Data Processing Terms

Effective from 16 June 2026

Client’s use of the Services is subject to the Vista Cloud Standard Terms located at https://cloud.vista.co/vista-cloud-agreement, in addition to these following Data Processing Terms (“Terms”). By executing the Vista Key Terms or otherwise accessing and using the Services, the Client agrees to be bound by these Terms. Any capitalised terms used but not otherwise defined below have the meaning given to those terms in the Vista Cloud Standard Terms.

1. Definitions

1.1. For the purposes of these Terms, the following capitalised words have the following meanings:

Data Protection Laws means applicable legislation governing the protection of Personal Data collected by Client and Processed by Vista under the Agreement, including the following (as amended and replaced from time to time):

Australian Privacy Act 1988 (Cth) and the associated Australian Privacy Principles;

Canadian Privacy Laws, including the Personal Information Protection and Electronic Documents Act (Canada) and any applicable provincial privacy legislation;

U.S. Privacy Laws, including California Consumer Privacy Act of 2018 (California Civil Code §§1798.100 et seq.), as amended (including the California Privacy Rights Act), and implementing regulations and any comparable applicable U.S. state privacy laws;

Swiss Federation Act on Data Protection (FADP);

GDPR, which means Regulation (EU) 2016/679 (EU GDPR) or UK GDPR, as applicable;

UK GDPR, which means the EU GDPR as incorporated into UK law under the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);

Brazilian General Data Protection Law (LGPD) (Law No. 13,709/2018),

together with any binding regulations, guidance, determinations, or codes of practice issued by competent Supervisory Authorities, and any other applicable local data protection laws governing the Processing of Personal Data under the Agreement.

Protected Area means any country, territory, sector or international organisation recognised by the competent authority under applicable Data Protection Laws - including under the GDPR - as providing an adequate level of protection for Personal Data such that a transfer of Personal Data is permitted without the need for additional transfer mechanisms.

Sensitive Data means: (a) Personal Data that is classified as sensitive, special category, sensitive personal information, or an analogous term under applicable Data Protection Laws; or (b) Sensitive Authentication Data (which means the data that a PCI DSS prohibits from storing after authorisation, including card verification values or codes, full magnetic-stripe or equivalent data, PINs and PIN blocks, and any authentication data used to verify the cardholder at the point of transaction).

Transfer Mechanism means any legally recognised instrument or safeguard under applicable Data Protection Laws that permits the cross-border transfer of Personal Data to a country, territory, sector, or international organisation that does not provide an adequate level of protection, including:

(a) Standard Contractual Clauses (SCCs) adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 (EU SCCs);

(b) the UK International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner in accordance with s.119A of the Data Protection Act 2018;

(c) adaptations or addenda to the EU SCCs required under the FADP;

(d) SCCs issued by the Brazilian National Data Protection Authority (ANPD) under the LGPD; and

(e) any equivalent contractual clauses, binding corporate rules, or other approved transfer mechanisms under applicable Data Protection Laws.

Vista means the relevant Vista entity as set out in the Key Terms.

The terms “Business”, “Business Purposes”, “Consumer”, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process, Processed or Processing”, “Sell”, “Service Provider”, “Sub-Processor”, “Supervisory Authority” and “Third Party” have the same meaning given to them (or equivalent expressions) in the Data Protection Laws.

2. Description of Personal Data Processing

2.1. To the extent that Vista Processes Personal Data on behalf of Client, Client acknowledges Vista acts as Data Processor in relation to the Processing of Personal Data, and Client remains the Data Controller. In carrying out their respective obligations under the Agreement, and to the extent Client Data or Generated Data includes Personal Data, the parties agree to act in accordance with their respective obligations under these Terms and to comply with their respective obligations under Data Protection Laws.

2.2. Notwithstanding anything to the contrary herein:

(a) Pursuant to the CCPA, Vista may operate as a Business, Service Provider, or a Third Party with respect to Personal Data, when providing Services to Client.

