Data Processing Addendum
This Data Processing Addendum (“DPA”) is incorporated into, and forms part of, the Agreement between Invideo and the Customer. Capitalised terms used but not defined in this DPA shall have the same meaning as ascribed to them in the Master Services Agreement (“MSA”).
If there is any conflict between this DPA and the MSA in relation to the Processing of Personal Data, this DPA shall prevail.
1. Application and Roles
1.1 This DPA applies to Invideo’s Processing of Personal Data contained in the Customer Data and Customer Content (including Inputs, Outputs and Designs) in connection with its provision of the Services under the Agreement.
1.2 For such Processing:
1.2.1 The Customer acts as a Data Controller or equivalent (including Data Fiduciary or Business, as per the Applicable Data Protection Laws); and
1.2.2 Invideo acts as a Data Processor or equivalent (including service provider/ processor, as per the Applicable Data Protection Laws).
1.3 Customer Personal Data is Personal Data Processed by Invideo on behalf of the Customer under the Applicable Data Protection Laws.
2. Customer Instructions
2.1 Invideo will Process Customer Personal Data only:
2.1.1 to provide, maintain, secure and support the Services as described in the Agreement and applicable Order Forms;
2.1.2 to perform its obligations, exercise its rights and as required under the Agreement, Applicable Laws and/ or Applicable Data Protection Laws; and
2.1.3 as initiated or configured by the Customer, its Affiliates or Authorised Users via the Services; (together, the “Customer Instructions”)
and shall not Process Customer Personal Data for its own independent purposes. For the avoidance of doubt, this Section applies only to Standard Tier usage. Experimental Tier usage is governed exclusively by the Experimental Tier Terms.
2.2 If Invideo is required by law to Process Customer Personal Data for purposes other than the Customer Instructions, it will, where legally permitted, notify the Customer before such Processing.
2.3 If, in Invideo’s opinion, any of the Customer Instructions infringes Applicable Data Protection Laws, Invideo will inform the Customer without undue delay, and as required by the Applicable Data Protection Laws.
2.4 Invideo will promptly inform the Customer if it determines that it can no longer comply with its obligations under this DPA or Applicable Data Protection Laws, in which case the Customer may, upon written notice, take reasonable and appropriate steps to stop or remediate such Processing, including suspension of Processing where necessary.
3. Invideo’s Obligations
3.1 Confidentiality. Invideo will ensure that persons authorised to Process Customer Personal Data are subject to appropriate confidentiality obligations under the Agreement or under a statutory obligation of confidentiality, and Process such data only as required to perform the Services.
3.2 Security. Invideo will implement and maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Such measures shall constitute the technical and organisational measures for the purposes of Annex II of the Standard Contractual Clauses.
3.3 Biometric Data. To the extent the Customer submits Biometric Data to the Services, Invideo shall: (a) process such Biometric Data solely in accordance with the Customer Instructions and for the purposes set out in this DPA; (b) not retain Biometric Data beyond the period strictly necessary to perform the relevant Services or as required by Applicable Data Protection Laws; (c) implement technical and organisational measures appropriate to the sensitivity of Biometric Data and proportionate to the risks of its processing, including any specific measures required under Applicable Data Protection Laws; and (d) ensure that persons authorised to process Biometric Data are subject to appropriate confidentiality obligations. The Customer is solely responsible for ensuring it has a valid legal basis and all required consents under Applicable Data Protection Laws for the submission and processing of Biometric Data through the Services.
3.4 Personal Data Breaches. Invideo will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer Personal Data and will provide information reasonably available to enable the Customer to comply with its notification obligations under the Applicable Data Protection Laws, which may be provided in phases as information is gathered. Without prejudice to the foregoing, where the Standard Contractual Clauses or other applicable transfer mechanisms impose specific notification timelines, those timelines shall apply to the extent required by such mechanisms.
3.5 Data Subject/ Data Principal requests. Taking into account the nature of the Processing and the functionality of the Services, Invideo will provide reasonable assistance to the Customer, by appropriate technical and organisational measures, to enable the Customer to respond to requests from Data Subjects/ Data Principals to exercise their rights under Applicable Data Protection Laws, where such requests relate to Customer Personal Data Processed by Invideo.
