Customer Agreement

Rev. March 3, 2020
Your use of Conviva Products and Services is governed by this Customer Agreement and such other commercial terms as set forth in the applicable Order Form(s) that reference this Customer Agreement and that you accept by clicking, signing or otherwise accept through an exchange of forms, or the like (all together, the “Agreement”). Your Affiliates may enter into Order Forms with Conviva, in which case the Products and Services ordered shall be provided solely to the contracting Affiliate (unless specifically agreed otherwise in the applicable Order Form) and the Affiliate, which shall be the customer for purposes of this Customer Agreement, shall be responsible for compliance with the terms of the Order Form and this Customer Agreement.

If you use the Conviva Products and Services as an employee of or for the benefit of your company, you represent that you have the power and authority to accept this Customer Agreement on behalf of your company. Your company will be the customer under this Customer Agreement. By accepting (electronically or otherwise) the terms of this Customer Agreement, or by accessing or using the Conviva Products or Services, you consent to the terms and conditions of this Customer Agreement on behalf of yourself and the company on whose behalf you will use the Conviva Products and Services. The effective date of this Customer Agreement is the date that you accept (electronically or otherwise) the terms of this Customer Agreement or the date of your first access to or use of the Conviva Products or Services, whichever occurs first. If you do not agree to the terms and conditions of this Customer Agreement or if you do not have the power and authority to accept the terms and conditions of this Customer Agreement on behalf of your company, you may not use the Conviva Products and Services and Conviva is unwilling to provide you with access to them.

PART I: TERMS

1.1 Services. Subject to the terms and conditions of this Agreement, Conviva will provide you with access to and use of the Services listed in the applicable Order Form in accordance with the terms thereof. To the extent any application program interfaces (“APIs”), libraries, software development kits (“SDKs”) or other software (collectively, “Software”) are provided or made available to you in connection with the Services, Conviva hereby grants you a limited, personal, non-exclusive, non-transferable (except as otherwise expressly permitted herein), worldwide, royalty-free license, without the right of sublicense, to use the Software for the applicable Order Form Term and for the sole purpose of integrating your player(s) (as specified in each Order Form) with the Services. You agree to work in good faith with Conviva to integrate the player(s) with the Services and to use commercially reasonable efforts to make all of your latest production player integrations accessible to Conviva solely for test purposes during the applicable Order Form Term. You may not permit a Subcontractor to access or use the Software without Conviva’s prior written consent (email sufficient by an authorized representative of Conviva), and you shall be fully responsible for and liable to Conviva for your Subcontractor’s use of the Software in compliance with the terms of this Customer Agreement.

1.2 Products. If you have ordered any Conviva data products (“Products”) as listed in the applicable Order Form, Conviva will provide you with the Products and you are hereby granted a limited, personal, non-exclusive, nontransferable, worldwide, royalty-free right and license, without the right of sublicense, to use the Products for the applicable Order Form Term and for your internal analysis purposes only.

1.3 You will establish a password or other procedures for verifying that only your designated employees have access to any administrative and other functions of the Services. You are responsible for maintaining the security of your account, passwords (including administrative and user passwords) and files, and for all uses of your account and any Software provided. You shall not share with, nor allow access to, any third party any such account or passwords, or the Software, Products or Services, without the prior written consent of Conviva.

1.4 You may not knowingly provide to any person, or export or re-export, or allow the export or re-export of, the Software, Products or Services or anything related thereto or any direct product thereof, in violation of any applicable laws or regulations or otherwise.

1.5 Authentication for Social Insights Services Only. When you register for a Social Insights Services account, you will have the ability to authenticate one or more of your social accounts (each, a “Social Account”). This will enable Conviva to import data from the Social Account(s) in order to analyze and add certain metrics and to deliver the Social Insights Services. At all times, you shall remain responsible for complying with the terms of service and other policies of the Social Account. Authentication is necessary to provide the Social Insights Services. If your Social Account is not authenticated or for any reason your Social Account is terminated, suspended or inoperable, then Conviva will be unable to provide you with the Social Insights Services, for which Conviva bears no responsibility. You shall remain the owner of the data transferred from your Social Account(s) (“User Content”), and you hereby grant Conviva a worldwide, non-exclusive, perpetual, transferable, royalty-free and sublicensable right and license to use, copy, distribute, prepare derivative works of, modify, transfer and publish the User Content, in whole or in part, to provide you with the Social Insights Services and to use anonymized and aggregated aspects of the User Content, such that you are not identified or identifiable, to provide industry-level research and benchmark data across pre-defined industry categories. The rights you grant in this section, including the license, survive the termination of this Agreement and your use of the Social Insights Services.

