Appendix 1 Data Processing Agreement

Except as modified below, the terms of the Agreement shall remain in full force and effect. The Agreement and this DPA are connected and cannot be terminated separately. This DPA may, however, be replaced by a new valid DPA without this affecting the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, the DPA shall prevail.

1. Definitions

1.1. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:

"Contracted Processor" means Colourbox or a Sub-processor;

"Data Protection Laws and Regulations" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement;

"DPA" means this Data Processing Agreement;

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

"Licensee Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Licensee pursuant to or in connection with the Agreement;

"Security Practices" means the security practices applicable to the specific Services provided according to the Agreement, as updated from time to time, and accessible on Colourbox's Internet site or as otherwise made reasonably available by Colourbox;

"Services" means the services and other activities to be supplied to, or carried out by or on behalf of Colourbox for, Licensee pursuant to the Agreement; and

"Sub-processor" means any Processor appointed by or on behalf of Colourbox to Process Personal Data on behalf of Licensee in connection with the Agreement.

1.2. The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" shall have the meaning given to them in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Personal Data

2.1. The parties acknowledge and agree that with regard to the Processing of Personal Data, Licensee is the Controller, Colourbox is the Processor and that Colourbox will engage Sub-processors pursuant to the requirements set forth in Section 5, "Sub-Processors" below.

2.2. Licensee shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Licensee's instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations and have lawful basis. Licensee shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Licensee Processes Personal Data.

2.3. Colourbox shall comply with all applicable Data Protection Laws and Regulations in the Processing of Licensee Personal Data.

2.4. Colourbox shall only Process Licensee Personal Data on behalf of and in accordance with Licensee's documented instructions for the following purposes only, unless required to do so by European Union or Member State law to which Colourbox or Sub-processor is subject, in such a case, Colourbox shall inform Licensee of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest:

2.4.1. Processing in accordance with the Agreement; and

2.4.2. Processing to comply with other documented instructions provided by Licensee (e.g., via email) where such instructions are consistent with the Agreement.

2.5. The subject-matter of Processing of Personal Data by Colourbox is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Licensee Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule A (Details of the Processing) to this DPA.

3. Rights of Data Subjects

3.1. Colourbox shall, to the extent legally permitted:

3.1.1. promptly notify Licensee if any Contracted Processor receives a request from a Data Subject under any Data Protection Law and Regulation in respect of Licensee Personal Data ("Data Subject Request"); and

3.1.2. ensure that the Contracted Processor does not respond to that request except to confirm that such request relates to Licensee, except (i) on the documented instructions of Licensee, or (ii) as required by applicable laws to which the Contracted Processor is subject, in which case Colourbox shall to the extent permitted by applicable laws inform Licensee of that legal requirement before the Contracted Processor responds to the request.

3.2. To the extent Licensee, in its use of the Services, does not have the ability to address a Data Subject Request, Colourbox shall upon Licensee's written request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent Colourbox is legally permitted to do so and provided that such Data Subject Request is exercised in accordance with Data Protection Laws and Regulations. To the extent legally permitted, Licensee shall be responsible for any costs (including man-hours) arising from Colourbox's provision of such assistance.

4. Colourbox Personnel

4.1. Colourbox shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Licensee Personal Data.

4.2. Colourbox must ensure in each case that access is strictly limited to those individuals who need to know / access the relevant Licensee Personal Data, as strictly necessary for the purposes specified in Section 2.4, and to comply with applicable laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality during the personnel agreement and after its termination.

5. Sub-processors

5.1. Licensee authorizes and instructs Colourbox to appoint (and permit each Sub-processor appointed in accordance with this Section 5 to appoint) Sub-processors in accordance with this Section 5 and any restrictions in the Agreement in order to provide the Services and to transfer Licensee Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Agreement.

