Conviva Products and Services (as defined below) are provided by Conviva Inc., located at 989 East Hillsdale Blvd., Fourth Floor, Foster City, California 94404 USA (“Conviva” or “Us”). You have purchased Conviva Products and/or Services either indirectly through a Conviva Partner (as defined below) or directly through Conviva. Your use of Conviva Products and Services, however obtained, is governed by this EULA and such other commercial terms, if any, as may be set forth in the applicable Partner or Conviva Order Form(s) that reference this EULA and that you accepted by clicking, signing or otherwise accepting through an exchange of forms, or the like (all together, the “Agreement”).
If you use the Conviva Products and Services as an employee of or for the benefit of your company, you represent that you have the power and authority to accept this EULA on behalf of your company. Your company will be the customer under this EULA. By accepting (electronically or otherwise) the terms of this EULA, or by accessing or using the Conviva Products or Services, you consent to the terms and conditions of this EULA on behalf of yourself and the company on whose behalf you will use the Conviva Products and Services. The effective date of this EULA is the date that you accept (electronically or otherwise) the terms of this EULA or the date of your first access to or use of the Conviva Products or Services, whichever occurs first. If you do not agree to the terms and conditions of this EULA or if you do not have the power and authority to accept the terms and conditions of this EULA on behalf of your company, you may not use the Conviva Products and Services and Conviva is unwilling to provide you with access to them.
PART I: TERMS
1.1 Services. Subject to the terms and conditions of this Agreement, Conviva will provide you with access to and use of the Services listed in the applicable Order Form in accordance with the terms thereof. To the extent any application program interfaces (“APIs”), libraries, software development kits (“SDKs”) or other software (collectively, “Software”) are provided or made available to you in connection with the Services, Conviva hereby grants you a limited, personal, non-exclusive, non-transferable (except as otherwise expressly permitted herein), worldwide, royalty-free license, without the right of sublicense, to use the Software for the applicable Order Form Term and for the sole purpose of integrating your Player(s) (as specified in each Order Form) with the Services. You agree to work in good faith with Partner or Conviva, as applicable, to integrate the Player(s) with the Services and to use commercially reasonable efforts to make all of your latest production Player integrations accessible to Conviva solely for test purposes during the applicable Order Form Term. You may not permit a Subcontractor to access or use the Software without Conviva’s prior written consent (email sufficient by an authorized representative of Conviva), and you shall be fully responsible for and liable to Conviva for your Subcontractor’s use of the Software in compliance with the terms of this Agreement.
1.2 Products. If you have ordered any Conviva data products (“Products”) as listed in the applicable Order Form, Conviva will provide you with the Products and you are hereby granted a limited, personal, non-exclusive, nontransferable, worldwide, royalty-free right and license, without the right of sublicense, to use the Products for the applicable Order Form Term and for your internal analysis purposes only.
1.3 You will establish a password or other procedures for verifying that only your designated employees have access to any administrative and other functions of the Services. You are responsible for maintaining the security of your account, passwords (including administrative and user passwords) and files, and for all uses of your account and any Software provided. You shall not share with, nor allow access to, any third party any such account or passwords, or the Software, Products or Services, without the prior written consent of Conviva.
1.4 You may not knowingly provide to any person, or export or re-export, or allow the export or re-export of, the Software, Products or Services or anything related thereto or any direct product thereof, in violation of any applicable laws or regulations or otherwise.
2. Professional Services; Service Incidents. As part of the Services, Conviva shall remotely provide integration assistance for initial integration of your Player(s) as specified in the applicable Order Form, including setup, validation and revalidation (“Professional Services”). You may request Conviva’s assistance with a Service incident (“Incident”) by submitting a support ticket at https://support.conviva.com. The Incident will be classified according to the applicable Incident Level definition, and Conviva will use commercially reasonable efforts to address the Incident in accordance with this classification and the following:
|Incident Level||Target Response Time|
|Platinum Premium: 30 min. (24x7x365)
Gold Premium: 30 min. (24x7x365)
Basic Support: 30 min. (24x7x365)
|Platinum Premium: 1 business hour
Gold Premium: 2 business hours
Basic Support: 4 business hours
|Platinum Premium: 8 business hours
Gold Premium: 12 business hours
Basic Support: 16 business hours
Business hours are 8:00am to 6:00pm in your time zone, Monday through Friday, excluding standard Conviva holidays. You may view the status of Conviva’s response to your Service Incident reports online at https://support.conviva.com.