3.6 DPIAs, consultations and records. To the extent required by the Applicable Data Protection Laws and considering the information available to Invideo, Invideo will provide reasonable assistance to the Customer in relation to data protection impact assessments, consultations, inspections, inquiries, etc. by supervisory/ regulatory authorities, and maintenance of records of Processing activities relating to Customer Personal Data.
3.7 Government and law-enforcement requests. Where legally permitted, Invideo will notify the Customer of any legally binding request from a public authority for disclosure of Customer Personal Data and will limit any such disclosure to what is strictly required by law.
4. Sub-processors
4.1 The Customer authorises Invideo to engage third parties, including Invideo Affiliates, as sub-processors to Process Customer Personal Data in connection with the Services (“Sub-processors”).
4.2 Invideo will:
4.2.1 impose on Sub-processors, data protection obligations that are no less protective of Customer Personal Data than those set out in this DPA, including the prohibition on using Customer Personal Data to train or fine-tune any AI or ML models, and as required under Applicable Data Protection Laws; and
4.2.2 remain responsible for Sub-processors’ Processing of Customer Personal Data, subject to the limitations of liability in the Agreement.
This Section applies only to Standard Tier Sub-processors. Experimental Tier Sub-processors are governed exclusively by the Experimental Tier Terms.
4.3 Invideo will provide notice of new Sub-processors via its website (https://trust.invideo.io/subprocessors), service notification or email. The Customer may object on reasonable data protection grounds within thirty (30) days of such notice. If the Parties are unable to resolve such objection, the Customer may terminate the affected Services and Invideo shall refund any prepaid fees covering the remainder of the term of such affected Services.
5. International Transfers
5.1 To the extent Invideo transfers Customer Personal Data originating in the EEA, UK or Switzerland to a country that does not ensure an adequate level of protection, the Parties will ensure such transfer is subject to an appropriate data transfer mechanism under Applicable Data Protection Laws, which may include:
5.1.1 the standard contractual clauses adopted by the European Commission for controller-to-processor and processor-to-processor transfers;
5.1.2 the UK International Data Transfer Addendum and UK SCCs; or
5.1.3 other mechanisms recognised by Applicable Data Protection Laws.
5.2 The Standard Contractual Clauses (including Modules Two and Three), the UK International Data Transfer Addendum and any other applicable transfer mechanism are hereby incorporated by reference and deemed executed where required.
For SCC purposes:
5.2.1 Clause 9 Option 2 applies (general authorisation)
5.2.2 Clause 17: Ireland law applies
5.2.3 Clause 18: Ireland jurisdiction applies
5.2.4 Annexes I–III are deemed completed via Schedule 1 and Sub-processor list
Copies of the Standard Contractual Clauses are available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914 and the UK International Data Transfer Addendum, as issued by the UK Information Commissioner’s Office (ICO) and updated from time to time, is available on the ICO’s official website.
5.3 Invideo will, upon reasonable request, provide information necessary for the Customer to carry out any transfer impact assessments required under Applicable Data Protection Laws in relation to such transfers. Where required under Applicable Data Protection Laws, the Standard Contractual Clauses and the UK International Data Transfer Addendum shall be deemed executed between the Customer (as data exporter) and Invideo (as data importer), and shall apply automatically to such transfers.
5.4 Invideo shall ensure that any onward transfer of Customer Personal Data by its Sub-processors is subject to appropriate safeguards in accordance with Applicable Data Protection Laws.
6. India DPDP Act
6.1 Where the DPDP Act applies, the Customer is the Data Fiduciary and Invideo acts as a Data Processor in relation to Customer Personal Data.
6.2 Invideo will, in addition to its other obligations under this DPA:
6.2.1 process Customer Personal Data only on documented Customer Instructions;
6.2.2 implement reasonable security safeguards to prevent personal data breaches;
6.2.3 notify the Customer of any personal data breach and provide information required for the Customer’s notification to the Data Protection Board of India and the relevant Data Principals; and
6.2.4 assist the Customer in meeting its obligations to respond to Data Principal requests.