2. Service Level Agreement; Professional Services; Service Incidents. Conviva shall provide the Services in accordance with the terms of the Service Level Agreement stated in Part II below (“Service Level Agreement”), which is incorporated by reference herein. In addition, as part of the Services, Conviva shall remotely provide integration assistance for initial integration of your player(s) as specified in the applicable Order Form, including setup, validation and revalidation (“Professional Services”). You may request Conviva’s assistance with a Service incident (“Incident”) by submitting a support ticket at https://support.conviva.com. The Incident will be classified according to the applicable Incident Level definition, and Conviva will use commercially reasonable efforts to address the Incident in accordance with this classification and the following:

Incident Level: Target Response Time

P0 (Critical)
  Platinum Premium: 30 min. (24x7x365)
  Gold Premium: 30 min. (24x7x365)
  Basic Support: 30 min. (24x7x365)

P1 (Urgent)
  Platinum Premium: 1 business hour
  Gold Premium: 2 business hours
  Basic Support: 4 business hours

P2 (Moderate)
  Platinum Premium: 8 business hours
  Gold Premium: 12 business hours
  Basic Support: 16 business hours

Business hours are 8:00am to 6:00pm in your time zone, Monday through Friday, excluding standard Conviva holidays. You may view the status of Conviva’s response to your Service Incident reports online at https://support.conviva.com.

3. Confidentiality; Restrictions.

3.1 Confidentiality Obligations. Each party agrees to abide by the following confidentiality obligations with respect to the other party’s Confidential Information: (a) do not disclose it to any third party unless (i) the other party has given its specific and express prior written approval, (ii) the disclosure is expressly allowed under this Agreement, or (iii) the disclosure is necessary to comply with a valid court order, subpoena or is required to be disclosed by law or any regulatory or administrative body; (b) do not use it for any reason other than to exercise its rights and perform its obligation under this Agreement; and (c) protect it from unauthorized dissemination in the same manner as that party protects its own Confidential Information, and in any event with reasonable precautions (which include limiting access to employees and permitted Subcontractors on a “need-to-know” basis). If you believe you must disclose Conviva’s Confidential Information in accordance with 3.1 (a)(iii), then prior to disclosure you shall, to the extent legally permitted, promptly notify Conviva and cooperate with Conviva if Conviva chooses to contest the disclosure requirement, seek confidential treatment of the information to be disclosed, or limit the nature or scope of the information to be disclosed. Conviva will do the same if it believes it must disclose your Confidential Information in these circumstances. Each Party acknowledges that the unauthorized disclosure or use of Confidential Information may cause irreparable harm to the other Party for which recovery of money damages would be inadequate, and the other Party will therefore be entitled to apply as a right for injunctive relief to protect its rights under this Agreement, in addition to any and all remedies available at law.

3.2 Restrictions. You will not, and will not permit any third party to, reverse engineer or otherwise attempt to discover the source code or underlying structure or algorithms of the Software, Products or Services (except to the extent such restrictions are contrary to applicable law), modify or create derivative works based on the Products, Services or Software, or otherwise use the Products, Services or Software except as expressly permitted by this Agreement.

4. Intellectual Property Rights. As between the Parties, Conviva and/or its licensors own and will retain all Intellectual Property Rights in and to the Products, Services (including Service Statistics) and Software. You are hereby granted a limited, personal, non-exclusive, nontransferable, worldwide, royalty-free right and license, without the right of sublicense, to use the Service Statistics contained in the analysis exported by the Services, for the applicable Order Form Term and for your internal analysis purposes only. You shall not disclose or provide, or provide access, to any third party any Products, Services (including without limitation the Service Statistics) or Software without Conviva’s prior written consent. Your only rights in the Products, Services (including without limitation the Service Statistics) and Software are the rights expressly granted in this Agreement, and all other rights are reserved by Conviva.

5. Payment of Fees. The fees are specified in the applicable Order Form (“Fees”), which shall be invoiced as of the Order Form Effective Date. Fees are due and payable within thirty (30) days of receipt of invoice, unless specified otherwise in the Order Form. Fees unpaid after the date due are subject to a finance charge of the lesser of one and one-half percent (1.5%) per month or the maximum permitted by law. Conviva will be solely responsible for its income taxes in connection with this Agreement and you will be responsible for all sales, use and similar taxes, levies and duties imposed by the taxing authorities, if any. All Fees are exclusive of all such taxes, levies and duties. Without prejudice to any of its other rights or remedies, Conviva may restrict or suspend your access to further Software, Products and Services if payment is not made within five (5) business days of notice that payment is past due. All Order Forms are non-cancellable, and all Fees are non-refundable and non-creditable unless otherwise expressly stated in the applicable Order Form.

6. Termination. The term of this Agreement will begin on the Effective Date and will end when the last Order Form expires, unless this Agreement is terminated sooner by either party as permitted herein. Each Order Form will have its own Order Form Term. Without affecting any other right or remedy available to it, either party may terminate this Agreement or an Order Form on written notice if the other party materially breaches this Agreement or the Order Form and (where such breach is remediable) does not cure such breach within thirty (30) days after notice of such breach. In addition, either party may terminate this Agreement or an Order Form without notice upon: (a) the institution by or against the other party of insolvency, receivership or bankruptcy proceedings, (b) the other party’s making an assignment for the benefit of creditors, or (c) the other party’s dissolution or ceasing to do business. Termination of this Agreement or any Order Form shall not affect any rights, remedies, liabilities or obligations of the Parties, including the payment of amounts due or the right to claim damages in respect of any breach of the Agreement and/or Order Form, which have accrued up to the date of such termination. Upon any such termination or expiration, the provisions of Sections 3, 4, 5, 6, 7.2, 8, 9, 12, 13 and 14 shall survive and shall continue in full force and effect in accordance with their terms. For the avoidance of doubt, termination of an Order Form shall not terminate any other Order Form in effect or this Agreement, which shall continue in full force and effect in accordance with these terms.