3. Confidentiality; Restrictions.
3.1 Confidentiality Obligations. Each party agrees to abide by the following confidentiality obligations with respect to the other party’s Confidential Information: (a) do not disclose it to any third party unless (i) the other party has given its specific and express prior written approval, (ii) the disclosure is expressly allowed under this Agreement, or (iii) the disclosure is necessary to comply with a valid court order, subpoena or is required to be disclosed by law or any regulatory or administrative body; (b) do not use it for any reason other than to exercise its rights and perform its obligation under this Agreement; and (c) protect it from unauthorized dissemination in the same manner as that party protects its own Confidential Information, and in any event with reasonable precautions (which include limiting access to employees and permitted Subcontractors on a “need-to-know” basis). If you believe you must disclose Conviva’s Confidential Information in accordance with 3.1 (a)(iii), then prior to disclosure you shall, to the extent legally permitted, promptly notify Conviva and cooperate with Conviva if Conviva chooses to contest the disclosure requirement, seek confidential treatment of the information to be disclosed, or limit the nature or scope of the information to be disclosed. Conviva will do the same if it believes it must disclose your Confidential Information in these circumstances. Each Party acknowledges that the unauthorized disclosure or use of Confidential Information may cause irreparable harm to the other Party for which recovery of money damages would be inadequate, and the other Party will therefore be entitled to apply as a right for injunctive relief to protect its rights under this Agreement, in addition to any and all remedies available at law.
3.2 Restrictions. You will not, and will not permit any third party to, reverse engineer or otherwise attempt to discover the source code or underlying structure or algorithms of the Software, Products or Services (except to the extent such restrictions are contrary to applicable law), modify or create derivative works based on the Products, Services or Software, or otherwise use the Products, Services or Software except as expressly permitted by this Agreement.
4. Intellectual Property Rights. As between the Parties, Conviva and/or its licensors own and will retain all Intellectual Property Rights in and to the Products, Services (including Service Statistics) and Software. You are hereby granted a limited, personal, non-exclusive, nontransferable, worldwide, royalty-free right and license, without the right of sublicense, to use the Service Statistics contained in the analysis exported by the Services, for the applicable Order Form Term and for your internal analysis purposes only. You shall not disclose or provide, or provide access, to any third party any Products, Services (including without limitation the Service Statistics) or Software without Conviva’s prior written consent. Your only rights in the Products, Services (including without limitation the Service Statistics) and Software are the rights expressly granted in this Agreement, and all other rights are reserved by Conviva.
5. Payment of Fees. The fees are specified in the applicable Order Form (“Fees”) and shall be due and payable to the entity that issued the quotation for such Fees and that signed the applicable Order Form for the Order. You are expected to pay the Fees to Partner in a Partner transaction, and to Conviva in a direct transaction, net thirty (30) days of receipt of Conviva’s invoice, in the case of Conviva. If the Fees are due to Conviva, interest shall accrue on Fees that are unpaid after the date that they are due at a rate of 1.5% per month or the highest rate permitted by law, and Conviva will be solely responsible for its income taxes in connection with this Agreement and you will be responsible for all sales, use and similar taxes, levies and duties imposed by the taxing authorities, if any. All Fees are exclusive of all such taxes, levies and duties. Without prejudice to any of its other rights or remedies, Conviva may restrict or suspend your access to further Software, Products and Services if payment is not made within five (5) business days of notice that payment is past due. All Order Forms are non-cancellable, and all Fees are non-refundable and non-creditable unless otherwise expressly stated in the applicable Order Form.
6. Termination. The term of this Agreement will begin on the Effective Date and will end when the last Order Form expires, unless this Agreement is terminated sooner by either party as permitted herein. Each Order Form will have its own Order Form Term. Without affecting any other right or remedy available to it, either party may terminate this Agreement or an Order Form on written notice if the other party materially breaches this Agreement or the Order Form and (where such breach is remediable) does not cure such breach within thirty (30) days after notice of such breach. In addition, either party may terminate this Agreement or an Order Form without notice upon: (a) the institution by or against the other party of insolvency, receivership or bankruptcy proceedings, (b) the other party’s making an assignment for the benefit of creditors, or (c) the other party’s dissolution or ceasing to do business. Termination of this Agreement or any Order Form shall not affect any rights, remedies, liabilities or obligations of the Parties, including the payment of amounts due or the right to claim damages in respect of any breach of the Agreement and/or Order Form, which have accrued up to the date of such termination. Upon any such termination or expiration, the provisions of Sections 3, 4, 5, 6, 7.2, 8, 9, 12, 13 and 14 shall survive and shall continue in full force and effect in accordance with their terms. For the avoidance of doubt, termination of an Order Form shall not terminate any other Order Form in effect or this Agreement, which shall continue in full force and effect in accordance with these terms.
