JW Player Data Processing Agreement

Effective Date: January 15, 2024
Capitalized terms used herein and not otherwise defined herein have the meanings assigned to such terms in (i) the Order Form and the JW Player Terms of Service, available at www.jwplayer.com/tos/, incorporated therein or, if applicable, (ii) the Master Services Agreement (in each of the foregoing cases, the “Contract”) and in the GDPR.

This Data Processing Agreement together with its attachments (the “DPA” or “Agreement”) forms part of the Contract and is effective between the Publisher or Customer, as the case may be (herein, the “Client”) and the contracting entity specified in the Contract (together with its affiliates, the “Service Provider”), each a “party”; together “the parties”, to reflect the parties’ agreement with regard to the Processing of Personal Data of Client in accordance with the requirements of Applicable Law. Except as set forth in Annex 3 (State Law Annex), this DPA applies only (i) if Client is located in the European Economic Area (“EEA”), the United Kingdom of Great Britain and Northern Ireland (“UK”) or Switzerland, or (ii) if Client is not located in the EEA, the UK or Switzerland but only to the extent the Data Subjects are in the EEA, the UK or Switzerland. This DPA is an addendum and forms part of the Contract.
1. DEFINITIONS
For the purposes of this DPA:

1.1       “Applicable Law” shall mean any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any legislative and/or regulatory amendments or successors thereto), to which a party to this DPA is subject and which is applicable to a party’s Personal Data protection and privacy obligations.

1.2       “Data Controller” shall mean entity which alone or jointly with others determines the purposes and means of the Processing of Personal Data.

1.3       “Data Processor” shall mean entity that processes Personal Data on behalf of the controller.

1.4       “Data Subject” shall mean a natural person about whom Personal Data may be processed by Data Processor pursuant to the Contract or this DPA.

1.5       “GDPR” means, as and where applicable Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “EU GDPR”); and/or the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (the “UK GDPR”). References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.

1.6       “Personal Data” shall mean any information relating to an identified or identifiable Data Subject; an identifiable Data Subject is a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

1.7       “Process” or “Processing” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means such as collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, access, disclosure, transfer, storage, deletion, combination, destruction, or other use of Personal Data.

1.8       “Relevant Body” in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office (“ICO”) and/or UK Government (as and where applicable); and/or in the context of the EEA and EU GDPR, means the European Commission.

1.9       “Restricted Country” in the context of the UK, means a country or territory outside the UK; and in the context of the EEA, means a country or territory outside the EEA, that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Personal Data pursuant to a decision made in accordance Article 45(1) of the GDPR.

1.10    “Restricted Transfer” means the disclosure, grant of access or other transfer of Personal Data to any person, either (i) in the context of the UK GDPR, in a country or territory outside the UK, (“UK Restricted Transfer”); and/or (ii) in the context of the EU GDPR, in a country or territory outside the EEA (“EEA Restricted Transfer”), which the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Personal Data under Article 45 of the GDPR.

1.11    “Sensitive Data” means special categories of personal data, as referenced in Article 9(1) of the GDPR.

1.12    “Services” means those services and activities to be supplied to or carried out by or on behalf of Service Provider for Client as defined in the Contract, including the provision, maintenance, and improvement of the services.

1.13    “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses issued or approved by the Relevant Body for use in respect of Restricted Transfers to Processors, the current forms of which are deemed to be included by reference hereto (i) in respect of UK Restricted Transfers, the template addendum B1.0 issued by the ICO under section 119A(1) of the Data Protection Act 2018, in force from 21 March 2022 (“UK Addendum”); and/or (ii) in respect of EEA Restricted Transfers, the standard contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”).

1.14    “State Privacy Laws” means the laws referenced in Annex 3, as effective.

1.15    “Subprocessor” means any third party appointed by or on behalf of Service Provider to Process Client Personal Data.

