Data Processing Addendum
This Data Processing Addendum (“DPA”) is effective as of the latter of September 27, 2021, or the effective date (“Effective Date”) that you as a commercial customer (“you” or the “Customer”) procure Services (as defined below) from Clipchamp Pty Ltd (ACN 162516556), a subsidiary of Microsoft Corporation (“Clipchamp,”“we,”“us,”“our,”or“Service Provider”), and forms part of any and all agreements (including, without limitation, the Terms (as defined below)), purchase orders, statements of work and other contractual documents between the parties (individually and collectively, the “Agreement”). This DPA is executed by Clipchamp and/or and any associated Affiliates (as defined below) providing Services to Customer and the Customer and/or any associated Affiliates (as defined below) procuring Services from Clipchamp under an Agreement. This DPA applies to the extent that Service Provider receives, stores or processes Personal Data on behalf of Customer in connection with any Services. Clipchamp and Customer are individually a “party” and, collectively, the “parties” to this DPA. The Agreement expressly incorporates this DPA. In the event of a conflict between this DPA and the Agreement, the Agreement shall prevail to the extent of the control (except to the limited extent that DPA terms are required under applicable law, in which case the relevant terms in this DPA shall prevail to the extent of the conflict). All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
The following terms have the meanings set forth below for purposes of the DPA only, and do not apply to the Clipchamp Terms and Conditions (“Terms”). Other terms may be defined inline in this DPA.
1.1 “Affiliates” means entities that own, are owned by, or are under common ownership with either party.
1.2 “Business Operations” consist of the following, each as incident to delivery of the Services to Customer: (1) billing and account management; (2) compensation (e.g., calculating employee commissions and partner incentives); (3) internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy); (4) combatting fraud, cybercrime, or cyber-attacks that may affect Clipchamp’s Services or its Affiliates’ products and services; (5) improving the core functionality of accessibility, privacy or energy-efficiency; and (6) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Processed Data outlined in Section 2.9 below).
1.3 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
1.4 “Data Protection Law” means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law and the Australian Privacy Act 1988 (Cth).
1.5 “Data Subject” means the individual to whom Personal Data relates.
1.6 “EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”); (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (iii) Directive and GDPR as transposed into domestic legislation of each Member State.
1.7 “Standard Contractual Clauses” means the applicable standard contractual clauses for Processors as approved by the European Commission that are incorporated into this DPA.
1.8 “Personal Data” means any information relating to an identified or identifiable natural person that is submitted to Service Provider by Customer as part of the Services.
1.9 “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
1.10 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not be automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.11 “Processed Data” means: (a) Customer Data; (b) Professional Services Data; (c) Personal Data; and (d) any other data processed by Clipchamp in connection with the Services that is Customer’s confidential information under the Agreement.
1.12 “Processor” means an entity that processes Personal Data on behalf of the Controller.
1.13 “Professional Services” means the following services: (a) Clipchamp’s consulting services, consisting of planning, advice, guidance, data migration, deployment and solution/software development services provided under a Clipchamp service order that incorporates this DPA by reference; and (b) technical support services provided by Clipchamp that help customers identify and resolve issues affecting Services, including technical support provided as part of Clipchamp's support services and any other technical support services.
1.14 “Professional Services Data” means all data, including all text, sound, video, image files or software, that are provided to Clipchamp, by or on behalf of a Customer (or that Customer authorizes Clipchamp to obtain from Services) or otherwise obtained or processed by or on behalf of Clipchamp through an engagement with Clipchamp to obtain Professional Services.
1.15 “Services” means, individually and collectively, any products, services or documentation provided by Service Provider to Customer under the Agreement.
1.16 “Subprocessor” means any Processor used or engaged by Service Provider or any member of its group of companies that processes Customer Data, Professional Services Data, and/or Personal Data pursuant to the Agreement as described in Article 28 of GDPR. A Subprocessor may include third parties or any member of Service Provider’s group of companies (i.e., Service Provider Affiliates).
1.17 “To provide Services” consists of one or more of the following: (a) Delivering functional capabilities as licensed, configured, and used by Customer and its users, including providing personalized user experiences; (b) Troubleshooting (preventing, detecting, and repairing problems); and (c) Ongoing improvement (installing the latest updates and making improvements to user productivity, reliability, efficacy, quality, and security).
1.18 “To provide Professional Services” consists of one or more of the following: (a) Delivering the Professional Services, including providing technical support, professional planning, advice, guidance, data migration, deployment, and solution/software development services; (b) Troubleshooting (preventing, detecting, investigating, mitigating, and repairing problems, including Security Incidents and problems identified in the Professional Services or relevant Product(s) during delivery of Professional Services); and (c) Ongoing improvement (improving delivery, efficacy, quality, and security of Professional Services and the underlying Product(s) based on issues identified while providing Professional Services, including installing the latest updates and fixing software defects).
2. SCOPE, ROLES, PROCESSING, AND DATA SUBJECT REQUESTS.
2.2 Role of the Parties. Except as set forth in Section 2.9 (Processing for Business Operations), the parties acknowledge and agree that with respect to Processing of Personal Data under this DPA, Customer may act as the Controller or Processor and Service Provider may act as the Processor or Subprocessor. Section 2.9 sets forth limited circumstances where Clipchamp may act as an independent Controller with the Customer.
2.3 Customer Processing of Personal Data. Customer will, in its use of the Services, comply with its obligations under Data Protection Law in respect of its processing of Personal Data and any processing instructions it issues to Service Provider. Customer represents and warrants that it has the authorizations necessary for Service Provider to Process Personal Data for purposes of providing the Services to Customer in accordance with the Agreement. For the avoidance of doubt, in any instance where EU Data Protection Law applies and Customer is a Processor, Customer represents and warrants to Clipchamp that Customer’s instructions, including appointment of Clipchamp as a Processor or Subprocessor, have been authorized by the relevant Controller.
2.4 Service Provider Processing of Personal Data. Service Provider will use and otherwise process Customer Data, Professional Services Data, and Personal Data only as described and subject to the limitations provided below (a) to provide Customer the Services in accordance with Customer’s documented instructions and (b) for business operations incident to providing the Services to Customer. Notwithstanding this, Customer instructs Service Provider to Process Customer Data, Professional Services Data, and Personal Data: (i) in accordance with the Agreement, (ii) as part of any Processing initiated by Customer in its use of the Services, (iii) to comply with Customer’s other reasonable instructions to the extent they are consistent with the terms of the Agreement, and (iv) in accordance with the rights and duties attached to the Personal Data. Processing any Customer Data, Professional Services Data, and/or Personal Data outside the scope of the Agreement will require prior written agreement between Service Provider and Customer by way of written amendment to the Agreement. Upon notice in writing, Customer may terminate the Agreement if Service Provider declines to follow Customer’s reasonable instructions that are outside those agreed to for the performance of the Services, to the extent such instructions are necessary for compliance with Data Protection Law. Service Provider will notify Customer if it can no longer abide by the rights and duties attached to the Personal Data and will immediately cease processing such Personal Data and take steps necessary to remediate any unauthorized processing.
2.5 Data Subject Requests. Service Provider will use best efforts to notify Customer promptly of any Data Subject requests for access to, correction, amendment or deletion of that individual’s Personal Data. To the extent Customer does not have access to such Personal Data through its use of the Services to respond to such request, Service Provider will provide Customer with commercially reasonable cooperation and assistance in relation to responding to a Data Subject’s request for access to that individual’s Personal Data to the extent legally permitted. Customer will be responsible for any costs arising from Service Provider’s provision of such assistance.
2.6 Duration. The duration of the Processing under the Agreement will continue until the applicable Services are terminated as set forth in the Agreement.
2.7 Purpose. The purpose of the Processing is the provision of the Services by Service Provider to Customer in accordance with the Agreement and as specified in any service orders entered into pursuant to the Agreement.
2.8 Ownership. As between the parties, Customer retains all right, title and interest in and to Customer Data. Clipchamp acquires no rights in Customer Data, other than the rights Customer grants to Clipchamp in the Agreement or this Section 2.8 of the DPA. Notwithstanding this, this Section 2.8 does not affect Clipchamp’s rights in software or services that Clipchamp licenses to Customer.
2.9 Processing for Business Operations. When Processing for Business Operations, Clipchamp will apply principles of data minimization and will not use or otherwise Process Customer Data, Professional Services Data, or Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes not related to the Services, or (c) any other purpose, other than for the purposes set out in this DPA. To the extent that Clipchamp uses or otherwise processes Personal Data subject to EU Data Protection Law for Business Operations incident to providing the Services to Customer, Clipchamp will comply with the obligations of an independent data controller under EU Data Protection Law for use in such limited circumstances. For the avoidance of doubt, Clipchamp is accepting the added responsibilities of a data “controller” under EU Data Protection Law for Processing in connection with its Business Operations to: (a) act consistent with regulatory requirements, to the extent required under EU Data Protection Law; and (b) provide increased transparency to Customer and confirm Clipchamp’s accountability for such Processing. Clipchamp employs safeguards to protect Customer Data, Professional Services Data, and Personal Data in Processing, including those identified in this DPA and those contemplated in Article 6(4) of the GDPR. With respect to Processing of Personal Data under this Section, Clipchamp makes the commitments set forth in the Additional Safeguards section. For those purposes (i) any Clipchamp disclosure of Personal Data, as described in Annex II to Exhibit 1 (Technical and Organisational Measures including Technical and Organisational Measures to Ensure the Security of the Data) (individually and collectively, “Additional Safeguards”), that has been transferred in connection with Business Operations is deemed a “Relevant Disclosure” and (ii) the commitments in Additional Safeguards apply to such Personal Data.
2.10 Processing of Personal Data; GDPR. All Personal Data processed by Clipchamp in connection with providing the Services is obtained as part of either (a) Customer Data, (b) Professional Services Data, or (c) data generated, derived or collected by Clipchamp for or in furtherance of performance of the Services (including data sent to Clipchamp as a result of a Customer’s use of service-based capabilities or obtained by Clipchamp from locally installed software). Personal Data provided to Clipchamp by, or on behalf of, Customer through use of the Services is also Customer Data. Personal Data provided to Clipchamp by, or on behalf of, Customer through use of the Professional Services is also Professional Services Data. Pseudonymized identifiers may be included in data processed by Clipchamp in connection with providing the Services and are also Personal Data. Any Personal Data pseudonymized, or de-identified but not anonymized, or Personal Data derived from Personal Data is also Personal Data.
2.11 Disclosure of Processed Data. Clipchamp will not disclose or provide access to any Processed Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by applicable law. All Processing of Processed Data is subject to Clipchamp’s obligation of confidentiality under the Agreement. Clipchamp will not disclose or provide access to any Processed Data to law enforcement unless required by applicable law. If law enforcement contacts Clipchamp with a demand for Processed Data, Clipchamp will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose or provide access to any Processed Data to law enforcement, Clipchamp will promptly notify Customer and provide a copy of the demand unless Clipchamp is or reasonably believes that it is legally prohibited from doing so. Upon receipt of any other third-party request for Processed Data, Clipchamp will promptly notify Customer unless prohibited by law. Clipchamp will reject the request unless required by law to comply. If the request is valid, Clipchamp will attempt to redirect the third party to request the data directly from Customer. For the avoidance of doubt, Clipchamp will not provide any third party: (a) direct, indirect, blanket, or unfettered access to Processed Data; (b) platform encryption keys used to secure Processed Data or the ability to break such encryption; or (c) access to Processed Data if Clipchamp is aware that the data is to be used for purposes other than those stated in the third party’s request. In support of the above, Clipchamp may provide Customer’s basic contact information to the third party.
3.1 Use of Subprocessors. Customer acknowledges and agrees that (a) Service Provider’s affiliates and third-party service providers may be engaged as Subprocessors in connection with the provision of the Services. Such Subprocessors will be permitted to access Personal Data only to deliver the services that Service Provider has retained them provide in connection with the Services, and they are prohibited from using Personal Data for any other purpose. Service Provider has entered into a written agreement with each Subprocessor containing data protection obligations consistent with the DPA to the extent applicable to the nature of the services provided by the Subprocessor.
3.2 Liability for Subprocessors. Service Provider shall be liable for the acts of its Subprocessors to the same extent as Service Provider would be liable if performing the services of the Subprocessor directly under the DPA, except as otherwise set forth in the Agreement.
3.3 Objection to Subprocessors. Upon request, Service Provider will provide a current list of Subprocessors for the Services accessed by Customer. In the event that Customer reasonably objects to a Subprocessor, Service Provider will notify Customer of any available alternatives to change the Services or receive the Services from an alternate Subprocessor, together with any applicable charges or changes to terms. If an alternative acceptable to Customer is not available within a reasonable time, then Customer may terminate the Services which cannot be provided by Service Provider without the objectionable Subprocessor, and receive a prorated refund for the remaining unused period of Services.
4. DATA PRIVACY AND SECURITY.
4.1 Security Measures by Service Provider. Service Provider maintains a written security program to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data processed by Service Provider in the provision of the Services, in compliance with Data Protection Law. Service Provider’s security program includes administrative, technical and physical safeguards appropriate for Service Provider’s size and resources and the types of information that Service Provider processes. Service Provider may update its security measures from time to time as consistent with the development of best industry practices, provided that such updates and modifications do not result in the degradation of the security of the Services. For any Services for which Service Provider obtains third-party certifications or audits, upon request, Service Provider will provide a copy of Service Provider’s most recent third-party certification or audit as applicable, which Service Provider generally makes available to its customers at the time of the request.
4.2 Service Provider Personnel. Service Provider shall ensure that access of Service Provider personnel to Personal Data is limited to those Service Provider personnel who require such access to perform the Agreement. Service Provider personnel accessing Personal Data will be informed of the confidential nature of the Personal Data, are subject to written obligations of confidentiality and have received training appropriate for their responsibilities and the nature of the Personal Data.
4.3 Security Measures by Customer. A Service may make available security features and functionalities that Customer may elect to use (for example, encryption of data in transit). To the extent that the Service provides Customer with controls and functionality to enable Customer to manage the Service, Customer is responsible for configuring the Service appropriately and using the available controls as Customer considers adequate to maintain appropriate security, protection, deletion and backup of Personal Data. Customer is also responsible for implementing appropriate technical and organizational measures relating to its use of the Services in a manner which enables Customer to comply with Data Protection Law.
5. PERSONAL DATA BREACH RESPONSE.
Service Provider will use best efforts to promptly notify Customer of any unauthorized disclosure or loss of Personal Data as required by Data Protection Law and in accordance with the relevant provisions of the Agreement. Service Provider will take appropriate steps to identify and remediate the cause of such unauthorized disclosure or loss and will provide information relating to the Personal Data Breach as reasonably requested by Customer. Notifications will be delivered to Customer’s administrators for the Service by normal notice means except that due to time being of the essence in this situation, emails will be sent to the email on file with Clipchamp for Customer. It is Customer’s responsibility to ensure that Customer maintains current contact information on the applicable Service console. Customer acknowledges that Service Provider will not notify Customer of unsuccessful security breach attempts that do not result in unauthorized access to or loss of Personal Data.
6. DATA TRANSFERS AND EXPORTS.
6.1 Data Transfers. Customer acknowledges and consents to Service Provider’s transfer of Personal Data (including, if Customer is located in Europe, outside of the EEA and Switzerland in accordance with Section 6.2 below, and if Customer is located in Australia, outside of Australia), subject to Service Provider’s compliance with applicable Data Protection Law and the requirements of this DPA.
6.2 Data Transfers from the EEA and Switzerland. Unless Service Provider has provided an alternative adequate transfer mechanism (as recognized under Data Protection Law) for the applicable country or Service Provider is acting as a Subprocessor, the Standard Contractual Clauses will apply to Personal Data that is transferred by Service Provider from the European Economic Area (“EEA”) and/or Switzerland to a country not recognized by the European Commission or the Swiss Federal Data Protection Authority as providing an adequate level of protection for Personal Data. Such transfers of Personal Data out of the EEA or Switzerland will be governed by Module 2 of the Standard Contractual Clauses as available at http://data.europa.eu/eli/dec_impl/2021/914/oj (the “New SCCs”) and transfers of Personal Data out of the United Kingdom will be governed by the Standard Contractual Clauses as available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 (the “Legacy SCCs”). The New SCCs and the Legacy SCCs are incorporated into and form part of this DPA. As used in the New SCCs and the Legacy SCCs, the term “data importer” means Service Provider, and the term “data exporter” means Customer and its Affiliates. Notwithstanding the foregoing, for the purposes of the Standard Contractual Clauses:
optional Clause 7 of the New SCCs will not be applicable,
option 1 of Clause 9(a) of the New SCCs will be applicable and the time period will be specified as 30 days;
option 1 of Clause 17 of the New SCCs will be applicable and will reference the Republic of Ireland;
the optional language in Clause 11(a) of the New SCCs will not be applicable;
Annex I, II and III of the New SCCs and Appendix I of the Legacy SCCs will be replaced in their entirety by Exhibit 1 attached hereto.
6.3 Alternative Data Export Mechanism. If Service Provider adopts another alternative data export mechanism (as recognized under Data Protection Law), then the Standard Contractual Clauses will cease to apply with effect from the date that Service Provider implements such new data export mechanism.
7. DELETION OF DATA.
During and following the Agreement, Service Provider will delete or return to Customer all Personal Data in Service Provider’s possession or control as provided in the Agreement except to the extent Service Provider is required by applicable law to retain specific Personal Data (in which case Service Provider will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.
8.1 DPIAs, Records of Processing Activities, and Prior Consultations. To the extent required by EU Data Protection Law, Service Provider will, upon reasonable notice and at Customer’s expense, provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments (“DPIAs”), records of processing activities, and/or prior consultations with data protection authorities. For the avoidance of doubt, Clipchamp will (where requested) supply records and information to Customer and keep such records and information accurate and up-to-date to the extent required under EU Data Protection Law.
8.2 Legal Disclosure Requests. If Service Provider receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, such request shall be immediately forwarded to Customer to allow Customer an opportunity to engage in any legal processes it deems appropriate with respect to the protection or disclosure of Personal Data. Notwithstanding this, Clipchamp may make any such information available to the supervisory authority if required by Data Protection Law.
8.3 Audits. With respect to the audits described in Clauses 5(f), 11 and 12(2) of the EU Model Clauses, Customer agrees that the audits shall be carried out in accordance with the following specifications: Upon data exporter’s request, and subject to the confidentiality obligations set forth in the Agreement, Service Provider shall, within a reasonable period following such request, make available to data exporter (or data exporter’s independent, third party auditor that is not a competitor of Service Provider) information regarding Service Provider’s compliance with the obligations set forth in the DPA, which may be in the form of third party audit reports and certifications, to the extent that Service Provider has such current reports or certifications and generally makes them available to customers. Customer shall reimburse Service Provider any time expended and expenses incurred for any on-site audit at Service Provider’s standard professional services rates. Before the commencement of any audit, Service Provider and the data exporter shall agree upon the scope, timing and duration.
9. LIMITATION OF LIABILITY.
9.1 Exclusion of Damages. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, EXEMPLARY, SPECIAL OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR IN CONNECTION WITH THIS DPA OR THE AGREEMENT, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
9.2 Total Liability. THE LIABILITIES ASSOCIATED WITH THIS DPA SHALL BE SUBJECT TO THE LIMITATION OF LIABILITY SET FORTH IN THE AGREEMENT. IF NO LIMITATION OF LIABILITY IS SET FORTH IN THE AGREEMENT, THEN IN NO EVENT WILL EITHER PARTY’S AGGREGATE LIABILITY TO THE OTHER PARTY FROM ALL CAUSES OF ACTION AND THEORIES OF LIABILITY EXCEED ONE (1) TIME THE ACTUAL AMOUNT PAID BY CUSTOMER TO THE SERVICE PROVIDER IN THE PREVIOUS TWELVE (12) MONTH PERIOD UNDER THE AGREEMENT.
10.1 Modification and Supplementation. The parties agree to mutually determine and execute appropriate modifications to the terms of this DPA which do not materially alter the economics or allocation of risk established by the Agreement (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Law, or (iii) to implement or adhere to revised standard contractual clauses which may be issued under Data Protection Law. For the avoidance of doubt, the standard contractual clauses set forth in the UK International Data Transfer Agreement (“ITDA”) at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf will apply for personal data transfers from the United Kingdom to the United States and other non-adequate jurisdictions under this DPA. Supplemental terms may be added as an Attachment or Appendix to this DPA where such terms only apply to the processing of Personal Data under the Data Protection Law of specific countries or jurisdictions. Either party may provide notice of such changes to the other, and the modified DPA will become effective, in accordance with the terms of the Agreement.
10.2 Governing Law and Place to Resolve Disputes. Except as otherwise required to comply with Data Protection Law (including, without limitation, EU Data Protection Law), this DPA will be construed and enforced in accordance with the Agreement without regard to conflict of laws principles (“applicable law”). Each party agrees that any action, suit or other proceeding based upon or arising from this DPA (each, a “Dispute”) will be brought and maintained in accordance with the Agreement, and each party consents to the mandatory jurisdiction and venue of such arbitrators and courts and waives any right to object to jurisdiction and venue. The prevailing party in any Dispute will be entitled to recovery of its reasonable attorneys’ fees and costs except in arbitration, where recovery of attorneys’ fees and costs will be governed by the Agreement and arbitration rules. The Uniform Computer Information Transactions Act and United Nations Convention on Contracts for the International Sale of Goods will not apply to this DPA.
10.3 Miscellaneous. For the purposes of this DPA, any defined terms that refer to the singular include the plural and vice versa. Except insofar as a different DPA has been or will be executed between the parties on the subject matter hereof, this DPA constitutes the entire agreement between the parties and supersedes all proposals, oral or written, all negotiations, conversations or discussions between or among parties relating to the subject matter of this DPA and all past dealings or industry norms or customs.
10.4 California Consumer Privacy Act (CCPA). If Clipchamp is processing Personal Data within the scope of the CCPA, Clipchamp makes the following additional commitments to Customer. Clipchamp will process Customer Data, Professional Services Data, and Personal Data on behalf of Customer and, not retain, use, or disclose that data for any purpose other than for the purposes set out in the DPA and as permitted under the CCPA, including under any “sale” exemption. In no event will Clipchamp sell any such data. These CCPA terms do not limit or reduce any data protection commitments Clipchamp makes to Customer in the DPA and/or Agreement between Clipchamp and Customer. To the extent required under applicable law, the CCPA Addendum attached as Exhibit 2 to this DPA shall apply to the Services.
10.5 Biometric Data. If Customer uses Services to process Biometric Data, to the extent allowed under applicable law, Customer is responsible for: (i) providing notice to data subjects, including with respect to retention periods and destruction; (ii) obtaining consent from data subjects; and (iii) deleting the Biometric Data, all as appropriate and required under applicable Data Protection Requirements. Clipchamp will process that Biometric Data following Customer’s documented instructions (as described in the “Scope, Roles, Processing, and Data Subject Requests” section above) and protect that Biometric Data in accordance with the data security and protection terms under this DPA. For purposes of this section, “Biometric Data” will have the meaning set forth in Article 4 of the GDPR and, if applicable, equivalent terms in other Data Protection Law.
A. LIST OF PARTIES
Name: Customer or Customer’s affiliated entities or their respective clients and client affiliates which is a user of Service Provider’s products or services (“Service Provider Solutions”) and is located in the European Economic Area or Switzerland.
Address: Address specified in Agreement.
Contact person’s name, position and contact details: As described in the Agreement; if not described in the Agreement, then the signatory of the Agreement.
Telephone: As described in the notice section of the Agreement; if not described in the Agreement, then “Not Applicable.” E-mail: As described in the notice section of the Agreement; if not described in the Agreement, then “Not Applicable.”
Activities relevant to the data transferred under these Clauses:
Using the Clipchamp Services as described in the Agreement.
Signature and date: Same signatory and date as Agreement.
Role (controller/processor): Controller
Name: Clipchamp Pty Ltd (ACN 162516556)
Address: Level 1, 315 Brunswick Street, Fortitude Valley QLD 4006, Australia
Contact person’s name, position and contact details: Clipchamp Pty Ltd, c/o Microsoft Corporation, Attn: Chief Privacy Officer, 1 Microsoft Way, Redmond, WA 98052 USA
Telephone: n/a e-mail: email@example.com
Activities relevant to the data transferred under these Clauses:
Performing the Clipchamp Services as described in the Agreement.
Signature and date: Same signatory and date as Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Customer as data exporter may submit personal data to Clipchamp (data importer), the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, without limitation, the following categories of data subjects whose personal data is transferred:
Prospects, customers, business partners, vendors and employees of data exporter (who are natural persons)
Employees or contact persons of data exporter and/or data exporter’s prospects, customers, business partners and vendors
Data exporters’ users authorized by data exporter to use the Services
Individuals whose images may appear in videos uploaded by data exporters’ users
Customer as data exporter may submit personal data to Clipchamp (data importer), the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, without limitation, the following categories of personal data transferred:
Contact information, employment and education information, IP address, connection data, localization data, and personal data included in content created by or about the user (including, without limitation, videos and images appearing in videos uploaded by data exporters’ users).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
As of the Effective Date of the Agreement, the parties do not anticipate special categories of personal data being transferred. Notwithstanding this, the Customer as data exporter may submit special categories of data to Clipchamp (data importer), the extent of which is determined and controlled by the data exporter in its sole discretion, through video uploads, text fields, or other content, and which is for the sake of clarity may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and/or health or sex life.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Nature of the processing:
To perform the Services as described in the Agreement.
Purpose(s) of the data transfer and further processing:
To perform the Services as described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
For the term of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
In accordance with the DPA, the data importer may hire other companies to provide limited services on data importer’s behalf, such as providing customer support. Any such subcontractors will be permitted to obtain personal data only to deliver the services the data importer has retained them to provide, and they are prohibited from using and personal data for any other purpose.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be:
The supervisory authority of the Republic of Ireland
ANNEX II -
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Clipchamp maintains documented security policies for the applicable Services, which are available to Customer in an Exhibit under the confidentiality terms of the Agreement.
The list of approved Subprocessors of Clipchamp is available under the confidentiality terms of the Agreement by sending a request to your Clipchamp sales representative. For the avoidance of doubt, any such list of Subprocessors may be updated by Clipchamp as set forth in the Agreement and/or this DPA.
California Consumer Privacy Act Addendum
This CCPA Addendum (“Addendum”) dated as of the Effective Date of the Agreement (as defined below) is incorporated into and forms part of the purchase order, agreement, and/or data protection agreement/appendix entered into between Clipchamp and/or its Affiliates identified below (“Service Provider”) and Customer and/or its Affiliates for the Agreement. Service Provider and Customer are individually a “party” and, collectively, the “parties.” For the purposes of this Addendum, “Affiliates” means any entity that directly or indirectly is owned or controlled by a party, where “control” is defined as the possession, directly or indirectly, of the power to control or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise. Unless otherwise set forth herein, any terms not defined in this Addendum will have the meaning set forth in the Agreement.
This Addendum sets forth the terms and conditions related to compliance with the California Consumer Privacy Act of 2018, Cal. Civil Code §1798.100 et seq. and related regulations (“CCPA”), as may be amended from time to time. In the event of a conflict between this Addendum and the Agreement, this Addendum will control, when applicable. Capitalized terms identified in this Addendum will have the same meaning as defined in the CCPA, unless otherwise noted.
The parties agree as follows:
To the extent applicable, Service Provider will at all times comply with the CCPA, including any amendments thereto. Further, to the extent that any Personal Information (as defined in the CCPA) (“Personal Information”) is collected by Service Provider as a result of this Agreement, the Service Provider will not retain, use, or disclose the Personal Information for any purpose other than providing the Services specified in the Agreement. Specifically, Service Provider will not retain, use, or disclose the Personal Information other than for permitted purposes under the Agreement.
Retain, use, or disclose the Personal Information outside of the direct business relationship between Service Provider and Customer; provided, however, that Service Provider may disclose Personal Information to and permit the processing of Personal Information by service providers who perform services for or on behalf of Service Provider, provided such service providers are subject to equivalent contractual requirements with respect to Personal Information as applying to Service Provider under the Agreement and this Addendum. Service Provider will remain liable for the actions of its service providers.
Notwithstanding anything in this Agreement to the contrary, the parties agree that any provision of Personal Information by Customer to Service Provider is necessary to perform a business purpose and is not part of and explicitly excluded from the exchange of consideration or any other thing of value between the parties.
If any modification to this Addendum is required because of a change in data protection laws or regulations, then either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary amendments to this Addendum to address such change as soon reasonably practicable.