Conviva Leadership
End User License Agreement (“EULA”)
Rev. March 19, 2024
See previous versions >
Conviva Products and Services (as defined below) are provided by Conviva Inc., located at 989 East Hillsdale Blvd., Fourth Floor, Foster City, California 94404 USA (“Conviva” or “Us”). You have purchased Conviva Products and/or Services either indirectly through a Conviva Partner (as defined below) or directly through Conviva. Your use of Conviva Products and Services, however obtained, is governed by this EULA and such other commercial terms, if any, as may be set forth in the applicable Partner or Conviva Order Form(s) that reference this EULA and that you accepted by clicking, signing or otherwise accepting through an exchange of forms, or the like (all together, the “Agreement”).
If you use the Conviva Products and Services as an employee of or for the benefit of your company, you represent that you have the power and authority to accept this EULA on behalf of your company. Your company will be the customer under this EULA. By accepting (electronically or otherwise) the terms of this EULA, or by accessing or using the Conviva Products or Services, you consent to the terms and conditions of this EULA on behalf of yourself and the company on whose behalf you will use the Conviva Products and Services. The effective date of this EULA is the date that you accept (electronically or otherwise) the terms of this EULA or the date of your first access to or use of the Conviva Products or Services, whichever occurs first. If you do not agree to the terms and conditions of this EULA or if you do not have the power and authority to accept the terms and conditions of this EULA on behalf of your company, you may not use the Conviva Products and Services and Conviva is unwilling to provide you with access to them.
PART I: TERMS
1.1 Services. Subject to the terms and conditions of this Agreement, Conviva will provide you with access to and use of the Services listed in the applicable Order Form in accordance with the terms thereof. To the extent any application program interfaces (“APIs”), libraries, software development kits (“SDKs”) or other software (collectively, “Software”) are provided or made available to you in connection with the Services, Conviva hereby grants you a limited, personal, non-exclusive, non-transferable (except as otherwise expressly permitted herein), worldwide, royalty-free license, without the right of sublicense, to use the Software for the applicable Order Form Term and for the sole purpose of integrating your player(s) (as specified in each Order Form) with the Services. You agree to work in good faith with Partner or Conviva, as applicable, to integrate the player(s) with the Services and to use commercially reasonable efforts to make all of your latest production player integrations accessible to Conviva solely for test purposes during the applicable Order Form Term. You may not permit a Subcontractor to access or use the Software without Conviva’s prior written consent (email sufficient by an authorized representative of Conviva), and you shall be fully responsible for and liable to Conviva for your Subcontractor’s use of the Software in compliance with the terms of this Agreement.
1.2. Products. If you have ordered any Conviva data products (“Products”) as listed in the applicable Order Form, Conviva will provide you with the Products and you are hereby granted a limited, personal, non-exclusive, nontransferable, worldwide, royalty-free right and license, without the right of sublicense, to use the Products for the applicable Order Form Term and for your internal analysis purposes only.
1.3. You will establish a password or other procedures for verifying that only your designated employees have access to any administrative and other functions of the Services. You are responsible for maintaining the security of your account, passwords (including administrative and user passwords) and files, and for all uses of your account and any Software provided. You shall not share with, nor allow access to, any third party any such account or passwords, or the Software, Products or Services, without the prior written consent of Conviva.
1.4 You may not knowingly provide to any person, or export or re-export, or allow the export or re-export of, the Software, Products or Services or anything related thereto or any direct product thereof, in violation of any applicable laws or regulations or otherwise.
1.5 Authentication for Social Insights Services Only. When you register for a Social Insights account, you will be required to authenticate your social media account(s). If you do not authenticate your social media account(s), then Conviva will not be able to deliver Social Insights. Conviva will not be liable for any deficiency in providing Social Insights to the extent you do not authenticate your social media account(s). You shall remain the owner of the data transferred from your social media accounts (“User Content”). During the term of your subscription to Social Insights and thereafter, Conviva may use anonymized and aggregated extracts of the User Content solely for the purpose of providing industry-level benchmark data across pre-defined industry categories In which you and your User Content is not identified or identifiable.
2. Professional Services; Service Incidents. As part of the Services, Conviva shall remotely provide integration assistance for initial integration of your player(s) as specified in the applicable Order Form, including setup, validation and revalidation (“Professional Services”). You may request Conviva’s assistance with a Service incident (“Incident”) by submitting a support ticket at https://support.conviva.com. The Incident will be classified according to the applicable Incident Level definition, and Conviva will use commercially reasonable efforts to address the Incident in accordance with this classification and the following:
| Incident Level | Target Response Time |
| P0
(Critical) |
Platinum Premium: 30 min. (24x7x365)
Gold Premium: 30 min. (24x7x365) Basic Support: 30 min. (24x7x365) |
| P1
(Urgent) |
Platinum Premium: 1 business hour
Gold Premium: 2 business hours |
| P2
(Moderate) |
Platinum Premium: 8 business hours
Gold Premium: 12 business hours |
Business hours are 8:00am to 6:00pm in your time zone, Monday through Friday, excluding standard Conviva holidays. You may view the status of Conviva’s response to your Service Incident reports online at https://support.conviva.com.
3. Confidentiality; Restrictions.
3.1. Confidentiality Obligations. Each party agrees to abide by the following confidentiality obligations with respect to the other party’s Confidential Information: (a) do not disclose it to any third party unless (i) the other party has given its specific and express prior written approval, (ii) the disclosure is expressly allowed under this Agreement, or (iii) the disclosure is necessary to comply with a valid court order, subpoena or is required to be disclosed by law or any regulatory or administrative body; (b) do not use it for any reason other than to exercise its rights and perform its obligation under this Agreement; and (c) protect it from unauthorized dissemination in the same manner as that party protects its own Confidential Information, and in any event with reasonable precautions (which include limiting access to employees and permitted Subcontractors on a “need-to-know” basis). If you believe you must disclose Conviva’s Confidential Information in accordance with 3.1 (a)(iii), then prior to disclosure you shall, to the extent legally permitted, promptly notify Conviva and cooperate with Conviva if Conviva chooses to contest the disclosure requirement, seek confidential treatment of the information to be disclosed, or limit the nature or scope of the information to be disclosed. Conviva will do the same if it believes it must disclose your Confidential Information in these circumstances. Each Party acknowledges that the unauthorized disclosure or use of Confidential Information may cause irreparable harm to the other Party for which recovery of money damages would be inadequate, and the other Party will therefore be entitled to apply as a right for injunctive relief to protect its rights under this Agreement, in addition to any and all remedies available at law.
3.2. Restrictions. You will not, and will not permit any third party to, reverse engineer or otherwise attempt to discover the source code or underlying structure or algorithms of the Software, Products or Services (except to the extent such restrictions are contrary to applicable law), modify or create derivative works based on the Products, Services or Software, or otherwise use the Products, Services or Software except as expressly permitted by this Agreement.