5.2. Colourbox may continue to use those Sub-processors already engaged by Colourbox as at the date of this DPA. The current list of Sub-processors for the Services is included in Schedule B (Sub-processors). The Sub-processor list includes the identities of those Sub-processors and their country of location. Colourbox must give Licensee prior documented notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor.

5.3. Licensee may on reasonable grounds object to Colourbox's use of a new Sub-processor by notifying Colourbox promptly in writing within ten (10) business days after receipt of Colourbox's notice in accordance with Section 5.2:

5.3.1. Colourbox shall not appoint (or disclose any Licensee Personal Data to) that proposed Sub-processor until reasonable efforts to make available to Licensee a change in the Services or to recommend a commercially reasonable change to Licensee's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Licensee have been made; and

5.3.2. where such reasonable steps cannot be made within thirty (30) days from Colourbox's receipt of Licensee's notice, notwithstanding anything in the Agreement, Licensee may by written notice to Colourbox with immediate effect terminate the Agreement with respect only to those Services which cannot be provided by Colourbox without the use of the objected-to new Sub-processor. Colourbox will refund Licensee any prepaid fees covering the remainder of the term of such Agreement following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Licensee.

5.4. With respect to each Sub-processor, Colourbox shall:

5.4.1. ensure that the arrangement between Colourbox and the Sub-processor is governed by a written contract including terms which offer at least the same level of protection for Licensee Personal Data as to the extent applicable to the nature of the Services provided by such Sub-processor as those set out in this DPA and meet the requirements of article 28(3) of the GDPR;

5.4.2. provide to Licensee for review such copies of Colourbox agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) as Licensee may request from time to time, or

5.4.3. if that arrangement involves a transfer of Personal Data to countries outside the EU/EEA, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Colourbox and the Sub-processor before the Sub-processor first Processes Licensee Personal Data.

5.5. Colourbox must ensure that each Sub-processor performs the obligations under this DPA, as they apply to Processing of Licensee Personal Data carried out by that Sub-processor, as if it were party to this DPA in place of Colourbox.

5.6. Notwithstanding Sections 5.4 and 5.5, Licensee accepts that the at any point in time applicable standard Sub-processor agreement(s) provided by the following subset of the Sub-processors listed in Schedule B: Amazon will fulfil Colourbox obligations in accordance with this Section 5.

6. Security

6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Colourbox shall in relation to the Licensee Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

6.2. In assessing the appropriate level of security, Colourbox shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

6.3. The appropriate level of security is set in accordance with Security Practices, see Schedule C.

7. Licensee Personal Data Incident Management and Notification

7.1. Colourbox maintains security incident management policies and procedures specified in the Security Practices.

7.2. Colourbox shall notify Licensee without undue delay and within 36 hours upon Colourbox or any Sub-processor becoming aware of a Personal Data Breach affecting Licensee Personal Data, providing Licensee with sufficient information to allow Licensee to meet any obligations to report or inform Data Subjects of the Licensee Personal Data Breach under the Data Protection Laws.

7.3. Colourbox shall make reasonable efforts to identify the cause of such Personal Data Breach and take those steps as Colourbox deems necessary and reasonable in order to remediate the cause to the extent the remediation is within Colourbox's reasonable control.

7.4. Colourbox shall co-operate with Licensee and take such reasonable commercial steps as are directed by Licensee to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7.5. If the Personal Data Breach is caused by Licensee, Licensee to the extent legally permitted, will be responsible for any costs arising from the Personal Data Breach.

8. Return and Deletion of Licensee Personal Data

8.1. Subject to Section 8.2 and the limitations described in the Agreement and the Security Practices, Colourbox shall promptly upon the date of cessation of any Services involving the Processing of Licensee Personal Data, return all Licensee Personal Data and copies of such data to Licensee, procure the deletion of all copies or procure the Personal Data to be unidentifiable, unless applicable law or a need to document Licensee's use of the Services prevents it from returning or destroying all or part of the Licensee Personal Data.

