Data Processing Addendum

This Data Processing Addendum (“Addendum”) reflects the parties’ agreement with respect to the terms governing the processing of Customer Personal Data under (1) the Vidalytics Terms of Service found at https://www.vidalytics.com/terms; or (2) any applicable superseding written master agreement with Vidalytics. This Addendum is an amendment to the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an order, or an executed amendment to the Agreement. Upon its incorporation into the Agreement, this DPA will form part of the Agreement.

Except as modified below, the terms of the Agreement shall remain in full force and effect. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this Addendum and the Agreement, this Addendum will control. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses will control.

1. Definitions. The terms used in this Addendum shall have the meanings set forth in this Addendum or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement.  The following terms have the meanings set forth below:

1.1 “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Vidalytics is subject, including, but not limited to, (a) the California Consumer Privacy Act of 2018, as amended (“CCPA”), (b) the EU General Data Protection Regulation 2016/679 including the applicable implementing legislation of each Member State (“EU GDPR”), (c) the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”), (d) the Swiss Federal Act on Data Protection of 19 June 1992, as amended (“FADP”), (e) any other applicable law with respect to any Personal Data to which Vidalytics is subject, and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.

1.2 “Data Subject” shall mean an identified or identifiable natural person.

1.3 “EEA” means the European Economic Area.

1.4 “Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by Vidalytics, on behalf of Customer, in connection with Vidalytics’ performance of the Services.

1.5 “Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters.

1.6 “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.

1.7 “Security Breach” means a breach of Vidalytics’ security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Vidalytics’ possession, custody or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. 

1.8 “Services” shall mean the services as described in the Agreement or any related order form or statement of work.

1.9 “Standard Contractual Clauses” means (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), and (b) with respect to restricted transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK SCCs”).

1.10 “Subprocessor” shall mean any subcontractor engaged by Vidalytics to Process Personal Data on behalf of Customer.

1.11 “Supervisory Authority” shall mean: (a) in the context of the UK GDPR the UK Information Commissioner’s Office; and (b) in the context of the EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.

2. Processing Requirements.

2.1 Vidalytics shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Customer’s instructions, and as may subsequently be agreed between the Parties in writing.  Vidalytics shall promptly inform Customer if (a) in Vidalytics’ opinion, an instruction from Customer violates Applicable Privacy Law; or (b) Vidalytics is required by applicable law to otherwise Process Personal Data, unless Vidalytics is prohibited by that law from notifying Customer under applicable law. The details of processing are set forth in Exhibit A. 

(a) updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Customer from time to time;

(b) canceling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Customer;

(c) otherwise facilitating Customer’s responses to Data Subject requests as required under Applicable Privacy Law; and

(d) Vidalytics shall promptly redirect any request from a Data Subject to exercise any of its Data Subject rights to Customer and shall not respond directly to the Data Subject unless instructed so by Customer in writing.

2.3 The parties acknowledge that Vidalytics has not and will not receive any monetary or other valuable consideration in exchange for their receipt of the Personal Data, and that any consideration paid by Customer to Vidalytics under the Agreement relates only to Vidalytics’ provision of the Services. Vidalytics shall not (a) sell or share (as such terms are defined under the CCPA) Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services; (c) retain, use, or disclose Personal Data outside of the direct business relationship between the Customer and Vidalytics; or (d) combine the Personal Data with any other personal information, except as permitted under Applicable Privacy Law.

2.4 Vidalytics shall provide to Customer such cooperation, assistance and information as Customer may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Customer’s provision of the Services, and (b) within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy Authority.

2.5 To the extent Vidalytics receives deidentified data from Customer or the Services allow for the deidentification of Personal Data, Vidalytics shall not reidentify, attempt to reidentify, or direct any other party to reidentify any Personal Data that has been deidentified.

2.6 Vidalytics shall ensure that persons authorized to access Personal Data commit themselves to confidentiality or are under an appropriate obligation of confidentiality.

3. Security of Personal Data.  

3.1 Vidalytics shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as set forth in Exhibit B. 

3.2 Vidalytics shall ensure the reliability of any employees who Process Personal Data.

4. Customer Obligations.

(a) Customer’s Security Responsibilities. Customer is solely responsible for its use of the Services, including (a) obtaining any needed consents or authorizations for Vidalytics to Process Personal Data; (b) without limitation of Vidalytics’ obligations under Section 3 (Security of Personal Data), making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (c) securing the account authentication credentials, systems and devices Customer uses to access the Services; (d) securing Customer’s systems and devices that Vidalytics uses to provide the Services; and (e) backing up Personal Data.

(b) Prohibited Data. Customer represents and warrants to Vidalytics that Personal Data provided to Vidalytics under the Agreement does not and will not, without Vidalytics’ prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 13 years of age; or any information that falls within any special categories of data (as defined in GDPR).