4. Intellectual Property Rights. As between the Parties, Conviva and/or its licensors own and will retain all Intellectual Property Rights in and to the Products, Services (including Service Statistics) and Software. You are hereby granted a limited, personal, non-exclusive, nontransferable, worldwide, royalty-free right and license, without the right of sublicense, to use the Service Statistics contained in the analysis exported by the Services, for the applicable Order Form Term and for your internal analysis purposes only. You shall not disclose or provide, or provide access, to any third party any Products, Services (including without limitation the Service Statistics) or Software without Conviva’s prior written consent. Your only rights in the Products, Services (including without limitation the Service Statistics) and Software are the rights expressly granted in this Agreement, and all other rights are reserved by Conviva.
5. Payment of Fees. The fees are specified in the applicable Order Form (“Fees”) and shall be due and payable to the entity that issued the quotation for such Fees and that signed the applicable Order Form for the Order. You are expected to pay the Fees to Partner in a Partner transaction, and to Conviva in a direct transaction, within thirty (30) days of receipt of Conviva’s invoice. If the Fees are due to Conviva and are unpaid after the date due, then they are subject to a finance charge of the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by law. Conviva will be solely responsible for its income taxes in connection with this Agreement and you will be responsible for all sales, use and similar taxes, levies and duties imposed by the taxing authorities, if any. All Fees are exclusive of all such taxes, levies and duties. Without prejudice to any of its other rights or remedies, Conviva may restrict or suspend your access to further Software, Products and Services if payment is not made within five (5) business days of notice that payment is past due. All Order Forms are non-cancellable, and all Fees are non-refundable and non-creditable unless otherwise expressly stated in the applicable Order Form.
6. Termination. The term of this Agreement will begin on the Effective Date and will end when the last Order Form expires, unless this Agreement is terminated sooner by either party as permitted herein. Each Order Form will have its own Order Form Term. Without affecting any other right or remedy available to it, either party may terminate this Agreement or an Order Form on written notice if the other party materially breaches this Agreement or the Order Form and (where such breach is remediable) does not cure such breach within thirty (30) days after notice of such breach. In addition, either party may terminate this Agreement or an Order Form without notice upon: (a) the institution by or against the other party of insolvency, receivership or bankruptcy proceedings, (b) the other party’s making an assignment for the benefit of creditors, or (c) the other party’s dissolution or ceasing to do business. Termination of this Agreement or any Order Form shall not affect any rights, remedies, liabilities or obligations of the Parties, including the payment of amounts due or the right to claim damages in respect of any breach of the Agreement and/or Order Form, which have accrued up to the date of such termination. Upon any such termination or expiration, the provisions of Sections 3, 4, 5, 6, 7.2, 8, 9, 12, 13 and 14 shall survive and shall continue in full force and effect in accordance with their terms. For the avoidance of doubt, termination of an Order Form shall not terminate any other Order Form in effect or this Agreement, which shall continue in full force and effect in accordance with these terms.
7. Warranties; Disclaimer.
7.1. Conviva warrants that (a) the Services will operate in conformity with the description of the Services set forth in the applicable Order Form, (b) it will perform the Professional Services in a professional and workmanlike manner with employees having a level of skill commensurate with the requirements of this Agreement, (c) it will use commercially reasonable and industry standard methods to prevent the introduction of any viruses, disabling devices, Trojans, time bombs or other malicious code in the Software.
7.2. Except for the warranties in Section 7.1, Conviva hereby disclaims all warranties, conditions, representations or other terms, whether oral or written, express or implied, including without limitation all implied warranties and/or conditions of satisfactory quality, merchantability and fitness for a particular purpose.
8. Limitation of Liability.
8.1. In no event will either party, under any circumstances or any theory of liability, be liable to the other party for any indirect, punitive, incidental, special or consequential damages of any kind, arising from this Agreement, or the use of the Software, Products or Services provided to you hereunder, or the delay or inability to use the Services (including any lost revenue, sales, profits or business opportunities).
8.2. Each party’s total aggregate liability arising out of or in connection with this Agreement shall be limited to an amount equal to the Fees paid or payable by you to Conviva hereunder in the twelve (12) month period ending on the date that a claim or demand is first asserted, in each case whether based in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution, strict liability or otherwise, and even if either party has been advised of the possibility of damages. The foregoing limitations will apply notwithstanding any failure of essential purpose of any limited remedy and to the maximum extent permitted under applicable law.
8.3. The exclusions of liability in Sections 8.1 and 8.2 shall not apply to either party’s breach of Section 3.
9. Indemnification.
9.1. Conviva will, at its own expense, defend (or at its sole option, settle) any claim, suit or proceeding asserted against you by a third party that any Product, Service or Software obtained from Conviva under this Agreement directly infringes any patent, copyright, trademark or trade secret of such third party (“Claim”). Conviva will indemnify you for any damages suffered and costs reasonably incurred by you that are directly attributable to such Claim and that are assessed against you in a final, non-appealable judgment from a court of competent jurisdiction or agreed upon by Conviva in a settlement.
9.2. Notwithstanding the foregoing, Conviva will have no obligation under this Section 9 or otherwise to defend or indemnify you with respect to any Claim to the extent such Claim is based on any of the following: (i) any unauthorized use, reproduction, or distribution of any Product, Service or Software, or any breach of this Agreement by you, (ii) Conviva’s compliance with any specifications supplied by you which cannot be reasonably implemented in a non-infringing manner, (iii) any combination of any Product, Service or Software with other products, equipment, software, uses or data not supplied, authorized or required in writing by Conviva, if the Claim would have been avoided without such combination, (iv) any modification of any Product, Service or Software by any person other than Conviva or its authorized agents or contractors, if the Claim would have been avoided without such modification, or (v) continued use of the unmodified Product, Service or Software after Conviva has provided you with a work-around or modification that would have avoided the Claim without materially adversely affecting the functionality or availability of the Product, Service or Software. Further, if Conviva reasonably believes that all or any portion of any Product, Service or Software, or the use thereof, is likely to become the subject of a Claim, Conviva may elect at its discretion: (a) to procure, at Conviva’s expense, the right for you to continue using the Product, Service or Software in accordance with the terms hereof, (b) to replace or modify the allegedly infringing Product, Service or Software to make it non-infringing with at least equivalent functionality or performance, or (c) in the event the preceding is infeasible or not commercially practicable, Conviva may, in its sole discretion, terminate this Agreement or the applicable Order Form upon notice to you and refund any prepaid amounts for the affected unused Product, Service and/or Software.
