usage Data and Anonymized Data. In addition to the rights contained in Section 3.2, Customer agrees that WeConvene may use certain technical and other data about Customer’s and People’s use of the Services (“Usage Data”) and/or Customer Data, which is anonymized to remove any personal data of People (“Anonymized Data”) to analyze, improve, support and operate our Services during and after the term of this Agreement, and Customer agrees that WeConvene is permitted to anonymize Customer Data to use for the aforementioned purposes. WeConvene retains all ownership in and to Usage Data and Anonymized Data.

3.5. Customer Obligations.

a. In General. Customer is solely responsible for the accuracy, content and legality of all Customer Data. Customer represents and warrants to WeConvene that Customer has all necessary rights, consents and permissions to collect, share and use all Customer Data as contemplated in this Agreement (including granting WeConvene the rights under Section 3) and that no Customer Data will violate or infringe: (i) any third party Intellectual Property Rights or, publicity, privacy, or other rights, (ii) any Laws, or (iii) any terms of service, privacy or other policies and/or any other agreements governing the Customer Properties or Customer’s accounts with any Third-Party Platforms. Customer will be fully responsible for any Customer Data submitted to the Services by any Person as if it was submitted by Customer.

b. No Sensitive Personal Information. Except as otherwise expressly agreed between the Parties, Customer specifically agrees not to use the Services to collect, store, process or transmit any Sensitive Personal Information. Customer acknowledges that WeConvene is not a payment card processor and that the Services are not PCI DSS compliant. Except for WeConvene’s obligations under any business associate agreement entered into with Customer, Customer shall be responsible for any Sensitive Personal Information it submits to the Service, and Customer acknowledges that WeConvene is not subject to any additional obligations that may apply to any Sensitive Personal Information submitted to the Services.

c. Compliance with Laws. Customer agrees to comply with all applicable Laws in its use of the Services. Without limiting the generality of the foregoing, Customer will not engage in any unsolicited advertising, marketing, or other activities using the Services, including, without limitation, any activities that, to the extent applicable, violate the Telephone Consumer Protection Act of 1991, CAN-SPAM Act of 2003 or any other applicable anti-spam laws and regulations.

d. Disclosures on Customer Applications and Systems. Customer acknowledges that the WeConvene Code may in certain circumstances cause a unique cookie ID to be associated with each Person who accesses the Customer Properties. Where utilized this cookie ID is necessary for WeConvene to provide the Services. Customer acknowledges that where such cookies are utilized as part of the services it will not remove any links to WeConvene’s privacy policy that discloses use of third-party tracking technology to collect data about People and how, and for what purposes, the data collected will be used or shared with third parties where such activity occurs in connection with the Services and as required by applicable Laws. Further, as between Customer and WeConvene, if links to WeConvene’s Privacy Policy are removed by Customer then Customer will be solely responsible for obtaining the necessary clearances, consents and approvals from People under all applicable Laws. Customer can find information about how cookies and similar web technologies are used within the Services in the Privacy Policy. Customer acknowledges that they have read and understand the information in our Privacy Policy, which is hereby incorporated by reference.

3.6 Indemnification by Customer. Customer will indemnify, defend and hold harmless WeConvene from and against any and all third party (including, without limitation, People) claims, costs, damages, losses, liabilities and expenses (including reasonable attorneys’ fees and costs) arising from or relating to any Customer Data, Customer’s use of a Third-Party Platform or breach or alleged breach by Customer of Section 3.5 (Customer Obligations). This indemnification obligation is subject to Customer receiving (i) prompt written notice of such claim (but in any event notice in sufficient time for Customer to respond without prejudice); (ii) the exclusive right to control and direct the investigation, defense, or settlement of such claim; and (iii) all necessary cooperation of WeConvene at Customer’s expense. Notwithstanding the foregoing sentence, (a) WeConvene may participate in the defense of any claim by counsel of its own choosing, at its cost and expense and (b) Customer will not settle any claim without WeConvene’s prior written consent, unless the settlement fully and unconditionally releases WeConvene and does not require WeConvene to pay any amount, take any action, or admit any liability.

4. Security

WeConvene agrees to use commercially reasonable technical and organizational measures designed to prevent unauthorized access to or use of the Services, as described in WeConvene’s Security Policy attached as Schedule 2 to the DPA. However, WeConvene will have no responsibility for errors in transmission, unauthorized third-party access or other causes beyond WeConvene’s control.

5. Third-Party Platforms and Third-Party Apps

5.1. Integration with Third Party Platforms. The Services may support and or offer integrations with certain Third-Party Platforms. Customer may import and export Customer Data between the Services and certain Third-Party Platforms through supported integrations. For the Services to communicate with such Third­ Party Platforms, Customer may be required to input credentials for the Services to access and receive relevant information from such Third-Party Platforms. By enabling use of the Services with any Third-Party Platform, Customer authorizes WeConvene to access Customer’s accounts with such Third­ Party Platform for the purposes described in this Agreement. Customer is solely responsible for complying with any relevant terms and conditions of the Third­ Party Platforms and maintaining appropriate accounts in good standing with the providers of the Third-Party Platforms. Customer acknowledges and agrees that WeConvene has no responsibility or liability for any Third-Party Platform, including, without limitation, any beta releases or pre-release features of a Third-Party Platform, or how a Third-Party Platform uses or processes Customer Data after it is exported to such Third-Party Platform. WeConvene does not guarantee that the Services will maintain integrations with any Third-Party Platform, and WeConvene may disable integrations of the Services with any Third-Party Platform at any time with or without notice to Customer. For clarity, this Agreement governs Customer’s use of and access to the Services, even if accessed through an integration with a Third-Party Platform.

6. Ownership

6.1. WeConvene Technology. This is a subscription agreement for access to and use of the Services. Customer acknowledges that it is obtaining only a limited right to the Services and that irrespective of any use of the words “purchase”, “sale” or like terms in this Agreement, no ownership rights are being conveyed to Customer under this Agreement. Customer agrees that WeConvene or its suppliers retain all right, title and interest (including all Intellectual Property Rights) in and to the Services and all Documentation, integrations with the Services, and any and all related and underlying technology and documentation and any derivative works, modifications or improvements of any of the foregoing, including any Feedback (collectively, “WeConvene Technology”). Except as expressly set forth in this Agreement, no rights in any WeConvene Technology are granted to Customer.

6.2. Feedback. Customer, from time to time, may submit Feedback to WeConvene. WeConvene may freely use or exploit Feedback in connection with the Services and WeConvene Technology. Customer hereby grants to WeConvene a perpetual, non­ exclusive, transferable, irrevocable, worldwide, royalty-free license (with rights to sublicense) to make, use, sell, offer to sell, reproduce, modify, distribute, make available, publicly display and perform, disclose and otherwise commercially exploit the Feedback.

7. Subscription Term, Fees & Payment

7.1. Subscription Term and Renewals.

a. Monthly Subscription Term. For a month-to-month subscription, the Subscription Term will automatically renew on a monthly basis. Each successive contract month will be considered a “renewal term.” Customer may cancel a month-to-month subscription at any time by contacting support@weconvene.com.

b. Yearly or Multi-Year Subscription Term. For a yearly or multi-year subscription, the initial Subscription Term is set forth in the Enterprise Agreement. The Subscription Term will automatically renew for additional, successive twelve-month periods (each, a “renewal term”), unless either party gives the other written notice of intent not to renew at least ninety (90) days prior to expiration of the initial Subscription Term or then-current renewal term. Customer must send written notice of intent not to renew to ar@weconvene.com.

7.2. Fees and Payment. All fees are set forth in the applicable Enterprise Agreement and will be paid by Customer within thirty (30) days of invoice, unless (a) Customer is paying via a Recurring Payment Method (as defined below) or (b) otherwise specified in the applicable Enterprise Agreement. WeConvene reserves the right to adjust pricing for any service plan and/or any Services to the then-current list price upon the start of any renewal term.

a. Baseline Fee (non-Enterprise Agreement). WeConvene will charge Customer the applicable subscription fee in advance of each billing period. The monthly subscription fee will be based on the contracted quantity of licenses purchased for the applicable service plan plus any upgrades (e.g., Conference functionality), if applicable. Customer’s invoice will also include any fees for one-time services (e.g., additional onboarding services) ordered by Customer.

b. Changes to Contracted Usage (non-Enterprise Agreement). If the contracted usage quantity (e.g., number of licenses, type of license) or service plan is changed during a billing period, Customer’s monthly subscription fee will be prorated accordingly as of the effective date of the change.

c. Services (non-Enterprise Agreement). For any Services that are subject to additional usage charges, the applicable charges will be calculated based on the actual amount of usage of each Service in the given contract month. These additional usage charges will be billed in arrears in the next invoice that Customer receives following the date when the charges were incurred.

d. Licenses (non-Enterprise Agreement). With respect to charges for licenses specifically, if Customer exceeds the originally contracted quantity, the additional licenses activated by Customer will be billed as additional usage charges. In the month the additional licenses are activated, these charges will be prorated as of the effective date of the change and included in the next invoice that Customer receives. Thereafter, these additional usage charges will be pre-billed for each month so that the additional licenses remain activated. At any time, Customer may reduce the then-current full license quantity (but no lower than the originally contracted quantity).

e. Taxes. Except as expressly set forth in this Agreement, all fees are non-refundable. Customer is responsible for paying all Taxes, and all taxes are excluded from any fees set forth in the applicable Enterprise Agreement. WeConvene will invoice Customer for Taxes as well as any legally required fees arising from Customer’s use of Services if WeConvene believes it has a legal obligation to do so, and Customer will pay such Taxes and fees if invoiced. If Customer is required by Law to withhold any Taxes from Customer’s payment, the fees payable by Customer will be increased as necessary so that after making any required withholdings, WeConvene receives and retains (free from any liability for payment of Taxes) an amount equal to the amount it would have received had no such withholdings been made. Any late payments will be subject to a service charge equal to 1.5% per month of the amount due or the maximum amount allowed by law, whichever is less.

