Data processing agreement

General terms

1. Definitions

   All capitalised words used herein and not otherwise expressly defined below shall have the meaning assigned thereto in the Agreement.

   “Agreement” refers to an indivisible whole consisting of the Purchase Order (if any), the GTC, the Privacy Policy, and this DPA, accepted by the Subscriber before using api.video Services.

   “Applicable Data Protection Law” means, all laws, regulations and other national and European standards applicable to the processing of personal data implemented under the Agreement, including in particular Regulation (EU) No. 2016/679 of 27 April 2016 on the protection of personal data (hereinafter "GDPR") and all national laws of the Member States of the European Union adopted in addition to or in application of the provisions of the GDPR such as, and not limited to, the law n°78-17 of January 6, 1978 relating to data processing, files and freedoms, as well as, where applicable, laws, regulations and other national, European and international standards applicable to the processing of electronic communications data, the use of tracking technologies such as cookies and direct marketing (commonly known as "e-Privacy" rules).

   “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State Law. For the purposes of this DPA, the Subscriber acts as Data Controller.

   “Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. For the purposes of this DPA, API.VIDEO acts as Data Processor.

   “Personal Data” or “Subscriber’s Personal Data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

   “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

   “Services” or “api.video Services” means all services provided by API.VIDEO to Subscribers under the terms of the Agreement.

   “Sub-processor” means any other Data Processors engaged by API.VIDEO to Process Subscriber’s Personal Data.

2. Purpose of the DPA

   2.1. General Purpose. The purpose of this DPA is to define the terms and conditions applicable to the Processing by API.VIDEO of Personal Data within the use of api.video Services by the Subscriber in accordance with Applicable Data Protection Law (article 28(3) and (4) of GDPR). 2.3. Details of the Processing operations. The details of the Processing operations, including the categories of Personal Data and the purposes of Processing for which the Personal Data are processed on behalf of the Subscriber are detailed in Appendix I.

3. Obligations of the Subscriber as Data Controller

   3.1. Subscriber’s undertakings. The Subscriber undertakes to: (i) record in writing any instructions regarding the Processing of Personal Data by API.VIDEO within the Services; (ii) supervise the Processing, including conducting audits and inspections of API.VIDEO if necessary. 3.2. Subscriber’s Liability. The Subscriber remains solely responsible for the lawfulness of the Processing entrusted to API.VIDEO, particularly regarding the principles and obligations provided for by the Applicable Data Protection Law.

4. Obligations of API.VIDEO as Data Processor

   4.1.** Instructions of the Subscriber**. API.VIDEO undertakes to process Personal Data only on documented instructions from the Subscriber, as set out in the Agreement and this DPA, unless required to do so by Union or Member State law to which API.VIDEO is subject. In this case, API.VIDEO shall inform the Subscriber of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Subscriber throughout the duration of the Processing of Personal Data. These instructions shall always be documented. API.VIDEO shall immediately inform the Subscriber if, in its opinion, instructions given by the latter infringe Applicable Data Protection Law. 4.2. Purpose Limitation. API.VIDEO shall process the Personal Data only for the specific purpose(s) of the Processing, as set out in Appendix I, unless it receives further instructions from the Subscriber. 4.3. Duration of the Processing of Personal Data. Processing by API.VIDEO shall only take place for the duration detailed in Appendix I. 4.4. Security of Processing. API.VIDEO implements the technical and organizational measures listed in Appendix II to ensure the security of the Personal Data. This includes protecting the Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the Personal Data (“Personal Data Breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the Data Subjects. 4.5. Access to Personal Data. API.VIDEO shall grant access to the Personal Data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring of the Agreement. API.VIDEO shall ensure that persons authorized to process the Personal Data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
   4.6. Documentation and compliance. The Parties shall be able to demonstrate compliance with this DPA. API.VIDEO shall: (i) deal promptly and adequately with inquiries from the Subscriber about the Processing of Personal Data in accordance with this DPA, (ii) make available to the Subscriber all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from Applicable Data Protection Law.
   4.7. Assistance to the Subscriber. i. API.VIDEO shall promptly notify the Subscriber of any request it has received from the Data Subject. It shall not respond to the request itself, unless authorized to do so by the Subscriber. ii. API.VIDEO shall assist the Subscriber in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, considering the nature of the Processing. In fulfilling its obligations in accordance with section 4.7.(i) and 4.7. (ii), API.VIDEO shall comply with the Subscriber’s instructions. iii. In addition to API.VIDEO’s obligation to assist the Subscriber pursuant to section 4.7(ii), API.VIDEO shall furthermore assist the Subscriber in ensuring compliance with the following obligations, taking into account the nature of the Data Processing and the information available to API.VIDEO : (iii.i) the obligation to carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (a ‘data protection impact assessment’) where a type of Processing is likely to result in a high risk to the rights and freedoms of Data Subjects; (iii.ii) the obligation to consult the competent supervisory authority/ies prior to Processing where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by the Subscriber to mitigate the risk; (iii.iii) the obligation to ensure that Personal Data is accurate and up to date, by informing the Subscriber without delay if API.VIDEO becomes aware that the Personal Data it is Processing is inaccurate or has become outdated. The Parties shall set out in Appendix II the appropriate technical and organizational measures by which API.VIDEO is required to assist the Subscriber in the application of this clause as well as the scope and the extent of the assistance required. 4.8. Cookies. If the Services provided by API.VIDEO include the deposit of cookies on the device of the Subscriber’s clients, API.VIDEO undertakes to inform the Subscriber in advance regarding: (i) the exhaustive list of cookies implemented on the device of the Internet user, (ii) the purpose of said cookies, (iii) the duration of validity of the said cookies, it being understood that this duration cannot exceed the duration recommended by the CNIL, as from their first date of implementation on the terminal of the Internet user. In the same way, API.VIDEO will communicate to the person in charge of processing the aforementioned information in case of modification or deletion of any of the implemented cookies.