7. U.S. Privacy Laws (Service Provider / Processor)
7.1 To the extent Customer Personal Data is subject to U.S. privacy laws (including the CCPA and similar state laws), Invideo will act as a “service provider” or “processor” (or equivalent term) in respect of such Customer Personal Data and:
7.1.1 not “sell” or “share” Customer Personal Data as those terms are used in applicable U.S. privacy laws;
7.1.2 not retain, use or disclose Customer Personal Data for any purpose other than to provide the Services and perform the Agreement (including to ensure security and compliance) or as otherwise permitted by such laws;
7.1.3 not combine Customer Personal Data with personal data obtained from other sources, except as permitted by law (for example, for security or fraud prevention, or as aggregated or de-identified System Data under the Agreement); and
7.1.4 notify the Customer if it determines it can no longer meet its obligations under applicable U.S. privacy laws.
8. U.S. Health Information (HIPAA)
8.1 The Services are not designed for the storage, processing or transmission of “protected health information” as that term is defined in HIPAA. The Customer shall not submit, and shall ensure that its Authorised Users do not submit, any protected health information to the Services, except as expressly agreed in writing by the Parties in a separate business associate agreement.
8.2 Unless the Parties enter into a separate written business associate agreement that expressly states that Invideo is acting as Customer’s “business associate” under HIPAA, (a) Invideo does not act as a business associate to the Customer under HIPAA; and (b) HIPAA is not treated as imposing business-associate obligations on Invideo under this DPA.
8.3 The Customer is solely responsible for determining whether it is a “covered entity” or “business associate” under HIPAA and for ensuring that it does not use the Services in a manner that would require Invideo to comply with HIPAA absent such a business associate agreement.
9. Return and Deletion
9.1 During the Subscription Term, the Customer may export Customer Content and Outputs from the Services in accordance with the Agreement.
9.2 Following expiry or termination of the Agreement (or the relevant SOW/ Order Form), Invideo will delete or irreversibly de-identify Customer Personal Data within its systems within sixty (60) days of the effective date of termination or expiry, except for residual copies stored on archived backup media which shall be deleted in accordance with Invideo’s standard backup disposal schedule, unless continued storage is required by Applicable Laws, Applicable Data Protection Laws, or reasonably necessary for the establishment, exercise or defence of legal claims.
9.3 Upon the Customer’s written request made at or before termination, Invideo will, where technically feasible and not restricted by law or third-party rights, return a copy of Customer Personal Data then stored in the Services before deletion.
10. Audit and Information Rights
10.1 Invideo will maintain records of its Processing of Customer Personal Data as required by Applicable Data Protection Laws.
10.2 On written request, and no more than once in any twelve-month period (unless required by Applicable Laws/ Applicable Data Protection Laws or a regulatory/ supervisory authority), Invideo will make available information reasonably necessary to demonstrate its compliance with this DPA, subject to confidentiality obligations.
10.3 If such information is, in the Customer’s reasonable judgment, insufficient, the Customer (or an independent auditor mandated by the Customer) may conduct an audit of Invideo’s relevant Processing activities, subject to: (a) at least sixty (60) days’ prior written notice; (b) agreement on scope and timing; (c) execution of a suitable confidentiality agreement; and (d) conduct of the audit in a manner that minimises disruption and protects the confidentiality and security of other customers’ data and Invideo’s Confidential Information. Audit findings shared with the Customer shall be treated as Invideo’s Confidential Information. The Customer may use audit findings solely to verify compliance with this DPA and may share anonymised summaries (that do not identify Invideo) with its board, audit committee or regulators solely for its own governance and regulatory reporting obligations. The Customer shall bear all reasonable costs of any audit, except where the audit is required by Applicable Laws or triggered by a Personal Data Breach attributable to Invideo, in which case Invideo shall bear its own internal costs.