7.3. Payment Via Recurring Payment Method. If you are purchasing the Services via credit card, debit card or any other recurring payment method accepted by WeConvene (“Recurring Payment Method”), the following terms apply:

a. Recurring Billing Authorization. By providing Recurring Payment Method information and agreeing to purchase any Services, Customer hereby authorizes WeConvene (or its designee) to automatically charge Customer’s Recurring Payment Method on the same date of each calendar month (or the closest prior date, if there are fewer days in a particular month) during the Subscription Term for all fees accrued as of that date (if any) in accordance with the applicable Enterprise Agreement. Customer acknowledges and agrees that the amount billed and charged each month may vary depending on Customer’s usage of the Services and may include adjustments to monthly subscription fee, upgrade fees, one-time service fees, additional usage charges, taxes and other fees as described above.

b. Foreign Transaction Fees. Customer acknowledges that for certain Recurring Payment Methods, the provider/issuer may charge a foreign transaction fee or other charges.

c. Invalid Payment. If a payment is not successfully settled due to expiration of a Recurring Payment Method, insufficient funds, or otherwise, Customer remains responsible for any amounts not remitted to WeConvene and WeConvene may, in its sole discretion, either (i) invoice Customer directly for the deficient amount, (ii) continue billing the Recurring Payment Method once it has been updated by Customer (if applicable) or (iii) terminate this Agreement.

d. Changing Recurring Payment Method Information. At any time, Customer may change its Recurring Payment Method information by entering update information via the “Settings” page on the Dashboard.

e. Payment of Outstanding Fees. Upon any termination or expiration of the subscription, WeConvene will charge Customer’s Recurring Payment Method (or invoice Customer directly) for any outstanding fees for Customer’s use of the Services during the Subscription Term, after which payment, WeConvene will not charge Customer’s Recurring Payment Method for any additional fees.

7.4. Suspension of Service. If Customer’s account is fifteen (15) days or more overdue, in addition to any of its other rights or remedies (including but not limited to any termination rights set forth herein), WeConvene reserves the right to suspend Customer’s access to the applicable Service (and any related services) without liability to Customer until such amounts are paid in full. WeConvene also reserves the right to suspend Customer’s access to the Services, without liability, if Customer’s use of the Services is in violation of the AUP or this Agreement.

8. Term and Termination

8.1. Term. This Agreement is effective as of the Effective Date and expires on the date of the last to expire Subscription Term under any Enterprise Agreement, unless earlier terminated as set forth herein.

8.2. Termination for Cause. Either party may terminate this Agreement (including all related Enterprise Agreements) if the other party (a) fails to cure any material breach of this Agreement (including a failure to pay fees) within thirty (30) days after written notice; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors’ arrangement, composition, or comparable proceeding, or if any such proceeding is instituted against that party (and not dismissed within sixty (60) days thereafter).

8.3. Effect of Termination. Upon any expiration or termination of this Agreement, Customer will immediately cease any and all use of and access to all Services (including any and all related WeConvene Technology) and delete (or, at WeConvene’s request, return) any and all copies of the Documentation, any WeConvene passwords or access codes and any other WeConvene Confidential Information in its possession. Customer acknowledges that after termination, it will have no further access to any Customer Data input into any Service, and that WeConvene may delete any such data as may have been stored by WeConvene at any time. Except where an exclusive remedy is specified, the exercise by either party of any remedy under this Agreement, including termination, will be without prejudice to any other remedies it may have under this Agreement, by law or otherwise.

8.4. Survival. The following Sections will survive any expiration or termination of this Agreement: 2.7 (General Restrictions), 2.9 (Trial Subscriptions), 2.10 (Beta Offerings), 3.3 (Storage of Customer Data), 3.4 (Anonymized Data), 3.6 (Indemnification by Customer), 6 (Ownership), 7.2 (Fees and Payment), 7.3 (Payment Via Recurring Payment Method), 8.3 (Effect of Termination), 8.4 (Survival), 9.2 (Warranty Disclaimer), 12 (Limitation of Liability), 13 (Indemnification), 14 (Confidential Information) and 16 (General Terms).

9. Limited Warranty

9.1. Limited Warranty. WeConvene warrants, for Customer’s benefit only, that each Service will operate in substantial conformity with the applicable Documentation. WeConvene’s sole liability (and Customer’s sole and exclusive remedy) for any breach of this warranty will be, at no charge to Customer, for WeConvene to use commercially reasonable efforts to correct the reported non-conformity, or if WeConvene determines such remedy to be impracticable, either party may terminate the applicable Subscription Term and Customer will receive as its sole remedy a refund of any fees Customer has pre-paid for use of such Service for the terminated portion of the applicable Subscription Term. The limited warranty set forth in this Section 9.1 will not apply: (i) unless Customer makes a claim within thirty (30) days of the date on which Customer first noticed the non-conformity, (ii) if the error was caused by misuse, unauthorized modifications or third-party hardware, software or services, or (iii) if Services are provided to Customer to use on a no-charge, trial, beta or evaluation basis.

9.2. Warranty Disclaimer. Except for the limited warranty in section 9.1, all services are provided “as is”. Neither WeConvene nor its suppliers make any other warranties, express or implied, statutory or otherwise, including but not limited to warranties of merchantability, title, fitness for a particular purpose or non-infringement. WeConvene does not warrant that customers’ use of the services will be uninterrupted or error­ free, nor does weconvene warrant that it will review the customer data for accuracy. WeConvene shall not be liable for the results of any communications sent or any communications sent or any communications that failed to be sent using the services. WeConvene shall not be liable for delays, interruptions, service failures or other problems inherent in use of the internet and electronic communications, third-party platforms, third party apps, or other systems outside the reasonable control of weconvene. Customer may have other statutory rights, but the duration of statutorily required warranties, if any, shall be limited to the shortest period permitted by law.

10. Availability

10.1. The Services are available subject to WeConvene’s Service Level Agreement (“SLA”).

11. Support

11.1. During the Subscription Term of each Service, WeConvene will provide end user support in accordance with WeConvene’s Support Policy (“Support Policy”).

12. Limitation of Liability

12.1. Consequential Damages Waiver. Except for excluded claims (defined below), neither party (nor its suppliers) shall have any liability arising out of or related to this agreement for any loss of use, lost data, lost profits, failure of security mechanisms, interruption of business, or any indirect, special, incidental, reliance, or consequential damages of any kind, even if informed of the possibility of such damages in advance.

12.2. Liability Cap. Except for excluded claims (defined below), each party’s entire liability to the other arising out of or related to this agreement shall not exceed the amount actually paid or payable by customer to weconvene under the agreement giving rise to the liability in the twelve (12) months immediately preceding the claim.

12.3. Excluded Claims. means any claim arising (a) from Customer’s breach of Section 2.7 (General Restrictions); (b) under Section 3.5 (Customer Obligations) or 3.6 (Indemnification by Customer); or (c) from a party’s breach of its obligations in Section 14 (Confidential Information) (but excluding claims arising from operation or non-operation of any Service or relating to Customer Data).

12.4. Nature of Claims and Failure of Essential Purpose. The parties agree that the waivers and limitations specified in this Section 12 apply regardless of the form of action, whether in contact, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose.

12.5. Applicable Law. The limitations on liability under this Section 12 will not apply to the extent such liability cannot be limited under applicable law.

13. Indemnification

WeConvene will defend Customer from and against any claim by a third party alleging that a Service when used as authorized under this Agreement infringes any Intellectual Property Rights and will indemnify and hold harmless Customer from and against any damages and costs finally awarded against Customer or agreed in settlement by WeConvene (including reasonable attorneys’ fees) resulting from such claim, provided that WeConvene will have received from Customer: (i) prompt written notice of such claim (but in any event notice in sufficient time for WeConvene to respond without prejudice); (ii) the exclusive right to control and direct the investigation, defense and settlement (if applicable) of such claim; and (iii) all reasonable necessary cooperation of Customer. If Customer’s use of a Service is (or in WeConvene’s opinion is likely to be) enjoined, if required by settlement or if WeConvene determines such actions are reasonably necessary to avoid material liability, WeConvene may, in its sole discretion: (a) substitute substantially functionally similar products or services; (b) procure for Customer the right to continue using such Service; or if (a) and (b) are not commercially reasonable, (c) terminate this Agreement and refund to Customer the fees paid by Customer for the portion of the Subscription Term that was paid by Customer but not rendered by WeConvene. The foregoing indemnification obligation of WeConvene will not apply: (1) if such Service is modified by any party other than WeConvene, but solely to the extent the alleged infringement is caused by such modification; (2) if such Service is combined with products or processes not provided by WeConvene, but solely to the extent the alleged infringement is caused by such combination; (3) to any unauthorized use of such Service; (4) to any action arising as a result of Customer Data or any third-party deliverables or components contained within such Service; (5) to any action arising from Customer’s use of Third Party Apps or Third-Party Platforms; or (6) if Customer settles or makes any admissions with respect to a claim without WeConvene’s prior written consent. This section 13 sets forth intercom’s and its suppliers’ sole liability and customer’s sole and exclusive remedy with respect to any claim of intellectual property infringement.