(b) Client acknowledges and agrees that in order to provide the Services described in the Agreement, Vista must Process and use Client Personal Data and other Personal Data.

2.3. Exhibit A sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of data subject as required by Article 28(3) of the GDPR or equivalent provisions of any Data Protection Laws.

3. Data Processing Terms

3.1. Where Vista Processes Client Personal Data, Vista will:

(a) Process the Personal Data solely on Client’s documented instructions (whether in the Agreement or otherwise), for the purposes of providing the Service or as otherwise required by applicable law or the Agreement. If Vista is required by applicable law to Process the Personal Data for any other purpose, Vista will inform Client of this requirement first, unless such law(s) prohibit this;

(b) notify Client immediately if, in Vista's opinion, an instruction for the Processing of Personal Data given by Client infringes applicable Data Protection Laws, it being acknowledged that Vista will not be obliged to undertake additional work to determine if Client's instructions are compliant;

(c) take reasonable steps to ensure the reliability of any staff who may have access to such Personal Data, and their treatment of the Personal Data as confidential and otherwise in accordance with the Agreement;

(d) promptly refer to Client any requests, notices or other communication applicable to Client from Data Subjects or any Supervisory Authority or privacy commissioner, for Client to resolve and, subject to clause 3.4, provide reasonable assistance to Client in responding to such communication;

(e) provide such information to Client as Client may reasonably require, and within the timescales reasonably specified by Client, to allow Client to comply with the rights of Data Subjects, including subject-access rights, or with notices served by the Supervisory Authority or privacy commissioner;

(f) within ninety (90) days of termination of the Agreement, (at Client’s option) return to Client or delete all Personal Data Processed under the Agreement unless Vista is required to continue Processing the data according to applicable law;

(g) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with Vista’s Processing of the Personal Data, including the minimum security measures set out in Exhibit B to these Terms;

(h) promptly notify Client upon becoming aware of any Personal Data Breach;

(i) on request and subject to clause 3.4, provide Client with reasonable assistance in carrying out its obligations under Articles 32 to 36 of the GDPR, and any equivalent provisions under other Data Protection Laws, where applicable;

(j) on reasonable prior notice, provide Client with information to demonstrate compliance with Vista's obligations under the Agreement and, at Client's expense, and subject to at least ten (10) days’ prior written notice, submit to audits conducted by Client under the GDPR (where applicable) provided always that:

i) any such audit is carried out within Vista’s normal business hours;

ii) no more than one such audit will be conducted per calendar year;

iii) Vista will not be required to provide or permit access to:

A. information relating to other Clients of Vista;

B. information relating to internal Vista pricing;

C. internal reports prepared by Vista internal audit function and non-public external reports; and

iv) any third party auditor engaged by Client to carry out such audit enters into such confidentiality obligations with Vista (or its Sub-Processor as the case may be) as may be necessary to respect the confidentiality of Vista (or its Sub-Processor's) business interests and any third party data or information that the auditor becomes aware of during an audit.

3.2. To the extent Vista Processes Personal Data for Client as a Service Provider under CCPA, Vista will not: (a) Sell such Personal Data; (b) retain, use, or disclose such Personal Data for any purpose other than performing the Services specified in this Agreement (or as otherwise permitted by the CCPA); or (c) retain, use, or disclose such Personal Data outside of the direct business relationship between Client and Vista. Vista certifies that it and each of its employees, agents, and representatives who will receive such personal information understand, and will comply with, the restrictions set forth in this clause 3.2. Client is responsible for determining whether its sharing of Personal Data under the Agreement is a Sale or otherwise impacts Client’s legal obligations. If Client deems the disclosure and usage of Personal Data as permitted under the Agreement constitutes a Sale or otherwise modifies Client’s notice and choice obligations to individuals under Data Protection Law, then Client agrees to provide such notice and choice as required under Data Protection Law.

