Data Processing Agreement
This Data Processing Agreement (“DPA”) is hereby entered into by and between Wochit, Inc. (“Wochit” or “Company”) and you, the customer, Publisher (as defined in the applicable master services agreement “MSA” or “Agreement” signed between the parties) on behalf of itself and its Affiliates (collectively “Customer”), each a “party” and collectively, the “parties”.
This DPA forms an integral part of the binding Agreement, and sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data, during the course of the Agreement. This DPA amends any previous terms relating to the Processing of Personal Data. This DPA shall be effective as of the date both parties sign the below (“Effective Date”).
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
This DPA applies to the extent that EU Data Protection Law applies to the Processing of Personal Data under the Agreement, including if:
- the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or
- the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party.
Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistical information.
- “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
- “Customer Data” means any and all Data Subject’s Personal Data processed by Company through the course of the Agreement or shared between the parties, all as detailed in Annex 1 attached herein.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach”, “Special Categories of Personal Data” and “Supervisory Authority” shall have the meanings given in EU Data Protection Law.
- “EU Data Protection Law” means the (i) General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing (v) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- “Security Incident” means any security breach relating to any Personal Data elements leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data within, Personal Data transmitted, stored or otherwise processed; including without limitation the meaning assigned to it under paragraph 12 of Article 4 of the GDPR. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Breach.
- “Services” means the Wochit online video creation platform used by Customer for the purpose of creating and producing customized and marketing videos.
2. RELATIONSHIP OF THE PARTIES
The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, Wochit is the Data Processor and the Customer is the Data Controller. Each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the Data Protection Law. The subject-matter and duration of the Processing carried out by the Company as a Processor, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex A attached herein.
3. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
In performing its obligations under the Agreement, the Customer may provide or upload through the Service Personal Data to the Company. The Customer shall collect, process and share Personal Data in compliance with the Data Protection Law, industry standards and its obligations herein. Further, the parties shall treat such Personal Data as Confidential Information. Without derogating from the aforesaid, the Customer hereby warrants and represents it is in compliance with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data. The Company represents and warrants that it shall Process Personal Data, as set forth under Article 28(3) of the GDPR and Annex 1 attached herein, on behalf of the Customer, solely to provide the Services and solely in accordance with the Customer’s instructions. Notwithstanding the above, in the event required under applicable laws, Wochit may Process Personal Data other than as instructed by the Customer, in such event Wochit shall make best efforts to inform the Customer of such requirement unless prohibited under applicable law.
Each party shall identify and provide contact details for the applicable contact point within its organization, authorized to respond to inquiries concerning Processing of the Personal Data or its Data Protection Officer (“DPO”), as applicable. In the event of a change of the below contact person or DPO’s identity, each party shall provide updated contact details.
5. CONSENT REQUIREMENTS & RIGHTS OF THE DATA SUBJECT
As between the parties, the Customer undertakes, accepts and agrees that Wochit relies on Customer’s lawful basis (as required under Data Protection Law) to Process the Customer Data. In the event consent is required under Data Protection Law, the Customer shall: (i) ensure that it obtains consent from Data Subjects and displays all necessary and applicable notices in accordance with the Data Protection Law as well as enable lawful transfer of the Personal Data to Wochit; (ii) maintain a record of all consents obtained from Data Subject, including the time and date on which consent was obtained, the information presented to Data Subject; and (iii) record of the withdrawals of consent by Data Subject. The Customer shall make these records available to Wochit promptly upon request.
It is agreed that where either party receives a request from a Data Subject or an applicable Supervisory Authority in respect of Personal Data Controlled or Processed by the other party, where relevant, the party receiving such request will direct the Data Subject or the Supervisory Authority to the other party, as applicable, in order to enable the other party to respond directly to the Data Subject’s request. Each party shall reasonably cooperate and assist the other party in handling of a Data Subject’s or a Supervisory Authority’s request, to the extent permitted under Data Protection Law.