14. Confidential Information

Each party (as “Receiving Party”) agrees that all code, inventions, know-how, business, technical and financial information it obtains from the disclosing party (“Disclosing Party”) constitute the confidential property of the Disclosing Party (“Confidential Information”), provided that it is identified as confidential at the time of disclosure or should be reasonably known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure. Any WeConvene Technology, performance information relating to any Service, and the terms and conditions of this Agreement will be deemed Confidential Information of WeConvene without any marking or further designation. Except as expressly authorized herein, the Receiving Party will (1) hold in confidence and not disclose any Confidential Information to third parties and (2) not use Confidential Information for any purpose other than fulfilling its obligations and exercising its rights under this Agreement. The Receiving Party may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know (including, for WeConvene, the subcontractors referenced in Section 16.8 (Subcontractors)), provided that such representatives are bound to confidentiality obligations no less protective of the Disclosing Party than this Section 14 and that the Receiving Party remains responsible for compliance by any such representative with the terms of this Section 14. The Receiving Party’s confidentiality obligations will not apply to information that the Receiving Party can document: (i) was rightfully in its possession or known to it prior to receipt of the Confidential Information; (ii) is or has become public knowledge through no fault of the Receiving Party; (iii) is rightfully obtained by the Receiving Party from a third party without breach of any confidentiality obligation; or (iv) is independently developed by employees of tne receiving Party who has no access to such information. The Receiving Party may make disclosures to the extent required by law or court order, provided the Receiving Party notifies the Disclosing Party in advance and cooperates in any effort to obtain confidential treatment. The Receiving Party acknowledges that disclosure of Confidential Information would cause substantial harm for which damages alone would not be a sufficient remedy, and therefore that upon any such disclosure by the Receiving Party the Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law.

15. Publicity

WeConvene may, upon Customer’s prior written consent, use Customer’s name to identify Customer as an WeConvene customer of the Services, including on WeConvene’s public website. WeConvene agrees that any such use shall be subject to WeConvene complying with any written guidelines that Customer may deliver to WeConvene regarding the use of its name and shall not be deemed Customer’s endorsement of the Services.

16. General Terms

16.1. Assignment. This Agreement will bind and inure to the benefit of each party’s permitted successors and assigns. Neither party may assign this Agreement without the advance written consent of the other party, except that either party may assign this Agreement in connection with a merger, reorganization, acquisition or other transfer of all or substantially all of such party’s assets or voting securities. Any attempt to transfer or assign this Agreement except as expressly authorized under this Section 16.1 will be null and void.
16.2. Severability. If any provision of this Agreement will be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision will be limited to the minimum extent necessary so that this Agreement will otherwise remain in effect.

16.3. Governing Law; Dispute Resolution.

a. Direct Dispute Resolution. In the event of any dispute, claim, question, or disagreement arising from or relating to this agreement, whether arising in contract, tort or otherwise, (“Dispute”), the parties shall first use their best efforts to resolve the Dispute. If a Dispute arises, the complaining party shall provide written notice to the other party in a document specifically entitled “Initial Notice of Dispute,” specifically setting forth the precise nature of the dispute (“Initial Notice of Dispute”). If an Initial Notice of Dispute is being sent to WeConvene it must be emailed to support@weconvene.com.

Following receipt of the Initial Notice of Dispute, the parties shall consult and negotiate with each other in good faith and, recognizing their mutual interest, attempt to reach a just and equitable solution of the Dispute that is satisfactory to both parties (“Direct Dispute Resolution”). If the parties are unable to reach a resolution of the Dispute through Direct Dispute Resolution within thirty (30) days of the receipt of the Initial Notice of Dispute, then the Dispute may subsequently be resolved in a court of law as set forth below.

b. Choice of Law and Jurisdiction. For any claim which is not subject to this dispute resolution provision, customer agrees to submit and consent to the personal and exclusive jurisdiction in, and the exclusive venue of, the state and federal courts located within New York county, New York. In any dispute, New York law shall apply.

16.4. Counterparts. This Agreement may be executed in counterparts, each of which will be deemed an original and all of which together will be considered one and the same agreement.

PRIVACY STATEMENT

EFFECTIVE DAY Tuesday, April 15, 2025

1. PURPOSE AND SCOPE

1.1 At WeConvene, we respect your privacy and data protection rights and recognize the importance of protecting the personal data we collect and process. This Privacy Policy is designed to help you to understand what personal data we collect about you and how we use and share it.

1.2 When we refer to WeConvene, we mean WeConvene Group Limited (Cayman) and WeConvene Inc, with its address at 99 Wall Street, Ste 5353, New York, NY, 10005.

1.3 This Privacy Policy applies to you if you:

• interact with any of WeConvene’s websites (including www.weconvene.com and www.app.weconvene.com or our social media pages (collectively, the “Sites”) (“website users”);
• visit any of WeConvene’s premises (“office visitors”);

• attend any WeConvene events or any events which WeConvene sponsors (“event attendees”);
• use WeConvene’s communication and messaging products, and our other applications and services (collectively, the “WeConvene Services”) (“customers”)
• are a prospect, who is anyone whose data WeConvene processes for the purposes of assessing customer eligibility (“prospect”); or
• receive marketing communications from WeConvene.

Our Privacy Policy applies to you irrespective of where you are based. There are certain additional parts of the Privacy Policy that will apply to you where you are a resident of the EEA, UK, Switzerland, or California. These additional parts do not apply to everyone.

1.4 For the purposes of the General Data Protection Regulation (or any successor or equivalent legislation in the UK) (“GDPR”), either WeConvene Group Limited or WeConvene, Inc., WeConvene Australia Pty Ltd, or any other WeConvene group company from time to time, is the controller of your personal data.

2. PERSONAL DATA COLLECTED BY WECONVENE

2.1 PERSONAL DATA WE COLLECT AND RECEIVE

The personal data that we collect about you broadly falls into the categories set out in the following table. Some of this information you provide voluntarily when you interact with the WeConvene Services and Sites, or when you attend an event or visit our premises. Other types of information may be collected automatically from your device, such as device data and service data. From time to time, we may also receive personal data about you from third party sources (as further described in the table).

We may collect the following personal data about:
1. our website and application users;
2. recipients of marketing communications; and
3. relevant prospects.

Registration, contact, and company information:

• first and last names;
• email addresses;
• phone numbers;
• avatars;
• company name;
• your role in your company.

Device data:
• operating system type and version number, manufacturer and model;
• browser type;
• screen resolution;
• IP address;
• unique device identifiers.

Service data:

• the website you visited before browsing to the WeConvene Services;
• how long you spend on a page or screen;
• how you interact with our emails;
• navigation paths between pages or screens;
• date and time;
• pages viewed;
• links clicked.

We may collect the following personal data about event attendees:

Registration, contact and company information:

• first and last names;
• email addresses;
• phone numbers;
• company name;
• your role in your company.

We may collect the following personal data about our customers and end-users (to the extent applicable):

Registration and contact information:

• first and last names;
• email addresses;
• phone numbers;
• mailing addresses;
• company name;
• your role in your company.

Device data:

• operating system type and version number, manufacturer and model;
• browser type and language;
• screen resolution;
• IP address;
• unique device identifiers.

Service data:
• the website you visited before browsing to the services;
• how long you spend on a page or screen;
• navigation paths between pages or screens;
• session date and time;
• activity status (including first seen, last seen, last heard from – and last contacted);
• pages viewed;
• links clicked;
• language preferences
• tags applied within customer accounts
• WeConvene assigned user identifier.

2.2 COOKIES AND OTHER TRACKING TECHNOLOGIES

Some device data, service data and third-party source data is collected through the use of first or third party cookies and similar technologies. The WeConvene Support Chat service does not collect, retain, or share data regarding a particular user’s activity across multiple websites or applications that are not owned by WeConvene. WeConvene does assign each user a unique user ID within the scope of an individual website but does not collect or retain IP or any information that would allow WeConvene to identify the same user on more than one website. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals.