7. Warranties; Disclaimer.
7.1 Conviva warrants that (a) the Services will operate in conformity with the description of the Services set forth in the applicable Order Form, (b) it will perform the Professional Services in a professional and workmanlike manner with employees having a level of skill commensurate with the requirements of this Agreement, (c) it will use commercially reasonable and industry standard methods to prevent the introduction of any viruses, disabling devices, Trojans, time bombs or other malicious code in the Software.
7.2 Except for the warranties in Section 7.1, Conviva hereby disclaims all warranties, conditions, representations or other terms, whether oral or written, express or implied, including without limitation all implied warranties and/or conditions of satisfactory quality, merchantability and fitness for a particular purpose.
8. Limitation of Liability.
8.1 In no event will either party, under any circumstances or any theory of liability, be liable to the other party for any indirect, punitive, incidental, special or consequential damages of any kind, arising from this Agreement, or the use of the Software, Products or Services provided to you hereunder, or the delay or inability to use the Services (including any lost revenue, sales, profits or business opportunities).
8.2 Each party’s total aggregate liability arising out of or in connection with this Agreement shall be limited to an amount equal to the Fees paid or payable by you to Conviva hereunder in the twelve (12) month period ending on the date that a claim or demand is first asserted, in each case whether based in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution, strict liability or otherwise, and even if either party has been advised of the possibility of damages. The foregoing limitations will apply notwithstanding any failure of essential purpose of any limited remedy and to the maximum extent permitted under applicable law.
8.3 The exclusions of liability in Sections 8.1 and 8.2 shall not apply to either party’s breach of Section 3.
9.1 Conviva will, at its own expense, defend (or at its sole option, settle) any claim, suit or proceeding asserted against you by a third party that any Product, Service or Software obtained from Conviva under this Agreement directly infringes any patent, copyright, trademark or trade secret of such third party (“Claim”). Conviva will indemnify you for any damages suffered and costs reasonably incurred by you that are directly attributable to such Claim and that are assessed against you in a final, non-appealable judgment from a court of competent jurisdiction or agreed upon by Conviva in a settlement.
9.2 Notwithstanding the foregoing, Conviva will have no obligation under this Section 9 or otherwise to defend or indemnify you with respect to any Claim to the extent such Claim is based on any of the following: (i) any unauthorized use, reproduction, or distribution of any Product, Service or Software, or any breach of this Agreement by you, (ii) Conviva’s compliance with any specifications supplied by you which cannot be reasonably implemented in a non-infringing manner, (iii) any combination of any Product, Service or Software with other products, equipment, software, uses or data not supplied, authorized or required in writing by Conviva, if the Claim would have been avoided without such combination, (iv) any modification of any Product, Service or Software by any person other than Conviva or its authorized agents or contractors, if the Claim would have been avoided without such modification, or (v) continued use of the unmodified Product, Service or Software after Conviva has provided you with a work-around or modification that would have avoided the Claim without materially adversely affecting the functionality or availability of the Product, Service or Software. Further, if Conviva reasonably believes that all or any portion of any Product, Service or Software, or the use thereof, is likely to become the subject of a Claim, Conviva may elect at its discretion: (a) to procure, at Conviva’s expense, the right for you to continue using the Product, Service or Software in accordance with the terms hereof, (b) to replace or modify the allegedly infringing Product, Service or Software to make it non-infringing with at least equivalent functionality or performance, or (c) in the event the preceding is infeasible or not commercially practicable, Conviva may, in its sole discretion, terminate this Agreement or the applicable Order Form upon notice to you and refund any prepaid amounts for the affected unused Product, Service and/or Software.
