DATA PROCESSING ADDENDUM - POWTOON
This Data Processing Addendum (“Addendum”) is an agreement between Powtoon Limited (“Powtoon” or “Data Processor”) and you or the entity you represent (“Customer” or “Data Controller”). This DPA supplements Powtoon’s Master Services Agreement between Customer and Powtoon governing Customer’s use of Powtoon’s Service (the “Agreement”). In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
To the extent that Powtoon Processes Personal Data (as defined below) subject to the GDPR/UK GDPR on behalf of Customer in the course of the provision of its Services, this Addendum shall apply.
In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
1. Definitions
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1 “GDPR” means EU General Data Protection Regulation 2016/679;
1.2 “UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;
1.3 “Applicable Data Protection Laws” means all applicable law(s) protecting Personal Data and individuals’ right to privacy with respect to the Processing of Personal Data, including but not limited to the GDPR and the UK GDPR;
1.4 “Standard Contractual Clauses” (“SCC”) means the applicable module of the standard clauses for the transfer of Personal Data pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN and, as applicable, the UK addendum (“UK Addendum”) to the European Commission's Standard Contractual Clauses for international data transfers, available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf
1.5 “EEA” means the European Economic Area, which includes all EU countries as well as Iceland, Liechtenstein and Norway, and to which the GDPR applies;
1.6 “Restricted Country” means any country which (i) is not a member of the European Economic Area; (ii) is not deemed adequate by the European Commission pursuant to Applicable Data Protection Laws; and (iii) has not been specified by regulations of the UK Secretary of State as providing an adequate level of protection of Personal Data in accordance with Section 17A of the Data Protection Act 2018;
1.7 “Onward Transfer” means the onward transfer of Personal Data received by a Data Importer from a Data Exporter (as defined in the SCC) to a third person or entity located in a Restricted Country;
1.8 “Services” means Powtoon’s visual communication platform that allows Customers to create professional and fully customized videos;
1.9 “Sub-processor” means any person (excluding an employee of Powtoon or any of its sub-contractors) appointed by or on behalf of Powtoon to Process Personal Data on behalf of Customer in connection with the Agreement;
1.10 “Supervisory Authority” means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR/UK GDPR; and (b) any similar regulatory authority responsible for the enforcement of Applicable Data Protection Laws; and
1.11 “Term” means the term of the Agreement, as defined therein.
1.12 The terms “Controller”, “Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR/UK GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Customer Personal Data
2.1 The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the Applicable Data Protection Laws, and that Powtoon is acting in the capacity of a Processor. In some circumstances, Customer may additionally or alternatively be a Processor, in which case Customer appoints Powtoon as an authorised sub-processor; this shall not change the obligations of the parties under this Addendum, as Powtoon will remain a Processor in any such event.
2.2 Powtoon shall Process Customer Personal Data on the documented instructions of Customer, unless otherwise required by applicable law to which Powtoon is subject. Powtoon shall notify Customer if, in its opinion, any instruction infringes the Applicable Data Protection Laws or other Union or Member State data protection provisions, unless that law prohibits such notification. Such notification will not constitute a general obligation on the part of Powtoon to monitor or interpret the laws applicable to Customer, and such notification will not constitute legal advice to Customer.
2.3 Customer warrants and represents that it is and will, at all relevant times, remain duly and effectively authorised to give the instructions set out in Section 2.2.
2.4 Customer warrants that it has all the necessary rights to provide the Personal Data to Powtoon for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in the Applicable Data Protection Laws support the lawfulness of the Processing. To the extent required by the Applicable Data Protection Laws, Customer is responsible for ensuring that all necessary privacy notices are provided to Data Subjects and, unless another legal basis set forth in the Applicable Data Protection Laws supports the lawfulness of the Processing, that any necessary Data Subject consents to the Processing are obtained, and for ensuring that a record of such consent is maintained. Should such consent be revoked by a Data Subject, Customer is responsible for communicating the fact of such revocation to Powtoon, and Powtoon will act pursuant to Customer's instructions as appropriate.
2.5 Annex 1 to this Addendum sets out certain information required by Article 28(3) of the GDPR/UK GDPR and according to which Personal Data may be Processed by Powtoon. Customer warrants that it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement. The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides in its sole discretion, in a manner Powtoon finds appropriate to provide the required Services.