3.3. To the extent that the disclosure of Personal Data as contemplated by the Agreement is deemed to be a Sale, the disclosing Party will inform the other Party of any “Do Not Sell” or opt-out request received from a Consumer requiring that the Party in receipt of the request refrain from selling that Consumer’s Personal Data. Upon notice of such a request, each Party will promptly cease any sale of that Consumer’s Personal Data.

3.4. Vista will be responsible for costs and expenses incurred by Vista in complying with its obligations as a Data Processor or Service Provider under these Terms unless otherwise agreed by the Parties. Client will be responsible for costs and expenses incurred by Client in complying with its obligations as a Data Controller or Business under these Terms unless otherwise agreed by the Parties. Unless stated otherwise in these Terms, Vista reserves its right to charge Client additional reasonable fees for any assistance provided by Vista to Client to assist Client to comply with its obligations as a Data Controller under these Terms which go beyond any reasonable level of support/assistance, such fees to be pre-agreed by the Parties in writing.

3.5. Client will not provide Sensitive Data to Vista via the Services or otherwise. Where Vista becomes aware that it has received Sensitive Data, Vista will promptly notify Client in writing and delete from its systems all Sensitive Data (unless Vista is required to continue Processing the Sensitive Data according to applicable law). Vista will have no liability to Client or any third party in respect of any Sensitive Data provided to Vista.

4. Transfers of Personal Data outside of the Protected Area

4.1. Vista will not, and will ensure that none of its Affiliates or Sub-Processors, transfer, access or use Personal Data outside of the Protected Area except in accordance with a valid Transfer Mechanism or with the Client’s prior written authorisation.

4.2. Client authorises Vista to use the Sub-Processors listed on the Vista Cloud Sub-Processors page available at https://www.vista.co/list-of-sub-processors (as updated in accordance with clause 5 of these Terms), including the related data transfers, and Vista will ensure that each authorised Sub-Processor implements an appropriate Transfer Mechanism.

4.3. If any Transfer Mechanism relied upon by the Parties is invalidated, withdrawn or otherwise becomes unusable, or if a Supervisory Authority requires the suspension of transfers made under that mechanism, the Parties will cooperate in good faith to implement an alternative Transfer Mechanism to ensure the lawful continuation of the relevant transfers.

5. Sub-Processing

5.1. Client authorises Vista to appoint third party Sub-Processors to assist in the management and provision of the Service provided Vista has entered into an agreement with the Sub-Processor which imposes obligations on the Sub-Processor no less onerous than as are imposed on Vista under these Terms. Vista’s use of Sub-Processors will not relieve it of any liability, and Vista will remain liable to Client for the performance of the Sub-Processors’ obligations. The list of current Sub-Processors used by Vista is set out on the Vista Cloud Sub-Processors page available at https://www.vista.co/list-of-sub-processors and Vista will notify Client of any additional Sub-Processor 10 days in advance. If Client reasonably objects to a new Sub-Processor, Client may inform Vista in writing of the reasons for Client’s objections. If Client objects to such additional Sub-Processor(s) within such notice period, Client should stop using the Service and providing data to Vista and Vista may terminate the Agreement by providing written notice to Client with immediate effect and the Parties’ obligations on termination will apply in accordance with clause 9.3 of the Standard Terms. Client hereby specifically consents to Vista's appointment of its Affiliates as Sub-Processors for the purposes of assisting Vista to provide the Service under the Agreement.

6. General

6.1. The provisions of these Terms are supplemental to the provisions of the Agreement and will not reduce either Party’s obligations under the Agreement in relation to the protection of Personal Data. In the event of inconsistencies between the provisions of these Terms and the provisions of the Agreement the provisions of these Terms will prevail.

6.2. The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to Data Protection Laws, including applicable regulatory or self-regulatory guidance.

Exhibit A – Personal Data and Sub-Processors

1. Overview: This Exhibit A includes certain details of the Processing of the Personal Data as may be required by applicable Data Protection Laws.