9.3 Conviva’s obligations to defend and indemnify you with respect to a particular Claim are subject to the following conditions: (a) you must promptly give Conviva written notice of the Claim; (b) you must give Conviva sole control and authority over the defense and settlement of the Claim, provided that you is entitled to participate in its own defense at its sole expense; (c) you must provide Conviva with all information it has regarding the Claim and cooperate with Conviva when Conviva defends or attempts to settle the Claim; and (d) you shall whenever and wherever possible take all reasonable steps to mitigate your losses that are the subject of the Claim. Conviva may, without your consent, settle a Claim that (i) creates no liability to you, (ii) does not impair your rights hereunder, and (iii) does not require you to make any admission of liability. Except as expressly stated in this Section 9, Conviva has no obligation or liability to you for any actual or alleged infringement related to the Software, Products or Services provided by Conviva under this Agreement.
10. Publicity/Use of Trademarks. Conviva may disclose to third parties that you are a customer of Conviva pursuant to this Agreement, but the details of this Agreement and any Order Form hereunder will be treated as Confidential Information. In connection with its permitted activities under this Agreement, each party may use the trademarks of the other party, but only in the form and manner approved in advance in writing by the other party, and in accordance with the quality standards and usage guidelines of the other party, and only in connection with the Products and Services provided to you under the Agreement.
11. Assignment. You may not transfer or assign your rights under this Agreement to any other person in any manner (by assignment, operation of law or otherwise) unless you have obtained written consent from Conviva. If you attempt to transfer or assign any of your license rights without Conviva’s consent, the transfer or assignment will be ineffective, null, and void (and you will be in material breach of this Agreement).
12. Notices. Any notice, approval, consent or other communication intended to have legal effect under this Agreement must be given to the other party in writing and delivered by email, by express courier delivery service or by certified mail, and in each instance will be deemed given upon dispatch, provided proof of actual delivery is retained. In the event of email notice, one of the two (2) follow-up hard copy methods specified above shall be commenced within two (2) business days, and delivery is effective on email dispatch, provided proof of actual delivery of the follow-up hard copy method is retained. All notices or approvals that you send to Conviva shall be sent to its General Counsel at the address specified above, or as otherwise specified by Conviva in writing. Conviva will send all notices and approvals to you at the email address specified in the applicable Order Form. If your email address is not set forth on the applicable Order Form, then notice may be made to the email address for the primary business contact then-noticed under the Agreement, on file with either Partner or Conviva.
13. Governing Law. This Agreement and any dispute or claim (whether contractual or non-contractual) arising out of or in connection with it, its subject matter or formation shall be governed by the laws of the State of California, without regard to its conflicts of law provisions. Each party irrevocably agrees that the state courts located in San Mateo County, California, USA, or the federal courts located in the Northern District of California, USA, shall have exclusive venue and jurisdiction to settle all actions and disputes relating in any manner to this Agreement. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover reasonable costs and attorneys’ fees.
14. General. For all purposes under this Agreement each party shall be and act as an independent contractor and shall not bind nor attempt to bind the other to any contract. Without limiting anything herein, and except for payment obligations, neither party shall have any liability for any failure or delay resulting from any condition beyond its reasonable control, including without limitation governmental action, acts of terrorism, earthquake or other acts of God, labor conditions, power failures and utilities or telecommunications failures (collectively, “Force Majeure Events”). This Agreement and any applicable attachments and Order Forms are the entire agreement between the Parties concerning its subject matter, and supersede any prior or contemporaneous agreements, communications, or understandings (whether written or oral). Each party acknowledges that it does not rely upon any representation (whether negligent or innocent), statement or warranty made or agreed to by any person (whether a party to this Agreement or not) except those expressly set out in this Agreement and that the only remedy available in respect of any misrepresentation or untrue statement made to it shall be a claim for damages for breach of contract under this Agreement. However, any confidentiality or nondisclosure agreements that Conviva previously entered into with you will remain in effect (according to their terms) with respect to the confidential information disclosed thereunder. No waiver, change or modification to this Agreement or any Order Form will be effective unless in writing signed by both Parties. This Agreement may be amended only by means of a written instrument signed by authorized representatives of both Parties that specifically refers to this Agreement and states the Parties’ intention to amend it. No additional or inconsistent terms on any purchase order or similar document you submit to Conviva will be binding on Conviva or have any legal effect. The Parties agree that this Agreement may be signed by manual or electronic signatures and in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. In the event any provision of this Agreement shall be determined to be void, illegal or unenforceable, that provision will be limited or eliminated so that this Agreement shall otherwise remain in full force and effect and enforceable.