7. Warranties; Disclaimer.

7.1 Conviva warrants that (a) the Services will operate in conformity with the description of the Services set forth in the applicable Order Form, (b) it will perform the Professional Services in a professional and workmanlike manner with employees having a level of skill commensurate with the requirements of this Agreement, (c) it will use commercially reasonable and industry standard methods to prevent the introduction of any viruses, disabling devices, Trojans, time bombs or other malicious code in the Software.

7.2 Except for the warranties in Section 7.1, Conviva hereby disclaims all warranties, conditions, representations or other terms, whether oral or written, express or implied, including without limitation all implied warranties and/or conditions of satisfactory quality, merchantability and fitness for a particular purpose.

8. Limitation of Liability.

8.1 In no event will either party, under any circumstances or any theory of liability, be liable to the other party for any indirect, punitive, incidental, special or consequential damages of any kind, arising from this Agreement, or the use of the Software, Products or Services provided to you hereunder, or the delay or inability to use the Services (including any lost revenue, sales, profits or business opportunities).

8.2 Each party’s total aggregate liability arising out of or in connection with this Agreement shall be limited to an amount equal to the Fees paid or payable by you to Conviva hereunder in the twelve (12) month period ending on the date that a claim or demand is first asserted, in each case whether based in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution, strict liability or otherwise, and even if either party has been advised of the possibility of damages. The foregoing limitations will apply notwithstanding any failure of essential purpose of any limited remedy and to the maximum extent permitted under applicable law.

8.3 The exclusions of liability in Sections 8.1 and 8.2 shall not apply to either party’s breach of Section 3.

9. Indemnification.

9.1 Conviva will, at its own expense, defend (or at its sole option, settle) any claim, suit or proceeding asserted against you by a third party that any Product, Service or Software obtained from Conviva under this Agreement directly infringes any patent, copyright, trademark or trade secret of such third party (“Claim”). Conviva will indemnify you for any damages suffered and costs reasonably incurred by you that are directly attributable to such Claim and that are assessed against you in a final, non-appealable judgment from a court of competent jurisdiction or agreed upon by Conviva in a settlement.

9.2 Notwithstanding the foregoing, Conviva will have no obligation under this Section 9 or otherwise to defend or indemnify you with respect to any Claim to the extent such Claim is based on any of the following: (i) any unauthorized use, reproduction, or distribution of any Product, Service or Software, or any breach of this Agreement by you, (ii) Conviva’s compliance with any specifications supplied by you which cannot be reasonably implemented in a non-infringing manner, (iii) any combination of any Product, Service or Software with other products, equipment, software, uses or data not supplied, authorized or required in writing by Conviva, if the Claim would have been avoided without such combination, (iv) any modification of any Product, Service or Software by any person other than Conviva or its authorized agents or contractors, if the Claim would have been avoided without such modification, or (v) continued use of the unmodified Product, Service or Software after Conviva has provided you with a work-around or modification that would have avoided the Claim without materially adversely affecting the functionality or availability of the Product, Service or Software. Further, if Conviva reasonably believes that all or any portion of any Product, Service or Software, or the use thereof, is likely to become the subject of a Claim, Conviva may elect at its discretion: (a) to procure, at Conviva’s expense, the right for you to continue using the Product, Service or Software in accordance with the terms hereof, (b) to replace or modify the allegedly infringing Product, Service or Software to make it non-infringing with at least equivalent functionality or performance, or (c) in the event the preceding is infeasible or not commercially practicable, Conviva may, in its sole discretion, terminate this Agreement or the applicable Order Form upon notice to you and refund any prepaid amounts for the affected unused Product, Service and/or Software.

9.3 Conviva’s obligations to defend and indemnify you with respect to a particular Claim are subject to the following conditions: (a) you must promptly give Conviva written notice of the Claim; (b) you must give Conviva sole control and authority over the defense and settlement of the Claim, provided that you are entitled to participate in your own defense at your sole expense; (c) you must provide Conviva with all information you have regarding the Claim and cooperate with Conviva when Conviva defends or attempts to settle the Claim; and (d) you shall whenever and wherever possible take all reasonable steps to mitigate your losses that are the subject of the Claim. Conviva may, without your consent, settle a Claim that (i) creates no liability to you, (ii) does not impair your rights hereunder, and (iii) does not require you to make any admission of liability. Except as expressly stated in this Section 9, Conviva has no obligation or liability to you for any actual or alleged infringement related to the Software, Products or Services provided by Conviva under this Agreement.