2. Subject matter and duration of the Processing of the Personal Data: The subject matter and duration of the Processing of the Personal Data is the provision of the Services pursuant to the Agreement.

3. The nature and purpose of the Processing of the Personal Data: Vista may access, collect and Process Client’s Personal Data where Vista provides the Services to Client pursuant to the Agreement, including where Client provides Vista with access to Client’s systems for the purposes of providing the Support Services. Where possible, the Parties will work together to ensure that Personal Data is anonymised by Client prior to any transfer to Vista for Processing. Vista may also Process the Personal Data for the applicable purposes set out in clause 7.2 of the Standard Terms and for any additional purposes applicable to the SaaS Service as specified in the Key Terms.

4. The categories of the Personal Data to be Processed: The types of Personal Data to be Processed commonly include, but are not limited to, the following information uploaded by Client into the Services (as applicable):

(a) title; full name; address; email address; phone number(s);

(b) user account information, including: username; user ID; and transaction history;

(c) loyalty scheme member information - this is highly configurable by Client, but may include member name; member ID; gender; date of birth; email address; phone number; photo; preferences for contact, movie genres, locations;

(d) transactional and programme history (e.g. duration of membership, movies watched, sales channels where the customer transacted) (Movio Cinema EQ only);

(e) recognitions (rewards applied to that customer account such as points, free tickets, discounts) (Movio Cinema EQ only);

(f) payment card information, including:

i) credit card details: truncated PAN (first six and last four digits), cardholder’s name as recorded on the card, expiry tokens or network reference IDs, and card expiry date, but excluding Sensitive Authentication Data, which Client must not upload directly through the Services; and

ii) gift card details; and

(g) any additional Personal Data applicable to the Services as specified in the Key Terms or a Statement of Work; and

(h) any other information uploaded by Client into the SaaS Applications.

5. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.

6. The categories of Data Subject to whom the Personal Data relates: Client employees, end users, patrons, guests and Client business contacts.

7. Frequency of transfer (e.g. whether on a one-off or continuous basis) (EU standard contractual clauses only): Continuous (ad-hoc).

8. Sub-Processors: The Sub-Processors set out on the Vista Cloud Sub-Processors page available at https://www.vista.co/list-of-sub-processors may act as Sub-Processors in accordance with these Terms (as applicable).

Exhibit B – Security measures

1. Overview

1.1. This Exhibit B sets out the security measures which Vista will take to ensure a level of security for the Personal Data appropriate to the level of the risk.

1.2. Any SaaS Application delivered under the Agreement is installed within Vista’s subscription with the Cloud Service Providers.

1.3. Under the Agreement, Client may request assistance from Vista support personnel in providing the Support Services, which may include the use of Vista Affiliates in accordance with clause 4.1 of the Data Processing Terms above. In order to adequately provide the Support Services, Vista and its Affiliates may need (i) to access the SaaS Application located in Vista’s subscription with the Cloud Service Providers for the purpose of diagnosing the reason for the incident or issue; or (ii) a copy of the applicable SaaS Application’s database to be transferred to Vista premises to aid in further investigations.

2. Remote Support

2.1. For any SaaS Service, Client acknowledges and accepts that Vista’s support personnel will have access to the subscription and therefore data stored within, including Personal Data, for the purposes of delivering the Support Services.

3. Anonymised Database to Vista Offices

3.1. Where Vista is required to retrieve a copy of Client’s database back to Vista’s premises (the Database) to perform the requested Support Services and any Personal Data in that Database is not required to perform such Support Services, the Parties will work together in good faith to anonymise the Database prior to transfer as set out in this clause 3.

3.2. Prior to transferring the Database to Vista by uploading such Database on Vista’s servers, Client will, or Vista will on Client’s behalf:

(a) run a tool provided by Vista that identifies the type of Database and anonymises any Personal Data in the Database; and

(b) encrypt the Database. Only Vista can decrypt the Database to a useable state.

3.3. Where the Database is no longer required by Vista to carry out the requested Support Services, Vista will promptly and securely destroy the Database.