PART II: DEFINITIONS
“Agreement Term” means the Term of this Agreement, which shall be co-extensive with the Order Form(s) under which Product(s) or Services have been ordered.
“Confidential Information” of Conviva means (a) the Products (in any form), Services, Service Statistics, Software, documentation, data sheets, Feedback, and all ideas and information (such as algorithms) contained or embodied in any of the foregoing; (b) the prices, discounts, payment terms, and other information in or attached to the Order Forms; and (c) any other confidential or proprietary information that Conviva provides to you in connection with this Agreement. Your “Confidential Information” means any confidential or proprietary information in (i) written form that you provide to Conviva for Conviva to fulfill your orders and its obligations under this Agreement, and (ii) oral form that you provide to Conviva in order to receive the Software, Products and Services; as long as you notify Conviva at the time of disclosure that such information is to be treated as confidential under this Agreement. Also, Confidential Information of either party does not include any of the following: (1) information that has become generally available to the public, through no fault by you (in the case of Conviva Confidential Information) or Conviva (in the case of your Confidential Information) and that is not still regarded as a trade secret under laws governing information that was negligently or maliciously distributed; (2) information that the receiving party had already obtained in a tangible form, through lawful means, before obtaining it under this Agreement; (3) information that the receiving party developed independently, without the use of any materials or information obtained from the other party in connection with this Agreement; (4) information that the receiving party has lawfully obtained, in a tangible form, from a third party that had the right to provide it to the receiving party; or (5) information that the disclosing party releases for publication in writing.
“Feedback” means any ideas or suggestions you voluntarily provide to Conviva (in any manner, whether in writing, orally or otherwise) regarding any Software, Product or Service, including possible enhancements or improvements thereto.
“Incident Level: P0 (Critical)” means the Services are completely unavailable and/or you cannot use the Services due solely to a Services failure.
“Incident Level: P1 (Urgent)” means a significant functional component of the Services is unavailable and/or your use of such component is impaired due solely to a Services failure.
“Incident Level: P2 (Moderate)” means a non-significant functional component of the Services is unavailable and/or your use of such component is impaired due solely to a Services failure.
“Intellectual Property Rights” means all patent rights, copyrights, trade secret rights, database rights, and trademark rights (including service marks and trade names), and any applications for these rights, in all countries.
“Order Form” means a mutually-agreed writing signed by you and Partner or Conviva, as the case may be, that provides for the purchase and sale of any Product or Service and that references this Agreement.
“Order Form Effective Date” is the date of last signature on an Order Form, unless expressly identified otherwise in the Order Form.
“Order Form Term” commences on the Order Form Effective Date and expires at the end of the Subscription Term identified on the Order Form.
“Products” means the data reports and other products of Conviva listed in an applicable Order Form.
“Services” means the Conviva services listed in an Order Form.
“Service Statistics” means all statistics computed by the Services.
“Subcontractor” is a third party that (a) is bound by a contract with you to provide services to you, and (b) has been approved by Conviva to have access to any Software, Products, Services or other Confidential Information of Conviva in compliance with the terms of this Agreement.
“Subscription Term” means the duration indicated in each Order Form of the subscription to use the Products and Services ordered under that Order Form.
“You” (and variations thereof) means the person or entity that accepts (electronically or otherwise) the terms and conditions of this EULA as the Customer (i.e., you or the company on behalf you use or access the Conviva Products and Services).
PART III: THE FOLLOWING ADDITIONAL TERMS APPLY TO THE CONVIVA SOCIAL INSIGHTS SERVICES
Authentication. When you register for a Social Insights Services account, you will have the ability to authenticate one or more of your social accounts (each, a “Social Account”). This will enable Conviva to import data from the Social Account(s) in order to analyze and add certain metrics and to deliver the Social Insights Services. At all times, you remain responsible for complying with the terms of service and other policies of the Social Account. Authentication is necessary to provide the Social Insights Services. If you do not authenticate a Social Account or for any reason your Social Account is terminated, suspended or inoperable, then Conviva will be unable to provide you with the Social Insights Services, for which Conviva bears no responsibility. You remain the owner of the data transferred from your Social Account(s) (“User Content”), and you hereby grant Conviva a worldwide, non-exclusive, perpetual, transferable, royalty-free and sublicensable right and license to use, copy, distribute, prepare derivative works of, modify, transfer and publish the User Content, in whole or in part, to provide you with the Social Insights Services and to use anonymized and aggregated aspects of the User Content for its own commercial purposes. The rights you grant in this section, including the license, survive the termination of the Customer Agreement and your use of the Social Insights Services.