9.3. Conviva’s obligations to defend and indemnify you with respect to a particular Claim are subject to the following conditions: (a) you must promptly give Conviva written notice of the Claim; (b) you must give Conviva sole control and authority over the defense and settlement of the Claim, provided that you are entitled to participate in your own defense at your sole expense; (c) you must provide Conviva with all information you have regarding the Claim and cooperate with Conviva when Conviva defends or attempts to settle the Claim; and (d) you shall whenever and wherever possible take all reasonable steps to mitigate its losses that are the subject of the Claim. Conviva may, without your consent, settle a Claim that (i) creates no liability to you, (ii) does not impair your rights hereunder, and (iii) does not require you to make any admission of liability. Except as expressly stated in this Section 9, Conviva has no obligation or liability to you for any actual or alleged infringement related to the Software, Products or Services provided by Conviva under this Agreement.
10. Publicity/Use of Trademarks. The parties agree to work together in good faith to create and release a joint press release announcing your use of Conviva’s Products and/or Services. Also, both parties may disclose the relationship to third parties, but the details of this Agreement and any Order Form hereunder will be treated as Confidential Information. In connection with its permitted activities under this Agreement, each party may use the trademarks of the other party, but only in the form and manner approved in advance in writing by the other party, and in accordance with the quality standards and usage guidelines of the other party, and only in connection with the Products and Services provided to you under the Agreement.
11. Assignment. Neither party shall have the right to assign this Agreement, except that either party may assign its rights and obligations without consent to a successor to substantially all its relevant assets or business. Any attempted transfer or assignment except as permitted hereunder will be ineffective, null, and void.
12. Who You Are Contracting With, Notices, Governing Law and Jurisdiction.
12.1. General. Who you are contracting with under this Agreement, who you should direct notices to under this Agreement, what law will apply in any dispute or lawsuit arising out of or in connection with this Agreement, and which courts have jurisdiction over any such dispute or lawsuit, depend on where you are domiciled.
| If you are domiciled in: | You are contracting with (“Conviva”): | Notices should be addressed to: | The governing law is: | The courts having exclusive jurisdiction are: |
| People’s Republic of China, excluding Hong Kong, Macao and Taiwan | Beijing Conviva Technology Company Limited | Room 110916, Unit 1, Floor 8, Building 3, No. 1 Futong East Road, Chaoyang District, Beijing, China, post code 100000 | People’s Republic of China | The people’s court with jurisdiction in Conviva’s domicile |
| United Kingdom or any member country of the European Union | Conviva Inc. | 989 E. Hillsdale Blvd., Suite 400, Foster City, California 94404, USA | England and Wales | Courts of England and Wales |
| All other countries, territories and regions of the world | Conviva Inc. | 989 E. Hillsdale Blvd., Suite 400, Foster City, California 94404, USA | California state law and controlling United States federal law | State courts located in San Mateo County, California, USA, or federal courts located in the Northern District of California, USA |
12.2. Notices. Any notice, approval, consent or other communication intended to have legal effect under this Agreement must be given to the other party in writing and delivered by email, by express courier delivery service or by certified mail, and in each instance will be deemed given upon dispatch, provided proof of actual delivery is retained. In the event of email notice, one of the two (2) follow-up hard copy methods specified above shall be commenced within two (2) business days, and delivery is effective on email dispatch, provided proof of actual delivery of the follow-up hard copy method is retained. All notices or approvals that you send to Conviva shall be sent to its General Counsel at the address specified above, or as otherwise specified by Conviva in writing. Conviva will send all notices and approvals to you at the email address specified in the applicable Order Form. If your email address is not set forth on the applicable Order Form, then notice may be made to the email address for the primary business contact then-noticed under the Agreement, on file with either Partner or Conviva.
12.3 Governing Law and Jurisdiction. Each party agrees to the applicable governing law above without regard to choice or conflicts of law rules, and to the exclusive jurisdiction of the applicable courts above. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover reasonable costs and attorneys’ fees.
13. Data Protection. To the extent that Conviva collects and processes Customer Personal Data in order to perform the Services, the terms of the Data Processing Addendum (“DPA”) in Part IV below shall apply.
14. General. For all purposes under this Agreement each party shall be and act as an independent contractor and shall not bind nor attempt to bind the other to any contract. Without limiting anything herein, and except for payment obligations, neither party shall have any liability for any failure or delay resulting from any condition beyond its reasonable control, including without limitation governmental action, acts of terrorism, earthquake or other acts of God, labor conditions, power failures and utilities or telecommunications failures (collectively, “Force Majeure Events”). This Agreement and any applicable attachments and Order Forms are the entire agreement between the Parties concerning its subject matter, and supersede any prior or contemporaneous agreements, communications, or understandings (whether written or oral). Each party acknowledges that it does not rely upon any representation (whether negligent or innocent), statement or warranty made or agreed to by any person (whether a party to this Agreement or not) except those expressly set out in this Agreement and that the only remedy available in respect of any misrepresentation or untrue statement made to it shall be a claim for damages for breach of contract under this Agreement. However, any confidentiality or nondisclosure agreements that Conviva previously entered into with you will remain in effect (according to their terms) with respect to the confidential information disclosed thereunder. No waiver, change or modification to this Agreement or any Order Form will be effective unless in writing signed by both Parties. This Agreement may be amended only by means of a written instrument signed by authorized representatives of both Parties that specifically refers to this Agreement and states the Parties’ intention to amend it. No additional or inconsistent terms on any purchase order or similar document you submits to Conviva will be binding on Conviva or have any legal effect. The Parties agree that this Agreement may be signed by manual or electronic signatures and in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. In the event any provision of this Agreement shall be determined to be void, illegal or unenforceable, that provision will be limited or eliminated so that this Agreement shall otherwise remain in full force and effect and enforceable.
PART II: DEFINITIONS
“Affiliate” means an entity that is controlled by, controls or is under common control with a party, where “control” means the direct or indirect ownership of more than fifty percent (50%) of the shares or interests entitled to vote for the directors thereof or the equivalent, for so long as such entitlement exists, or equivalent power over management thereof.
“Confidential Information” of Conviva means (a) the Products (in any form), Services, Service Statistics, Software, documentation, data sheets, Feedback, and all ideas and information (such as algorithms) contained or embodied in any of the foregoing; (b) the prices, discounts, payment terms, and other information in or attached to the Order Forms; and (c) any other confidential or proprietary information that Conviva provides to you in connection with this Agreement. Your “Confidential Information” means any confidential or proprietary information in (i) written form that you provide to Conviva for Conviva to fulfill your orders and its obligations under this Agreement, and (ii) oral form that you provide to Conviva in order to receive the Software, Products and Services; as long as you notify Conviva at the time of disclosure that such information is to be treated as confidential under this Agreement. Also, Confidential Information of either party does not include any of the following: (1) information that has become generally available to the public, through no fault by you (in the case of Conviva Confidential Information) or Conviva (in the case of your Confidential Information) and that is not still regarded as a trade secret under laws governing information that was negligently or maliciously distributed; (2) information that the receiving party had already obtained in a tangible form, through lawful means, before obtaining it under this Agreement; (3) information that the receiving party developed independently, without the use of any materials or information obtained from the other party in connection with this Agreement; (4) information that the receiving party has lawfully obtained, in a tangible form, from a third party that had the right to provide it to the receiving party; or (5) information that the disclosing party releases for publication in writing.