3. HOW AND WHY, WE USE YOUR PERSONAL DATA

3.1 We only collect and process your personal data from your sign-up and registration or onboarding (for enterprise clients) we do not process or use your personal data where it is added to the platform by one of our enterprise customers for their own use. The data that we do collect and process we do so for the following purposes and, if you are from the European Economic Area (EEA), the UK or Switzerland, on the following legal bases:

• Providing and facilitating delivery of WeConvene Services and Sites: We process your personal data to perform our contract with you for use of our Services and Sites and to fulfill our obligations under applicable terms of service. Where we have not entered into a contract with you, we process your personal data in reliance on our legitimate interests to operate and administer the WeConvene Services and Sites. For example, to create, administer and manage your account.
• Communicating with you about WeConvene Services and providing customer support: We may send you service, technical and other administrative messages in reliance on our legitimate interests in administering the WeConvene Services. For example, we may send you messages about the availability or security of the WeConvene Services. We also process your personal data to respond to your comments and questions and to provide customer care and support. When we have entered into an agreement with you, we will process your personal data as necessary to meet our contractual obligations to you.
• Improving WeConvene Services and Sites: We process your personal data to improve and optimize WeConvene Services and Sites and to understand how you use WeConvene Services and Sites, including monitor usage or traffic patterns and to analyze trends and to develop new products, services, features and functionality in reliance on our legitimate interests or, where necessary, to the extent you have provided your consent.
• Sending marketing communications: We process your personal data to send you marketing communications via email about our products, services and upcoming events that might interest you in reliance on our legitimate interests or where we seek your consent. Please see the “Your Privacy Rights and Choices” section below to learn how you can control your marketing preferences.
• Managing event registrations and attendance: We process your personal data to plan and host events for which you have registered or that you attend, including sending related communications to you. This processing is based on our legitimate interest in ensuring the successful organization of the event, as well as providing you with relevant information regarding your participation.
• Maintaining security of WeConvene Services and Sites: We process your personal data to control unauthorized use or abuse of WeConvene Services and Sites, or otherwise detect, investigate or prevent activities that may violate WeConvene policies or applicable laws, in reliance on our legitimate interests to maintain and promote the safety and security of the WeConvene Sites and Services.

• Displaying personalized Events: We process your personal data to advertise to you and to provide personalized information, including by serving and managing Events on our Sites and on third party sites.
• Carrying out other legitimate business purposes: including invoicing, audits, fraud monitoring and prevention. This processing is based on our legitimate interest in ensuring efficient business operations and on the necessity to comply with legal obligations.
• Complying with legal obligations: We process your personal data when cooperating or complying with public and government authorities, courts or regulators in accordance with our obligations under applicable laws and to protect against imminent harm to our rights, property or safety, or that of our users or the public, as required or permitted by law.

3.2 In certain circumstances, we may collect your personal data on a different legal basis. If we do, or if we use your personal data for purposes that are not compatible with, or are materially different than, the purposes described in this notice or the point of collection, we will explain how and why we use your personal data in a supplementary notice at or before the point of collection. Where we refer to legal bases in this section, we mean the legal grounds on which organizations can rely when processing personal data.
3.3 Please note these legal bases only apply to you if you are resident in the EEA, the UK or Switzerland.
3.4 If you have any questions about our legal bases for processing your personal data, please contact us through support@weconvene.com.

4. SHARING YOUR PERSONAL DATA
4.1 We may disclose some or all of the personal data we collect to the following third parties:

To WeConvene Group Companies:

• WeConvene Inc.;
• WeConvene Group Limited;
• WeConvene Australia Pty Ltd;
• Any such other group companies, as may be added to this list from time to time.
Service Providers:

• Consultants and vendors engaged by us to support our provision of the WeConvene Services and Sites and the operation of our business;
• Any such other Service Providers, as may be added to the Subprocessor list, from time to time.
Professional Advisors:
• Professional advisors, such as lawyers, auditors and insurers, in the course of the professional services that they render to us.

Compliance with Law Enforcement:

• Comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
• Protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
• Enforce the terms and conditions that govern the Services; and
• Prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

Business Transfers:

• Parties to transactions or potential transactions (and their professional advisors) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business, assets, or equity interests of WeConvene Group Companies (including, as part of a bankruptcy or similar proceeding).

4.2 Aggregated or anonymized information. We may also share aggregated or anonymized information with third parties for other purposes. Such information does not identify you individually, but may include usage, viewing and technical information, and performance metrics related to the use of our website and application which we collect through our technology, products and services. If we are required under applicable law to treat such information as personal data, then we will only disclose it as described above. Otherwise, we may disclose such information for any reason.

4.3 Third party websites. WeConvene Services may also contain links to third party websites. This Privacy Policy applies solely to information processed by us. You should contact the relevant third-party websites for more information about how your personal data is processed by them.

5. RETENTION OF YOUR PERSONAL DATA

5.1 We retain your personal data only for as long as necessary to fulfill the purposes set out in this Privacy Policy.
5.2 Note that content you post may remain on the Sites even if you cease using the Sites or we terminate access to the Sites.

6. TRANSFERS OF YOUR PERSONAL DATA
6.1 WeConvene Services and Sites, and our extended domains are provided and hosted in the United States. If you are located outside the United States, we may transfer, and process, your personal data outside of the country in which you are resident to other WeConvene Group Companies and our EU based service providers and other such countries as we deem appropriate from time to time. These countries may not have equivalent privacy and data protection laws (and, in some cases, may not be as protective). We will protect your personal data in accordance with this Privacy Policy wherever it is processed.
6.2 Certain recipients (our service providers and other companies) who process your personal data on our behalf may also transfer personal data outside the country in which you are resident. Where such transfers occur, we will make sure that an appropriate transfer agreement is put in place to protect your personal data.
6.3 If you are a resident of the EEA, the UK or Switzerland, we will protect your personal data when it is transferred outside of the EEA, the UK or Switzerland by processing it in a territory which the European Commission has determined provides an adequate level of protection for personal data; or otherwise ensuring appropriate safeguards are in place to protect your personal data. For transfers of your personal data to:
• WeConvene Group Companies based in the US, we rely on the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK-U.S. DPF”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, visit htps://www.dataprivacyframework.gov/;
• other WeConvene Group Companies based outside of the US, we rely on the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA); and
• recipients who are located outside of the EEA, the UK or Switzerland, we rely on the EU-U.S. DPF, UK-U.S. DPF or Swiss-U.S. DPF where those recipients are located in the US or for onward transfers from the US, and otherwise we rely on the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA).

6.4 WeConvene, Inc. complies with the EU-U.S. DPF, the UK-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. WeConvene, Inc. has certified to the U.S. Department of Commerce that it adheres to (i) the EU­U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK-U.S. DPF and (ii) the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
6.5 In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, WeConvene, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your Personal Information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the EU-U.S. DPF, the UK Extension to the EU­U.S. DPF or the Swiss-U.S. DPF should first contact WeConvene through support@weconvene.com.
6.6 In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, WeConvene, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (“DPAs”), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. Under certain conditions, it may be possible to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, see here for additional information.

WeConvene Inc. remains responsible if its service provider, when acting on its behalf, processes personal data in a manner inconsistent with the DPFPrinciples, unless it is not responsible for the event, giving rise to the damage.

The Federal Trade Commission has jurisdiction over WeConvene, lnc.’s compliance with the EU-U.S. Data Privacy Framework EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

7. HOW WE STORE AND SAFEGUARD PERSONAL DATA
We care about protecting personal data. That is why we put in place appropriate measures that are designed to secure your personal data. You can find out more about our technical and organizational safeguards on our Security page: https://www.WeConvene.com/security.

8. YOUR PRIVACY RIGHTS AND CHOICES
8.1 Depending on your location and subject to applicable laws, you may have certain data protection rights. If you are a resident of the EEA or the UK, you have the following data protection rights:

• If you wish to access, correct, update or request deletion of your personal data, you can do so at any time.
• You can object to processing your personal data, ask us to restrict processing of your personal data or request portability of your personal data.
• You have the right to opt-out of marketing communications we send you at any time. If you no longer wish to receive our newsletter and promotional communications, you may opt-out of receiving them by clicking on the “unsubscribe” or “opt-out” link in the communications we send you. Please note, however, that it may not be possible to opt-out of certain service­ related communications. You can let us know at any time if you do not wish to receive marketing messages by contacting us using the contact details below.
• Similarly, if we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
• You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority.

8.2 You can exercise any of these rights by submitting a request via support@weconvene.com

9. CHILDREN’S PRIVACY

Our Services and Sites are not intended for use by anyone under the age of 16. WeConvene does not knowingly collect personal data from anyone under the age of 16. If you are under 16, you may not attempt to register for our Services or send any information about yourself to us, including your name, address, telephone number, or email address. If we become aware that we have collected personal data from someone under the age of 16 without verification of parental consent, we will delete that information promptly. If you are a parent or legal guardian of a child under 16 and believe that a child has provided us with their personal data, please contact us through our Privacy Request Form.

10. CHANGES TO THIS NOTICE AND QUESTIONS

10.1 We may amend this Privacy Policy from time to time in response to changing legal, technical or business developments. When we update it, we will take appropriate measures to inform you consistent with the significance of the changes we make. If we make material updates to this Privacy Policy, we will update the effective date at the top of the Privacy Policy.
10.2 We have appointed a Data Protection Officer responsible for managing and addressing inquiries related to this Privacy Policy. If you have any questions, comments or concerns about this Privacy Policy or the way your personal data is being used or processed by WeConvene, please contact us through our Privacy Request Form or by using the Contact Us link in the footer of this page.