10. Publicity/Use of Trademarks. The parties agree to work together in good faith to create and release a joint press release announcing your use of Conviva’s Products and/or Services. Also, both parties may disclose the relationship to third parties, but the details of this Customer Agreement and any Order Form hereunder will be treated as Confidential Information. In connection with its permitted activities under this Agreement, each party may use the trademarks of the other party, but only in the form and manner approved in advance in writing by the other party, and in accordance with the quality standards and usage guidelines of the other party, and only in connection with the Products and Services provided to you under the Agreement.

11. Assignment. Neither party shall have the right to assign this Agreement, except that either party may assign its rights and obligations without consent to a successor to substantially all its relevant assets or business.

12. Who You Are Contracting With, Notices, Governing Law and Jurisdiction.

12.1 General. Who you are contracting with under this Customer Agreement, who you should direct notices to under this Customer Agreement, what law will apply in any dispute or lawsuit arising out of or in connection with this Customer Agreement, and which courts have jurisdiction over any such dispute or lawsuit, depend on where you are domiciled.

If you are domiciled in: People’s Republic of China, excluding Hong Kong, Macao and Taiwan
  You are contracting with (“Conviva”): Beijing Conviva Technology Company Limited
  Notices should be addressed to: Room 110916, Unit 1, Floor 8, Building 3, No. 1 Futong East Road, Chaoyang District, Beijing, China, post code 100000
  The governing law is: People’s Republic of China
  The courts having exclusive jurisdiction are: The people’s court with jurisdiction in Conviva’s domicile

If you are domiciled in: Any member country of the European Union
  You are contracting with (“Conviva”): Conviva Inc.
  Notices should be addressed to: 989 E. Hillsdale Blvd., Suite 400, Foster City, California 94404, USA
  The governing law is: England and Wales
  The courts having exclusive jurisdiction are: Courts of England and Wales

If you are domiciled in: All other countries, territories and regions of the world
  You are contracting with (“Conviva”): Conviva Inc.
  Notices should be addressed to: 989 E. Hillsdale Blvd., Suite 400, Foster City, California 94404, USA
  The governing law is: California state law and controlling United States federal law
  The courts having exclusive jurisdiction are: State courts located in San Mateo County, California, USA, or federal courts located in the Northern District of California, USA

12.2 Notices. Any notice, approval, consent or other communication intended to have legal effect under this Agreement must be given to the other party in writing and delivered by email, by express courier delivery service or by certified mail, and in each instance will be deemed given upon dispatch, provided proof of actual delivery is retained. In the event of email notice, one of the two (2) follow-up hard copy methods specified above shall be commenced within two (2) business days, and delivery is effective on email dispatch, provided proof of actual delivery of the follow-up hard copy method is retained. All notices or approvals that you send to Conviva shall be sent to its General Counsel at the address specified above, or as otherwise specified by Conviva in writing. Conviva will send all notices and approvals to you at the email address specified in the applicable Order Form. If your email address is not set forth on the applicable Order Form, then notice may be made to the email address for the primary business contact then-noticed under the Agreement, on file with either Partner or Conviva.

12.3 Governing Law and Jurisdiction. Each party agrees to the applicable governing law above without regard to choice or conflicts of law rules, and to the exclusive jurisdiction of the applicable courts above. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover its reasonable costs and attorneys’ fees.

13. Data Protection.

13.1 You acknowledge and agree that through the installation or implementation of Conviva software development kits and/or libraries, Conviva may collect and process Personal Information in the performance of the Services for you. You further instruct and authorize Conviva, in order to perform the Services, to (i) collect and process the Personal Information, including to anonymize, aggregate and/or de-identify Personal Information to develop and enhance Conviva’s machine-learning algorithms, and (ii) share the Personal Information with its Third-Party Subprocessors. Conviva shall not retain or use Personal Information other than as instructed by You or as needed to perform the Services. Conviva shall not sell or otherwise disclose Personal Information, except that Conviva may disclose Personal Information to Third-Party Subprocessors needed to perform the Services. Further, You are responsible for (a) obtaining all necessary consents from the Individuals (where applicable) and providing all applicable privacy notices and disclosures to the Individuals (as required under the Data Protection Laws) to enable Conviva to collect, process and share the Personal Information as anticipated under this Agreement, and (b) providing Conviva with instructions for processing the Personal Information that are in compliance with the Data Protection Laws. You shall indemnify, defend and hold harmless Conviva and its affiliated companies, employees, directors and agents from any claims, losses, damages, liabilities, including legal fees and expenses, arising out of or related to your violation of this Section 13.1.

13.2 Each party acknowledges that it has read and understands the Data Protection Laws and that it shall comply with the provisions and obligations imposed on them by the Data Protection Laws and this Agreement with respect to the processing of Personal Information thereunder, which processing shall be in respect of the types of Personal Information, categories of data subjects, nature and purposes, and duration, set out in this Agreement or other written instructions from you. For purposes of the California Consumer Privacy Act (“CCPA”), Conviva shall be a “Service Provider” and You shall be a “Business,” as those terms are defined in the CCPA.

