Each party shall comply with the legal requirements under Data Protection Laws. “Data Protection Laws” means all applicable laws, rules, regulations, or implementing legislation that relate to the data privacy or security of personal data of individuals, including, as applicable: (A) the General Data Protection Regulation 2016/679 (“GDPR”), as well as any other applicable national rule and legislation on the protection of personal data in the European Union or any Member State that is already in force or that will come into force during the term of this DPA; (B) the United Kingdom Data Protection Act of 2018 and the GDPR as it forms part of UK domestic law under the European Union (Withdrawal) Act 2018, as amended (“UK GDPR”); and (C) the California Consumer Privacy Act (“CCPA”), and any other data protection laws substantially amending, replacing, or superseding the CCPA. The terms “personal data,” “processing,” “personal data breach,” and “data subject”, or similar terms, have the meaning given in the Data Protection Laws.
1. Controller hereby instructs Processor to process personal data for providing the Services described in the Agreement and Annex 1 to this DPA.
Processor will process personal data only on behalf of Customer to deliver Services in accordance with the Agreement or Customer’s other documented instructions. Specifically, Processor shall only process personal data for the purpose of Processor providing the agreed upon Services under the Agreement. Processor shall not retain, use, or disclose Customer’s personal data: (a) for any purpose (including, but not limited to, any commercial purpose) other than to perform the Agreement or any related exhibits, schedules or statements of work; or (b) outside of the direct business relationship between Customer and Processor. Processor further warrants and represents that Processor will not: (i) sell (as defined in the CCPA) any personal data; (ii) retain, use, or disclose any personal data for any purpose other than for the specific purpose of providing the Services and as otherwise permitted by the CCPA, including not retaining, using, or disclosing personal data for a commercial purpose (as defined in the CCPA) other than provision of the Services; or (iii) retain, use, or disclose the personal data outside of the direct business relationship between Customer and Processor. Notwithstanding anything in the Agreement, the parties acknowledge and agree that Processor’s access to personal data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
Processor certifies that it understands the restrictions set forth under this Section 1 and will at all times comply with them.
2. Processor undertakes to take the technical, organizational and structural measures necessary to ensure the security, integrity and confidentiality of the personal data it processes in connection with this DPA as described in Annex 2 to the DPA and this Section 2. In particular, Processor will take security measures to prevent any personal data breach, including with respect to:
a. destruction, alteration, misuse or loss of the personal data made accidentally or without authorization of the Controller;
b. disclosure of or access to the personal data in an accidental or non-authorized manner; or
c. any form or purpose of processing of the personal data which would be unlawful, unauthorized or not provided for in this DPA.
Security measures shall provide in particular that:
a. premises where personal data is processed are secured;
b. authentication/identification mechanisms to access personal data on information systems are in place;
c. a password policy is implemented and enforced;
d. the network and the information systems are protected against intrusions and other attacks;
e. backups of personal data are regularly performed; and
f. the personnel and the staff of the third party processors processing personal data are properly trained on confidentiality, integrity, and availability measures.
3. Controller agrees that Processor may use subprocessors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. Annex 3 to the DPA lists sub-processors that are currently engaged by Processor or its affiliates to carry out processing activities with respect to Customer’s personal data. Controller generally authorizes Processor or its affiliates to engage subprocessors, provided that Processor or its affiliate:
a. provides 10 days’ prior advance notice to Controller and gives Controller an opportunity to object to the addition or replacement of subprocessors (provided that Controller will not object except with reasonable cause);
b. executes a written contract with each subprocessor with the similar or more protective obligations and data protection measures contained in this DPA and Annex 2 to this DPA, and provide a copy of such contracts to Controller upon Controller’s written request; and
c. remains fully responsible and liable for any actions and omissions of subprocessors.
4. Processor will comply with all requirements of this DPA and Data Protection Laws with respect to all personal data received from or processed for Controller. Without limiting the generality of the foregoing, Processor will:
a. ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
b. take all measures required to protect Customer’s personal data, including, without limitation, implementing and maintaining reasonable safeguards appropriate to protect Customer’s personal data;
c. process Customer’s personal data only on documented instructions from Customer, unless required to do so by law to which Vendor is subject; in such a case, the Vendor will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
d. taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Laws; and
e. assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.
Processor will immediately inform the Controller if, in its opinion, an instruction from Controller infringes Data Protection Laws, or if Processor believes that it cannot comply with any instruction or any requirements under this DPA.