11. COLLECTION AND USE OF PERSONAL DATA OF CALIFORNIA RESIDENTS
11.1 Except as otherwise provided, this Section 11 applies only if you are a California resident. For purposes of this section, “Personal Information” has the meaning given in the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), and any regulations promulgated under either law, in each case, as amended from time to time.

Section 11 does not apply to;

• information exempted from the scope of the CCPA;
• activities governed by a different privacy notice, such as notices we give to California personnel or job candidates; or
• Personal Information we collect, use, and share on behalf of our customers as a “service provider” under the CCPA.

11.2 YOUR CALIFORNIA PRIVACY RIGHTS

• Right to Information/Know You can request whether we have collected your Personal Information, and in certain cases, the following information about how we have collected and used your Personal Information during the past 12 months:
• The categories of Personal Information we have collected.
• The categories of sources from which we collected Personal Information.
• The business or commercial purpose for collecting, sharing, and/or selling Personal Information.
• The categories of Personal Information that we sold or disclosed for a business purpose.
• The categories of third parties to whom Personal Information was sold, shared, or disclosed for a business purpose.
• Right to Access. You can request a copy of the Personal Information that we have collected about you during the past 12 months.
• Right to Correction. You can request that we correct inaccurate Personal Information that we have collected about you.
• Right to Deletion. You can ask us to delete the Personal Information that we have collected from you.
• Right to Opt-Out of Tracking for Targeted Advertising Purposes. While we do not sell Personal Information for money, like many companies, we use services that help deliver targeted ads (also known as interest-based ads) to you, as we have described in the “How and Why We Use Your Personal Data” section above. The CCPA classifies our use of some of these services as “sharing” your Personal Information with the advertising partners that provide the services from which you have the right to opt-out.
• Right to Nondiscrimination. You are entitled to exercise the rights described above free from discrimination prohibited by the CCPA.

11.3 HOW TO EXERCISE YOUR RIGHTS

• Right to Information/Know, Access, Correction, and Deletion. You can exercise any of these rights by submitting a request through support@weconvene.com

SECURITY POLICY

Security Policy

Effective day Tuesday, April 22, 2025
Overview

All members of the WeConvene team take the protection of customer data extremely seriously. This WeConvene Security Policy describes the organizational and technical measures WeConvene implements across its entire application ecosystem and company infrastructure designed to prevent unauthorized access, use, alteration or disclosure of customer data. WeConvene services operate on Amazon Web Services (“AWS”); this policy describes activities of WeConvene within its instance on AWS unless otherwise specified. As you continue to learn more about WeConvene we recommend you also review our Terms of Service and Privacy Policy.

Best Practices

Incident Response Plan
• We have implemented a formal procedure for security events and have educated all our staff on our policies.
• When security events are detected, they are escalated to our executive team, development teams are notified and assembled to rapidly address the event.
• After a security event is fixed, we write up a post-mortem analysis.
• The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
• WeConvene will promptly notify you in writing upon verification of a security breach of the WeConvene services that affects your data. Notification will describe the breach and the status of WeConvene’s investigation.
Build Process Automation
• We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.

Infrastructure
• All of our services run in the cloud. WeConvene does not run our own routers, load balancers, DNS servers, or physical servers.
• All of our services and data are hosted in AWS facilities and protected by AWS security, as described at http://aws.amazon.com/security/sharing-the­ security-responsibility. WeConvene services have been built with disaster recovery in mind.
• All of our infrastructure is spread across 2 AWS data centers and is designed to continue to work should any one of those data centers fail unexpectedly. Amazon does not disclose the location of its data centers. As such, WeConvene builds on the physical security and environmental controls provided by AWS. See http://aws.amazon.com/security for details of AWS security infrastructure.
• All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.
• WeConvene uses a backup solution for datastores that contain customer data.

• Customer data is stored in multi-tenant datastores; we do not have individual datastores for each customer. However strict privacy controls exist in our application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation). We have many unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated and even one single test failing will prevent new code being shipped to production.
• Each WeConvene system used to process customer data is using commercially reasonable methods according to industry-recognized system-hardening standards.
• WeConvene engages certain sub processors to process customer data. These sub processors are listed at https://www.WeConvene.com/security-third-parties, as may be updated by WeConvene from time to time.

Data Transfer
• All data sent to or from WeConvene is encrypted in transit using 256-bit encryption.
• Our API and application endpoints are TLS/SSL only and score an “A+” rating on SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.
• We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
Authentication
• WeConvene is served 100% over https. WeConvene runs a zero-trust corporate network.
• There are no corporate resources or additional privileges from being on WeConvene’s network.
• We have two-factor authentication (2FA) and strong password policies on AWS, WeConvene and all other third-party applications used by WeConvene to ensure access to cloud services are protected.
Permissions and Administrative Controls
• WeConvene enables permission levels to be set for any employees with access to WeConvene.
• Permissions and access can be set to include app settings, billing, user data, or the ability to send/edit manual messages and auto messages.
Application Monitoring
• On an application level, we produce audit logs for all activity.
• All access to WeConvene applications is logged and audited.
• All actions taken on production consoles or in the WeConvene application are logged.

Security Audits and Certifications
• We annually engage with well-regarded third-party auditors to audit our code-base, and work with them to resolve potential issues.
• We use technologies to provide an audit trail over our infrastructure and the WeConvene application. Auditing allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.
• Information about AWS security certifications and obtaining copies of security reports from AWS is available at http://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc­fedramp-faqs/

Payments
All payment instrument processing for purchase of the WeConvene services is performed by Stripe. For more information on Stripe’s security practices, please see https://stripe.com/docs/security/stripe.
Customer Responsibilities

• Managing your own user accounts and roles from within WeConvene services.
• Protecting your own account and user credentials by using two-factor authentication for all of your employees accessing WeConvene services.
• Compliance with the terms of your services agreement with WeConvene, including with respect to compliance with laws.
• Promptly notify WeConvene if a user credential has been compromised or if you suspect possible suspicious activities that could negatively impact security of the WeConvene services or your account.
• You may not perform any security penetration tests or security assessment activities without the express advance written consent of WeConvene.

Subprocessors List

Effective day April 23, 2025

Security, Privacy and Compliance Information for WeConvene

WeConvene is a data processor and engages certain onward sub processors that may process personal data submitted to WeConvene’s services by the controller. These sub processors are listed below, with a description of the service and the location where data is hosted. By default, hosting occurs in the United States. For WeConvene’s regional data hosting services that customers may have elected to use, scroll further down the page to see the specific sub processors list for the designated region. These lists may be updated by WeConvene from time to time in accordance with the terms of the Data Processing Addendum.

Third Party Sub- Processor Purpose Applicable Service US Data Center Sub- Processor Location EU Data Center Sub-Processor Location
Amazon Web Services, Inc.
Hosting & Infrastructure
Used for cloud computing platforms and APIs
United States
UK
Twilio Inc.
Email distribution
Email delivery
United States
NA
Bloomberg LLP
Content distribution
WeConvene to Bloomberg (Optional for clients)
United States*
NA
OpenExchange Inc.
Integrated service
Schedule feed
United States*
NA
Intercom
Engagement tool
Customer engagement
United States
NA
Mix Panel
Analytics
Analytics
United States
NA
Zendesk
Customer Support
Customer Support
United States
NA

Data Processing Agreement

Last updated: Thursday, April 24, 2025

 

This WeConvene Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the WeConvene Enterprise SaaS Agreement between you and us (also referred to in this DPA as the “Agreement”) and general the provisions included in the Terms Of Service.

 

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

 

We update these terms from time to time. If you have an active WeConvene subscription, we will let you know when we do via email.

 

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

 

  1. Definitions
  2. Customer Responsibilities
  3. WeConvene Obligations
  4. Data Subject Requests
  5. Sub-Processors
  6. Data Transfers
  7. Additional Provisions for European Data
  8. Additional Provisions for California Personal Information
  9. General Provisions
  10. Parties to this DPA

 

Annex 1 – Details of Processing

Annex 2 – Security Measures

Annex 3 – List of Sub-Processors

Annex 4 – Standard Contractual Clauses

 

1.    Definitions

 

“California Personal Information” means Personal Data that is subject to the protection of the CCPA.

 

“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

 

“Consumer”, “Business”, “Sell” and “Service Provider” will have the meanings given to them in the CCPA.

 

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

 

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.

 

“Data Subject” means the individual to whom Personal Data relates.

 

“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

 

“European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

 

“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.

 

“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

 

 

“Permitted Affiliates” means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws.

 

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.

 

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services.

 

“Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

 

“Privacy Shield” means the EU-U.S. and Swiss-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July, 12 2016 and by the Swiss Federal Council on January 11, 2017 respectively; as may be amended, superseded or replaced.

 

“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of July, 12 2016; as may be amended, superseded or replaced.