13.3 You acknowledge that Conviva is reliant on you for direction regarding Conviva’s use and processing of the Personal Information. If you instruct Conviva to process Personal Information in a manner or to an extent that differs from or supplements Conviva’s standard requirements for rendering the Services, Conviva will not be liable for any claim brought by an Individual (including under the Data Protection Laws) related to such instruction. You shall be responsible for ensuring that your instructions comply with all applicable laws and regulations.

13.4 You shall promptly (and, in any event, within 7 days) notify Conviva following the receipt of: (i) a complaint, communication or notice which relates directly or indirectly to the processing of Personal Information by Conviva; or (ii) a request from an Individual to exercise its rights under the Data Protection Laws in relation to the Personal Information (“Access Requests”), and you shall verify the Access Requests before submitting them to Conviva and shall provide sufficient information to enable Conviva to take action in response to such Access Requests. If Conviva receives any Access Requests directly from Individuals, Conviva will notify you and provide reasonable assistance to you in respect of such Access Requests, and you shall be solely responsible for responding to such Access Requests. Conviva shall not be liable for any enforcement action by a DP Regulator, losses, damages or costs suffered or incurred by you in connection with any Access Request, where such enforcement action by a DP Regulator, losses, damages or costs are in any way attributable to your failure to comply with this section.

13.5 Conviva may authorize the Third-Party Subprocessors to process the Personal Information in connection with the Services and its obligations hereunder. Conviva shall ensure that any such Third-Party Subprocessors only process Personal Information on the basis of a written contract which imposes on and secures from such Third-Party Subprocessors obligations in compliance with applicable Data Protection Laws and that are substantially the same as those contained in and imposed on Conviva under this Section 13.

14. General. For all purposes under this Agreement each party shall be and act as an independent contractor and shall not bind nor attempt to bind the other to any contract. Without limiting anything herein, and except for payment obligations, neither party shall have any liability for any failure or delay resulting from any condition beyond its reasonable control, including without limitation governmental action, acts of terrorism, earthquake or other acts of God, labor conditions, power failures and utilities or telecommunications failures (collectively, “Force Majeure Events”). This Agreement and any applicable attachments and Order Forms are the entire agreement between the Parties concerning its subject matter, and supersede any prior or contemporaneous agreements, communications, or understandings (whether written or oral). Each party acknowledges that it does not rely upon any representation (whether negligent or innocent), statement or warranty made or agreed to by any person (whether a party to this Agreement or not) except those expressly set out in this Agreement and that the only remedy available in respect of any misrepresentation or untrue statement made to it shall be a claim for damages for breach of contract under this Agreement. However, any confidentiality or nondisclosure agreements that Conviva previously entered into with you will remain in effect (according to their terms) with respect to the confidential information disclosed thereunder. No waiver, change or modification to this Agreement or any Order Form will be effective unless in writing signed by both Parties. This Agreement may be amended only by means of a written instrument signed by authorized representatives of both Parties that specifically refers to this Agreement and states the Parties’ intention to amend it. No additional or inconsistent terms on any purchase order or similar document you submit to Conviva will be binding on Conviva or have any legal effect.
The Parties agree that this Agreement may be signed by manual or electronic signatures and in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. In the event any provision of this Agreement shall be determined to be void, illegal or unenforceable, that provision will be limited or eliminated so that this Agreement shall otherwise remain in full force and effect and enforceable.

PART II: SERVICE LEVEL AGREEMENT

1. Availability (Uptime) Target. Conviva shall use commercially reasonable efforts to provide Availability of the Services at least 99.9% of each month (“Availability Target”).

2. Availability Calculation. “Availability” is calculated as follows: ([# of minutes in month] – [# of minutes per month Services are Unavailable]) / [# of minutes in month].

3. Notice for Planned and Emergency Unavailability. Except as otherwise agreed by the parties, Conviva will provide you with at least 72 hours advance notice (via e-mail) of all planned maintenance activities, which maintenance shall occur during a maintenance window between 10:00 PM and 02:00 AM Pacific Time on one day per week, between Monday through Thursday (primarily on Wednesday). In addition, Conviva reserves the right to undertake emergency maintenance on notice that is commercially practicable under the circumstances. Conviva shall not be liable for Unavailability during such emergency maintenance periods provided that such emergency maintenance is reasonably circumscribed.

4. Service Credits. Your sole and exclusive remedy, and Conviva’s sole and exclusive liability, in the event Conviva fails to meet the Availability Target is that Conviva will provide you with a Service Credit in accordance with the terms of this Section. To receive Service Credits, you must submit a written request to finance.ar@conviva.com within fifteen (15) days after the end of the month in which the Services were Unavailable. Conviva will credit you (or refund to you, where credit is not possible (such as for the last month of a Term)) a percentage of your effective monthly Services fee for the month affected, based on the following chart:

Availability per Month | Service Credit (as % of Effective Monthly Services Fee)
<99.9%-99.0%           | 5%
<99.0%-98.5%           | 12.5%
<98.5%-98.0%           | 25%
<98.0%                 | 50%

PART III: DEFINITIONS

“Affiliate” means an entity that is controlled by, controls or is under common control with a party, where “control” means the direct or indirect ownership of more than fifty percent (50%) of the shares or interests entitled to vote for the directors thereof or the equivalent, for so long as such entitlement exists, or equivalent power over management thereof.