“Feedback” means any ideas or suggestions you voluntarily provide to Conviva (in any manner, whether in writing, orally or otherwise) regarding any Software, Product or Service, including possible enhancements or improvements thereto.
“Incident Level: P0 (Critical)” means the Services are completely unavailable and/or you cannot use the Services due solely to a Services failure.
“Incident Level: P1 (Urgent)” means a significant functional component of the Services is unavailable and/or your use of such component is impaired due solely to a Services failure.
“Incident Level: P2 (Moderate)” means a non-significant functional component of the Services is unavailable and/or your use of such component is impaired due solely to a Services failure.
“Intellectual Property Rights” means all patent rights, copyrights, trade secret rights, database rights, and trademark rights (including service marks and trade names), and any applications for these rights, in all countries.
“Order Form” means a mutually-agreed writing signed by you and Partner or Conviva, as the case may be, that provides for the purchase and sale of any Product or Service and that references this Agreement.
“Order Form Effective Date” is the date of last signature on an Order Form, unless expressly identified otherwise in the Order Form.
“Order Form Term” commences on the Order Form Effective Date and expires at the end of the Subscription Term identified on the Order Form.
“Products” means the data reports and other products of Conviva listed in an applicable Order Form.
“Services” means the Conviva services listed in an Order Form.
“Service Statistics” means all statistics computed by the Services.
“Subcontractor” is a third party that (a) is bound by a contract with you to provide services to you, and (b) has been approved by Conviva to have access to any Software, Products, Services or other Confidential Information of Conviva in compliance with the terms of this Agreement.
“Subscription Term” means the duration indicated in each Order Form of the subscription to use the Products and Services ordered under that Order Form.
“Unavailable” (and variations thereof) mean the Services are not available for access and use through your Internet connection, excluding the time that the Services are not available due to (a) maintenance as set forth in Section 3 of the Service Level Agreement; (b) reasons of a force majeure event or events outside Conviva’s reasonable control; (c) issues arising from misuse or mis-configuration of the Services by you or your agents, end customers or third-party contractors; and (d) your exceeding the Capacity that you have reserved in advance.
“You” (and variations thereof) means the person or entity that accepts (electronically or otherwise) the terms and conditions of this EULA as the Customer (i.e., the person or entity that uses or accesses the Conviva Products and Services).
PART III: ADDITIONAL TERMS FOR THE UNITED KINGDOM OR EU COUNTRY MEMBERS
If you are domiciled in the United Kingdom or any member country of the European Union, then the following additional terms apply:
1. Termination. In addition to Section 6 of Part I above, either party may terminate the Agreement or an Order Form without notice if the other party suspends or threatens to suspend payment of its debts or is unable to pay its debts as and when they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986, or if any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the aforementioned events.
2. Compliance with Anti-Bribery Laws. Each party acknowledges its responsibilities under the Bribery Act 2010 of the United Kingdom and represents and covenants that it has not and will not offer, give, solicit or accept any bribe from any person, organization or company with the intent to coerce or induce the other party, or an employee or agent of the other party, to act improperly in the course of its duties under the Agreement.
PART IV: DATA PROCESSING ADDENDUM (“DPA”)
To the extent that Conviva may collect and process Customer Personal Data in order to perform the Services, then the terms of the following DPA apply:
This Data Processing Addendum (“DPA“) is incorporated into the Customer Agreement and all related Order Forms between you and Conviva (together, the “Customer Agreement”). In addition, if you are domiciled in the United Kingdom or any member country of the European Union and an EU Directive and Legislation, the GDPR, UK GDPR and/or DPA 2018 apply(ies) to this Customer Agreement and/or the Services provided hereunder, then this DPA includes the Standard Contractual Clauses (as defined below).
WHEREAS:
A. You requested that Conviva supply the Services (as defined below) as described in and on the terms of the Customer Agreement.
B. Conviva agreed, or concurrently herewith agrees, to provide the Services.
C. In providing the Services, Conviva may Process Customer Personal Data (as defined below).
D. As between You and Conviva, You are the Data Controller of Customer Personal Data that may be Processed by Conviva on your behalf when Conviva provides the Services.
THE PARTIES AGREE AS FOLLOWS:
1. DEFINITIONS & INTERPRETATION
1.1 In this DPA, unless otherwise defined, all capitalized words and expressions will have the same meanings as are assigned to them in the Customer Agreement. In the event of conflict or inconsistency between this DPA and the Customer Agreement, the terms of this DPA shall apply to the extent of that conflict or inconsistency. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall apply to the extent of that conflict or inconsistency.
1.2. DEFINITIONS
1.2.1. Alternative Adequate Level of Protection means: (i) the country where Conviva or a Third-Party Sub-processor is located is recognized by the European Union (if the Customer Personal Data is transferred from the EEA) and/or the United Kingdom (if the Customer Personal is transferred from the United Kingdom) to have an adequate level of protection of Personal Data as described in the Data Protection Laws; or (ii) Conviva or the Third-Party Sub-processor has fully implemented binding corporate rules which provide adequate safeguards as required by the Data Protection Laws; or (iii) Conviva or the Third-Party Sub-processor has implemented any other similar program, or appropriate safeguards that are recognized by the European Union (if the Customer Personal Data is transferred from the EEA) and/or the United Kingdom (if the Customer Personal Data is transferred from the United Kingdom) or by the Data Protection Laws or applicable DP Regulator as providing an adequate level of protection.
1.2.2. CCPA means the California Consumer Privacy Act, as amended and together with its implementing regulations.
1.2.3. Customer means You, you, or the entity that is a party to the Customer Agreement or the Customer Affiliate that enters into any Order Form (as applicable).
1.2.4. Customer Personal Data means Personal Data collected, received or processed by the Services and which shall be limited to IP addresses and Customer-generated user and/or viewer identifiers of Customer’s end users’ devices, and Conviva account login credentials (including name, email address and password) of Customer’s personnel.
1.2.5. Data Controller means the person (either alone or jointly or in common with others) that determines the purposes for which and the manner in which any Personal Data is, or is to be, Processed.
1.2.6. Data Processor means any person (other than an employee of the Data Controller) who Processes Personal Data on behalf of the Data Controller.
1.2.7. Data Protection Laws means any laws and regulations applicable in any relevant jurisdiction relating to privacy or the use or processing of data relating to natural persons, including without limitation: (a) any state or federal laws or regulations in the United States including without limitation the CCPA; (b) EU Directive 2002/58/EC (as amended by 2009/139/EC) and any legislation implementing or made pursuant to such directive, including (in the UK) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (c) GDPR; (d) UK GDPR; (e) the DPA 2018; and (f) any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR, UK GDPR and/or the DPA 2018; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.