PART IV: ADDITIONAL TERMS FOR THE UNITED KINGDOM AND EU COUNTRY MEMBERS
If you are domiciled in the United Kingdom or any member country of the European Union, then the following additional terms apply:
1. Governing Law. Notwithstanding Section 13 of Part I above, the Agreement and any dispute or claim (whether contractual or non-contractual) arising out of or in connection with it, its subject matter or formation shall be governed by the laws of England and Wales, without regard to its conflicts of law provisions. Each party irrevocably agrees that the courts of England and Wales shall have exclusive venue and jurisdiction to settle all actions and disputes relating in any manner to this Agreement.
2. Termination. In addition to Section 6 of Part I above, either party may terminate the Agreement or an Order Form without notice if the other party suspends or threatens to suspend payment of its debts or is unable to pay its debts as and when they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986, or an any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the aforementioned events.
3. Compliance with Anti-Bribery Laws. Each party acknowledges its responsibilities under the Bribery Act 2010 of the United Kingdom and represents and covenants that it has not and will not offer, give, solicit or accept any bribe from any person, organization or company with the intent to coerce or induce the other party, or an employee or agent of the other party, to act improperly in the course of its duties under the Agreement.
4. Data Protection.
4.1 In the performance of the Services, Conviva shall process Customer Personal Data on behalf of the Customer. As between Customer and Conviva, Customer is the Data Controller and Conviva is the Data Processor in relation to the processing of any such Customer Personal Data.
4.2 Conviva shall, if processing Customer Personal Data as a Data Processor: (i) only process Customer Personal Data for the duration of the Agreement; (ii) only process Customer Personal Data on behalf of Customer to provide the Products and Services; (iii) only process Customer Personal Data on and in accordance with Customer’s instructions and as set forth in this Agreement; (iv) keep Customer Personal Data confidential and ensure that appropriate technical and organizational measures are taken to protect against the accidental, unauthorized or unlawful destruction, loss, alteration, access or disclosure of such Customer Personal Data; (v) not transfer Customer Personal Data outside the European Economic Area (“EEA“) to countries whose laws the European Union has acknowledged do not ensure an adequate level of data privacy protection, without the prior written consent of the Customer; (vi) not transfer Customer Personal Data outside the United Kingdom to countries whose laws the United Kingdom has acknowledged do not ensure an adequate level of data privacy protection, without the prior written consent of the Customer; (vii) delete or return the Customer Personal Data according to Customer´s instructions (except to the extent that Conviva is required to continue to store the Customer Personal Data); (viii) ensure that all its personnel who have access to Customer Personal Data are subject to obligations of confidentiality when processing such Customer Personal Data; (ix) promptly inform Customer if any Customer Personal Data is (while within the Conviva’s possession or control) subject to a personal data breach (as defined in the Data Protection Laws); (x) provide Customer and any DP Regulator all information and assistance necessary to demonstrate compliance with the obligations in this Agreement; and (xi) permit Customer’s chosen independent auditor (at Customer’s sole cost) to access any relevant premises, personnel or records of Conviva on no less than 30 days prior written notice to audit and verify compliance with Conviva’s data protection obligations under this Agreement.
4.3 For purposes of section 4.2(v) above, the Parties acknowledge and agree that the provision of the Products, Services and/or Software may involve a transfer of Customer Personal Data from Conviva to its Affiliates (if any) and third-party data processors engaged in the provision of the Services and located outside the EEA. In respect of such transfers and where no Alternative Adequate Level of Protection applies, each Party: (i) enters into the Standard Contractual Clauses attached to this Agreement; and (ii) shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.
4.4 For purposes of section 4.2(vi) above, the Parties acknowledge and agree that the provision of the Products, Services and/or Software may involve a transfer of Customer Personal Data from Conviva to its Affiliates (if any) and third-party data processors engaged in the provision of the Services and located outside the United Kingdom. In respect of such transfers and where no Alternative Adequate Level of Protection applies, each Party: (i) hereby enters into the Standard Contractual Clauses attached to this Agreement; and (ii) shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.