“Confidential Information” of Conviva means (a) the Products (in any form), Services, Service Statistics, Software, documentation, data sheets, Feedback, and all ideas and information (such as algorithms) contained or embodied in any of the foregoing; (b) the prices, discounts, payment terms, and other information in or attached to the Order Forms; and (c) any other confidential or proprietary information that Conviva provides to you in connection with this Agreement. Your “Confidential Information” means any confidential or proprietary information in (i) written form that you provide to Conviva for Conviva to fulfill your orders and its obligations under this Agreement, and (ii) oral form that you provide to Conviva in order to receive the Software, Products and Services; as long as you notify Conviva at the time of disclosure that such information is to be treated as confidential under this Agreement. Also, Confidential Information of either party does not include any of the following: (1) information that has become generally available to the public, through no fault by you (in the case of Conviva Confidential Information) or Conviva (in the case of your Confidential Information) and that is not still regarded as a trade secret under laws governing information that was negligently or maliciously distributed; (2) information that the receiving party had already obtained in a tangible form, through lawful means, before obtaining it under this Agreement; (3) information that the receiving party developed independently, without the use of any materials or information obtained from the other party in connection with this Agreement; (4) information that the receiving party has lawfully obtained, in a tangible form, from a third party that had the right to provide it to the receiving party; or (5) information that the disclosing party releases for publication in writing.

“Data Protection Laws” means any laws and regulations applicable in any relevant jurisdiction relating to privacy or the use or processing of data relating to natural persons, including without limitation: (a) any state or federal laws or regulations in the United States including without limitation the CCPA; (b) EU Directive 2002/58/EC (as amended by 2009/139/EC) and any legislation implementing or made pursuant to such directive, including (in the UK) the Privacy and Electronic Communications Regulations 2003 (“EU Directive and Legislation”); and (c) EU Regulation 2016/679 (“GDPR”); and (d) any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR including (in the UK) the Data Protection Act 2018; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.

“Feedback” means any ideas or suggestions you voluntarily provide to Conviva (in any manner, whether in writing, orally or otherwise) regarding any Software, Product or Service, including possible enhancements or improvements thereto.

“Incident Level: P0 (Critical)” means the Services are completely unavailable and/or you cannot use the Services due solely to a Services failure.

“Incident Level: P1 (Urgent)” means a significant functional component of the Services is unavailable and/or your use of such component is impaired due solely to a Services failure.

“Incident Level: P2 (Moderate)” means a non-significant functional component of the Services is unavailable and/or your use of such component is impaired due solely to a Services failure.

“Individual” means a data subject or a viewer or end user of your video services.

“Intellectual Property Rights” means all patent rights, copyrights, trade secret rights, database rights, and trademark rights (including service marks and trade names), and any applications for these rights, in all countries.

“Order Form” means a mutually-agreed writing signed by each party that provides for the purchase and sale of any Product or Service and that references this Customer Agreement, including, among other things, the licensed scope of viewer hours or views available for consumption and the licensed total peak concurrent usage (“Capacity”).

“Order Form Effective Date” is the date of last signature on an Order Form, unless expressly identified otherwise in the Order Form.

“Order Form Term” commences on the Order Form Effective Date and expires at the end of the Subscription Term identified on the Order Form.

“Personal Information” means data or information that, alone or in combination with other data or information collected, received or processed by the Services, is considered “personal data,” “personal information,” “personally identifiable information” or other such similar term as defined under the applicable Data Protection Laws, and may include, but is not limited to, IP addresses, viewer and/or subscriber identifiers (such as viewer ID, subscriber ID, household ID and profile ID), device advertising identifiers (such as Google Advertising ID (GAID), Apple ID for Advertising (IDFA), Roku ID, Samsung ID and Vizio ID), geolocation information (such as latitude, longitude and cell tower ID), and other such information or data related to an Individual’s use of your video services.

“Products” means the data reports and other products of Conviva listed in an applicable Order Form.

“Services” means the Conviva services listed in an Order Form.

“Service Statistics” means all statistics computed by the Services.

“Subcontractor” is a third party that (a) is bound by a contract with you to provide services to you, and (b) has been approved by Conviva to have access to any Software, Products, Services or other Confidential Information of Conviva in compliance with the terms of this Agreement.

“Subscription Term” means the duration indicated in each Order Form of the subscription to use the Products and Services ordered under that Order Form.

“Third-Party Subprocessors” means the sub-processors listed on Conviva’s website at https://www.conviva.com/conviva-subprocessors/.

“Unavailable” (and variations thereof) means the Services are not available for access and use through your Internet connection, excluding the time that the Services are not available due to (a) maintenance as set forth in Section 3 of the Service Level Agreement; (b) reasons of a force majeure event or events outside Conviva’s reasonable control; (c) issues arising from misuse or mis-configuration of the Services by you or your agents, end customers or third-party contractors; and (d) your exceeding the Capacity that you have reserved in advance.