3. Confidentiality
3.1 Without prejudice to any existing contractual arrangements between the parties, Powtoon shall ensure that any person that it authorises to Process the Personal Data on its behalf shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Powtoon shall implement appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data appropriate to the risk. Such measures are detailed under Annex 2 to this Addendum and may be updated by Powtoon from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.
4.2 Customer acknowledges that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures. Customer will therefore evaluate the measures as implemented in accordance with section 4 on an on-going basis in order to maintain compliance with the requirements set forth in this section. The parties will negotiate in good faith the cost, if any, to implement changes required by specific updated security requirements set forth in Applicable Data Protection Laws or by data protection authorities of competent jurisdiction.
5. Sub-processing
5.1 Powtoon may utilize Sub-processors to provide certain services on its behalf which are required to provide the Services. Customer provides a general authorisation to Powtoon with respect to its use of such Sub-processors, in accordance with this section. The Powtoon website (currently posted at https://www.powtoon.com/dpa/sub-processors/) lists the Sub-processors that are currently engaged by Powtoon.
5.2 From time to time, and where required for the provision of the Service, Powtoon may engage new Sub-processors. Powtoon will provide notice to Customer (by updating the website and providing Customer with a mechanism to obtain notice of that update) of any new Sub-processor at least 14 (fourteen) days in advance of providing that Sub-processor with access to Customer Personal Data. If, within 14 calendar days of receipt of that notice, Customer notifies Powtoon in writing of any objections, made on reasonable grounds, to the proposed appointment of a new Sub-processor, the parties will endeavour to agree (acting reasonably), without undue delay, the commercially reasonable steps to be taken to ensure that the new Sub-processor is compliant with the requirements of this Addendum.
5.3 In the absence of a resolution, Powtoon will make commercially reasonable efforts to provide Customer with the same level of Service described in the Agreement without using the Sub-processor objected to in order to process Customer Personal Data.
5.4 Where Customer reasonably argues that the risks involved with the sub-processing activities are still unacceptable in the context of the requirements of the GDPR/UK GDPR and in relation to the appropriate steps, within the requisite time frame, the parties shall promptly seek to resolve the issues. Where the parties are unable to resolve the issues within such time frame, Customer's sole remedy will be to terminate the Agreement.
5.5 With respect to each Sub-processor, Powtoon shall ensure that the Sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.
6. Data Subject Rights
6.1 Customer shall comply with requests received from Data Subjects to exercise their data protection rights under Applicable Data Protection Laws.
6.2 When Customer is unable to perform in accordance with section 6.1 and therefore requires Powtoon's assistance, Powtoon shall, taking into account the nature of the Processing, assist Customer, upon Customer's request and at Customer's cost, by using appropriate technical and organisational measures, insofar as this is possible, to comply with requests to exercise Data Subject rights under the Applicable Data Protection Laws.
7. Personal Data Breach
7.1 When Powtoon becomes aware of an incident that has a material impact on the Processing of Personal Data that is the subject of the Agreement, it shall notify Customer of the incident. Powtoon shall cooperate with Customer and follow Customer's instructions with regard to such incidents, to enable Customer to perform an investigation into the incident, formulate a correct response and take suitable further steps in respect of the incident.
7.2 The term "incident" used in section 7.1 includes but is not limited to:
(a) A complaint or request with respect to the exercise of a Data Subject's rights under the Applicable Data Protection Laws.
(b) An investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent.
(c) Any unauthorized or accidental access, Processing, deletion, loss or any form of unlawful Processing of Personal Data.
(d) Any breach of the security and/or confidentiality as set out in sections 3 and 4 of this Addendum, leading to the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place.
(e) Where, in the opinion of Powtoon, implementing an instruction received from Customer would violate applicable laws to which Customer or Powtoon are subject.
7.3 Where the incident is reasonably likely to require a data breach notification by Customer under the Applicable Data Protection Laws, Powtoon will assist Customer with the notification process.
7.4 Powtoon shall, at Customer's cost, cooperate with Customer and take the commercially reasonable steps reasonably instructed by Customer, to assist in the investigation and mitigation of every Personal Data Breach that occurs.
8. Deletion or Return of Customer Personal Data
8.1 Customer may in its discretion, by written notice to Powtoon within 30 calendar days of the cessation date, require Powtoon to (a) return a complete copy of all Customer Personal Data to Customer; and (b) delete all other copies of Customer Personal Data Processed by Powtoon. Powtoon shall comply with any such written request within 60 calendar days of the cessation date.
8.2 Powtoon may retain Customer Personal Data to the extent and for such period as required by Applicable Data Protection Laws.
9. Audit Rights
9.1 Subject to sections 9.2 and 9.3, Powtoon shall make available to Customer, upon reasonable request, information which is reasonably necessary to demonstrate compliance with this Addendum.
9.2 Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, Powtoon shall, at Customer's cost, allow for audits, including inspections, by an auditor mandated by Customer (subject to section 9.3, and provided that the auditor shall be subject to written confidentiality obligations in relation to such information) in relation to the Processing of Customer Personal Data by Powtoon, provided that:
(a) Customer shall give Powtoon reasonable notice of any audit or inspection to be conducted; and
(b) Customer shall take reasonable steps (and shall procure that each of its mandated auditors takes reasonable steps) to minimize disruption to Powtoon's business in the course of such audit or inspection, and such audits or inspections shall be conducted during normal working hours.
9.3 Powtoon may object to an auditor mandated by Customer if the auditor is, in Powtoon’s opinion, not suitably qualified or independent, a competitor of Powtoon, or otherwise manifestly unsuitable. In the event of such objection, Customer shall appoint another auditor or conduct the audit itself.
10. Transfers
10.1 Information may be transferred to third party companies and individuals located in a Restricted Country in order to facilitate Powtoon's Services. To the extent that Powtoon or its Sub-processors Process Customer Personal Data in Restricted Countries, the applicable module of the SCC and, to the extent applicable, the UK Addendum shall apply and shall be incorporated herein upon execution of this Agreement by the parties, or Powtoon shall otherwise ensure that the continuity of protection of Personal Data is maintained for any respective onward transfers. With respect to each such data transfer, Powtoon shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the likelihood of a risk to the rights and freedoms of natural persons. Customer may request a reference to the appropriate or suitable safeguards and the means by which Powtoon implemented appropriate technical and organizational measures, including by Powtoon making the signed SCC available to Customer and providing a copy of the signed SCC to Customer where appropriate.
10.2 Annex II of the SCC shall be deemed completed with the information set out in Annex 2 to this Addendum.
10.3 To the extent that Powtoon or Customer are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held by a court of competent jurisdiction to be invalid, Powtoon and Customer agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
11. General Terms
11.1 Liability and Indemnity
Customer shall indemnify Powtoon and hold Powtoon harmless against all claims, losses, damages and expenses incurred by Powtoon arising out of a breach of this Data Processing Addendum and/or the Applicable Data Protection Laws by Customer.
11.2 Order of Precedence
With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.
11.3 Changes in Applicable Data Protection Laws
If any variation is required to this Addendum as a result of a change in Applicable Data Protection Laws, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Applicable Data Protection Laws and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.
11.4 Governing Law and Jurisdiction
This Agreement shall be governed by and construed under the laws of England and Wales. Any dispute arising under or in relation to this Agreement shall be resolved exclusively in the competent courts located in London, UK, and each of the parties hereby submits irrevocably to the exclusive jurisdiction of such courts.
11.5 Severance
Should any provision of this Addendum be invalid or unenforceable, the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject Matter and Duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Customer Personal Data
Powtoon provides its Customers with a visual communication platform that allows its Customers’ end-users (“End User”) to create professional and fully customised videos. In the course of the provision of its Services, Powtoon may receive access to and Process Customer Personal Data and its End Users’ Personal Data to provide the Services in accordance with the Agreement and this Addendum.
Special Categories of Personal Data to be Processed [e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation]
No special category data is processed by Powtoon.
The Categories of Data Subject to whom the Customer Personal Data Relates
The categories of data subjects are chosen by Customer.
The Obligations and Rights of Customer
The obligations and rights of Customer are set out in the Agreement and this Addendum.
ANNEX 2: SECURITY MEASURES
General Security Measures
- Powtoon shall establish a procedure for allowing access to Personal Data and for restricting such access. Powtoon shall ensure that access to Personal Data is strictly limited to those individuals who "need to know" or need to access the Personal Data, and only as strictly necessary for the purpose of providing the Service, and shall keep a record of the persons authorized to access the Personal Data subject to the Agreement.