2. DATA PROCESSING

2.1            Vis-a-vis Data Processor, all Personal Data Processed by the Service Provider in the performance of the Services that are subject to this DPA is owned by the Client. Having regard to the role(s) of the Client set out in Annex 1, the Client acts as (i) a Data Controller in relation to the Processing of Personal Data in respect of which Client is a Data Controller in its own right, or (ii) a Data Processor in relation to the Processing of Personal Data in respect of which Client is acting as a Data Processor on behalf of another Controller. Client instructs Service Provider to Process Personal Data as necessary to provide the Services to Client, and to perform Service Provider’s obligations and exercise Service Provider’s rights under the DPA. The Service Provider shall act as a Data Processor and shall be subject to the Applicable Laws that directly apply to the Service Provider.

2.2            Client retains all ownership rights in the Personal Data. Notwithstanding the foregoing, Client acknowledges that, except as otherwise set forth in the Contract and this DPA, Service Provider shall have no obligation to or liability for its failure to preserve, retrieve, recover, return, segregate or take any other action with respect to Personal Data. Client shall have no access to and will not attempt to access Personal Data except through standard interfaces made available by Service Provider and intended for Client’s access. Except as set forth in this DPA or in the Contract, Service Provider does not have any right to directly or indirectly sell, rent, lease, disclose or transfer Personal Data.

2.3            Annex 2 (Description of Processing) sets out certain information regarding Service Provider’s Processing of Personal Data as required by Article 28(3) of the GDPR; and to populate Appendix 1 to the EU SCCs in the manner described therein. Nothing in Annex 2 (Description of Processing) confers any right or imposes any obligation on any party to this DPA.

2.4            Annex 3 (State Privacy Law Annex) sets out certain requirements applicable to the Processing of Personal Data subject to State Privacy Laws.

2.5            Client represents and warrants on an ongoing basis throughout the term of the Contract and further undertakes, that (i) there is and will be a valid legal basis and (where applicable) condition for the Processing by Service Provider of Personal Data, as required under the Applicable Law, and applicable rules and  in accordance with this DPA and the Contract ; and (ii) it shall not (and shall ensure that its Personnel shall not) cause Service Provider or its Subprocessors to Process any Sensitive Data or any Personal Data relating to criminal convictions or offences.

2.6            With respect to Personal Data that falls under the scope of the GDPR provided by Client, or otherwise Processed by Service Provider on Client’s behalf, Service Provider shall, and shall ensure that any person engaging in Processing such Personal Data on its behalf, shall:

(a)   Process Personal Data only to deliver the Services as instructed and permitted by Client, this DPA and the Applicable Law (as well as any other agreements between the parties), and not Process Personal Data for any other purpose, unless agreed to or instructed by Client or required by the Applicable Law. To the extent permitted by the Applicable Law, Service Provider shall inform Client of any Processing to be carried out as required by the Applicable Law and the relevant legal requirements that require it to carry out such Processing, before the relevant Processing of that Personal Information. Where Service Provider receives an instruction from Client that, in its reasonable opinion, infringes the GDPR, Service Provider shall inform Client. Client acknowledges and agrees that any instructions issued by Client with regards to the Processing of Personal Data by or on behalf of Service Provider pursuant to or in connection with the Contract shall be strictly required for the sole purpose of ensuring compliance with the GDPR; and shall not relate to the scope of, or otherwise materially change, the Services to be provided by Service Provider under the Contract.  The parties agree that this DPA is Client’s complete and final instructions to Service Provider in relation to Processing of Personal Data. Processing outside the scope of this DPA (if any) will require prior written agreement between the parties on additional instructions for Processing, including agreement on any additional fees Client will pay to Service Provider for carrying out such instructions;

(b)  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Service Provider shall  implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk to protect Personal Data against anticipated threats or hazards to their security, confidentiality or integrity, and against unauthorized access or disclosure, and unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage, and against all other unauthorized forms of Processing. The safeguards shall meet or exceed the requirements provided by Client in Annex 1 (Information Security) and security requirements mandated by Applicable Law;

(c)  Not disclose or transfer Personal Data to, or allow access by, any third party (except for affiliates and consultants under an obligation of confidentiality for the purposes of providing services to Service Provider) without the prior written agreement of Client, except (i) where such disclosure, transfer or access is mandated by Applicable Law (subject to Service Provider providing Client with prompt written notice of such requirement to transfer or disclose, unless such notice is prohibited by Applicable Law), (ii) where such disclosure, transfer or access is undertaken for the purpose of improving security features or eliminating fraudulent activities, and (iii) to subprocessors contained on the “Subprocessor List” (currently available at www.jwplayer.com/subprocessors) that Service Provider uses to fulfill its contractual obligations under this DPA and the Contract or to provide certain services on its behalf, such as providing support services. Service Provider shall provide notification of new subprocessor(s) before authorizing any new subprocessor(s) to Process Personal Data in connection with the provision of the Services. Service Provider shall provide notification by updating its Sub-Processor List and providing a means on the Sub-Processor List page by which Client may subscribe to receive notice of such updates. Client agrees that Client is solely responsible for ensuring that it subscribes to such updates, and it shall do so. In order to exercise its right to object to Service Provider’s use of a new subprocessor, Client shall notify Service Provider promptly in writing within ten (10) business days after Service Provider notice in accordance with the mechanism set out above. In the event Client reasonably objects to a new subprocessor(s), Service Provider will use reasonable efforts to make available to Client a change in the affected Services or recommend a commercially reasonable change to Client’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new subprocessor. If Service Provider is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Client may terminate the Contract in respect only to those Services which cannot be provided by Service Provider without the use of the objected-to new subprocessor, by providing written notice to Service Provider. Unless Client provides timely objection notice in accordance with the above procedure, Client shall be deemed to have approved such subprocessor. If Client approves Service Provider’s disclosure and/or transfer granting access of Personal Data to a third party, such third party shall, prior to any such disclosure, have entered into an agreement with Service Provider providing terms which offer at least an equivalent level of protection of Personal Data as those set out in this DPA. Service Provider shall remain accountable and responsible for all actions by such third parties with respect to the disclosed or transferred Personal Data;

(d)  As reasonably instructed by Client, ensure that all Personal Data created by Service Provider on behalf of Client which is inaccurate or incomplete is erased or rectified in accordance with the Client’s instructions;

(e)   To the extent legally permitted, reasonably cooperate with the Client with respect to any action taken relating to any request, complaint, or order or other document from a Data Subject or regulator relating to the Processing of Personal Data;

(f)   Cease Processing and (if technically feasible) return, archive, or destroy Personal Data in its possession, in accordance with Client’s instructions, upon termination or expiration of this DPA or promptly upon the Client’s request, provided that Service Provider shall have no obligation to delete, archive, destroy or return any information that is anonymized, aggregated or de-identified. Service Provider and any Subprocessor may retain Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Service Provider and any such Subprocessor shall ensure the confidentiality of all such Personal Data and that Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose;

(g)   Hold Personal Data in confidence and require employees and personnel who will be provided access or will otherwise Process Personal Data to take reasonable measures to protect all Personal Data in accordance with the requirements of this DPA (including during the term of their employment and thereafter) and to ensure such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;

(h)  Maintain appropriate access controls designed to limit access to Personal Data to employees and personnel who require such access in order to provide the Services to Client;

(i)    Upon Client’s reasonable request, and subject to the confidentiality obligations set forth in the Contract, make available to Client (or Client’s independent, third-party auditor that is not a competitor of Service Provider) such information as Service Provider (acting reasonably) considers appropriate in the circumstances to demonstrate Service Provider’s compliance with the obligations set forth in this DPA, which may be in the form of documentary evidences, the third-party certifications and audits, only to the extent the documentary evidence made available by Service Provider is not sufficient in the circumstances to demonstrate Service Provider’s compliance with this DPA, and Service Provider makes them generally available to its customers; and subject to the confidentiality obligations set forth in the Contract, provide to such independent third-party inspection entity as Client may appoint, who shall not be a competitor of Service Provider, on written notice in accordance with the “Notices” Section of the Contract, at Client’s sole expense and no more than one (1) time in any year: (i) reasonable assistance and cooperation of Service Provider’s relevant staff; and (ii) reasonable facilities at Service Provider’s premises for the purpose of auditing Service Provider’s procedures relevant to the protection of Personal Data; Client shall reimburse Service Provider for any time expended for any such on-site audit at Service Provider’s then-current professional services rates. Before the commencement of any such on-site audit, data exporter and Service Provider shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Service Provider. Client shall promptly notify Service Provider with information regarding any non-compliance discovered during the course of an audit;