5. Processor will without undue delay, and within the period specified by applicable law, inform the Controller of any personal data breach. Processor will, at a minimum, provide the following details:
a. the nature of the personal data breach; and
b. an estimation of the number of data subjects involved, and, where possible, their names.
Processor will promptly investigate such personal data breach and will provide Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify data protection authorities or data subjects) of Controller in relation to such personal data breach.
6. Upon termination of the Agreement (in whole or in part) or earlier upon Controller’s request, and at Controller’s choice, Processor will, unless any applicable law, competent court, or supervisory or regulatory body prevents Processor from returning or destroying the personal data transferred:
a. destroy all personal data processed and any copies thereof and certify to Controller on request that Processor has done so; or
b. in accordance with Controller’s instructions, return all personal data processed and the copies thereof to Controller or other recipient identified by Controller.
7. Processor may monitor and audit (either through self-audit or third-party audit) its own compliance with its obligations under Data Protection Laws and this DPA (“Company Audit”) and will provide Controller with such Company Audit (if one is performed) upon Controller’s written request (except that Processor will provide such Company Audit no more than once per calendar year).
8. Upon Controller’s request, Processor shall, no more than once per calendar year make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the processing of Controller’s personal data. To the extent required by Data Protection Laws and if Controller requires information in addition to such reports, Processor shall make available to Controller on request all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Controller or an auditor mandated by Controller, not being competitors of Processor (“Mandated Auditor”) of any premises where the processing of Customer’s personal data takes place in order to assess compliance with this DPA (a “Customer Audit”). Processor shall provide reasonable cooperation to Controller with respect to a Customer Audit. Controller agrees that: (a) a Customer Audit may only occur during normal business hours, and where possible only after reasonable notice to Processor (not less than 20 days’ advance written notice); (b) a Customer Audit will be conducted in a manner that does not have any adverse impact on Processor’s normal business operations; (c) Controller and any Mandated Auditor will comply with Processor’s standard safety, confidentiality, and security procedures in conducting any Customer Audit; (d) any records, data, or information accessed by Controller or any Mandated Auditor in the performance of any Customer Audit will be deemed to be the Confidential Information of Processor; and (e) a Customer Audit shall be at the Customer’s sole cost and expense. If the controls or measures to be assessed in a request for a Customer Audit are addressed in a Company Audit, Controller agrees to accept such Company Audit in lieu of requesting a Customer Audit.
9. Processor will assist Controller, to the extent reasonably possible, to comply with applicable law in a reasonable time. Without limiting the generality of the foregoing, Processor will assist Controller with any data protection impact assessment and consultation procedures, if any that relate to the Services provided by Processor to Controller and the personal data that Processor handles for Controller.
10. Processor will assist Controller with any data subject access, portability, correction, erasure or blocking requests and objections. If Processor receives any request from data subjects, data protection authorities, or others relating to its data processing, Processor will immediately inform Controller and assist Controller with developing a response (but Processor will not itself respond, except per instructions from Controller). Processor will also assist Controller with the resolution of any request or inquiries that Controller receives from data protection authorities relating to Processor and, if and to the extent requested by Controller, cooperate with any authorities’ requests.
11. Processor will notify Controller without undue delay:
a. about any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and
b. about any complaints and requests received directly from data subjects (e.g., regarding access, rectification, erasure, data portability, objection to processing of data, automated decision-making), and assist Controller with a response and resolution of the request, but not respond until Controller provides instructions.
12. With respect to any transfers of personal data originating from the European Economic Area or Switzerland to Processor in a country whose laws have not been deemed by the European Commission to provide an adequate level of protection for personal data, and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws, the parties agree to comply with the relevant terms of the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Transfer controller to processor) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), which are incorporated into this DPA by reference (the “EU SCCs”). The parties hereby agree that details in Annex 1 to this DPA will be used to complete Annex I of the EU SCCs, and details in Annex 2 to this DPA will be used to complete Annex II of the EU SCCs. In accordance with Clause 2 of the EU SCCs, the parties wish to supplement the EU SCCs with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to contradict the EU SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects. Processor (as “data importer”) and Controller (as “data exporter”) therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the EU SCCs, including without limitation the following:
a. The instructions described in Clause 8.1(a) are as set forth in Sections 1 and 4(c) of this DPA.
b. In the event a data subject requests a copy of the EU SCCs or this DPA in accordance with Clause 8.3 of the EU SCCs, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
c. Certification of deletion of personal data under Clause 8.5 and Clause 16(d) of the EU SCCs shall be provided upon the written request of data exporter.