5. Audit

   5.1. Subscriber’s request. At the Subscriber’s request, API.VIDEO shall permit and contribute to audits of the Processing activities covered by this DPA or if there are indications of non-compliance. In deciding on a review or an audit, the Subscriber may consider relevant certifications held by API.VIDEO. The Subscriber may only carry out a maximum of one (1) audit per contract year. 5.2. API.VIDEO undertakings. API.VIDEO undertakes to allow and facilitate the performance of such audits, by providing access to any information strictly required to carry out the verifications, and by making available the personnel and all documentation necessary and useful for the proper implementation of the audit operations. 5.3. Audit organization. Audit will be implemented during business hours, and subject to thirty (30) days’ written notice to API.VIDEO including the designation of the persons or entities assigned to perform the audit. The Subscriber may choose to conduct the audit by itself or mandate an independent auditor at its exclusive costs. In the latter case, the Subscriber shall ensure that the auditor : (i) has committed itself to confidentiality or is under an appropriate statutory obligation of confidentiality; (ii) is not a competitor of API.VIDEO.

6. Use of sub-processors

   6.1. General authorization. API.VIDEO has the Subscriber’s general authorization for the engagement of Sub-processors from an agreed list, available through the following link https://api.video/sub-processors/ (hereinafter referred to as the “Sub-processors’ List”). Any changes of that list through the addition or replacement of Sub-processors will result in an electronic written notice sent to the Subscriber and warning about the update of the Sub-processors’ List at least two (2) weeks in advance, thereby giving the Subscriber sufficient time to be able to reasonably object to such changes prior to the engagement of the concerned Sub-processor(s). If Subscriber objects to the update of the Sub-processors’ List, Subscriber may terminate the use of api.video Services by providing written notice, without prejudice to any fees incurred prior to the termination pursuant to the Agreement.
   6.2. Details. Where API.VIDEO engages a Sub-processor for carrying out specific processing activities, it shall do so by way of a contract which imposes on the Sub-processor, in substance and to the extent possible, the same data protection obligations as the ones imposed on API.VIDEO in accordance with this DPA. API.VIDEO shall ensure that the Sub-processor complies with the obligations to which API.VIDEO is subject pursuant to this DPA and Applicable Data Protection Law.
   6.3. Liability. API.VIDEO shall remain fully responsible to the Subscriber for the performance of the Sub-processor’s obligations in accordance with its contract with API.VIDEO. API.VIDEO shall notify the Subscriber of any failure by the Sub-processor to fulfill its contractual obligations.

7. Security

   API.VIDEO undertakes to process the Personal Data in compliance with safety measures as set forth in Appendix II.