1.2.8. Data Subject means the person whose Customer Personal Data is, or is to be, Processed.
1.2.9. DPA 2018 means the Data Protection Act 2018 in the UK.
1.2.10. DP Regulator means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.
1.2.11. GDPR means the General Data Protection Regulation (EU Regulation 2016/679).
1.2.12. EEA means the European Economic Area.
1.2.13. EU SCCs means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognised as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
1.2.14. Ex-EEA Transfer means as defined in Section 6.1.
1.2.15. Ex-UK Transfer means as defined in Section 6.2.
1.2.16 Personal Data means data or information that, alone or in combination with other data or information is considered “personal data,” “personal information,” “personally identifiable information” or other such similar term as defined under the applicable Data Protection Laws.
1.2.17. Process or Processing means any operation or set of operations which is performed upon Customer Personal Data, whether or not by automatic means, such as obtaining, recording, holding, organization, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction. Any derivative of the word Process has a corresponding meaning.
1.2.18. Prohibited Data means any: (a) special categories of data or sensitive Personal Data under Data Protection Laws; (b) patient, medical, or other protected health information regulated by the Health Insurance Portability and Accountability Act (as amended and supplemented) (“HIPAA”); (c) credit, debit, or other payment card data or financial account information, including bank account numbers; (d) credentials granting access to an online account (e.g. username plus password), other than Customer’s Conviva account; (e) social security numbers, driver’s license numbers, or other government identification numbers; (f) other information subject to regulation or protection under specific laws such as the Children’s Online Privacy Protection Act or Gramm-Leach-Bliley Act (or related rules or regulations); (g) precise geolocation data; or (h) any data similar to the above protected under foreign or domestic laws.
1.2.19. Services means the Products, Services and/or Software to be provided by Conviva to you in accordance with the Customer Agreement and the applicable Order Form(s).
1.2.20. Standard Contractual Clauses means the EU SCCs and/or the UK SCCs.
1.2.21. Third-Party Sub-processors means any third party or Conviva Affiliate engaged by Conviva or a Conviva Affiliate to Process Customer Personal Data including those listed at http://www.conviva.com/conviva-subprocessors/.
1.2.22. UK GDPR means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK.
1.2.23. UK SCCs means the United Kingdom Information Commissioner’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022.
2. PROVISION OF CUSTOMER PERSONAL DATA
2.1 You will provide Customer Personal Data to Conviva, or Conviva will collect Customer Personal Data, pursuant to this DPA for the purpose of Conviva providing the Services to You, and Conviva will have access to the Customer Personal Data in the course of providing the Services.
2.2 For the avoidance of doubt, the parties hereby agree that the Standard Contractual Clauses become part of the Customer Agreement if you are domiciled in the United Kingdom or any member country of the European Union and an EU Directive and Legislation, the GDPR, UK GDPR and/or DPA 2018 apply(ies) to this Customer Agreement and/or the Services provided hereunder.
2.3 Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.
3. USE OF CUSTOMER PERSONAL DATA
3.1 In providing the Services to you pursuant to the Customer Agreement, Conviva may Process Customer Personal Data on your behalf. Each party acknowledges that it has read and understands the Data Protection Laws and that it will comply with the provisions and obligations imposed on them by the Data Protection Laws and this DPA with respect to the Processing of Customer Personal Data.
3.2 To the extent you, in your use of the Services, do not have the ability to correct, delete or block the Customer Personal Data being Processed under the Customer Agreement, as required by Data Protection Laws, Conviva shall comply with any commercially reasonable request by you to facilitate such actions to the extent Conviva is legally permitted to do so. If a Data Subject should request the correction or deletion of their data, Conviva shall promptly pass this request to the Customer, to the extent legally permitted. Delivery failures caused by such compliance with such requests will be the Customer’s responsibility. To the extent legally permitted, you shall be responsible for any costs arising from Conviva’s provision of the aforementioned assistance.
4. RIGHTS AND OBLIGATIONS OF CUSTOMER
4.1 The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, you are the Data Controller, Conviva is a Data Processor, and Conviva or its Affiliates may engage Third-Party Sub-processors pursuant to the requirements set out in Section 7. The parties further acknowledge and agree that, for purposes of the CCPA, Conviva is a “Service Provider” and you are a “Business,” as those terms are defined in the CCPA. Each party is solely responsible for complying with the obligations applicable to it under Data Protection Laws.
4.2 You instruct Conviva to Process Customer Personal Data as set forth in the Customer Agreement and this DPA, and as you may instruct Conviva in writing from time to time. You will not provide to Conviva, or cause Conviva to collect or receive, any Prohibited Data or any Personal Data other than Customer Personal Data. You acknowledge that Conviva is reliant on you for direction regarding Conviva’s use and processing of Customer Personal Data. If you instruct Conviva to process Customer Personal Data in a manner or to an extent that differs from or supplements Conviva’s standard requirements for rendering the Services and/or you provide additional Personal Data other than Customer Personal Data, Conviva will not be liable for any claim (including under the Data Protection Laws) related to such instruction. Your submission of Customer Personal Data to Conviva and instructions for Processing of Customer Personal Data will comply with all Data Protection Laws. Without limiting the generality of the foregoing, you acknowledge that you are responsible for obtaining all necessary consents from Data Subjects (where applicable) and providing all applicable privacy notices and disclosures to Data Subjects (as required under the Data Protection Laws) to enable Conviva to collect, use, disclose, and otherwise Process the Customer Personal Data as anticipated under this DPA and the Customer Agreement. You shall indemnify, defend and hold harmless Conviva and its affiliated companies, employees, directors and agents from any claims, losses, damages, liabilities, including legal fees and expenses, arising out of or related to your violation of this Section 4.2, including any claims brought by Data Subjects as a result of your instructions to Conviva. You shall promptly (and in any event, within 7 days) notify Conviva if it receives a complaint, communication or request which relates directly or indirectly to the processing of Customer Personal Information by Conviva;
4.3 Subject to Section 4.4 below, you or a third-party auditor of Customer’s choice (subject to reasonable and appropriate confidentiality undertakings) have the right, in relation to Customer Personal Data, to review, at your sole cost and expense and upon 30 days’ notice to Conviva, (a) the security measures taken by Conviva, (b) the compliance with Data Protection Laws by Conviva, and (c) the compliance with this DPA by Conviva.
4.4 Conviva’s obligations under Section 4.3 above will be satisfied by, and any audits (including those described in the Standard Contractual Clauses) will be carried out in accordance with, Sections 4.4 to 4.6 (inclusive). Conviva will make available for review (where available) its, and any Conviva Affiliates’ engaged in the Processing of Customer Personal Data, then-current ISO/IEC 27001:2013 certification (or comparable industry-standard third party report or certifications), that Conviva, or any such Conviva Affiliate, generally makes available to its or their customers at the time of such request, in response to any audit or inspection requests by or on behalf of you.
