Pixellot Legal - Home

Data Processing Agreement


Introduction

This Data Processing Agreement ("Agreement") applies exclusively to the processing of Personal Data (as defined below) in the scope of the Master Service Agreement, which can be found at https://legal.vidswap.com, by and between Vidswap. (hereinafter referred to as the "Data Processor" or "VidSwap"); and Customer (hereinafter referred to as the "Data Controller" or "Customer"; each a "Party", and collectively the "Parties").


This Agreement shall apply only to the extent Data Controller is established within the EEA and/or to the extent VidSwap Processes Personal Data of Data Subjects located in the EEA on behalf of the Data Controller. 


Capitalized terms not otherwise defined herein shall have the meaning given to them in the MSA.


THE PARTIES HEREBY AGREE AS FOLLOWS:

Terms

In this Agreement, the following terms shall have the meanings set out below:

  1. ‘Applicable law’ means (a) European Union law or any laws of a member state of the European Union to which VidSwap is subject; and (b) any other applicable law to which VidSwap is subject;
  2. ‘Data Protection Legislation’ means, from 25 May 2018, the GDPR, and, to the extent applicable, the local data protection or privacy laws of any other country where VidSwap is established and provides Services from pursuant to the Agreement, including Israel;
  3. ‘GDPR’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as amended from time to time or any regulation replacing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
  4. ‘Services’ means the services as defined in the MSA;
  5. ‘Supervisory Authority’ means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation;
  6. ‘Term’ means the term of the Services Agreement, as defined therein;

The terms, ‘Commission’, ‘Controller’, ‘Data Subject’, ‘Member State’, ‘Personal Data’, ‘Personal Data Breach’ and ‘Processing’ shall have the same meaning as in the GDPR.


2. Processing of Personal Data


2.1. The Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by VidSwap. VidSwap will process the Personal Data only as set forth in Data Controller’s written instructions.


2.2. VidSwap will only process the Personal Data on documented instructions of the Data Controller in such manner as - and to the extent that - this is appropriate for the provision of the Services, except as required to comply with a legal obligation to which VidSwap is subject. In such a case, VidSwap shall promptly inform the Data Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Data Controller. VidSwap shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. VidSwap shall comply with all applicable Data Protection Legislation in the Processing of Customer's Personal Data.


2.3. The MSA and this Agreement set out Customer's complete instructions to VidSwap in relation to the Processing of Personal Data and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties.


2.4. Data Controller warrants that it has received warranties from its applicable processors that they have all necessary rights to provide the Personal Data to Cato, for the Processing to be performed by VidSwap in relation to the Services.


3. Confidentiality


3.1. VidSwap shall ensure that any person that it authorizes to Process the Personal Data shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship but in any event VidSwap shall be responsible for any use or disclosure of Personal Data of any of its employees, affiliates, personnel and agents.


4. Security


4.1. VidSwap maintains a written security program for the security, integrity and protection of its Customer’s Personal Data against unauthorized disclosure or loss. VidSwap’s security program includes administrative, technical and physical safeguards appropriate for the types of information that it Processes. VidSwap’s appropriate technical and organizational security measures are governed by the VidSwap Information Security Policy, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures are designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure, access or use. Taking into account the measures required by Article 32 of the GDPR, such measures may be updated by VidSwap from time to time provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.


4.2. VidSwap shall at all times have in place an appropriate written security policy with respect to the processing of Personal Data.


5. Sub-Processing


5.1. Data Controller agrees that VidSwap may engage third-party sub-processors ("Sub-processor") to Process the Personal Data. The Sub-processors currently engaged by VidSwap and authorized by Customer are listed in Annex 1 of this Agreement. VidSwap shall impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this Agreement and shall remain liable for any breach of the Agreement caused by a Sub-processor.


5.2. For the avoidance of doubt, the above authorization constitutes Data Controller’s prior written consent to the sub-processing by Processor for purposes of Clause 11 of VidSwap's Standard Contractual Clauses, as defined below.