 

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

 

“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

 

“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision

(EU) 2021/914 of 4 June 2021, in the form set out at Annex 4; as may be amended, superseded or replaced.

 

“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any WeConvene employee or consultant.

 

 

 

2.    Customer Responsibilities

 

  1. Compliance with Laws. Within the scope of the Agreement and in its use of the services, you will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to us. In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of the Agreement (including this DPA); (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. You will inform us without undue delay if you are not able to comply with your responsibilities under this ‘Compliance with Laws’ section or applicable Data Protection Laws.

 

  1. Controller Instructions. The parties agree that the Agreement (including this DPA), together with your use of the Subscription Service in accordance with the Agreement, constitute your complete Instructions to us in relation to the Processing of Personal Data, so long as you may provide additional instructions during the subscription term that are consistent with the Agreement, the nature and lawful use of the Subscription Service.

 

  1. You are responsible for independently determining whether the data security provided for in the Subscription Service adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of the Subscription Service, including protecting the security of Personal Data in transit to and from the Subscription Service (including to securely backup or encrypt any such Personal Data).

 

3.    WeConvene Obligations

 

  1. Compliance with Instructions. We will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.

 

  1. Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Subscription Services until such time as you issue new lawful Instructions with regard to the Processing.

 

  1. We will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

 

  1. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

 

  1. Personal Data Breaches. We will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

 

  1. Deletion or Return of Personal Data. We will delete or return all Customer Data, including Personal Data (including copies thereof) Processed pursuant to this DPA, on termination or expiration of your Subscription Service in accordance with the procedures set out in our Product Specific Terms. This term shall apply except where we are required by applicable law to retain some or all of the Customer Data, or where we have archived Customer Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices. You may request the deletion of your WeConvene account after expiration or termination of your subscription by sending a request here. You may also cancel your account in accordance with the ‘Early Cancellation’ section of the Customer Terms of Service and request permanent deletion by following the instructions found here. You may retrieve your Customer Data from your account in accordance with our ‘Retrieval of Customer Data’ sections throughout our Product Specific Terms.

 

4.    Data Subject Requests

 

The Subscription Service provides you with a number of controls that you can use to retrieve, correct, delete or restrict Personal Data, which you can use to assist it in connection with its obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).

 

To the extent that you are unable to independently address a Data Subject Request through the Subscription Service, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. You shall reimburse us for the commercially reasonable costs arising from this assistance.

 

If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

 

5.    Sub-Processors

 

You agree that we may engage Sub-Processors to Process Personal Data on your behalf. We have currently appointed, as Sub-Processors, the WeConvene Affiliates and third parties listed in Annex 3 to this DPA. We will notify you if we add or replace any Sub-Processors listed in Annex 3 prior to any such changes at least 30 days prior to any such changes.

 

Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.

 

6.    Data Transfers

 

You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by WeConvene, Inc. in the United States and to other jurisdictions where WeConvene Affiliates and Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

 

7.    Additional Provisions for European Data

 

  1. Scope. This ‘Additional Provisions for European Data’ section shall apply only with respect to European Data.
  2. Roles of the Parties. When Processing European Data in accordance with your Instructions, the parties acknowledge and agree that you are the Controller of European Data, and we are the Processor.
  3. Instructions. If we believe that your Instruction infringes European Data Protection Laws (where applicable), we will inform you without delay.
  4. Objection to New Sub-Processors. We will give you the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of notifying you in accordance with the ‘Sub-Processors’ section. If you do notify us of such an objection, the parties will discuss your concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, we will, at our sole discretion, either not appoint the new Sub-Processor, or permit you to suspend or terminate the affected Subscription Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by you prior to suspension or termination). The parties agree that by complying with this sub-section (d), WeConvene fulfils its obligations under Sections 9 of the Standard Contractual Clauses.
  5. Sub-Processor Agreements. For the purposes of Clause 9(c) of the Standard Contractual Clauses, you acknowledge that we may be restricted from disclosing Sub- Processor agreements, but we shall use reasonable efforts to require any Sub- Processor we appoint to permit it to disclose the Sub-Processor agreement to you and shall provide (on a confidential basis) all information we reasonably can.
  6. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent that the required information is reasonably available to us, and you do not otherwise have access to the required information, we will provide reasonable assistance to you with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws.
  7. Transfer Mechanisms for Data Transfers.

 

  1. WeConvene shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws.

 

Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

 

  1. You acknowledge that in connection with the performance of the Subscription Services, WeConvene, Inc. is a recipient of European Data in the United States. The parties acknowledge and agree the following:

 

  1. Standard Contractual Clauses: The parties agree to abide by and process European Data in compliance with the Standard Contractual Clauses.

 

  1. Privacy Shield: Although WeConvene, Inc. does not rely on the EU-US Privacy Shield as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as WeConvene, Inc. is self-certified to the Privacy Shield WeConvene Inc will process European Data in compliance with the Privacy Shield Principles and let you know if it is unable to comply with this requirement.

 

  • The parties agree that for the purposes of the Standard Contractual Clauses, (i) WeConvene, Inc. will be the “data importer” and Customer will be the “data exporter” (on behalf of itself and Permitted Affiliates); (ii) the Annexes of the Standard Contractual Clauses shall be populated with the relevant information set out in Annex 1 and Annex 2 of this DPA; (iii) where the WeConvene contracting entity under the Agreement is not WeConvene, Inc., such contracting entity (not WeConvene, Inc.) will remain fully and solely responsible and liable to you for the performance of the Standard Contractual Clauses by WeConvene, Inc., and you will direct any instructions, claims or enquiries in relation to the Standard Contractual Clauses to such contracting entity; and (iv) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

 

  1. To extent that and for so long as the Standard Contractual Clauses as implemented in accordance with this DPA cannot be relied on by the parties to lawfully transfer Personal Data in compliance with the UK GDPR, the applicable standard data protection clauses issued, adopted or permitted under the UK GDPR shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Annex 1 and Annex 2 of this DPA.
  2. If for any reason WeConvene cannot comply with its obligations under the Standard Contractual Clauses or is breach of any warranties under the Standard Contractual Clauses, and you intend to suspend the transfer of European Data to WeConvene or terminate the Standard Contractual Clauses, you agree to provide us with reasonable notice to enable us to cure such non-compliance and reasonably cooperate with us to identify what additional safeguards, if any, may be implemented to remedy such non- compliance. If we have not or cannot cure the non-compliance, you may suspend or terminate the affected part of the Subscription Service in accordance with the Agreement without liability to either party (but without prejudice to any fees you have incurred prior to such suspension or termination).

 

  1. Demonstration of Compliance. We will make all information reasonably necessary to demonstrate compliance with this DPA available to you and allow for and contribute to audits, including inspections conducted by you or your auditor to assess compliance with this DPA and Clause 8.9 of the Standard Contractual Clauses. You acknowledge and agree that you will exercise your audit rights under this DPA by instructing us to comply with the audit measures described in this ‘Demonstration of Compliance’ section. You acknowledge that the Subscription Service is hosted by our data center partners who maintain independently validated security programs (including SOC 2 and ISO 27001) and that our systems are regularly tested by independent third-party penetration testing firms. Upon request, we will supply (on a confidential basis) a summary copy of its penetration testing report(s) to you so that you can verify our compliance with this DPA. Further, at your written request, we will provide written responses (on a confidential basis) to all reasonable requests for information made by you necessary to confirm our compliance with this DPA, provided that you will not exercise this right more than once per calendar year unless you have reasonable grounds to suspect non-compliance with the DPA.

 

8.    Additional Provisions for California Personal Information

 

  1. Scope. The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information.
  2. Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that you are a Business, and we are a Service Provider for the purposes of the CCPA.
  3. Responsibilities. The parties agree that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services and Consulting Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA, including as described in the ‘Data Practices and Service Data section of our Product Privacy Policy.

 

 

9.    General Provisions

 

  1. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, we reserve the right to make any updates and changes to this DPA and the terms that apply in the ‘Amendment; No Waiver’ section of the Master Terms will apply.

 

  1. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

 

  1. Limitation of Liability. Each party and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the ‘Limitation of Liability’ section of the Master Terms and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA). For the avoidance of doubt, if WeConvene, Inc. is not a party to the Agreement, the ‘Limitation of Liability’ section of the Master Terms will apply as between you and WeConvene, Inc., and in such respect any references to ‘WeConvene’, ‘we’, ‘us’ or ‘our’ will include both WeConvene, Inc. and the WeConvene entity that is a party to the Agreement. In no event shall either party’s liability be limited with respect to any individual’s data protection rights under this DPA (including the Standard Contractual Clauses) or otherwise.

 

  1. Governing Law. This DPA will be governed by and construed in accordance with the ‘Contracting Entity; ‘Applicable Law; Notice’ sections of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws.

 

 

10.     Parties to this DPA

  1. Permitted Affiliates. By signing the Agreement, you enter into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer”, “you” and “your” will include you and such Permitted Affiliates.
  2. Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.
  3. Remedies. The parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.
  4. Other rights. The parties agree that you will, when reviewing our compliance with this DPA pursuant to the ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all its Permitted Affiliates in one single audit.