4.5 Subject to the restrictions set out in Section 4.6 below, Conviva shall allow you to conduct an on-site audit of Conviva and any Conviva Affiliates engaged in the Processing of Customer Personal Data, for compliance with Section 4.3 in the following limited circumstances: (a) following any notice from Conviva to you of an actual or reasonably suspected unauthorized disclosure of Customer Personal Data submitted to the Services; (b) upon your reasonable belief that Conviva is not in compliance with its obligations under this DPA regarding Customer Personal Data submitted to the Services; or (c) if such an audit is required by a data protection authority.
4.6 The on-site audit rights in Section 4.5 above may take place at any time during Conviva’s normal working days and normal working hours, subject to written notice given in advance with a reasonable notice period (which shall be at least thirty (30) days in advance). The review may take place at Conviva’s (or any Conviva Affiliate’s) place of business by inspecting the Processing activities taking place at those premises in accordance with Conviva’s (or the Conviva Affiliate’s) security and access policies.
4.7 You retain the right to take reasonable and appropriate steps to (a) ensure that Conviva Processes Customer Personal Data in a manner consistent with Data Protection Laws, and (b) upon notice, stop and remediate unauthorized Processing of Customer Personal Data.
5. RIGHTS AND OBLIGATIONS OF CONVIVA
5.1 Conviva shall only Process Customer Personal Data: (a) for the duration of the Customer Agreement; (b) on your behalf to provide the Services; and (c) pursuant to your written instructions as set forth in this DPA, the Customer Agreement or other written instructions from you.
5.2 You instruct and authorize Conviva, in order to provide the Services, to collect and otherwise Process Customer Personal Data: (a) in accordance with and for the limited and specific business purposes set forth in the Customer Agreement; (b) as part of any Processing initiated by you in your use of the Services; and (c) to comply with your reasonable instructions to the extent they are consistent with the terms of the Customer Agreement. You acknowledge and agree that Conviva may anonymize, aggregate and/or de-identify the Customer Personal Data to develop and enhance Conviva’s machine-learning algorithms, such that the aggregated or de-identified data is no longer Personal Data or Personal Information as defined by any applicable law.
5.3 Conviva will:
a) Process Customer Personal Data to provide the Services, as set forth in the Customer Agreement and this DPA;
b) Not “sell” or “share” Customer Personal Data, or Process Customer Personal Data for “targeted advertising” purposes, as such terms are defined in Data Protection Laws;
c) Not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) not set forth in the Customer Agreement or this DPA;
d) Not retain, use, or disclose Customer Personal Data outside of the direct business relationship with you unless otherwise permitted by Data Protection Laws;
e) Comply with applicable provisions of the Data Protection Laws, including providing the level of protection required by the Data Protection Laws and the requirement to assist with consumer requests;
f) Unless otherwise permitted by Data Protection Laws or instructed by you, not combine Customer Personal Data with Personal Data that Conviva receives from, or on behalf of, another person, or collects from its own, independent consumer interaction;
g) Notify you if Conviva can no longer comply with its obligations under Data Protection Laws.
5.4 Conviva will keep Customer Personal Data confidential and take appropriate technical, physical and organizational security measures to protect Customer Personal Data against accidental, unauthorized or unlawful destruction, damage, loss, alteration, access or disclosure. Conviva will provide Customer Personal Data with the level of protection required by Data Protection Laws, including without limitation the CCPA (for Customer Personal Data subject thereto).
5.5 Conviva is obliged to provide information and cooperate if you conduct a review as described in Section 4.3 or if a DP Regulator requests information necessary to demonstrate Conviva’s compliance with Data Protection Laws or this DPA. However, Conviva shall not be required to disclose any commercial or trade secrets (including, without limitation, algorithms, source code, etc.). Conviva will also reasonably assist you (at your expense) in the event of data protection checks or audits by a formally designated data protection authority with competent jurisdiction, to the extent that such checks or audits relate to the Processing under this DPA.
5.6 All persons under Conviva’s employ or control who can access Customer Personal Data in the course of performing their duties for Conviva must (i) be subject to obligations of confidentiality when processing such Customer Personal Data; and (ii) understand the obligations to keep the Customer Personal Data confidential. Conviva and you shall instruct their respective employees on their particular data protection obligations arising from this DPA and the existence of their duty to act as directed or for the purpose stipulated.
5.7 Conviva will promptly inform you of any personal data breach (as defined in the Data Protection Laws) involving Customer Personal Data (while within Conviva’s possession or control). To the extent the security breach is caused by a violation of the requirements of this DPA by Conviva, Conviva shall make all reasonable efforts to identify and remediate the cause of such security breach and will promptly provide you with all the relevant information and assistance as reasonably requested by you regarding the actual or suspected security breach.
5.8 Conviva shall inform you as soon as reasonably possible if: (a) a DP Regulator demands the access to Customer Personal Data, or (b) a DP Regulator has taken measures against Conviva, in each case, unless Conviva is prohibited by law from informing you about the request of such authority or the measures taken.
5.9 Upon your written request, Conviva shall delete or return the Customer Personal Data according to your instructions (except to the extent that Conviva is required to continue to store the Customer Personal Data pursuant to Conviva’s legal or regulatory compliance). You accept that any such requests may prevent Conviva from providing the Services in accordance with the Customer Agreement and acknowledge that Conviva shall not be liable for any such failure to perform.
5.10 You shall promptly (and, in any event, within 7 days) notify Conviva following the receipt of a request from a Data Subject to exercise their rights under the Data Protection Laws in relation to the Customer Personal Data (“Data Subject Requests”). You shall verify the Data Subject Requests before submitting them to Conviva and shall provide sufficient information to enable Conviva to supply any Customer Personal Data included in the Data Subject Requests. Conviva shall provide reasonable assistance to you in respect of any Data Subject Requests of which you notify Conviva in writing.
5.11 If Conviva receives any Data Subject Requests directly from a Data Subject, Conviva will notify you and provide reasonable assistance to you in respect of such Data Subject Requests, and you shall be solely responsible for responding to such Data Subject Requests.
5.12 Conviva shall not be liable for any enforcement action by a DP Regulator, losses, damages or costs suffered or incurred by you in connection with any Access Request, where such enforcement action by a DP Regulator, losses, damages or costs are in any way attributable to your failure to comply with Section 5.10.
6. ADDITIONAL REQUIREMENTS FOR TRANSFER OF PERSONAL DATA OUTSIDE THE EEA, SWITZERLAND, AND/OR THE UNITED KINGDOM
6.1 If you instruct Conviva to Process Customer Personal Data that is subject to the GDPR, you acknowledge and agree that the provision of the Services would involve a transfer of Customer Personal Data from you to Conviva outside the EEA (“ex-EEA Transfer“). In respect of ex-EEA Transfers and where no Alternative Level of Protection applies the terms of Schedule 1 shall apply.