d. Data importer shall be deemed in compliance with Clause 8.8 of the EU SCCs to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
e. Any information requests or audits provided for in Clause 8.9 of the EU SCCs shall be fulfilled in accordance with Sections 7 and 8 of this DPA.
f. Pursuant to Clause 9(a) Option 2 of the EU SCCs, data exporter agrees that data importer may engage new subprocessors as described in Section 3 of this DPA. With respect to Clause 9 of the EU SCCs, the parties select the time period set forth in Section 3 of this DPA.
g. The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 12(a), 12(d), and 12(f) of the EU SCCs.
h. The parties agree that, for purposes of Clause 13 of the EU SCCs, the data exporter’s competent supervisory authority will be determined in accordance with the GDPR EU SCCs, the data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
i. Section 6 of this DPA, which governs termination, shall apply to a termination pursuant to Clause 14(f) or Clause 16 of the EU SCCs.
j. With respect to Clause 17 of the EU SCCs, the parties select the law of Ireland.
k. With respect to Clause 18 of the EU SCCs, the parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Ireland.
l. With respect to transfers of personal data originating from Switzerland: (i) the term “member state” as used in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland of suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs; (ii) the EU SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Act of Data Protection (FADP) on or about 1 January 2023; (iii) references to the GDPR or other governing law contained in the EU SCCs shall also be interpreted to include the FADP; and (iv) the parties agree that the supervisory authority as indicated in Clause 13 and Annex I.C of the EU SCCs shall be the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland.
In the event of a direct conflict between the terms of this DPA and the terms of the EU SCCs, the EU SCCs will control. The EU SCCs shall automatically terminate once the Customer’s personal data transfer governed thereby becomes lawful under Data Protection Laws in the absence of such EU SCCs on any other basis and acknowledged by the parties.
13. With respect to any transfers of personal data originating from the United Kingdom to Processor in a country whose laws have not been deemed by the government of the United Kingdom to provide an adequate level of protection for personal data, and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws, the parties agree to comply with the relevant terms of the United Kingdom’s standard contractual clauses for international transfers from controllers to processors (available at: https://ico.org.uk/media/for-organisations/documents/2620100/uk-sccs-c-p-202107.docx), which are incorporated into this DPA by reference (the “UK SCCs”). The parties hereby agree that details in Annex 1 to this DPA will be used to complete Appendix 1 of the UK SCCs, and details in Annex 2 to this DPA will be used to complete Appendix 2 of the UK SCCs. In accordance with Clause 10 of the UK SCCs, the parties wish to supplement the UK SCCs with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to overlap or contradict the UK SCCs (whether directly or indirectly), reduce the level of protection that the data importer is required to provide for personal data, or to reduce the rights of data subjects or make it more difficult for them to exercise their rights. Processor (as “data importer”) and Controller (as “data exporter”) therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the UK SCCs, including without limitation the following:
a. In the event a data subject requests a copy of the UK SCCs or this DPA in accordance with Clause 4(h) of the UK SCCs, data exporter data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
b. The instructions described in Clause 5(a) are as set forth in Section 1 of this DPA.
c. Any information requests or audits provided for in Clauses 5(f) and 12(2) of the UK SCCs shall be fulfilled in accordance with Sections 7 and 8 of this DPA.
d. Pursuant to Clause 5(h) of the UK SCCs, data exporter acknowledges and expressly agrees that data importer may engage new subprocessors as described in Section 3 of this DPA.
e. Copies of any subprocessor agreements required to be sent to data exporter under Clause 5(j) of the UK SCCs shall only be sent upon data exporter’s written request. The parties agree that data importer may remove or redact all commercial information unrelated to the UK SCCs or their equivalent beforehand.
f. Certification of deletion of personal data as described in Clause 12(1) of the UK SCCs shall be provided upon the written request of data exporter.
g. Section 6 of this DPA, which governs termination, shall apply to a termination pursuant to Clauses 5(a) and 5(b) of the UK SCCs.
h. The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 6(2) of the UK SCCs.
In the event of a direct conflict between the terms of this DPA and the terms of the UK SCCs, the UK SCCs will control. The UK SCCs shall automatically terminate once the Customer’s personal data transfer governed thereby becomes lawful under Data Protection Laws in the absence of such UK SCCs on any other basis and acknowledged by the parties.
14. All obligations under this DPA apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Processor.
15. In case of any conflict or inconsistency, the order of precedence in respect of the processing of personal data shall be: the Annexes to this DPA, this DPA, and then the Agreement.