5.3. VidSwap shall inform the Data Controller as soon as reasonably practicable of any changes concerning the addition or replacement of any of the Sub-processors that will Process any Customer Personal Data, and shall update Annex 2 accordingly. VidSwap may, by giving no less than sixty (60) days' notice to Data Controller, add or make changes to the Sub-processors. Controller may object to the appointment of an additional Sub-processor within thirty (30) days of such notice, in which case VidSwap shall have the right to cure the objection through one of the following options: (a) VidSwap will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Services without such Sub-processor; or (b) VidSwap will take the corrective steps requested by Data Controller in its objection before proceeding to use the Sub-processor with regard to Personal Data; or (c) VidSwap may cease to provide or Controller may agree not to use (temporarily or permanently) the particular aspect of the Services that would involve the use of such Sub-processor with regard to Personal Data, if agreed to by both parties.


5.4. If that engagement with a Sub-processor involves the transfer of Personal Data to a country outside of the European Union that has not been determined to ensure an adequate level of protection for Personal Data, VidSwap shall ensure that an appropriate data transfer safeguard is in place in compliance with Chapter IV of the GDPR.


6. Personal Data Breach


6.1. VidSwap shall notify the Data Controller without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data that is subject to the MSA. VidSwap shall provide Data Controller with information (as and when available) to assist the Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Legislation.


6.2. Any notifications made to the Data Controller pursuant to this Section 6 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 2 of this Data Processing Agreement, if provided.


7. Assistance to Data Controller


7.1. VidSwap shall provide reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, for the fulfilment of the Data Controller’s obligations to respond to requests for exercising the Data Subject’s rights under the GDPR.


7.2. Minitgo shall assist the Data Controller in ensuring compliance with the obligations pursuant to Section 4 (Security) and prior consultations with Supervisory Authorities required under Article 36 of the GDPR taking into account the nature of the processing and the information available to VidSwap.

8. Returning or Destruction of Personal Data


8.1. Upon termination or expiration of this Agreement, VidSwap shall, in accordance with the terms of the Services Agreement, promptly and in any event within 90 calendar days of the date of termination, delete or make available to the Data Controller for retrieval all relevant Personal Data (including copies) in VidSwap's possession, save to the extent that VidSwap is required by any applicable law to retain some or all of the Personal Data only for the applicable period as required by Applicable Laws.


8.2. Each Sub-processor may retain Customer Personal Data to the extent required by Applicable Laws to the extent and for such period as required by Applicable Laws.


9. Audit Rights


9.1. VidSwap shall make available to the Data Controller on reasonable request such information reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR, but in any event VidSwap is not obliged to provide hard copies of such information.


9.2. VidSwap shall allow Data Controller to conduct an on-site audit of the procedures relevant to the protection of Personal Data ("Procedures"), subject to the confidentiality provisions of this Agreement. Data Controller and VidSwap will discuss and mutually agree in advance on the reasonable start date, scope and duration of the audit. VidSwap reserves the right to charge a fee (based on Mitigo's reasonable costs) for any such audit. VidSwap will provide further details of any applicable fee and the basis of its calculation to the Data Controller in advance of such audit. In the event that such audit reveals any actual breach with respect to any of such Procedures, VidSwap shall pay the costs of such audit.


10. Supervisory Authorities


10.1. VidSwap shall notify Customer without undue delay if a Supervisory Authority or law enforcement authority or a Data Subject makes any inquiry or request for disclosure regarding Customer’s Personal Data.


11. Data Transfers


11.1. VidSwap shall notify the Data Controller of any permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall perform such a transfer after obtaining authorization from the Data Controller. Annex 3 provides a list of transfers for which the Data Controller grants its consent upon the conclusion of this Agreement.


11.2. Personal Data transfer between the Parties shall be governed by Standard Contractual Clauses, in the form attached hereto as Annex 4. Standard Contractual Clauses will apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).


12. Miscellaneous


12.1. Order of precedence. In the event of any inconsistency between the provisions of this Agreement and the provisions of the MSA, the provisions of the Agreement shall prevail.


12.2. Changes in Data Protection Legislation. If any variation is required to this Agreement as a result of a change in Data Protection Legislation, then either Party may provide written notice to the other Party of that change in law. The Parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing any necessary variations to this Agreement to address such changes, including any resulting changes to the charges.


12.3. Survival. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.


12.4. Jurisdiction. This Agreement is governed by the laws of New York. Any disputes arising from or in connection with this Agreement shall be brought exclusively before the competent courts in the state of New York.

Annex 1

Annex 2

Data Controller's Contact Person Details

e-mail: datacontroller@pixellot.tv

Annex 3

Data Transfer Locations

United States

Annex 4

7/13/2021, 9:19:13 PM