5. Subprocessors

5.1 Customer hereby authorizes Vidalytics to appoint the Subprocessors specified in Exhibit C. Vidalytics shall provide Customer prior notice of any additional or replacement Subprocessors. After being notified, Customer must notify Vidalytics within fourteen (14) business days of any reasonable objection it has to such Subprocessors. In the event Customer provides a reasonable objection, Vidalytics will use commercially reasonable efforts to make a change in processing under the Agreement to avoid Processing of Personal Data by such Subprocessor. If Vidalytics is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the Services provided under the Agreement in respect only to those services which cannot be provided by Vidalytics without the use of the objected-to Subprocessor, by providing written notice to Vidalytics. Upon termination by Customer pursuant to this section, Vidalytics shall refund Customer any prepaid fees for the terminated portions of the Service that were to be provided after the effective date of termination.

5.2 Vidalytics shall remain liable for any Processing of Personal Data by each such Subprocessor as if it had undertaken such Processing itself.

5.3 Vidalytics will contractually impose data protection obligations on its Subprocessors that are no less onerous than those imposed on Vidalytics under this Addendum.

6. Breach Notification

6.1 Notification to Customer.  Unless otherwise prohibited by applicable law, Vidalytics shall notify Customer without undue delay after Vidalytics confirms a Security Breach.  Such notification shall include, to the extent such information is available (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned).  In addition, Vidalytics shall communicate to Customer (i) the name and contact details of Vidalytics’ data protection officer or other point of contact where more information can be obtained, (ii) a description of the likely consequences of the Security Breach, (iii) a description of the measures taken or proposed to be taken by Vidalytics to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.  

6.2 Investigation. Vidalytics shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.

7. Privacy Impact Assessment. Vidalytics shall, promptly upon receipt of written request by Customer (a) make available to Customer such information as is reasonably necessary to demonstrate Customer’s compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist Customer in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to Vidalytics.  Vidalytics shall reasonably cooperate with Customer to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment.  Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, Customer shall not make any such request more than once in any 12-month period.

8. Audit Rights. Customer may audit Vidalytics’ compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by Applicable Data Privacy Laws, including where mandated by Customer’s Supervisory Authority.  Vidalytics will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance that Vidalytics considers appropriate in the circumstances and reasonably necessary to conduct the audit. Any audits are at Customer’s sole expense.  Customer shall reimburse Vidalytics for any time expended by Vidalytics and any third parties in connection with any audits or inspections under this Section 8 at Vidalytics’ then-current professional services rates, which shall be made available to Customer upon request.  Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.  

9. Deletion of Personal Data. Vidalytics shall return and/or delete Personal Data in accordance with the applicable provisions in the Agreement.

10. Transfers out of the EEA. If Customer transfers Personal Data out of the EEA to Vidalytics in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the EU SCCs, the terms of which are hereby incorporated into this Addendum. In furtherance of the foregoing, the Parties agree that:

10.1 Customer will act as the data exporter and Vidalytics will act as the data importer under the EU SCCs;

10.2 For purposes of Annex I to the EU SCCs, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Exhibit A;

10.3 For purposes of Annex II to the EU SCCs, the technical and organizational measures shall be as set out in Exhibit B;

10.4 The optional docking clause in Clause 7 of the EU SCCs shall be included;

10.5 The audits described in Clause 8.9 of the EU SCCs shall be performed in accordance with Section 7 of this Addendum;

10.6 Section 4 (Subprocessors) of this Addendum shall constitute the procedures for Vidalytics to request general authorization for Subprocessors under Clause 9(a)(Option 2) of the EU SCCs;

10.7 The optional language in Section 11(a) of the EU SCCs shall not be included;

10.8 For Clause 13, the following language shall apply: The supervisory authority with responsibility for ensuring compliance by the data exporter with the GDPR shall act as competent supervisory authority;

10.9 Option 1 of Clause 17 shall apply, and the EU SCCs will be governed by the law of the Member State of the supervisory authority with responsibility for ensuring compliance by the data exporter with the GDPR; and

10.10 Any dispute arising from the EU SCCs shall be resolved by the courts of the Member State of the supervisory authority with responsibility for ensuring compliance by the data exporter with the GDPR.

11. Transfers out of the UK. If Customer transfers Personal Data out of the UK to Vidalytics in a country not deemed by the UK Government to have adequate data protection, such transfer will be governed by the UK SCCs, the terms of which are hereby incorporated into this Addendum. Vidalytics shall provide a copy of the signed version of the UK SCCs to Customer upon request. In furtherance of the foregoing, the parties agree that Tables 1 through 4 of the UK SCCs shall be satisfied by the following information:

