Data Processing Agreement
This Data Processing Agreement (“DPA”) is hereby entered into by and between Wochit, Inc., its Affiliated companies and subsidiaries (“Wochit” or “Company”) and you, Wochit’s customer (as defined in the applicable master services agreement “MSA” or “Agreement” signed between the parties) on behalf of itself and its Affiliates (collectively “Customer”), each a “party” and collectively, the “parties”.
This DPA forms an integral part of the binding Agreement, and sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data, during the course of the Agreement. This DPA shall be effective as of the effective date of the Agreement (“Effective Date”).
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
This DPA applies, among others, to the extent that:
- EU Data Protection Law (as defined below) applies to the Processing of Personal Data under the Agreement, including if:
- the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or
- the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party.
- the Personal Data relates to California Consumers, as defined below.
Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistical information.
- “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
- “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings assigned to them under EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such terms are defined in the CCPA. “Personal Data” shall also mean and refer to “Personal Information”, as such terms are defined in the CCPA.
- “Customer Data” means any and all Data Subject’s Personal Data processed by Company through the course of the Agreement or shared between the parties.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
- “EU Data Protection Law” means the (i) General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing; and (v) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party.
- “Services” means the Wochit online video creation platform used by Customer for the purpose of creating and producing customized and marketing videos.
- RELATIONSHIP OF THE PARTIES
- PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law, and the Customer acknowledges that, taking into account the nature of the Processing, Wochit is not in a position to determine whether the Customer’s instructions infringe applicable Data Protection Law; and (ii) it will comply with EU Data Protection Law, specifically with regards to the lawful basis principle for Processing Personal Data, as well as the CCPA provisions. Wochit represents and warrants that it shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Customer’s instructions including the Agreement and this DPA. Notwithstanding the above, in the event Wochit is required under applicable laws to Process Customer Data other than as instructed by Customer, Wochit shall make its best efforts to inform the Customer of such requirement prior to Processing such Customer Data, unless prohibited under applicable law. The Customer shall not share with Wochit Special Categories of Data, as well as any Personal Data that contains data relating to children under 16 years old.
- DATA SUBJECT RIGHTS
As between the parties, the Customer undertakes, accepts and agrees that Wochit relies on Customer’s lawful basis (as required under Data Protection Law) to Process the Customer Data. In the event consent is required under Data Protection Law, the Customer shall: (i) ensure that it obtains consent from Data Subjects and displays all necessary and applicable notices in accordance with the Data Protection Law as well as enable lawful transfer of the Personal Data to Wochit; (ii) maintain a record of all consents obtained from Data Subject, including the time and date on which consent was obtained, the information presented to Data Subject; and (iii) record of withdrawals of consent by Data Subject. The Customer shall make these records available to Wochit promptly upon request.
It is agreed that where Wochit receives a request from a Data Subject or an applicable Supervisory Authority in respect of Customer Data, it will direct the Data Subject or the Supervisory Authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or applicable authority’s request, unless otherwise required or prohibited under applicable laws. Wochit shall reasonably cooperate and assist the Company in handling of a Data Subject’s or a Supervisory Authority’s request, to the extent permitted under Data Protection Law.
- NO SALE OF PERSONAL INFORMATION
It is hereby agreed that any share of Personal Data between the parties is made solely for fulfilling a Business Purpose and Wochit does not receive or process any Personal Data in consideration for the Services. Thus, such Processing of Personal Data shall not be considered as a Sell, as defined under the CCPA.