4.5 Customer acknowledges that Conviva is reliant on Customer for direction as to the extent to which Conviva is entitled to use and process the Customer Personal Data. Consequently, Conviva will not be liable for any claim brought by a Data Subject (including under the Data Protection Laws) to the extent that such action or omission resulted directly from Customer’s instructions. Customer shall be responsible for ensuring that its instructions comply with all applicable laws and regulations.
4.6 Customer is responsible for (a) obtaining all necessary consents from the Data Subjects (where applicable) and providing all applicable privacy notices and disclosures to the Data Subjects (as required under the Data Protection Laws) to enable Conviva to collect, process and share the Customer Personal Data as anticipated under this Agreement; and (b) providing Conviva with instructions for processing the Customer Personal Data that are in compliance with the Data Protection Laws.
4.7 Customer shall promptly (and, in any event, within 7 days) notify Conviva following the receipt of: (i) a complaint, communication or notice which relates directly or indirectly to the processing of Customer Personal Data by Conviva; or (ii) a request from a Data Subject to exercise their rights under the Data Protection Laws in relation to the Customer Personal Data (“Access Requests”) and shall provide sufficient information to enable Conviva to supply any Customer Personal Data included in the Access Requests.
4.8 Conviva shall provide reasonable assistance to the Customer in respect of any Access Requests that the Customer notifies to Conviva in writing. Conviva shall not be liable for any enforcement action by a DP Regulator, losses, damages or costs suffered or incurred by the Customer in connection with any Access Request, where such enforcement action by a DP Regulator, losses, damages or costs are in any way attributable to the Customer’s failure to comply with Section 4.6.
4.9 Each party shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this Agreement, which processing shall be in respect of the types of Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in this Agreement or other written instructions from Customer.
4.10 Conviva may authorize the Third-Party Subprocessors to process the Customer Personal Data in connection with the Services and its obligations hereunder. Conviva shall ensure that any such Third-Party Subprocessors only process Customer Personal Data on the basis of a written contract which imposes on and secures from such Third-Party Subprocessors obligations in compliance with applicable Data Protection Laws and that are substantially the same as those contained in and imposed on Conviva under this Section 4.
4.11 Conviva shall not retain, nor store in persistent storage, any IP addresses except as expressly instructed by Customer.
5. Additional Definitions.
5.1 “Alternative Adequate Level of Protection” means: (i) the country where Conviva or a Third-Party Sub-processor is located is recognized by the European Union (if the Customer Personal Data is transferred from the European Union) and/or the United Kingdom (if the Customer Personal Data is transferred from the United Kingdom) to have an adequate level of protection of Personal Data as described in the Data Protection Laws; or (ii) Conviva or the Third-Party Sub-processor has fully implemented binding corporate rules which provide adequate safeguards as required by the Data Protection Laws; or (iii) Conviva or the Third-Party Sub-processor has implemented any other similar program, or appropriate safeguards that are recognized by the European Union (if the Customer Personal Data is transferred from the European Union) and/or the United Kingdom (if the Customer Personal Data is transferred from the United Kingdom) or by the Data Protection Laws or applicable DP Regulator as providing an adequate level of protection.
5.2 “Customer Personal Data” means any Personal Data that is provided to Conviva, or collected by Conviva, for the purpose of Conviva providing the Services to Customer.
5.3 “Data Protection Laws” means any laws and regulations applicable in any relevant jurisdiction relating to privacy or the use or processing of data relating to natural persons, including: (a) EU Directive 2002/58/EC (as amended by 2009/139/EC) and any legislation implementing or made pursuant to such directive, including (in the UK) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (b) EU Regulation 2016/679 (“GDPR”); and (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR including (in the UK) the Data Protection Act 2018; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.
5.4 “DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.
5.5 “Third-Party Subprocessors” means the sub-processors listed on Conviva’s website at https://www.conviva.com/conviva-subprocessors/.
5.6 In this Agreement, the terms “Data Subject”, “Personal Data”, “Data Controller”, “Data Processor” and “processing” shall have the meanings set out in the applicable Data Protection Laws.
6. STANDARD CONTRACTUAL CLAUSES
Commission Decision C (2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation:
Tel. ; fax:
Other information needed to identify the organisation: N/A
Name of the data importing organisation: Conviva Inc.
Address: 989 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, USA
Tel: +1 (650) 401-8282
Other information needed to identify the organisation: N/A
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Definitions For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
(stamp of organisation)
On behalf of the data importer:
Name (written out in full):
Address: 989 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, USA
Other information necessary in order for the contract to be binding (if any): N/A
(stamp of organisation)
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly your activities relevant to the transfer):
Customer, whose online video services are integrated with the Conviva software and services.