11.1 Table 1: Reference to Table 1 shall be satisfied by the information in Exhibit A.

11.2 Table 2: For Table 2, the version of the Approved EU SCCs shall be the EU SCCs, Controller to Processor module.

11.3 Table 3: Reference to Table 3 shall be satisfied by the information in Exhibit A.

11.4 Table 4: For Table 4, the Exporter and Importer shall have the rights outlined in Section 19 of the UK SCCs.

12. Transfers out of Switzerland. For transfers from Switzerland, references in the EU SCCs shall be interpreted to include the following applicable terminology and statutory terms: (a) the Federal Data Protection and Information Commissioner is the competent supervisory authority; (b) Swiss law (or the law of a country that allows and grants rights as a third party beneficiary for contractual claims regarding data transfers pursuant to the FADP shall be the applicable law for contractual claims under Clause 17 of the EU SCCs; (c) Switzerland is to be considered as a Member State within the meaning of the EU SCCs; (d) data subjects with their regular place of residence in Switzerland are allowed to bring a lawsuit in Switzerland against either the data exporter or the data importer in accordance with Clause 18(c) of the EU SCCs; and (e) references to the GDPR are to be understood as references to the FADP.

13. Claims. Any claims brought under, or in connection with, this Addendum, shall be subject to the exclusions and limitations of liability set forth in the Agreement.

14. Amendments. The Parties acknowledge and agree that, to the extent the Services contemplate the processing of Personal Data that is subject to Applicable Privacy Laws that require additional terms in this Addendum, the Parties shall enter into an amendment to this Addendum that addresses such additional terms.

Exhibit A – Details of Processing

Data Exporter

The data exporter is the entity identified as the "Customer" in the Addendum in place between data exporter and data importer and to which this Exhibit is appended.

Data Importer

The data importer is the entity identified as “Vidalytics” in the Addendum in place between data exporter and data importer and to which this schedule is appended.

Subject Matter and Duration of the Processing

As between the parties, Customer shall be the Controller of certain Customer Personal Data provided to Vidalytics by Customer in connection to its use of Services. The duration of the processing shall be the term of the Agreement.

Purposes of the Processing

Processing is necessary to enable Vidalytics to provide the Services to Customer and exercise its rights and obligations under the Agreement.

Data Subjects

The data subjects may include Customer’s employees and other users authorized by Customer to use the Services, and prospects and customers of Customer.

Categories of Personal Data

Categories of personal data include identification and contact information such as name, email address, phone number, country of residence; browsing/viewing data; IP address; usage data; other data obtained through cookies; conversion data.

Special categories of data (if appropriate)

Not applicable. Customer may not use the Services to process any data classified as “special category data” unless explicitly agreed in writing.

Processing Operations

Vidalytics shall process the Customer Personal Data only as necessary to provide the Services and exercise its rights and obligations as contained in the terms of the Agreement and this Addendum.

Exhibit B – Security Measures

Vidalytics will implement and maintain the security measures set out in this Exhibit B. Vidalytics reserves the right to revise these security measures at any time, without notice, so long as such revisions do not materially reduce the protection provided for Personal Data that Vidalytics processes in the course of providing the Services.

  • Organizational management and staff responsible for the development, implementation and maintenance of Vidalytics’ information security controls. Executive leadership is involved in reviewing and approving all security policies.

  • Audit and risk assessment procedures for the purposes of periodic review and assessment of security risks to Vidalytics’ organization, monitoring compliance with Vidalytics’ policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

  • Logical separation of data, restricted (e.g., role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data.

  • Personal Data is encrypted in transit using Transport Layer Security. TLS is active on all accounts by default and cannot be disabled by end users. Personal Data (including backups) is encrypted at rest with Advanced Encryption Standard (AES).

  • Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.

  • User IDs and password configuration requirements have been established that are designed to prevent unauthorized access to production systems.

  • Vidalytics’ production resources are hosted in Google Cloud Platform. Physical and environmental security is handled entirely by Google and its vendors. Google has provided a list of compliance and regulatory security assurances, including representations of SOC 2 and ISO27001 compliance.

  • Operational procedures and controls to provide for application deployment and change management, capacity management, and separation of development, testing and production.

  • Incidents are handled in accordance with Vidalytics’ incident response plan. Designated personnel are responsible for managing the response process in accordance with the incident response plan, completing investigations, mitigation, and coordinating any external communications that may be necessary.

  • Vidalytics implements vulnerability assessment and threat protection technologies and scheduled monitoring procedures to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

  • Business continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

Exhibit C – List of Vidalytics’ Subprocessors

  • Google Cloud Platform: Cloud hosting provider

  • Bitmovin: Video BI

  • Zapier: Lead / customer data transfer to third party services, and tracking of viewer video events

  • ActiveCampaign: CRM

  • Intercom: Customer Support Software

  • Sendgrid: Emailing service for customer communications

  • AppCues: Product onboarding and announcements

  • Mixpanel: Customer analytics

  • FirstPromoter: Affiliate tracking platform

  • Chargify: Subscription processing

  • Google Analytics: Customer analytics, and tracking of viewer video events

  • Meta: Tracking of viewer video events

  • High Level: Tracking of viewer video events

  • Segment: Tracking of viewer video events

  • Hubspot: Tracking of viewer video events

  • Make: Tracking of viewer video events