(j)    Service Provider shall implement and maintain an adequate and appropriate data incident management program. In the event of any unauthorized loss of Personal Data, or any unauthorized or unlawful use, access, disclosure, acquisition, alteration or destruction, or any other compromise of, Personal Data within the possession or control of Service Provider or any Service Provider’s sub processors (“Security Incident”), Service Provider shall promptly notify by any means Service Provider reasonably selects, including via email, Client of the Security Incident, providing Client with sufficient information (insofar as such information is, at such time, within Service Provider’s possession) to allow Client to meet any obligations under the GDPR to report the Security Incident to affected Data Subjects or the relevant data protection regulator (as may be determined in accordance with the GDPR). Client agrees that an unsuccessful Security Incident will not be subject to this Section (j). An unsuccessful Security Incident is one that results in no unauthorized access to Personal Data or to any of Service Provider’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or similar incidents. Client agrees that Service Provider’s obligation to report or respond to a Security Incident under this Section (j) is not and will not be construed as an acknowledgement by Service Provider of any fault or liability of Service Provider with respect to the Security Incident; and

(k)   Upon notice to Service Provider, Service Provider shall provide reasonable assistance to Client in the investigation, mitigation and remediation of each such Security Incident, and in the event of an investigation by any regulator, including a data protection regulator, or similar authority, if and to the extent that such investigation relates to Personal Data Processed by Service Provider on behalf of Client. Such assistance shall be at Client’s sole expense, except where such investigation was required due to Service Provider’s acts or omissions, in which case such assistance shall be at Service Provider’s sole expense.

3. DATA TRANSFERS

3.1    Service Provider shall not cause or permit any of the Personal Data that falls under the scope of the GDPR to be transferred to a country outside the EEA or the UK without Client’s prior written consent, which shall not be unreasonably withheld. Data transfers to countries outside the EEA in accordance with the mechanism set forth in Section 3.2 below and data transfers outside the UK in accordance with the mechanism set forth in Section 3.3 below shall be deemed reasonable. Client hereby consents to transfer of such Personal Data to Service Provider’s systems located in the United States and to any other location in the world solely for use and Processing authorized by the Contract and in accordance with the mechanisms set forth in Section 3.2 and Section 3.3 below. In this respect, the SCCs in this Section 3.2 and 3.3 shall be incorporated by reference and form an integral part of this DPA only if and to the extent permitted and required under the GDPR to establish a valid basis under Chapter V of the GDPR in respect of the transfer to Service Provider of Personal Data.

3.2     ADDITIONAL TERMS FOR EU PERSONAL DATA

To the extent that any Processing of Personal Data involves an EEA Restricted Transfer, the parties shall comply with their respective obligations set out in the EU SCCs, which are hereby deemed to be entered into by the parties and incorporated by reference into this DPA. For the purposes of the EU SCCs (where such Clauses are applicable to the relevant Module(s) concerned): (a) Client acts as “data exporter” and Service Provider acts  as “data importer”; (b) the following Modules of the SCCs apply (having regard to the role(s) of the Client set out in Annex 1): (i) Module Two (controller to processor) applies to an EEA Restricted Transfer involving the Processing of Personal Data in respect of which Client is a Data Controller in its own right; and (ii) Module Three (processor to processor) applies to an EEA Restricted Transfer involving the Processing of Personal Data in respect of which Client acts as a Data Processor on behalf of another Data Controller; (c) in Clause 9, Option 2 shall apply and the “time period” shall be ten (10) business days; (d) in Clause 11, the optional language shall not apply; (e) in Clause 17 (Option 1) the EU SCCs shall be governed by Irish law; (f) in Clause 18(b), disputes shall be resolved before the courts of Ireland;  (g) the annexes of the EU SCCs shall be populated with the corresponding information set out in Annex 2 of this DPA; and (h) Annex 2 of the EU SCCs shall be deemed to refer to the measures included in Annex 1 to this DPA (Information Security).