6.2 If you instruct Conviva to Process Customer Personal Data that is subject to the Swiss Federal Act on Data Protection (“FADP”), you acknowledge and agree that the provision of the Services would involve a transfer of Customer Personal Data from you to Conviva outside Switzerland (“ex-Switzerland Transfer“). In respect of ex-Switzerland Transfers and where no Alternative Level of Protection applies the terms of Schedule 1 shall apply as modified by Section 2 of Schedule 1.
6.3 If you instruct Conviva to Process Customer Personal Data that is subject to the UK GDPR and the DPA 2018, you acknowledge and agree that the provision of the Services would involve a transfer of Customer Personal Data from you to Conviva outside the United Kingdom (“ex-UK Transfer“). In respect of ex-UK Transfers and where no Alternative Level of Protection applies, the terms of Schedule 2 shall apply.
6.4 In respect of any ex-EEA Transfers, ex-Switzerland Transfers, or ex-UK Transfers, the following supplementary measures shall apply:
a) Conviva represents and warrants that, at the time of the transfer, it has not received any formal legal requests from any government intelligence agencies in the country to which the relevant Customer Personal Data is being exported, for access to (or for copies of) Customer Personal Data that has been transferred to Conviva pursuant to this DPA (“Government Agency Requests“);
b) If, after the date of this DPA, Conviva receives any Government Agency Requests which concerns Customer Personal Data, it will (unless prohibited by law from doing so) inform you in writing as soon as reasonably practicable and you and Conviva shall (as soon as reasonably practicable) discuss and determine (as permitted by law) whether all or any transfers of Customer Personal Data pursuant to this DPA should be suspended in the light of the such Government Agency Requests; and
c) You and Conviva will meet at the Customer’s reasonable request as necessary to review whether:
(i) the protection afforded by the laws of the country in which Conviva is located to Data Subjects whose Customer Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA and the UK;
(ii) additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Laws; and
(iii) it is still appropriate for Customer Personal Data to be transferred to Conviva, taking into account all relevant information available to the parties, together with guidance provided by the DP Regulators.
7. SUB-PROCESSORS
7.1 You acknowledge and expressly agree that Conviva or Conviva Affiliates may engage Third-Party Sub-processors to provide support, including processing of Customer Personal Data, in connection with the Services. Conviva may engage Conviva Affiliates as Third-Party Sub-processors.
7.2 Conviva’s current list of Third-Party Sub-processors is set forth in Annex 3 of this DPA. At least thirty (30) days before Conviva engages any new Third-Party Sub-processor, Conviva will update its list of Third-Party Sub-Processors. You acknowledge and agree that in order to receive email notice of updates to Conviva’s Third-Party Sub-processor list, you must sign up at https://pages.conviva.com/WP_Conviva_Subprocessor_List_Gated_LP.html. Conviva is not liable for your failure to obtain notice of an update to Conviva’s Third-Party Sub-processor list due to your failure to sign up at the link provided here.
7.3 If you object to Conviva’s use of a new Third-Party Sub-processor, you shall notify Conviva promptly in writing within ten (10) business days after receipt of Conviva’s notice pursuant to Section 7.2 of this DPA. In the event you object to a new Third-Party Sub-processor, Conviva will use commercially reasonable efforts to make available to you a change in the affected Services or recommend a commercially reasonable change to your configuration or use of the affected Services to avoid processing of Customer Personal Data by the objected-to new Third-Party Sub-processor without unreasonably burdening you. If Conviva is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, you may terminate the applicable elements of the Services which cannot be provided by Conviva without the use of the objected-to new Third-Party Sub-processor, by providing written notice to Conviva. You shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated elements of the Services. You consent to Conviva’s use of Third-Party Sub-processors as described in this Section.
7.4 All Third-Party Sub-processors will be subject to data protection obligations at least equivalent to those contained in this DPA under a written agreement, and such Third-Party Sub-processors shall be obliged to comply with applicable Data Protection Laws. Where the Third-Party Sub-processor fails to fulfill its data protection obligations under such written agreement, Conviva shall remain fully liable to the data exporter for the performance of the Third-Party Sub-processor’s obligations under such agreement.
7.5 Pursuant to the Standard Contractual Clauses, Conviva agrees to promptly make available to you a copy of an applicable Third-Party Sub-processor data processing agreement executed in relation to this DPA, provided that Conviva may redact the text of such agreement to the extent necessary to protect business secrets or other Confidential Information, including personal data contained in such agreement. Conviva may also make available to you a summary of the security measures of the agreement. In all cases such agreement or summary shall be treated by you as Confidential Information of Conviva.
8. DURATION
8.1. This DPA will enter into effect on the Effective Date and will expire and terminate immediately upon termination of the Customer Agreement for any reason.
8.2 Conviva may terminate the Standard Contractual Clauses if Customer Personal Data is located in the European Economic Area and Conviva offers an Alternative Adequate Level of Protection to you for the transfer of Customer Personal Data outside the EEA or to any country not deemed by the European Commission as providing an adequate level of protection.
8.3 Conviva may terminate the Standard Contractual Clauses if Customer Personal Data is located in the United Kingdom and Conviva offers an Alternative Adequate Level of Protection to you for the transfer of Customer Personal Data outside the United Kingdom or to any country not deemed by the United Kingdom as providing an adequate level of protection.
8.4 Your remedies, including remedies of any Customer Affiliate, arising from any breach by Conviva of this DPA will be subject to the aggregate limitation of liability that applies under the Customer Agreement.
8.5 To the extent required by applicable Data Protection Laws, this DPA shall be governed by the applicable law of the applicable jurisdiction. In all other cases, this DPA will be governed by the laws of the same jurisdiction as governs the Customer Agreement.
Schedule 1
(ex-EEA Transfers and ex-Switzerland Transfers)
1. Ex-EEA Transfers
1.1 To the extent legally required, Schedule 1, Section 1 applies to Customer Personal Data subject to the GDPR that is the subject of an ex-EEA Transfer. The ex-EEA Transfer shall be governed by the EU SCCs and references in the EU SCCs and in this Schedule 1 to the data exporter shall be Customer and references to the data importer shall be Conviva.