“You” (and variations thereof) means the person or entity that accepts (electronically or otherwise) the terms and conditions of this Customer Agreement as the Customer (i.e., the person or entity that uses or accesses the Conviva Products and Services).

PART IV: ADDITIONAL TERMS FOR THE UNITED KINGDOM OR EU COUNTRY MEMBERS

If you are domiciled in the United Kingdom or any member country of the European Union, then the following additional terms apply:

1. Termination. In addition to Section 6 of Part I above, either party may terminate the Customer Agreement or an Order Form without notice if the other party suspends or threatens to suspend payment of its debts or is unable to pay its debts as and when they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986, or if any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the aforementioned events.

2. Compliance with Anti-Bribery Laws. Each party acknowledges its responsibilities under the Bribery Act 2010 of the United Kingdom and represents and covenants that it has not and will not offer, give, solicit or accept any bribe from any person, organization or company with the intent to coerce or induce the other party, or an employee or agent of the other party, to act improperly in the course of its duties under the Customer Agreement.

3. Data Protection.

3.1 In performing the Services, Conviva shall process Personal Information on your behalf. As between you and Conviva, you are the data controller and Conviva is the data processor in relation to the processing of any such Personal Information. Conviva shall: (i) only process Personal Information for the duration of the Agreement; (ii) only process Personal Information on your behalf to provide the Products and Services; (iii) only process Personal Information on and in accordance with your instructions and as set forth in this Agreement; (iv) keep Personal Information confidential and ensure that appropriate technical and organizational measures are taken to protect against the accidental, unauthorized or unlawful destruction, loss, alteration, access or disclosure of such Personal Information; (v) not transfer Personal Information outside the European Economic Area (“EEA”) to countries whose laws the European Union has acknowledged do not ensure an adequate level of data privacy protection, without your prior written consent; (vi) not transfer Personal Information outside the United Kingdom to countries whose laws the United Kingdom has acknowledged do not ensure an adequate level of data privacy protection, without your prior written consent; (vii) delete or return the Personal Information according to your instructions (except to the extent that Conviva is required to continue to store the Personal Information); (viii) ensure that all its personnel who have access to Personal Information are subject to obligations of confidentiality when processing such Personal Information; (ix) promptly inform you if any Personal Information is (while within Conviva’s possession or control) subject to a Personal Information breach (as defined in the Data Protection Laws); (x) provide you and any DP Regulator all information and assistance necessary to demonstrate compliance with the obligations in this Agreement; and (xi) permit your chosen independent auditor (at your sole cost) to access any relevant premises, personnel or records of Conviva on no less than 30 days prior written notice to audit and verify compliance with Conviva’s data protection obligations under this Agreement.

3.2 For purposes of Section 3.1(v) above, the parties acknowledge and agree that the provision of the Products, Services and/or Software may involve a transfer of Personal Information from Conviva to its Affiliates (if any) and Third-Party Subprocessors engaged in the provision of the Services and located outside the EEA. In respect of such transfers and where no Alternative Adequate Level of Protection applies, each party shall: (i) enter into the Standard Contractual Clauses attached to this Agreement; (ii) maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request. For purposes of Section 3.1(vi) above, the parties acknowledge and agree that the provision of the Products, Services and/or Software may involve a transfer of Personal Information from Conviva to its Affiliates (if any) and Third-Party Subprocessors engaged in the provision of the Services and located outside the United Kingdom. In respect of such transfers and where no Alternative Adequate Level of Protection applies, each Party: (a) hereby enters into the Standard Contractual Clauses attached to this Agreement; and (b) shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.

4. Additional Definitions.

4.1 “Alternative Adequate Level of Protection” means: (i) the country where Conviva or a Third-Party Sub-processor is located is recognized by the European Union (if the Personal Information is transferred from the European Union) and/or the United Kingdom (if the Personal Information is transferred from the United Kingdom) to have an adequate level of protection of personal data as described in the Data Protection Laws; or (ii) Conviva or the Third-Party Sub-processor has fully implemented binding corporate rules which provide adequate safeguards as required by the Data Protection Laws; or (iii) Conviva or the Third-Party Sub-processor has implemented any other similar program, or appropriate safeguards that are recognized by the European Union (if the Personal Information is transferred from the European Union) and/or the United Kingdom (if the Personal Information is transferred from the United Kingdom) or by the Data Protection Laws or applicable DP Regulator as providing an adequate level of protection.

4.2 “DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.

4.3 In this Agreement, the terms “data subject”, “personal data”, “data controller”, “data processor” and “processing” shall have the meanings set out in the applicable Data Protection Laws.

STANDARD CONTRACTUAL CLAUSES

Commission Decision C (2010)593

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Data exporter:

Name of the data exporting organisation: Customer

Address:                                                                                                                                  

Tel.                                                      ; fax:                                                                

e-mail:                                                             

Other information needed to identify the organisation: N/A

And

Data importer:

Name of the data importing organisation:  Conviva Inc.