3.3     ADDITIONAL TERMS FOR UK PERSONAL DATA

To the extent that any Processing of Personal Data under this DPA involves a UK Restricted Transfer, the relevant EU SCCs entered into in accordance with Section 3.2 of this DPA shall apply to that UK Restricted Transfer and are (a) hereby deemed to be entered into by the parties and incorporated by reference into this DPA; and (b) varied by the UK Addendum and populated as follows: (i) Tables 1, 2 and 3 to the UK Addendum are deemed populated with the corresponding details set out in Annex 2 to this DPA; and (ii) Table 4 to the UK Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked. The parties agree to be bound by the Mandatory Clauses (as such term is defined in the UK Addendum).

3.4     ADOPTION OF NEW TRANSFER MECHANISM

Provider may on notice vary this DPA and replace the relevant SCCs with any new form of the relevant SCCs or a Transfer Mechanism issued or approved under and in accordance with the GDPR, other than the SCCs, that enables the lawful transfer of Personal Data to a Restricted Country in compliance with Chapter V of the GDPR.

4. MISCELLANEOUS

4.1       Service Provider’s liability toward the Client with regard to any and all breaches of this DPA and/or the Standard Contractual Clauses will be as set forth in the Contract and only to the extent it is liable pursuant to Article 82 of the GDPR.

4.2       Service Provider may modify the terms of this DPA in its sole discretion and such modifications shall take effect and be binding on Client on the earliest date on which they are posted to Service Provider’s publicly available website or delivered to Client via electronic or physical delivery. No one other than Service Provider has the right to modify this DPA.

4.3       This DPA will terminate automatically upon termination of the Contract, or as earlier terminated pursuant to the terms of this DPA.

4.4       Nothing in this DPA shall affect any indemnification provisions set forth in underlying agreements between the parties, including any Terms of Service; nor shall this DPA create new obligations of indemnification from one party to the other, except where expressly set forth herein.

4.5       In the event of any conflict or inconsistency between:

(a)         this DPA and the Contract, the provisions in this DPA shall prevail to the extent of such conflict or inconsistency; or

(b)        any SCCs that may apply in accordance with Section 3 and this DPA and/or the Contract, notwithstanding any operational clarifications detailed herein, those SCCs shall prevail in the context of the Restricted Transfer(s) to which they apply to the extent of any such conflict or inconsistency.

 

Annex 1
INFORMATION SECURITY
(1) Information Security Policies and Standard
Service Provider’s security measures shall include, at a minimum, measures designed to:

• Prevent unauthorized persons from gaining access to Personal Data Processing systems (physical access control);
• Prevent Personal Data Processing systems being used without authorization (logical access control);
• Ensure that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);
• Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);
• Ensure that Personal Data is Processed solely in accordance with the Client’s instructions (control of instructions);
• Ensure that Personal Data is protected against accidental destruction or loss (availability control); and
• Ensure that Personal Data collected for different purposes can be processed separately (separation control).

These measures are kept up to date, and revised whenever relevant changes are made to the information system that uses or houses personal data, or to how that system is organized.
Security policies and standards include:

• Data breach investigation;
• System access control;
• User privilege control;
• Software development and change control;
• Personal Data security;
• Business continuity planning;
• Electronic communication security;
• System administrative security; and
• Access to computer facilities.

(2) Physical Security
The Data Processor will maintain adequate security systems at all Data Processor sites at which an information system that uses or houses use Personal Data is located. The Data Processor reasonably restricts access to such personal data appropriately, including through the use of restricted building access, key card access and contracting with subprocessors with which Service Provider has entered into a data processing agreement.

(3) Organizational Security
When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any use of Personal Data stored on them before they are withdrawn from the inventory, including through destruction of storage devices or deletion of data. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of personal data stored on them, including through the use of authentication controls and limited access to personal data.
All personal data security incidents are managed in accordance with appropriate incident response procedures.

(4) Network Security
The Data Processor maintains network security using commercially available equipment and techniques, including firewalls, intrusion detection and/or prevention systems, and access control lists.