16. This DPA shall not restrict the Data Protection Laws. If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
17. This DPA shall commence on the date that the Agreement is deemed agreed to by the Customer.
Annex 1: Subject Matter and Details of the Data Processing
|Full description of the Services provided by the Processor||Processor provides Controller hosted data storage, sharing, and collaboration services during the term of the Controller’s subscription for Services.|
|Types of data subject whose personal data is Processed||The data subjects may include Controller or third party’s customers, employees, suppliers, end-users, and other third-parties.|
|Types of personal data processed||Workspace Content (to the extent to which in contains “personal data”) that is uploaded by Controller or its invited End Users to Controller’s Online Room created using the Services.|
|The purpose, nature and subject matter of the processing||The purpose, nature and subject matter of the processing of personal data by Processor, under this DPA, are those processing operations which are necessary to provide the Services which are referred to herein.|
|Duration of processing||The term of the Controller’s subscription to the Services.|
|Frequency of the transfer||Continuous basis during the term of the Agreement.|
|The period for which the personal data will be retained||Duration of performance of the Services, except as required by applicable law or if related Workspace Content is earlier deleted by Controller or authorized end-user.|
|Sensitive Data||No sensitive data expected by the parties.|
Annex 2: Security Measures
“Security Measures” shall be defined as:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
• the encryption of Customer’s personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to Customer’s personal data in a timely manner in the event of a physical or technical incident;
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
In furtherance of the above definition and the measures described in Section 2 of the DPA, Processor shall take the following specific Security Measures set forth below.
1. Physical access control
Measures to prevent unauthorized persons from gaining access to data processing systems for processing or using Customer’s personal data:
• Definition of persons who are granted physical access;
• Electronic access control;
• Issuance of access IDs;
• Implementation of policy for external individuals;
• Security doors (electronic door opener, ID reader); and
• Implementation of measures for on-premise security (e.g. intruder alert/notification).
2. Logical access control
Measures to prevent unauthorized persons from using data processing equipment and procedures:
• Definition of persons who may access data processing equipment;
• Implementation of policy for external individuals; and
• Password protection of personal computers.
3. Data access control
Measures that ensure that persons entitled to use a data processing system gain access only to such Customer’s personal data as they are entitled to accessing in accordance with their access rights:
• Allocation of separate terminals/work stations and of ID-parameters exclusively to specific functions;
• Implementation of partial access rights for respective data and functions;
• Requirement of identification vis-à-vis the data processing system (e.g. via ID and authentication)
• Implementation of policy on access- and user-roles; and
• Evaluation of protocols in case of damaging incidents.
4. Data transfer control
Measures to ensure that Customer’s personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Customer’s personal data by means of data transmission facilities can be established and verified.
5. Entry control
Measures to ensure that it is possible to check and ascertain whether Customer’s personal data have been entered into, altered or removed from data processing systems and if so, by whom:
• Logging of data entry.
6. Control of instructions
Measures to ensure that Customer’s personal data are processed strictly in compliance with Customer’s instructions:
• Documentation of distinction of competences and obligations between Customer and Processor;
• Formal assignment process; and
• Control of work results.
7. Availability control
Measures to ensure that Customer’s personal data is protected against accidental destruction or loss:
• Realization of a regular backup schedule;
• Control of condition and respective labelling of data carriers for data backup purposes;
• Implementation and regular control of emergency power systems and overvoltage protection systems;
• Implementation of an emergency plan; and
• Protocol on the initiation of crisis- and/or emergency management.
8. Control of data set separation
Logical separation of data of each of Processor’s customers.
9. Strong encryption
Strong encryption for the transport and storage of personal data (transport encryption and data-at-rest encryption). Strong encryption includes:
• Transport encryption is used for which it is ensured that the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of the third country;
• Encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and to be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them;
• Strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved; and
• Encryption algorithm is implemented by properly maintained software in accordance with industry standards.
Processor: (a) has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, except as required for Processor’s regular management of the system or personal data; (b) has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, except as required for Processor’s regular management of the system or personal data; and (c) is not aware of any national law or government policy that would require the importer to create or maintain back doors or to facilitate access to personal data or systems or for the Processor to hand over the encryption key.
Annex 3: Subprocessors
Processor uses the following subprocessors in the performance of the Service.
|Amazon AWS||Seattle, WA USA|
|Brightcove||Boston, MA USA|
|Google Workspaces||Mountain View, CA USA|