4. Non-anonymised database to Vista offices

4.1. In the rare event that Vista is required to retrieve a copy of a Database back to Vista’s premises and any Personal Data in that Database is required to perform the Support Services, Vista will only work on a non-anonymised Database with the written approval of Client’s nominated Representative(s) (email to suffice).

4.2. Vista will securely hold and destroy the non-anonymised Database in accordance with the prescribed methods outlined in paragraph 5 below.

5. Confidentiality and security

5.1. In addition to the security methods detailed above, Vista will implement the following common measures and Processes set out below. Vista will:

(a) ensure the use of role-based access and login to sections with Personal Data (including the option of follow-up on/adjustment of role-based access) and that only authorised devices and authorised relevant personnel with a work-related need for Processing have access to the Personal Data. For example, only Vista’s support personnel will connect to Vista’s subscription with the Cloud Service Providers;

(b) ensure that any employee who changes roles within Vista does not retain access to Personal Data unless such Personal Data is required for their new role. When an employee leaves Vista, Vista will ensure that they do not have access to, or take with them, any Personal Data or business critical information. Vista will ensure that no previous employees or external consultants have access rights to the Vista systems holding Personal Data;

(c) ensure use of pseudonymisation and encryption of Personal Data where reasonably feasible;

(d) use secure/encrypted transfer of Personal Data on the open internet;

(e) ensure appropriate physical security of Personal Data, including:

• fit appropriate locks or other physical controls to the doors and windows of rooms where computers are kept;

• destroy or remove all Personal Data from media such as CDs before disposing of them; and

• ensure that all Personal Data is removed from the hard drives of any used computers before disposing of them.

(f) implement best practice access controls, including:

• best practice password procedures must be in place, including using strong passwords; and

• industry standard hard drive encryption for internal or external hard drives; and

(g) ensure suitable firewall and infrastructure logging to ensure the ongoing logging of failed login attempts or attacks on Vista systems, including logging of time, user, etc., and block access after a certain number of failed login attempts for each user.

6. Integrity and availability

6.1. Vista will protect Personal Data, Vista’s networks, systems and logs against tampering.

6.2. Vista will ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, including by backing-up data.

7. Resilience

7.1. Vista will have a vulnerability management program, including regular monitoring of potential vulnerabilities and performance of penetration tests of networks and Vista systems.

7.2. The vulnerability management program will include, but is not limited to:

(a) performing vulnerability scans on internal and external perimeters at least quarterly;

(b) performing penetration tests on external network perimeters at least annually or more frequently where incidents disclose the need for such tests; and

(c) following up on and remedying any weaknesses identified in connection with such scans and tests.

7.3. On an ongoing basis, Vista will keep networks and systems up to date with regard to new versions, updates, and patches.

7.4. Vista will keep Vista networks and systems up to date with regard to new versions, updates, and patches on an ongoing basis.

8. Awareness, training and security checks in relation to Vista representatives

8.1. Vista will perform appropriate reference checks on all new employees.

8.2. Vista will provide training to new employees regarding information security and ensure that they read and understand Vista’s internal policies related to information security and data protection. Vista will ensure that employees know where to find details of information security standards and procedures relevant to their role and responsibilities.

9. Incident response management and business continuity

9.1. Vista will ensure that employees understand what a Personal Data Breach and a security incident mean, and train employees to recognise the signs thereof and to respond appropriately.

9.2. Vista will have a Security Incident Response Plan (Plan) in place in the event of a serious security incident. The Plan will be regularly reviewed and will be reviewed after every Personal Data Breach and security incident in which the Plan is used and updated according to the lessons learned.

10. Monitoring

10.1. Vista will monitor and keep up to date all security measures, processes and risk analyses.

10.2. Vista will implement a process for periodical testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the Processing, including, but not limited to, the measures set out in these Terms.

10.3. Vista will implement procedures for effectively following up on non-compliance.