8.2. Each Contracted Processor may retain Licensee Personal Data to the extent required by applicable laws or required to document Licensee's use of the Services and only to the extent and for such period as required by applicable laws and always provided that Colourbox shall ensure the confidentiality of all such Licensee Personal Data and shall ensure that such Licensee Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

9. Limitation of Liability

9.1. The regulation of liability and limitation of liability in the Agreement also applies to this DPA being an integral part thereof.

9.2. The parties are liable according to the general rules of applicable law, subject, however, to the limitations set out in this section.

9.3. The following are not covered by the limitation of liability in this Section 9:

9.3.1. Loss as a direct result of the other party's grossly negligent or intentional acts; and

9.3.2. Reasonable expenses and internal resource consumption used to comply to obligations to a Supervisory Authority or the Data Subject, including compensation to a Data Subject, to the extent that these are caused by a breach by the other party.

10. Data Protection Impact Assessment, Audits and Prior Consultation

10.1. Colourbox shall upon Licensee's written request provide reasonable assistance needed to fulfil Licensee's obligation under the GDPR to carry out any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Licensee reasonably considers to be required of any Licensee by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law and Regulation, in each case solely in relation to Processing of Licensee Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

10.2. Colourbox must make available to Licensee on request necessary information to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Licensee or an auditor mandated by Licensee in relation to the Processing of the Licensee Personal Data by the Contracted Processors.

10.3. Information and audit rights of Licensee only arise under Section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law and Regulation (including, where applicable, article 28(3)(h) of the GDPR).

10.4. Licensee undertaking an audit shall give Colourbox reasonable notice of any audit or inspection to be conducted under Section 10.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

10.5. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:

10.5.1. to any individual unless he or she produces reasonable evidence of identity and authority;

10.5.2. outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Licensee has given notice to Colourbox that this is the case before attendance outside those hours begins; or

10.5.3. for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any calendar year, except for any additional audits or inspections which Licensee is required or requested to carry out by Data Protection Law and Regulation, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws and Regulations in any country or territory.

10.6. Licensee must cover all Colourbox costs including fees for time spent, fees to legal or other relevant assistance if Licensee requests audits and inspections not subject to Colourbox obligations as stipulated in this Section 10.

11. Transfers to third-countries

11.1. Any transfer of Personal Data under this DPA from the European Union to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, must (i) be subject to the then current Standard Contractual Clauses or (ii) be authorized by Data Protection Laws and Regulations in the exporting country, for example in the case of transfers from within the European Union to a country approved by the Commission as ensuring an adequate level of protection (such as Switzerland) or (iii) be subject to an authorized scheme (such as the US Privacy Shield) approved by the Commission or (iv) fall within a permitted derogation. Licensee hereby agrees and acknowledges that Colourbox may enter into Standard Contractual Clauses with affected Sub-processors with respect to Processing of Personal Data.

11.2. In any case, Licensee Personal Data may only be transferred to the extent permitted under the Data Protection Laws and Regulations in force from time to time.

12. General Terms

12.1. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:

12.1.1. the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

12.1.2. this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

12.2. Licensee may:

12.2.1. by at least 30 (thirty) calendar days written notice to Colourbox from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under Section 11.1), as they apply to transfers to third countries which are subject to a particular Data Protection Law and Regulation, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law and Regulation, to allow those transfers to third countries to be made (or continue to be made) without breach of that Data Protection Law and Regulation; and

12.2.2. propose any other variations to this DPA which Licensee reasonably considers to be necessary to address the requirements of any Data Protection Law and Regulation.

12.3. If Licensee gives notice under Section 12.2.1:

12.3.1. Colourbox shall promptly co-operate (and ensure that any affected Sub-processors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under Section 5.4.2.

12.4. If Licensee gives notice under Section 12.2.1, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Licensee's notice as soon as is reasonably practicable.