Address: 989 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, USA

Tel: +1 (650) 401-8282

Email: legal@conviva.com

Other information needed to identify the organisation: N/A

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter: Customer

Name (written out in full):                                                                      

Position:                                                                      

Address:                                                                      

Other information necessary in order for the contract to be binding (if any):

 

Signature……………………………………….

Date:                                                               

(stamp of organisation)

 

On behalf of the data importer: Conviva Inc.

Name (written out in full):                                                                      

Position:                                                                      

Address: 989 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, USA

Other information necessary in order for the contract to be binding (if any): N/A

 

Signature……………………………………….

Date:                                                               

(stamp of organisation)

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Customer, whose online video services are integrated with the Conviva software and services.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Conviva, which provides software products and SaaS-based services for analyzing and optimizing the quality of Customer’s online video streaming services.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Customer’s end users that use Customer’s online video services that are integrated with the Conviva services, and, for Conviva’s Social Insights services, Customer’s end users that post videos and other content on social platform services, from which Conviva obtains data and analytics via API calls; and Customer’s employees that log into Conviva’s website to access the data and analytics computed by the Conviva services.

Categories of data

The personal data transferred concern the following categories of data (please specify):

Customer’s end users: IP addresses and, at Customer’s discretion and direction, viewer and/or subscriber identifiers (such as viewer ID, subscriber ID, household ID and profile ID), device advertising identifiers (such as Google Advertising ID (GAID), Apple ID for Advertising (IDFA), Roku ID, Samsung ID and Vizio ID), geolocation information (such as latitude, longitude and cell tower ID), and other personal data related to Customer’s end users’ use of Customer’s online video services; and, for Conviva’s Social Insights services, the captions, comments and/or tweets that contain personal data, and other personal data and/or identifiers related to Customer’s use of the social platform services.

Customer’s employees: website login credentials including name, email address and password.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Not applicable or appropriate.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The Conviva Insights Service is a passive, statistical analytics solution, with Conviva Insights software libraries and/or APIs integrated by Customer as a plug-in to Customer’s video player(s). This service enables quality of experience insights into video playback on Customer’s video players. When a video stream is initiated, the Conviva software computes raw technical information at the player level into service statistics and transmits these service statistics to Conviva’s SaaS platform, for Customer to view in Conviva’s front-end interface, Pulse, according to certain metrics and filters. The service statistics are initially identified to an IP address on initiation of the video stream. The IP address is deleted after it is anonymously converted to an instance ID number, which is randomly generated and cannot be related back to the IP address, unless otherwise requested by Customer. The IP address is not stored in any persistent storage.

The Conviva Social Insights Service is an analytics solution that provides consumption and audience intelligence for video playback on social platforms. Through API calls to social platforms (including Facebook, Instagram, YouTube, Twitter and Snapchat), metrics and metadata are obtained regarding videos posted by Customer on these social platforms.

The Conviva Precision Service is an active solution, with Conviva Precision software libraries and/or APIs integrated by Customer as a plug-in to Customer’s video player(s). This service optimizes quality of experience of video playback on Customer’s video player(s) using the Insights service statistics. Such optimization occurs by choosing a suitable CDN provider and optimal bitrate and resolution for the video playback under current technical and other circumstances prevailing at the time in the relevant ecosystem.

Customer’s employees may access the applicable service statistics, metrics and metadata by securely logging into Conviva’s website. Such login credentials include name, email address and password.

 

DATA EXPORTER: CUSTOMER

Name:                                                             

Title:                                                                

 

Authorized Signature                                                               

Date:                                                               

 

DATA IMPORTER: CONVIVA INC.

 

Name:                                                             

Title:                                                                

 

Authorized Signature                                                               

Date:

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

  • The data importer (Conviva) manages and maintains its internal systems, processes, security and system alerts pursuant to industry best practices. All personal data collected by the data importer is transmitted over SSL and stored using logical separation for each Customer. Encryption is used to transmit data from endpoint devices to the data importer. The only ports open for inbound data are HTTP (80) and HTTPS (443) for the data importer’s SaaS application. Requests to the HTTP endpoint are redirected to the HTTPS endpoint to enforce client security. Any personal data stored in the database is encrypted utilizing AES encryption and SHA-256 hashes where possible. Industry best practice access controls, both physical and virtual, are maintained by the data importer and its vendors for data center hosting and data access. Administrative access is performed over SSH using private keys, and/or SSL for web portals, using passwords. Administrator accounts are granted only to those who need privileged access and revoked once it is no longer needed. Further, the data importer’s website used to access its SaaS application employs industry best practices for secure authentication. User access is via single sign-on and multi-factor authentication, built in a high-availability configuration, and passwords are converted to irreversible and unique hashes.
  • In addition, the data exporter (Customer) shall cooperate with the data importer in establishing a password or other procedures for verifying that only designated employees of the data exporter have access to any administrative functions of the data importer’s services. The data exporter will be responsible for maintaining the security of its account, passwords (including administrative and user passwords), files, and for all uses of the data exporter’s account. The data exporter shall not share with any third party (other than its Affiliates) any such account or password without the prior written consent of the data importer.