8. Transfer of Personal Data

   8.1. Information. The Subscriber acknowledges that API.VIDEO and/or its Sub-processors may transfer and/or maintain data Processing operations in countries outside of the European Economic Area (“EEA”). 8.2. Instructions. Any transfer of data to a third country or an international organization by API.VIDEO and/or its Sub-processors shall be done only based on documented instructions from the Subscriber or to fulfill a specific requirement under Union or Member State law to which API.VIDEO is subject and shall take place in compliance with Applicable Data Protection Law. 8.3. Conditions. The Subscriber agrees that where API.VIDEO engages a Sub-processor in accordance with the previous section 6 “Use of Sub-processors” for carrying out specific processing activities and those processing activities involve a transfer of Personal Data within the meaning of Chapter V of GDPR, API.VIDEO and the Sub-processor can ensure compliance with Chapter V of GDPR by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of GDPR, provided the conditions for the use of those standard contractual clauses are met.

9. Notification of personal data breach

   9.1. Cooperation. In the event of a Personal Data Breach, API.VIDEO shall cooperate with and assist the Subscriber for the Subscriber to comply with its obligations under Articles 33 and 34 of GDPR or under Articles 34 and 35 of GDPR, where applicable, considering the nature of processing and the information available to API.VIDEO. 9.2. Personal Data Breach concerning Personal Data processed by the Subscriber. In the event of a Personal Data Breach concerning data processed by the Subscriber, API.VIDEO shall assist the Subscriber: in notifying the Personal Data Breach to the competent supervisory authority/ies, without undue delay after the Subscriber has become aware of it, where relevant (unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons); in obtaining the following information which, pursuant to Applicable Data Protection Law, shall be stated in the Subscriber’s notification, and must at least include: (ii.i) the nature of the Personal Data including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii.ii) the likely consequences of the Personal Data Breach; (ii.iii) the measures taken or proposed to be taken by the Subscriber to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay. in complying, pursuant to Applicable Data Protection Law, with the obligation to communicate without undue delay the Personal Data Breach to the Data Subject, when the Personal Data breach is likely to result in a high risk to the rights and freedoms of natural persons. 9.3. Personal Data Breach concerning Personal Data processed by API.VIDEO. In the event of a Personal Data breach concerning Personal Data processed by API.VIDEO, API.VIDEO shall notify the Subscriber without undue delay after API.VIDEO having become aware of such breach. Such notification shall contain informations set forth in article 33 of the GDPR and at least: a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned); the details of a contact point where more information concerning the Personal Data breach can be obtained; its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects; Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

10. Miscellaneous

    10.1. Termination. Following termination of the Agreement, API.VIDEO shall, at the choice of the Subscriber, delete all Personal Data processed on behalf of the Subscriber and certify on demand to the latter that it has done so or, return all the personal data to the controller and delete existing copies, unless Union or Member State law requires storage of the Personal Data. Until the Personal Data is deleted or returned, API.VIDEO shall continue to ensure compliance with this DPA. 10.2. Modification. Any amendment or modification of this DPA shall be notified by API.VIDEO to the Subscriber. 10.3. Confidentiality. The terms and conditions of this DPA are confidential and each Party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, that each Party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and may disclose such information as necessary to comply with an order or subpoena of any administrative agency or a court of competent jurisdiction, or as reasonably necessary to comply with any applicable law or regulation. 10.4. Integrality. Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the Parties and their respective successors and assigns. This DPA constitutes the entire understanding between the Parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the Parties relating to that subject-matter. 10.5. Limitation of Liability. Each Party’s liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. 10.6. Governing law and Jurisdiction. This DPA is governed by the laws of France and is subject to the exclusive jurisdiction of the courts of Paris (France).

APPENDIX 1. DATA PROCESSING ACTIVITIES

1. Nature and Purposes of the Processing:

   Provision of api.video Services

   • Provision and playback of online videos
   • Statistics on the performance and use of the videos
   • Optimisation and maintenance of api.video Services
   • Security of Api.video Services

2. Processing Operations

   • collection,
   • recording,
   • organization,
   • structuring,
   • storage,
   • consultation,
   • use,
   • disclosure by transmission,
   • dissemination or otherwise making available,
   • erasure or destruction.

3. Duration of the Processing

   during term of the Agreement

4. Data Subjects

   • Subscriber’s Client
   • Subscriber’s account administrator

5. Categories of Personal Data

   a. Subscriber’s Client

   • Geolocation data (city and country)
   • Traffic / connection data : IP address - browser user agent (browser, operating system, type of access terminal) - HTTP referrer of the domain name. b. Subscriber’s account administrator
   • Professional data (position, employing company, industry, logs)
   • Geolocation data (address)
   • Identification data (email address, first and last name).
   • Traffic / connection data (IP address)

6. Special Categories of Data

   NA

APPENDIX 2. TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA