DATA PROCESSING AGREEMENT/ADDENDUM (“DPA”)

This DPA forms part of the Software Subscription Agreement (the “Agreement”) between the AnyClip entity executing the Agreement (“AnyClip”) and the customer as defined in the Agreement and/or order form, its parent company and affiliates (collectively, the “Customer”). Both parties shall be referred to as the “Parties” and each, a “Party”. The Parties agree as follows:

    1. Definitions. For purposes of this DPA, defined terms shall have the meaning set forth in the GDPR, California Consumer Privacy Act (“CCPA”) (as amended or modified, including, by the California Privacy Rights Act (“CPRA”)) as applicable. “Services” means performance of the services and activities provided pursuant to or in connection with the Agreement previously entered into between AnyClip and Customer. “Standard Contractual Clauses” means the applicable module of the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here:
      Standard Contractual Clauses: Controller to Processor
      Standard Contractual Clauses: Processor to Processor
    2. Roles of the Parties. With regard to the Processing of Personal Data, Customer is the Data Controller and AnyClip is the Data Processor. AnyClip will process Personal Data as necessary to perform the Services pursuant to the Agreement. The duration, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects are further specified in Schedule 1 of this DPA
    3. Customer’s Instructions. Subject to the Agreement, AnyClip shall Process Personal Data only in accordance with Customer’s documented instructions. Customer’s instructions for the processing of Personal Data shall comply at all times with the GDPR and any other applicable law. For the avoidance of doubt, the Agreement and this DPA are considered instructions. To the extent that AnyClip or its affiliates cannot comply with a request (including, without limitation, any instruction) from Customer and/or its authorized users relating to Processing of Personal Data or where AnyClip considers such a request to be unlawful, AnyClip (i) shall inform Customer, providing relevant details of the problem, (ii) AnyClip may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, the Parties shall resolve this issue in light of the terms of the Agreement.
    4. Rights of Data Subject. If AnyClip receives a request from a Data Subject to exercise its rights under GDPR, AnyClip shall, to the extent legally permitted, promptly notify and forward the request to Customer. AnyClip shall use commercially reasonable efforts to assist Customer, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject request under GDPR.
    5. Assistance. Upon the Customer’s request, AnyClip will use commercially reasonable efforts to assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to AnyClip.
    6. AnyClip personnel. AnyClip shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need to know basis and ensure that such persons have committed themselves to confidentiality. For the avoidance of doubt, AnyClip may disclose and Process the Personal Data also (a) to the extent required by a court of competent jurisdiction or other supervisory authority and/or otherwise as required by applicable laws or GDPR, or (b) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), and investors or potential acquirers.
    7. Sub-processors. Customer hereby approves AnyClip’s current list of sub-processors available (“Sub-processor List”). Customer may reasonably object to AnyClip’s use of a new Sub-processor for reasons related to the GDPR by notifying AnyClip promptly in writing within three (3) business days after receipt of AnyClip’s notice. Failure to object to such new Sub-processor in writing within three (3) business days following AnyClip’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, AnyClip will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If AnyClip is unable to make available such change within a reasonable period of time, the Parties shall resolve this issue in light of the terms of the Agreement. Until a decision is made regarding the new Sub-processor, AnyClip may temporarily suspend the processing of the affected personal data.
    8. Security and audits. Taking into account the state of the art, AnyClip shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR. Upon Customer’s written request at reasonable intervals (subject to the confidentiality obligations) AnyClip shall make available to Customer relevant information that is necessary to demonstrate compliance with the obligations laid down in this Section (provided, however, that such information shall only be used by Customer to assess compliance with this Section, and shall not be disclosed to any third party without AnyClip’s prior written approval). At Customer’s cost and expense, AnyClip shall allow audits conducted by the Customer or another auditor mandated by Customer (who is not a competitor of AnyClip), provided that the Parties shall agree on the scope, methodology and timing of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that does not belong to Customer.
    9. Personal data incident management and notification. To the extent required under GDPR, AnyClip shall notify Customer without undue delay after becoming aware of an incident related to Customer´s Personal Data. AnyClip shall make reasonable efforts to identify the cause of such Personal Data incident and take those steps as AnyClip deems necessary, possible and reasonable in order to remediate the cause of such Personal Data incident to the extent the remediation is within AnyClip’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. In any event, AnyClip will not be responsible for notifying supervisory authorities and/or concerned Data Subjects.
    10. Return and deletion of Personal Data. AnyClip shall, at the choice of Customer, delete or return the Personal Data to Customer after the end of the provision of the Services relating to Processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, AnyClip may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations.
    11. Transfers of Personal Data. Personal Data may be transferred from the EU Member States, the three EEA member countries and the United Kingdom to countries that were declared adequate per the adequacy decisions published by the relevant data protection authorities, without any further safeguard being necessary. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which do not offer adequate level of data protection or which have not been subject to an adequacy decision, the Parties shall comply with Chapter V of the GDPR.
    12. CCPA/CPRA. AnyClip shall not sell Personal Data. AnyClip further agrees not to retain, use or disclose Personal Data for any other purpose than to provide the Services under the Agreement or for a commercial purpose other than providing the Services. Notwithstanding the foregoing, AnyClip may use, disclose, or retain Personal Data to: (i) transfer the Personal Data to other AnyClip’s entities (including, without limitation, affiliates and subsidiaries), service providers, third parties and vendors, in order to provide the Services to Customer; (ii) to comply with applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (ii) for internal use by the AnyClip to build or improve the quality of its services and/or for any other purpose permitted under the CCPA; (iii) to detect data security incidents, or protect against fraudulent or illegal activity; and (iv) collect and analyze anonymous information. AnyClip may de-identify Personal Data in accordance with the CCPA to use such information for AnyClip’s own purposes. For de-identified information, AnyClip will: (i) not attempt to or actually re-identify any previously de-identified information, (ii) implement and maintain technical safeguards that prohibit re-identification of the de-identified information, and (iii) implement and maintain business processes that specifically prohibit re-identification of the de-identified information and prevent inadvertent release of the information.
    13. Termination. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
    14. Miscellaneous. This DPA may not be amended or modified except by a written instrument which is signed by both Parties. This DPA may be executed in counterparts. Either Party may assign this DPA or its rights or obligations hereunder to any affiliate thereof, or to a successor or any affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. In case of a conflict between the provisions of this DPA and the provisions of the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail.

SCHEDULE 1 –
DETAILS OF THE PROCESSING

Subject matter – AnyClip will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing
1. Providing the Service(s) to Customer; Performing the Agreement, this DPA and/or other contracts executed by the Parties;
2. Providing support and technical maintenance, if agreed in the Agreement;
Duration of Processing – Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof.
Type of Personal Data – Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • Personal Data provided by Customer through the Services and/or to AnyClip, including: User private data (user forms, user ID level data); User ID, level data of video usage (such as views), engagement and interaction with videos on AnyClip player; and User forms (Dynamic fields that the customer can create for the user to fill proactively).
  • Any other Personal Data or information that the Customer decides to provide to the AnyClip or the Services.

Categories of Data Subjects and/or special Categories of Data (if any). Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: the data subjects to whom it belong the Personal Data detailed above.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous basis
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. As agreed between the Parties in the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. As detailed in the Sub-processors List.