11. Customer Obligations
11.1 The Customer is responsible for:
11.1.1 ensuring it has a lawful basis (or consent, where required) to Process Customer Personal Data and to instruct Invideo to Process it in accordance with this DPA and Applicable Data Protection Laws;
11.1.2 providing all notices and obtaining all consents and authorisations required from Data Subjects/ Data Principals, in accordance with the Applicable Data Protection Laws; and
11.1.3 configuring and using the Services (including access controls, retention and deletion settings) in compliance with the Agreement, this DPA, the AUP and Applicable Data Protection Laws.
12. Term, Liability and Precedence
12.1 This DPA enters into force on the Effective Date of the Agreement and remains in effect for as long as Invideo Processes Customer Personal Data on behalf of the Customer.
12.2 Any liability of either Party arising out of or in connection with this DPA is subject to the exclusions and limitations of liability in the Agreement.
12.3 In the event of any conflict: (a) the applicable Standard Contractual Clauses or other valid data transfer mechanism implemented under Section 5 shall prevail to the extent of such conflict; (b) thereafter, this DPA shall prevail over the MSA solely in relation to the Processing of Personal Data; and (c) in all other respects, the MSA shall prevail.
13. Definitions
For the purposes of this DPA:
13.1 “Applicable Laws” means all laws, statutes, ordinances, regulations, rules, codes and other binding requirements of any governmental authority that apply to a Party or to that Party’s performance under the Agreement, including Applicable Data Protection Laws.
13.2 “Applicable Data Protection Laws” means, to the extent applicable to a Party’s Processing of Customer Personal Data in connection with the Services, all laws and regulations relating to privacy, data protection and data security, including without limitation: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended or replaced from time to time (“GDPR”); (ii) the UK GDPR and UK Data Protection Act 2018; (iii) Swiss Federal data protection law; (iv) the Digital Personal Data Protection Act, 2023 of India (the “DPDP Act”) and its rules and notifications; (v) United States privacy laws governing processors or service providers, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”) and similar state laws; and (vi) U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), in each case as amended or replaced from time to time. The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor”, “sub-processor”, “controller”, “supervisory authority” and “regulatory authority” shall have the meanings set forth for such or equivalent terms under Applicable Data Protection Laws.
13.3 “Biometric Data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, including facial geometry, voice prints, fingerprints, retinal scans and other biometric identifiers as defined under Applicable Data Protection Laws.
13.4 “Customer Personal Data” means Personal Data Processed by Invideo on behalf of Customer in connection with the Services.
13.5 “Sub-processor” means any third party (including an Invideo Affiliate) engaged by Invideo to Process Customer Personal Data on behalf of Customer in connection with the Services.
All other capitalised terms used but not defined in this Section 13 have the meanings given to them in the Agreement.
Schedule 1 – Details of Processing
(a) Nature and Purpose: The performance of the Services under the Agreement.
(b) Duration: The Subscription Term and such time required thereafter for the Parties to perform their applicable obligations following the end of the Subscription Term, including data deletion.
(c) Categories of Customer Data: The Customer may submit Customer Personal Data for the Services, the categories of which will depend upon the Customer’s use of the Services, which is determined and controlled by the Customer in its sole discretion, and may include, but are not limited to, names, contact information, demographic information, or any other information provided by the Customer, its Affiliates or Authorised Users in unstructured data.
(d) Categories of data subjects/ data principals: The data subjects may include, but are not limited to, Customer’s employees, customers, suppliers and generally users of the Services.
(e) Sensitive data transferred (if applicable): No sensitive personal data is intentionally required to be transferred or processed through the Services unless expressly agreed in writing, except that Biometric Data may be processed to the extent submitted by the Customer in accordance with Section 3.3 of this DPA. To the extent such data is submitted by the Customer, the Customer shall ensure compliance with Applicable Data Protection Laws and implement appropriate safeguards.
(f) Frequency: Continuous basis depending on the Customer’s use of the Services.
(g) Transfers to Sub-processors: As per Section 4 of the DPA, Sub-processors will Process Customer Personal Data as necessary to perform the Services. Such Processing will be for the duration of the Agreement, unless otherwise agreed in writing.