(5) Access Control
Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Data.
User administration procedures define user roles and their privileges, how access is granted, changed and terminated; addresses appropriate segregation of duties; and defines the logging/monitoring requirements and mechanisms.
Access rights are implemented adhering to the “least privilege” approach.
The Data Processor implements commercially reasonable physical and electronic security to create and protect passwords, including through the use of commercially available password manager services and user password salting and encryption.

(6) Personnel
The Data Processor implements a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations; physical security controls; security practices and security incident reporting.

(7) Business Continuity
The Data Processor implements appropriate disaster recovery and business resumption plans, including through the use of regular data backups, security logs and designated personnel.

(8) Contractual Control
The Data Processor enters into data processing agreements with subprocessors.

(9) Separation Control (Product Specific)
The Data Processor limits access and regularly rotates security logs. IP addresses of viewers for the Data Processor’s online video player (OVP) product are hashed with and without User Agent strings using a one-way hashing algorithm prior to database entry. With respect to Data Processor’s Data Rights Management (DRM) product, IP addresses and user agent strings are not hashed in the DRM usage logs and are stored in a secure location within the EU. With regards to the Subscription & Identity Management Services (SIMS) offering, cardholder data (payment information) is processed through encrypted channels (in transit) toward the Data Processor’s contracted payment providers. It is never stored on Data Processor’s systems or accessible by Data Processor. SIMS end-user subscription information is obtained by Data Processor upon account creation, encrypted and stored in  PCI DSS 4.0 Level 1 certified infrastructure within the EU. Access to the aforementioned data by Data Processor is restricted by least privilege and bi-annual access audits.

 

Annex 2
DESCRIPTION OF PROCESSING
A. DETAILS OF THE PARTIES
Client / ‘data exporter’ details
Name: As set out in the Contract or Order Form
Contact details for data protection: As set out in the Contract or Order Form
Customer Activities: Receipt of the Services
Role:
Data Controller – in respect of the Processing of Personal Data of which Client is a Data Controller in its own right;
Data Processor – in respect of the Processing of Personal Data of which Client acts as a Data Processor on behalf of another Data Controller.Service Provider / ‘data importer’ details
Name: LongTail Ad Solutions, Inc.
Contact details for data protection: privacy@jwplayer.com
Customer Activities: Provision of online video technology, streaming and hosting services
Role: Data Processor
B. DETAILS OF THE PROCESSING
Categories of Data Subjects:
Data Subjects include Client’s users and Client’s employees.
Categories of Personal Data:

• Personal Data relating to Data Subjects from the data exporter’s hosting, streaming and analytics and/or user accounts of data exporter
• As otherwise provided in the Contract, including IP addresses, email address (where necessary for the Services) device identifiers (only to the extent Client uses the SDKs (as defined in the Contract)), user agents, local storage client ids, non-persistent session ids and Client account information, in each case to the extent Personal Data under Applicable Law.

Special categories of Personal Data:
N/A.
Frequency of transfer:
Continuous / ongoing.
Nature of the Processing:
Processing operations required in order to provide the Services in accordance with the Contract.
Purpose of the Processing:
Provide the Services, as more particularly described in the Contract and/or the Order Form and including but not limited to the Business Purpose (as that term is defined in the CCPA) of performing services on behalf of Client, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying Client information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
Duration of Processing / Retention Period:
Concurrent with the term of the Contract and then thereafter pursuant to the applicable terms in this DPA.
Transfers to Subprocessors
Transfer to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor List (as may be updated from time to time in accordance with this DPA).
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be the supervisory authority of that EU Member State in which Client is established.

 

 
Annex 3
STATE PRIVACY LAWS ANNEX

1. The obligations under this Annex 3 that are not required to be imposed on Service Provider under the State Privacy Laws before such law(s) take effect shall apply to Service Provider only on and after such applicable law takes effect:

(a)    “CCPA” shall mean the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder.

(b)    “CPA” means the Colorado Privacy Act, effective July 1, 2023.

(c)    “PDPOM” means the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, effective July 1, 2023.

(d)    “UCPA” means the Utah Consumer Privacy Act, effective December 31, 2023.

(e)    “VCDPA” means the Virginia Consumer Data Protection Act.