The data importer is (please specify briefly activities relevant to the transfer):
Conviva, which provides software products and SaaS-based services for analyzing and optimizing the quality of Customer’s online video streaming services.
The personal data transferred concern the following categories of data subjects (please specify):
Customer’s end users that use Customer’s online video services that are integrated with the Conviva services, and, for Conviva’s Social Insights services, Customer’s end users that post videos and other content on social platform services, from which Conviva obtains data and analytics via API calls.
Customer’s employees that log into Conviva’s website to access the data and analytics computed by the Conviva services.
Categories of data
The personal data transferred concern the following categories of data (please specify):
Customer’s end users: IP addresses and, at Customer’s discretion, viewer ID numbers, device ID numbers, geolocation information, and other personal data related to Customer’s end users’ use of Customer’s online video services, and, for Conviva’s Social Insights services, the captions, comments and/or tweets that contain personal data, and other personal data and/or identifiers related to Customer’s use of the social platform services.
Customer’s employees: website login credentials including name, email address and password.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Not applicable or appropriate.
The personal data transferred will be subject to the following basic processing activities (please specify):
The Conviva Insights Service is a passive, statistical analytics solution, with Conviva Insights software libraries and/or APIs integrated by Customer as a plug-in to Customer’s video player(s). This service enables quality of experience insights into video playback on Customer’s video players. When a video stream is initiated, the Conviva software computes raw technical information at the player level into service statistics and transmits these service statistics to Conviva’s SaaS platform, for Customer to view in Conviva’s front-end interface, Pulse, according to certain metrics and filters. The service statistics are initially identified to an IP address on initiation of the video stream. The IP address is deleted after it is anonymously converted to an instance ID number, which is randomly generated and cannot be related back to the IP address, unless otherwise requested by Customer. The IP address is not stored in any persistent storage.
The Conviva Social Insights Service is an analytics solution that provides consumption and audience intelligence for video playback on social platforms. Through API calls to social platforms (including Facebook, Instagram, YouTube, Twitter and Snapchat), metrics and metadata are obtained regarding videos posted by Customer on these social platforms.
The Conviva Precision Service is an active solution, with Conviva Precision software libraries and/or APIs integrated by Customer as a plug-in to Customer’s video player(s). This service optimizes quality of experience of video playback on Customer’s video player(s) using the Insights service statistics. Such optimization occurs by choosing a suitable CDN provider and optimal bitrate and resolution for the video playback under current technical and other circumstances prevailing at the time in the relevant ecosystem.
Customer’s employees may access the applicable service statistics, metrics and metadata by securely logging into Conviva’s website. Such login credentials include name, email address and password.
DATA EXPORTER: [CUSTOMER]
DATA IMPORTER: CONVIVA INC.
APPENDIX 2 TO THE STANDARD CONTRACTUALCLAUSES
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The data importer (Conviva) manages and maintains its internal systems, processes, security and system alerts pursuant to industry best practices. All personal data collected by the data importer is transmitted over SSL and stored using logical separation for each Customer. Encryption is used to transmit data from endpoint devices to the data importer. The only ports open for inbound data are HTTP (80) and HTTPS (443) for the data importer’s SaaS application. Requests to the HTTP endpoint are redirected to the HTTPS endpoint to enforce client security. Any personal data stored in the database is encrypted utilizing AES encryption and AES hashes where possible. Industry best practice access controls, both physical and virtual, are maintained by the data importer and its vendors for data center hosting and data access. Administrative access is performed over SSH using private keys, and/or SSL for web portals, using passwords. Administrator accounts are granted only to those who need privileged access and revoked once it is no longer needed. Further, the data importer’s website used to access its SaaS application employs industry best practices for secure authentication. User access is via single sign-on and multi-factor authentication, built in a high-availability configuration, and passwords are converted to irreversible and unique hashes.
In addition, the data exporter (Customer) shall cooperate with the data importer in establishing a password or other procedures for verifying that only designated employees of the data exporter have access to any administrative functions of the data importer’s services. The data exporter will be responsible for maintaining the security of its account, passwords (including administrative and user passwords), files, and for all uses of the data exporter’s account. The data exporter shall not share with any third party (other than its Affiliates) any such account or password without the prior written consent of the data importer.