- Powtoon shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of the Personal Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to written confidentiality undertakings and written security protocols.
- Powtoon shall implement physical measures to ensure that access to the Personal Data is granted only to authorized users.
- Powtoon shall maintain and implement sufficient and appropriate (based on the type of Personal Data and its sensitivity) environmental, physical and logical security measures with respect to the Personal Data and to Powtoon’s system infrastructure, data processing system, communication means, terminals, system architecture, hardware and software, in order to prevent penetration of and unauthorized access to Customer Personal Data, Customer’s systems or the communication lines between Powtoon and Customer.
- Powtoon shall list all components (infrastructure and software) used to Process the Personal Data subject to this Agreement, including computer systems, communication equipment, and software. Powtoon shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.
- Powtoon shall act in accordance with an appropriate written information security policy and working procedures that comply with the security requirements under this Annex. Powtoon shall review its security policies and operating procedures periodically.
- Powtoon shall implement a control mechanism for verifying access to systems containing Personal Data, which shall record, inter alia, the user identity, the date and time of the access attempt, the system component accessed or attempted to be accessed, the type and scope of access, and whether access was granted or denied. Powtoon shall periodically monitor the information from the control mechanism and list issues and irregularities and the measures taken to handle them.
- Powtoon will perform security risk assessments of critical systems containing Personal Data at least once every 18 months.
- Powtoon will not disclose Personal Data through a public communications network or via the internet without using industry-standard encryption methods.
Technical Security Measures
Access control and authentication
- An access control system applicable to all users accessing the IT system is implemented. The system allows user accounts to be created, approved, reviewed and deleted.
- The use of shared user accounts is avoided. In cases where this is necessary, it is ensured that all users of the shared account have the same roles and responsibilities.
- When granting access or assigning user roles, the “need-to-know principle” shall be observed in order to limit the number of users having access to personal data to only those who require it for achieving the Processor’s processing purposes.
- Where authentication mechanisms are based on passwords, the Data Processor requires passwords to be at least eight characters long and to conform to very strong password control parameters, including length, character complexity and non-repeatability.
- Authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network.
Logging and monitoring
- Log files are activated for each system/application used for the processing of personal data. They include all types of access to data (view, modification, deletion).
Security of data at rest
Server/Database security
- Database and application servers are configured to run under a separate account with the minimum OS privileges required to function correctly.
- Database and application servers process only the personal data that are actually needed to achieve the processing purposes.
Workstation security
- Users are not able to deactivate or bypass security settings.
- Anti-virus applications and detection signatures are configured on a regular basis.
- Users do not have privileges to install or deactivate unauthorised software applications.
- The system enforces session time-outs when the user has not been active for a certain period of time.
- Critical security updates released by the operating system developer are installed regularly.
Network/Communication security
- Whenever access is performed over the Internet, communication is encrypted using cryptographic protocols.
- Traffic to and from the IT system is monitored and controlled through firewalls and intrusion detection systems.
Back-ups
- Backup and data restore procedures are defined, documented, and clearly linked to roles and responsibilities.
- Backups are given an appropriate level of physical and environmental protection, consistent with the standards applied to the originating data.
- Execution of backups is monitored to ensure completeness.
Mobile/Portable devices
- Mobile and portable device management procedures are defined and documented, establishing clear rules for their proper use.
- Mobile devices that are allowed to access the information system are pre-registered and pre-authorized.
Application lifecycle security
- During the development lifecycle, best practice, state of the art and well acknowledged secure development practices or standards are followed.
- Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.
- Penetration testing: We maintain relationships with industry recognized penetration testing service providers for two annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Data deletion/disposal
- Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.) physical destruction will be performed.
- Shredding of paper and portable media used to store personal data is carried out.
Physical security
- The physical perimeter of the IT system infrastructure is not accessible to non-authorized personnel. Appropriate technical measures (e.g. intrusion detection system, chip-card operated turnstile, single-person security entry system, locking system) or organizational measures (e.g. security guard) shall be set in place to protect security areas and their access points against entry by unauthorized persons.
Outsourced processing
- We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Powtoon Limited
28 Church Road, London, HA7 4XR - UK