1.2 The EU SCCs are hereby incorporated into this DPA with the following amendments (with references in this paragraph 1.2 to Clauses being to Clauses of the EU SCCs):
(1) All footnotes and explanatory notes in the EU SCCs are deleted;
(2) As the ex-EEA Transfer is a Data Controller to Data Processor transfer, only the provisions relating to Module 2 apply to such ex-EEA Transfer, and the provisions relating only to Modules 1, 3 and 4 are deleted and shall not apply to such ex-EEA Transfer;
(3) In respect of Clause 7 (docking clause), this clause is not used;
(4) In respect of Clause 9 (sub-processors), ‘Option 2: General Written Authorisation’ applies, and the minimum time period for the data importer to specifically inform the data exporter in writing of any intended changes to that list in accordance with Clause 9 shall be thirty (30) days;
(5) In respect of Clause 13(a) (supervision), the following wording shall apply: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority;
(6) In respect of Clause 17 (governing law), Option 2 shall apply and the Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The parties agree that this shall be the law of Ireland; and
(7) In respect of Clause 18 (choice of forum and jurisdiction), the relevant courts shall be those of the EU Member State whose law governs the Clauses in accordance with Clause 17.
1.3 Annex I of the EU SCCs shall be completed with the information set out in Annex 1 of this DPA.
1.4 Annex II of the EU SCCs shall be completed with the information set out in Annex 2 of this DPA.
1.5 Annex III of the EU SCCs shall be completed with the information set out in Annex 3 of this DPA.
2. Ex-Switzerland Transfers
2.1 To the extent legally required, Schedule 1, Section 1 applies to Customer Personal Data subject to the FADP that is the subject of an ex-Switzerland Transfer, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR, and references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of FADP revisions that eliminate this broader scope; (2) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (3) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
Schedule 2
(ex-UK Transfers)
1.1 The ex-UK Transfer shall be governed by the UK SCCs which are hereby incorporated into this DPA with the following amendments (with references in this paragraph 1.1 to Clauses being to Clauses of the UK SCCs) and references in the UK SCCs and in this Schedule 2 to the data exporter shall be Customer and references to the data importer shall be Conviva.
1.2 Table 1 of the UK SCCs shall be completed as follows:
(1) The parties’ details shall be the parties and their affiliates to the extent any of them are involved in such a transfer, including those set forth in Annex 1 of this DPA.
(2) The Key Contact shall be the contacts set forth in Annex 1 of this DPA.
1.3 Table 2 of the UK SCCs shall be completed as follows: the Approved EU SCCs referenced in Table 2 shall be the EU SCCs as set forth in Schedule 1 of this DPA.
1.4 Table 3 of the UK SCCs shall be completed as follows: Annexes 1A and 1B shall be set forth in Annex 1 of this DPA. Annex II shall be set forth in Annex 2 of this DPA. Annex III shall be set forth in Annex 3 of this DPA.
1.5 Table 4 of the UK SCCs shall be completed as follows: Conviva may end this Schedule 2 as set out in Section 19 of the UK SCCs.
2. Scope
The provisions of this Schedule 2 shall apply only in respect of Customer Personal Data which is subject to the regulation of the UK GDPR and DPA 2018.
Annex 1
A. LIST OF PARTIES
1. Data exporter(s):
Name: As set out in the Order Form (or as otherwise set forth below where completed)
_____________________________________
Address: As set out in the Order Form (or as otherwise set forth below where completed)
_____________________________________
Contact person’s name, position and contact details: As set out in the Order Form (or as otherwise set forth below where completed)
_________________________________________
Activities relevant to the data transferred under these Clauses: Data exporter’s receipt of the data importer’s Services, as set forth in the Customer Agreement and applicable Order Form.
Signature and date: Executed in accordance with the first paragraph of this Customer Agreement.
Role (controller/processor): Controller.
2. Data importer:
Name: Conviva Inc.
Address: 989 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, USA
Contact person’s name, position and contact details: Bradley M. Kancigor, General Counsel, +1 (650) 401-8282, legal@conviva.com
Activities relevant to the data transferred under these Clauses: Data importer’s provision of the Services, as set forth in the Customer Agreement and applicable Order Form.
Signature and date: Executed in accordance with the first paragraph of this Customer Agreement.
Role (controller/processor): Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Data exporter’s end users that use data exporter’s online video services that are integrated with the data importer’s services, and, for the data importer’s Social Insights services, data exporters’ end users that post videos and other content on social platform services, from which data importer obtains data and analytics via API calls.
Data exporter’s employees that log into the data importer’s website to access the data and analytics computed by the data importer’s services.
Categories of personal data transferred:
Data exporter’s end users: IP addresses and user and/or viewer identifiers generated by data exporter.
Data exporter’s employees: Conviva account login credentials including name, email address and password.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Not applicable.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data will be transferred on a continuous basis as required by the data exporter to receive the data importer’s services.
Nature of the processing
Customer Personal Data will be subject to the Processing activities that Conviva needs to perform in order to provide the services pursuant to the Customer Agreement and Order Forms.
Purpose(s) of the data transfer and further processing
The purpose of the data transfer and further processing is for the data importer to provide the services as described in the Customer Agreement and Order Forms.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The data importer retains personal data collected from the data exporter in connection with its use of Conviva’s services, such as account login information, for as long as the data exporter’s account is active or as needed for the data importer to provide the services to the data exporter, or as required by law. The data importer retains personal data collected from the data exporter’s end users (such as IP addresses and viewer ID numbers) for up to thirteen months after collection, unless otherwise directed by the data exporter and/or as needed for system backup archival use or required by law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Same as above.
C. COMPETENT SUPERVISORY AUTHORITY
The supervisory authority of the EU Member State in which the data exporter is established.
Annex 2
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
- The data importer (Conviva) manages and maintains its internal systems, processes, security and system alerts pursuant to industry-best practices and is ISO/IEC 27001:2013 certified. All personal data collected by the data importer is transmitted over SSL and stored using logical separation for each Customer. Encryption is used to transmit data from endpoint devices to the data importer. The only ports open for inbound data are HTTP (80) and HTTPS (443) for the data importer’s SaaS application. Requests to the HTTP endpoint are redirected to the HTTPS endpoint to enforce client security. Any personal data stored in the database is encrypted utilizing AES encryption and AES hashes where possible. Industry-best practice access controls, both physical and virtual, are maintained by the data importer and its vendors for data center hosting and data access. Administrative access is performed over SSH using private keys, and/or SSL for web portals using passwords. Administrator accounts are granted only to those who need privileged access and revoked once it is no longer needed. Further, the data importer’s website used to access its SaaS application employs industry best practices for secure authentication. User access is via single sign-on and multi-factor authentication, built in a high-availability configuration, and passwords are converted to irreversible and unique hashes.
- In addition, the data exporter (Customer) shall cooperate with the data importer in establishing a password or other procedures for verifying that only designated employees of the data exporter have access to any administrative functions of the data importer’s services. The data exporter will be responsible for maintaining the security of its account, passwords (including administrative and user passwords) files, and for all uses of the data exporter’s account. The data exporter shall not share with any third party (other than its Affiliates) any such account or password without the prior written consent of the data importer.
- Additional details regarding Conviva’s security measures can be found at https://www.conviva.com/security/.
ANNEX 3
LIST OF SUB-PROCESSORS
The Customer has authorised the use of the sub-processors listed at https://www.conviva.com/conviva-subprocessors/.