(f)     “State Privacy Laws” means, collectively, the CCPA, CPA, PDPOM, UCPA, and VCDPA, as effective.

2. For purposes of this Annex 3, the terms “business,” “commercial purpose,” “sell,” “share,” “business purpose,” and “service provider” shall have the respective meanings given thereto in State Privacy Laws, and “personal information” shall mean Personal Data provided by Client that constitutes personal information, personal data, or other analogous term governed by State Privacy Laws. As used herein, with respect to the VCDPA, CPA, PDPOM, and UCPA “Service Provider” shall mean “Processor” as defined under the VCDPA, CPA, PDPOM, and UCPA.
3. The business purposes and services for which Service Provider is processing personal information are for Client to provide the services to and on behalf of Client as set forth in the DPA, as described in more detail in Annex 2.
4. It is the parties’ intent that with respect to any personal information, Service Provider is a service provider. Service Provider shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any commercial purpose other than for the specific business purpose of providing the Services, or as otherwise permitted by the CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Service Provider and Client; or (d) combine personal information received pursuant to the DPA with personal information (i) received from or on behalf of another person, or (ii) or collected from Service Provider’s own interaction with any individual to whom such personal information pertains, except as permitted by the CCPA. Service Provider hereby certifies that it understands its obligations under this Section 2 and will comply with them.
5. Service Provider (a) acknowledges that personal information is disclosed by Client for the specified business purposes described in the DPA; (b) shall comply with applicable obligations under the CCPA and shall provide substantially the same level of privacy protection to personal information as is required by the CCPA; (c) shall notify Client of any determination made by Service Provider that it can no longer meet its obligations under the CCPA; and (d) agrees that Client has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
6. Service Provider shall provide all information and assistance reasonably requested by Client to demonstrate Service Provider’s compliance with this Annex and State Privacy Laws, including by way of audits and/or inspections in accordance with Section 7 of this Annex.
7. Subject to this Section 7, Service Provider shall undertake commercially reasonable efforts to make available to Client such information as Client may reasonably request for Service Provider to demonstrate compliance with State Privacy Laws and this Annex. Service Provider agrees that Client may conduct reasonable audits to help ensure that Service Provider’s use of personal information is consistent with Service Provider’s obligations under the State Privacy Laws or, alternatively, the Service Provider may arrange for a qualified and independent assessor to conduct an assessment of the Service Provider’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments; and provide a report of such assessment to Client’s upon reasonable request.
8. When Service Provider engages any new Subprocessor, Service Provider shall (i) notify Client of the engagement, (ii) not engage any such Subprocessor if Client reasonably objects within ten (10) business days, and (iii) enter into a written agreement with such Subprocessor that complies with the State Privacy Laws and contains privacy and security obligations substantially similar to those in this Annex. Notwithstanding the foregoing, Client consents to Service Provider’s use of existing to Subprocessors contained on the “Subprocessor List” (currently available at www.jwplayer.com/subprocessors).
9. Service Provider shall be required to ensure that each person processing the personal information on Service Provider’s behalf is subject to a duty of confidentiality with respect to the personal information.
10. Upon termination of the DPA, Service Provider shall, at Client’s direction, delete or return all of the personal information to Client as requested, unless retention of the personal information is required by law.
11. If Service Provider receives a request from Data Subjects to exercise their rights under the State Privacy Laws directly from an individual, Service Provider will notify Client and advise the individual to submit its request to Client. Client will be solely responsible for responding to the request, unless otherwise required by State Privacy Laws. Service Provider will provide Client with assistance reasonably necessary for Client to perform its obligations under the State Privacy Laws to fulfil or respond to requests from Data Subjects to exercise their rights under State Privacy Laws.
12. Service Provider agrees to cooperate in good faith with Client concerning any future amendments as may be necessary to address compliance with the State Privacy Laws.
13. Service Provider shall, taking into account the context of the processing, implement and maintain technical and organizational measures designed to protect personal information as described in Annex in Annex 1 (Information Security).
14. The parties acknowledge that Service Provider’s retention, use and disclosure of personal information authorized by Client’s instructions documented in the DPA are integral to Service Provider’s provision of the Services and the business relationship between the parties.