 

 

 

 

Annex 1 – Details of Processing

 

  1. List of Parties Data Exporter:

Name: The Customer, as defined in the WeConvene Terms of Service (on behalf of itself and Permitted Affiliates)

 

Address: The Customer’s address, as set out in the Order Form/Enterprise Agreement.

 

Contact person’s name, position and contact details: The Customer’s contact details, as set out in the Order Form.

 

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the WeConvene Subscription Services under the WeConvene Customer Terms of Service

 

Role (controller/processor): Controller

 

Data Importer:

 

Name: WeConvene, Inc.

 

Address: 99 Wall St, Ste 5353, New York, NY, 10005, USA

 

Contact person’s name, position and contact details: support@weconvene.com

 

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the WeConvene Subscription Services under the WeConvene Customer Terms of Service

 

Role (controller/processor): Processor

 

B.     Description of Transfer

 

Categories of Data Subjects whose Personal Data is Transferred

 

You may submit Personal Data while using the Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.

 

 

 

 

 

 

Categories of Personal Data Transferred

 

You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:

 

  1. Contact Information.

 

  1. Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.

 

Sensitive Data transferred and applied restrictions or safeguards

 

The parties do not anticipate the transfer of sensitive data.

 

Frequency of the transfer

 

Continuous

 

Nature of the Processing

 

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

 

  1. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or

 

  1. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable

 

Purpose of the transfer and further processing

 

We will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.

 

Period for which Personal Data will be retained

 

Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing and/or in accordance with Federal, State and International Laws.

 

 

 

 

 

 

C.     Competent Supervisory Authority

For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either:

 

  1. where Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer’s compliance with the GDPR;

 

  1. where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Customer’s representative is established; or

 

  1. where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. In relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable)

 

 

Annex 2 – Security Measures

 

This Annex forms part of the DPA.

We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Master Terms.

A.     Access Control

  1. Preventing Unauthorized Product Access

 

Outsourced processing: We host our Service with AWS. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs to protect data where it is processed or stored by these vendors.

 

Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. Who attest to physical and environmental security controls which are audited for SOC 2 Type II and ISO 27001 compliance.

 

Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data. We also provide optional Multi Factor Authentication and SSO for all our customers.

 

Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure.

The authorization model in each of our products is designed to ensure that only the appropriately

 

 

 

 

assigned individuals can access relevant features, views, and customization options (logical separation). Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

 

Application Programming Interface (API) access: Public product APIs may be accessed using an API key.

  1. Preventing Unauthorized Product Use

 

We implement industry standard access controls and detection capabilities for the internal networks that support its products.

 

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.

 

Penetration testing: We maintain relationships with industry recognized penetration testing service providers for annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack and potential abuse scenarios.

 

  1. Limitations of Privilege & Authorization Requirements

 

Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “timed” requests for access; all such requests are logged. Employees are granted access by role.

 

Background checks: All WeConvene employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All WeConvene employees are required to conduct themselves in a manner consistent with company guidelines, Non-Disclosure requirements, and ethical standards.

B.      Transmission Control

 

In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of the interfaces of the WeConvene Service. Our HTTPS implementation uses industry standard algorithms and certificates.

 

At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.

C.    Input Control

 

Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal

systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

 

 

 

 

Response and tracking: We maintain a record of known incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated relevant personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.

 

D.     Availability Control

 

Infrastructure availability: We use commercially reasonable efforts to ensure a minimum of 99.99% uptime. Our infrastructure providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

 

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

 

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

 

 

 

 

 

 

Annex 3 – List of Sub-Processors

 

 

Third Party Sub- Processor

Purpose

Applicable Service

US Data Center Sub- Processor Location: United States

EU Data Center Sub-Processor Location: EU or Other

Amazon Web Services, Inc.

Hosting & Infrastructure

Used for cloud computing platforms and APIs

United States

UK

Twilio Inc. (SendGrid)

Email functionality

Email delivery

United States

NA

Bloomberg LLP

Content Distribution

Event feed from WeConvene to Bloomberg (Optional for clients)

United States*

NA

OpenExchange Inc.

Integrated service partner

Schedule feed

United States*

NA

Intercomm

Engagement tool

Customer engagement

United States

NA

Mix Panel

Analytics

Analytics

United States

NA

Zendesk

Customer Support

Customer Support

United States

NA

*You may choose not to use the functionality provided by certain Sub-Processors

 

 

 

 

 

 

 

Annex 4 – Standard Contractual Clauses Module Two: Transfer Controller to Processor (C2P)

SECTION I

Clause 1

Purpose and scope

 

  1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

 

  • The Parties:

 

  1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

 

  1. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).

 

  • These Clauses apply with respect to the transfer of personal data as specified in Annex B.

 

  • The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these

 

Clause 2

Effect and invariability of the Clauses

 

  1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
  2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

 

 

 

 

 

Clause 3

Third-party beneficiaries

 

  1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

 

  1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

 

  1. Clause 8 – Clause 1(b), 8.9(a), (c), (d) and (e);

 

  • Clause 9 – Clause 9(a), (c), (d) and (e);

 

  1. Clause 12 – Clause 12(a), (d) and (f);

 

  1. Clause 13;

 

  1. Clause 1(c), (d) and (e);

 

  • Clause 16(e);

 

  • Clause 18 – Clause 18(a) and (b).

 

  1. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

 

Clause 4

Interpretation

 

  1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that

 

  1. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

 

  1. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

 

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

 

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

 

 

 

Clause 7

Docking clause

 

  1. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
  2. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
  3. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a

 

 

SECTION II – OBLIGATIONS OF THE PARTIES

 

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.

  • Instructions

 

  1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the
  2. The data importer shall immediately inform the data exporter if it is unable to follow those

 

  • Purpose limitation

 

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

 

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

 

 

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

  • Security of processing

 

  1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

 

  1. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

  1. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

 

 

 

Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

 

  1. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data

8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

 

  1. the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
  2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
  3. the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  4. onward transfer is necessary in order to protect the vital interests of the data subject or of another natural

 

Any onward transfer is subject to compliance by the data importer with all the other safeguards  under these Clauses, in particular purpose limitation.

  • Documentation and compliance
  1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these
  2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data
  3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data

 

 

 

  1. The data exporter may choose to conduct the audit by itself or mandate an independent Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
  2. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on

 

Clause 9

Use of sub-processors

 

  1. The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 business days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

 

  1. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

 

  1. The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a

 

  1. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that

 

  1. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

 

 

 

 

 

 

 

 

 

 

 

 

Clause 10

Data subject rights

 

  1. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the data
  2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organizational measures, considering the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance
  3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data

 

Clause 11

Redress

  1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle It shall deal promptly with any complaints it receives from a data subject.
  2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
  3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
    1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
    2. refer the dispute to the competent courts within the meaning of Clause 18.

 

  1. The Parties accept that the data subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

 

  1. The data importer shall abide by a decision that is binding under the applicable EU or Member State

 

  1. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable

 

 

 

 

 

 

 

 

 

 

 

Clause 12

Liability

  1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these

 

  1. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub- processor causes the data subject by breaching the third-party beneficiary rights under these

 

  1. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

 

  1. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

 

  1. Where more than one Party is responsible for any damage caused to the data subject because of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

 

  1. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

 

  1. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

 

Clause 13

Supervision

 

  1. The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

 

  1. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

 

 

 

 

 

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

 

Clause 14

Local laws and practices affecting compliance with the Clauses

 

  1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
  2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account of the following elements:

 

  1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
  2. the laws and practices of the third country of destination- including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant considering the specific circumstances of the transfer, and the applicable limitations and safeguards;
  • any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
  1. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these
  2. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
  3. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
  4. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g., technical, or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no

 

 

appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

 

Clause 15

Obligations of the data importer in case of access by public authorities

15.1Notification

 

  1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:

 

  1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
  2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

 

  1. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data

 

  1. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authorities, whether requests have been challenged and the outcome of such challenges, etc.).

 

  1. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent suspensory authority on

 

  1. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these

 

15.2 Review of legality and data minimization

 

  1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law

 

 

 

 

and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits.

 

It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

 

  1. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

 

  1. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the

 

 

 

SECTION IV – FINAL PROVISIONS

 

Clause 16

Non-compliance with the Clauses and termination

  1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
  2. If the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
  3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
    1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
    2. the data importer is in substantial or persistent breach of these Clauses; or
  • the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these

 

In these cases, it shall inform the competent supervisory authority such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

 

 

 

 

  1. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these

 

In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

 

  1. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

 

Clause 17

Governing law

These Clauses shall be governed by the laws of the Republic of Ireland, provided such law allows for third-party beneficiary rights. The Parties agree that these Clauses shall be governed in accordance with the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms. (Without reference to conflicts of law principles)

 

Clause 18

Choice of forum and jurisdiction

 

  1. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
  2. The Parties agree that those shall be the courts of the jurisdiction specified in Clause 17.
  3. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
  4. The Parties agree to submit themselves to the jurisdiction of such courts.