12.5. The regulation of force majeure in the Agreement on delivery of the Services also applies to this DPA being an integral part thereof. If the force majeure situation leads to a Personal Data Breach, the notification procedure in Section 7 will apply. Force majeure may only be asserted for the number of working days for which the force majeure situation lasts.

Schedule A - DETAILS OF PROCESSING

This Schedule A includes certain details of the Processing of Licensee Personal Data as required by Article 28(3) GDPR.

Nature and Purpose of Processing

Colourbox will Process Licensee Personal Data as necessary to perform the Services pursuant to the Agreement.

Subject matter and duration of Processing

The subject matter and duration of the Processing of Licensee Personal Data are set out in the Agreement and/or in this DPA, unless otherwise agreed upon in writing. Duration is specifically subject to Section 8, "Return and Deletion of Personal Data" of this DPA.

Categories of Data Subjects

Licensee may submit Licensee Personal Data to the Services, the extent of which is determined and controlled by Licensee in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

- Employees, agents, advisors, freelancers and customers of Licensee (who are natural persons)

If the Services include organizing, storing and sharing of Licensee's Materials, Colourbox may process any category of Data Subjects, including Personal Data on children. This depends on Licensee's Material that is under the control of Licensee. Licensee must keep record of categories of data subject included in Licensee's Material.

Type of Personal Data to be Processed

Licensee may submit Personal Data to the Services, the extent of which is determined and controlled by Licensee in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

- First and last name
- Contact information (e.g. company, email, phone, physical business address)

If the Services include organizing, storing and sharing of Licensee's Materials, Colourbox may process any type of Personal Data, including Personal Data on children. This depends on Licensee's Material that is under the control of Licensee. Licensee must keep record of type of personal data included in Licensee's Material.

The obligations and rights of Licensee

The obligations and rights of Licensee are set out in the Agreement and this DPA.

Copyright May 16, 2018 by Colourbox

Schedule B - SUB-PROCESSORS

Colourbox's current list of Sub-processors for the Services:

Amazon Web Services - Burlington Plaza, 1 Burlington Rd, Dublin 4, D04 N9W8 Ireland - Hosting (infrastructure) ("Amazon")

Schedule C - TECHNICAL AND ORGANISATIONAL SECURITY REQUIREMENTS AND SAFEGUARDS

Specific technical and organisational security requirements:

1. The following specific requirements are made for Colourbox physical security:

a) Physical access to Colourbox's building is controlled manually and video surveyed
b) Amazon is used for providing the hosting service. Amazon's physical security facilities meet very high standard controls

2. The following specific requirements are made for Colourbox technical security:

a) Colourbox undertakes regular risk analysis and adjusts its technical security accordingly
b) 2-factor logins are required for accessing Colourbox infrastructure
c) Source code is version-controlled and maintained through appropriate service
d) In- and out data communication is encrypted according to latest industry standards

3. The following specific requirements are made for Colourbox organisational security:

a) Colourbox educates all employees in proper handling of Licensee Personal Data
b) Colourbox imposes appropriate contractual obligations upon its employees regarding confidentiality
c) Colourbox restricts access to Licensee Personal Data to only relevant people and only for as long as needed

4. The following specific requirements are made for Colourbox deletion of personal data:

a) Colourbox will hold Licensee Personal Data in accordance with the Agreement and upon the date of cessation of any Services involving the Processing of Licensee Personal Data, return all Licensee Personal Data and copies of such data to Licensee, procure the deletion of all copies or procure Licensee Personal Data to be unidentifiable, unless applicable law or a need to document Licensee's use of the Services prevents it from returning or destroying all or part of the Licensee Personal Data

Safeguards provided for the required security of processing

5. Colourbox has provided the following specific safeguards:

a) Colourbox is using Amazon's AWS Glacier for backup
b) Images, the database and the search engine are backed-up at three Amazon AWS facilities
c) Data durability is designed to provide 99.999999999% durability (cf. https://docs.aws.amazon.com/amaxons3/latest/dev/datadurability.html)