Each party shall provide contact details for the applicable contact point within its organization, authorized to respond to inquiries concerning Processing of the Personal Data or its Data Protection Officer (“DPO”), as applicable. Wochit DPO can be contacted at: email@example.com
Customer acknowledges that Wochit may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). Customer hereby authorizes Wochit to engage and appoint such Sub-Processors to Process Personal Data. Wochit may continue its engagement with its current Sub-Processors as of the date of this DPA as detailed in Annex 1 attached hereto. In the event Wochit shall appoint a new Sub-Processor, it shall provide a written notice, whether by general or specific reference to such Sub-Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub-Processor (“Sub-Processor Notice”). Wochit will enter into separate contractual arrangements with such Sub-Processors binding them to comply with obligations in accordance with Data Protection Law. Notwithstanding the above, the Customer may object to the appointment of the new Sub-Processor, as follows: (i) Customer shall provide Wochit with prior written notice no later than three (3) days following the receipt of the Sub-Processor Notice, detailing the Customer’s objection, based on reasonable grounds, to the appointment of the new Sub-Processor; (ii) Wochit shall take reasonable steps to address the objections raised by Customer and shall report these steps in writing to the Customer; and (iii) within three (3) days of receipt of Wochit’s notice regarding the steps taken, the Customer may notify Wochit it does not find such steps taken sufficient to settle its objections. In the event the Customer did not provide such notification, it will constitute its approval of the Sub-Processor. In the event the Customer further objects, each party may terminate the relationship upon a written notification effective immediately, without liability.
- TECHNICAL AND SECURITY MEASURES
Wochit shall implement appropriate technical and organizational measures to protect the Customer Data and its security, confidentiality and integrity and the Data Subject’s rights, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing the Customer Data, as well as the risk of varying likelihood and severity for the consumer’s rights, in order to ensure a level of security appropriate to that risk. A description of the technical and organizational measures implemented by Wochit is available at: https://www.wochit.com/security (“Security Information Page”). Wochit may update or modify the Security Information Page from time to time, without notice. Wochit takes reasonable steps to ensure that its personnel’s access to the Personal Data is limited on a need to know or access basis, and that its personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access or use of the Personal Data.
- SECURITY INCIDENT
In the event Wochit suffers a confirmed Security Incident, Wochit shall notify the Customer, by means of applicable communication. Wochit shall cooperate in good faith to agree and take applicable actions as may be necessary to mitigate or remedy the effects of the Security Incident. A notification of a Security Incident by Wochit shall not constitute an acknowledgement by Wochit of any liability with respect to applicable Personal Data related to the Security Incident.
- DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Upon written request by Customer, Wochit shall provide reasonable assistance, at Customer’s expense, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Data Protection Laws.
- AUDIT RIGHTS
Wochit shall make available, upon reasonable prior written notice of at least thirty (30) days and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Personal Data (“Audit”). The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). Wochit may object in writing to an auditor appointed by the Customer in the event Wochit reasonably believes the auditor is not suitably qualified or independent, a competitor of Wochit or otherwise manifestly unsuitable (“Objection Notice”). In the event of Objection Notice, the Customer will appoint a different auditor or conduct the Audit itself. The Customer shall bear all expenses related to the Audit and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing any damage, injury or disruption to Wochit’s premises, equipment, personnel and business. Wochit will reasonably cooperate with the Customer by providing available additional information concerning the security measures, in the event further information is needed by the Customer in order to comply with a competent Supervisory Authority’s request, the Customer will inform Wochit in writing to enable it to provide such information or to grant needed access, at Wochit’s sole discretion. In the event the Audit will discover non-compliance activity by Wochit, the Customer shall promptly notify Wochit of such conclusion.
- DATA TRANSFER
Where EU Data Protection Law applies, the Processor shall not transfer to a territory outside of the EEA unless the Processor has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, EU standard contractual clauses or US Privacy Shield. The Customer hereby acknowledges and approves that during the course of the Services, the Company may transfer and store Personal Data in servers located in the US, to the extent that the transfer is in compliance with EU data protection law.
The total combined liability of either party towards the other party and its Affiliates under or in connection with the DPA will be limited to any liability cap set between the parties.
In the event of inconsistencies between the provisions of this DPA and the Agreement, the terms of this DPA shall prevail. This DPA is not intended to and does not in any way limit or derogate from Customer’s own obligations and liabilities towards Wochit under the Agreement or pursuant to the Data Protection Laws. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
ANNEX 1 – SUB PROCESSORS
Amazon Web Services – Cloud server provider