 

 

 

 

 

 

UK AND SWISS ADDENDUM TO THE STANDARD CONTRACTUAL CLAUSES

 

  1. This Addendum amends the Standard Contractual Clauses to the extent necessary, so they operate for transfers made by the data exporter to the data importer, to the extent that the UK GDPR or Swiss DPA (as defined in the WeConvene Data Processing Addendum) apply to the data exporter’s processing when making that
  2. The Standard Contractual Clauses shall be amended with the following modifications:

 

  1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR or Swiss DPA (as applicable);
  2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the UK GDPR or Swiss DPA (as applicable);
  • references to Regulation (EU) 2018/1725 shall be removed;
  1. references to “EU”, “Union” and “Member State” shall be replaced with references to the “UK” or “Switzerland” (as applicable);
  2. Clause 13(a) and Part C of Annex II are not used and the “competent supervisory authority” shall be the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);
  3. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Information Commissioner” and the “courts of England and Wales” or the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland” (as applicable);
  • in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
  • to the extent the UK GDPR applies to the processing, Clause 18 shall be replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”; and
  1. to the extent the Swiss DPA applies to the processing, Clause 18 shall be replaced to state: “Any dispute arising from these Clauses shall be resolved by the competent courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts”.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Appendix – Additional Safeguards Addendum

 

By this Additional Safeguards Addendum to the DPA (this “Addendum”), WeConvene provides additional safeguards to Customer for the processing of personal data, within the scope of the GDPR, by WeConvene on behalf of Customer and additional redress to the data subjects to whom that personal data relates.

 

This Addendum supplements and is made part of, but is not in variation or modification of, the DPA.

 

  1. Challenges to Orders. In the event WeConvene receives an order from any third party for compelled disclosure of any personal data processed under this DPA, WeConvene shall:

 

  1. use every reasonable effort to redirect the third party to request data directly from Customer;
  2. promptly notify Customer, unless prohibited under the law applicable to the requesting third party, and, if prohibited from notifying Customer, use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer as soon as possible; and
  3. use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with applicable law of the European Union or applicable Member State law.

 

If, after the steps described in a. through c. above, WeConvene or any of its affiliates remains compelled to disclose personal data, WeConvene will disclose only the minimum amount of that data necessary to satisfy the order for compelled disclosure.

 

For purpose of this section, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction. 

 

  1. Indemnification of Data Subjects. Subject to Sections 3 and 4, WeConvene shall indemnify a data subject for any material or non-material damage to the data subject caused by WeConvene’s disclosure of personal data of the data subject that has been transferred in response to an order from a non-EU/EEA government body or law enforcement agency in violation of WeConvene’s obligations under Chapter V of the GDPR (a “Relevant Disclosure”). Notwithstanding the foregoing, WeConvene shall have no obligation to indemnify the data subject under this Section 2 to the extent the data subject has already received compensation for the same damage, whether from WeConvene or otherwise.

 

  1. Conditions of Indemnification. Indemnification under Section 2 is conditional upon the data subject establishing, to WeConvene’s reasonable satisfaction, that:

 

  1. WeConvene engaged in a Relevant Disclosure;
  2. the Relevant Disclosure was the basis of an official proceeding by the non-EU/EEA government body or law enforcement agency against the data subject; and
  3. the Relevant Disclosure directly caused the data subject to suffer material or non-material damage. The data subject bears the burden of proof with respect to conditions a. though c. Notwithstanding the foregoing, WeConvene shall have no obligation to indemnify the data subject under Section 2 if WeConvene establishes that the Relevant Disclosure did not violate its obligations under Chapter V of the GDPR.

 

 

 

 

 

  1. Scope of Damages. Indemnification under Section 2 is limited to material and non material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from WeConvene’s infringement of the GDPR.

 

  1. Exercise of Rights. Rights granted to data subjects under this Addendum may be enforced by the data subject against WeConvene irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. The data subject may only bring a claim under this Addendum on an individual basis, and not part of a class, collective, group or representative action. Rights granted to data subjects under this Addendum are personal to the data subject and may not be assigned.

 

  1. Notice of Change. WeConvene agrees and warrants that it has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from the data exporter and its obligations under this Addendum, the 2010 Standard Contractual Clauses, or the 2021 Standard Contractual Clauses and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Addendum or the Standard Contractual Clauses, it will promptly notify the change to Customer as soon as it is aware, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.

 

Acceptable Use Policy

Effective Day April 23, 2025

This Acceptable Use Policy (“Policy”) is incorporated into, and forms part of, the WeConvene’s Terms of Service or WeConvene Enterprise SaaS Agreement between Customer and WeConvene (as applicable, the “Agreement”). Capitalized terms not defined herein have the meaning given to them in the Agreement. This Policy applies to all Customers, Permitted Users and People who use the Services. In the event of a conflict with this Policy and any other terms that apply to you when using a WeConvene Service, this Policy will control to the extent of the conflict.

General

  1. To keep the Services running safely and smoothly, you agree not to and not to permit or encourage anyone else to:
    1. use the Services for any illegal or prohibited purpose or in violation of any applicable laws (including without limitation data protection, privacy, artificial intelligence (AI) and export control laws) in connection with using the Services;
    2. probe, scan, or test the vulnerability of any system or network used with the Services;
    3. tamper with, reverse engineer or hack the Services, circumvent any security or authentication measures of the Services or attempt to gain unauthorized access to the Services (or any portion thereof) or related systems, networks or data (including through spoofing or social engineering);
    4. modify or disable the Services or use the Services in any manner that interferes with or disrupts the integrity or performance of the Services or related systems, network or data;
    5. access or search the Services by any means other than our publicly supported interfaces;
    6. copy, modify, create derivative works of, distribute, or disclose any part of the Services in any medium, including without limitation by any automated or non-automated “scraping”;
    7. access or use the Services in order to monitor its availability, performance, or functionality for competitive purposes;
    8. overwhelm or attempt to overwhelm our infrastructure by imposing an unreasonably large load on the Services that consume extraordinary resources, such as by: (i) using “robots,” “spiders,” “offline readers” or other automated systems to send more request messages to our servers than a human could reasonably send in the same period of time using a normal browser; or (ii) going far beyond the use parameters for any given Service (including WeConvene’s Public API Infrastructure) as described in its corresponding documentation;
    9. use the Services to generate or send unsolicited communications, advertising, phishing or spam, or otherwise cause WeConvene to become impaired in its ability to send communications on its own or on its customers’ behalf (e.g., by causing WeConvene to become registered on any Email DNS blocked list or otherwise be denied services by any other third-party communications service provider);
    10. misrepresent yourself or disguise the origin of any data, content or other information you submit (including by “spoofing”, “phishing”, manipulating headers or other identifiers, impersonating anyone else, or falsely implying any sponsorship or association with WeConvene or any third party) or access the Services via another user’s account without their permission;
    11. Submit (or post, upload, display, share, instruct to be used or otherwise provide) data, content, fonts or other information, that (i) you don’t have the right to utilize (including confidential or personal information you are not authorized to disclose) or which otherwise infringes WeConvene’s or a third party’s intellectual property or other rights; (ii) and/or is deceptive, manipulative, exploitative, fraudulent, bullying, threatening, misleading, illegal, obscene, defamatory, libelous, threatening, harmful to minors, pornographic, indecent, harassing, hateful, violent, encourages illegal or tortious conduct, is religiously, racially or ethnically offensive, or is otherwise inappropriate in WeConvene’s discretion; (iii) contains viruses, malware, bots, worms, scripting exploits or other similar materials; or (iv) could otherwise cause damage to WeConvene or any third party;
    12. use meta tags or any other “hidden text” including WeConvene’s or our suppliers’ product names or trademarks; or
    13. engage in any activity that may result in unlawful bias or discrimination of an individual or group of individuals.

 

Remedies

A violation of this Policy is a violation of the Agreement. Without affecting any other remedies available to us, WeConvene may permanently or temporarily terminate or suspend a user’s account or access to the Services without notice or liability if WeConvene (in its sole discretion) determines that a user has violated this Acceptable Use Policy.

European Digital Services Act Notice

Effective day April 23, 2025

This page includes information relevant to the EU Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC) (the “DSA”).

Compliance with the Digital Services Act

WeConvene complies with the DSA to ensure a safe and transparent online environment. We are committed to protecting user rights and data, adhering to the DSA’s requirements and cooperating with EU authorities.

Designated Point of Contact

Pursuant to Articles 11 and 12 of the DSA, the following alias has been designated as WeConvene’s single point of contact for communications with Member State authorities, the European Commission, the European Board for Digital Services, and recipients of the WeConvene Service.

  • Attn: DSA Notice, WeConvene Inc, 99 Wall Street, Ste 5353, New York, NY, 10005
  • Email: support@weconvene.com

Communications should be in English.

Report WeConvene Services content

WeConvene Services customers in the European Union and other countries are able to report prohibited or illegal content directly from within their WeConvene account.

WeConvene is committed to addressing concerns promptly and ensuring that all content adheres to our terms and policies.

We will assess reported content and take action, including removal, if it violates our terms and policies or applicable laws.

Transparency reports

In accordance with Article 15 DSA, we are obliged to publish an annual transparency report on any content moderation in which we engage. Such reports will be available here on request from support@weconvene.com.