Customer acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). Customer hereby authorizes Wochit to engage and appoint such Sub-Processors to Process Personal Data. Wochit may continue its engagement with its current Sub-Processors as of the date of this DPA as detailed in Annex 2 attached hereto. In the event Wochit shall appoint a new Sub-Processor, it shall provide a written notice, whether by general or specific reference to such Sub-Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub-Processor (“Sub-Processor Notice”). Wochit will enter into separate contractual arrangements with such Sub-Processors binding them to comply with obligations in accordance with Data Protection Law and this DPA. Notwithstanding the above, the Customer may object to the appointment of the new Sub-Processor, as follows: (i) Customer shall provide Wochit with prior written notice no later than seven (7) days following the receipt of the Sub-Processor Notice, detailing the Customer’s objection, based on reasonable grounds, to the appointment of the new Sub-Processor; (ii) Wochit shall take reasonable steps to address the objections raised by Customer and shall report these steps in writing to the Customer; and (iii) within three (3) days of receipt of Wochit’s notice regarding the steps taken, the Customer may notify Wochit it does not find such steps taken sufficient to settle its objections. In the event the Customer did not provide such notification, it will constitute its approval of the Sub-Processor. In the event the Customer further objects, each party may terminate the relationship upon a written notification effective immediately, without liability.
7. DELETION OF PERSONAL DATA
As the Processor, the Company shall promptly, and no later than within sixty (60) days of termination, delete or pseudonymize all copies of the Personal Data obtained through the Customer, except such copies as authorized or required to be retained in accordance with applicable law or regulation and except for the applicable video content which will be kept and stored on the Company’s servers until deleted directly by the Customer. In addition, Wochit may retain the Personal Data to the extent authorized or required by applicable laws.
8. TECHNICAL AND SECURITY MEASURES
Each party shall implement appropriate technical and organizational measures to protect the Personal Data and its security, confidentiality and integrity and the Data Subject’s rights, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing the Personal Data, as well as the risk of varying likelihood and severity for the consumer’s rights, in order to ensure a level of security appropriate to that risk, including measures such as access control, auditing, encrypted transmission of data, encrypted storage and physical protections in line with industry best practices, all in accordance with the Data Protection Laws. A description of the technical and organizational measures implemented by Wochit is available at: https://www.wochit.com/security (“Security Information Page”). Wochit may update or modify the Security Information Page from time to time, provided that such updates and modifications will not result in the degradation of the overall security of the Personal Data. Wochit takes reasonable steps to ensure that its personnel’s access to the Personal Data is limited on a need to know or access basis, and that its personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access or use of the Personal Data.
9. SECURITY INCIDENT
In the event either party suffers a confirmed Security Incident, then such party shall notify the other party, by means of any applicable communication, without undue delay. The parties shall cooperate in good faith to agree and take applicable actions as may be necessary to mitigate or remedy the effects of the Security Incident. A notification of a Security Incident by Wochit shall not constitute an acknowledgement by Wochit of any liability with respect to applicable Personal Data related to the Security Incident.
10. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Following written request by Customer, Wochit shall provide reasonable assistance, at Customer’s expense, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Data Protection Laws. Such assistance shall be solely in relation to Processing of Personal Data provided by Wochit.
11. AUDIT RIGHTS
Wochit shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Personal Data (“Audit”). The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). Wochit may object in writing to an auditor appointed by the Customer in the event Wochit reasonably believes the auditor is not suitably qualified or independent, a competitor of Wochit or otherwise manifestly unsuitable (“Objection Notice”). In the event of an Objection Notice, the Customer will appoint a different auditor or conduct the Audit itself. The Customer shall bear all expenses related to the Audit and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Wochit’s premises, equipment, personnel and business while its personnel are on such premises in the course of such Audit. Wochit will reasonably cooperate with the Customer by providing available additional information concerning the security measures, in the event further information is needed by the Customer in order to comply with a competent Supervisory Authority’s request, the Customer will inform Wochit in writing to enable it to provide such information or to grant needed access, at Wochit’s sole discretion. In the event the Audit discovers non-compliance activity by Wochit, the Customer shall promptly notify Wochit of such conclusion.
12. DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.
Each party shall take out and maintain insurance policies to the value sufficient to meet their respective liabilities under or in connection with this DPA and the Agreement. Upon a party’s request, the other party will provide evidence that such insurance is in place. The total combined liability of either party towards the other party and its Affiliates under or in connection with the DPA will be limited to any liability cap set between the parties.
Details of Processing of Personal Data
This Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Duration of the Processing of Personal Data
The term of this DPA shall commence and terminate along with the term of the Agreement.
The nature and purpose of the Processing of Personal Data
To provide the Services as set forth in the Agreement
The types of Personal Data Processed
Customer data (e.g. title, name, address, and contact details of Customer)
Contact data (e.g. Full name and email address)
Personal Data of the Customer’s employees.
Personal Data included in the content uploaded to the Services
The categories of Data Subject to whom the Personal Data relates
Customer’s employees based in the EEA or users of the Services established in the EEA.
The obligations and rights of the Customer and its Affiliates
As set forth in the Agreement and this DPA.
Amazon Web Services – Cloud server provider