This Videobot Data Processing Agreement (this “DPA”) is part of the Agreement between Videobot Oy and You (“Customer”) and governs the processing of information relating to an identified or identifiable natural person (“Personal Data”) that takes place in the context of the Service provided by Videobot under the Agreement. Unless otherwise indicated, the terms of the Agreement shall apply to this DPA.
Under the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) the Customer is the controller and Videobot processes Personal Data on behalf of the Customer as a processor for the purposes of the Agreement. If and to the extent the Customer acts as a processor in relation to other controllers, Videobot shall act as a sub-processor under this DPA.
1. General Terms of the Processing of Personal Data
Videobot shall only process Personal Data for the provision of the Service in accordance with the Agreement and the written instructions of the Customer, unless required to do so by applicable legislation, in which case Videobot s. The Customer’s instructions regarding the processing of Personal Data must be commercially reasonable, compliant with data protection legislation, and consistent with the Agreement. In case Videobot finds any instruction given by the Customer to be non-compliant with legislation applicable to Videobot, Videobot shall not be obliged to comply with such instruction and shall inform the Customer.
The Customer is responsible for the lawful processing and collection of personal data in compliance with the GDPR and other legislation relating to the processing of Personal Data. The Customer shall be responsible for having the required rights and necessary permissions from third parties to lawfully process Personal Data for the purposes of the Agreement.
The subject matter, categories, and types of data as well as other details of the processing are specified in Schedule 1 of this DPA (Description of the Processing Operations).
Following the expiration of the Agreement, Videobot shall within a reasonable time period delete all Personal Data, unless the Customer requests the data to be returned or unless Videobot is required to retain the Personal Data due to requirements under applicable legislation.
Taking into account the nature of the processing, Videobot shall assist the Customer with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR.
Taking into account the nature of the processing and the information available to Videobot, Videobot shall provide the Customer with assistance in ensuring compliance with the Customer’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority).
In case such assistance requires measures from Videobot, Videobot has the right to charge an hourly fee for handling such assistance requests, subject to the Customer’s prior approval of such additional costs.
The Customer gives its general authorization to allow Videobot to engage other companies as subprocessors to process Personal Data to provide the Service. Videobot is free to choose and change its subprocessors. Upon request, Videobot shall inform the Customer of the subprocessors currently involved. In case there is a later change of a subprocessor (addition or replacement), Videobot shall notify the Customer of the change, allowing the Customer to object to the change. If Videobot is not willing to change the subprocessor the Customer has objected to, both Parties shall have the right to terminate the Agreement and this DPA.
Substantively similar data protection obligations as set out in this DPA shall be included in the DPA between Videobot and the subprocessor. Where a subprocessor fails to fulfill its data protection obligations, Videobot shall remain liable to the Customer for the performance of the subprocessor’s obligations.
4. International Transfers
The Customer accepts that Videobot may transfer personal data to its subprocessors outside the European Economic Area (“EEA”) in the context of the Service. Before any personal data is transferred from the EEA for processing in any country outside the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data, Videobot shall comply with Chapter V of the GDPR and ensure the transfer takes place under appropriate safeguards for protection of the Personal Data, including (but not necessarily limited to) the standard contractual clauses adopted by the European Commission.
The Customer or an auditor appointed by the Customer shall have the right to audit the processing activities of Videobot under this DPA to assess the compliance of Videobot with its contractual obligations under this DPA and applicable data protection legislation during the ordinary business hours of Videobot and with thirty (30) days prior written notice. If Videobot employees or other representatives participate in such audits at the request of the Customer, the Customer shall compensate Videobot for the expenses caused by such participation. Otherwise, each Party shall bear its own costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of Videobot or threaten intellectual property rights of Videobot, the Customer shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to the benefit of Videobot.
At the Customer’s request, Videobot makes available to the Customer information necessary to demonstrate compliance with the GDPR. In case such assistance requires measures from Videobot, Videobot has the right to charge an hourly fee for handling such assistance requests, subject to the Customer’s prior approval of such additional costs.
6. Security of the Processing
Videobot shall implement and maintain appropriate technical and organizational measures to protect the Personal Data within its area of responsibility to safeguard it against unauthorized or unlawful processing or access and against accidental loss or destruction. Videobot shall take into account the costs of implementation as well as the nature, scope, context and purposes of processing carried out by Videobot as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, where appropriate and relevant for each processing action: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Service; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Videobot ensures that the persons processing Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Schedule 1: Description of the Processing
Subject-matter, nature and purpose of the processing: Provision of the Videobot Service under the Agreement
Duration of the processing: Duration of the Agreement
Categories of data subjects: End users of the Service on the Customer’s website
Type of personal data: Contact details, data provided by the data subjects, usage data
The following entities are authorized sub-processors that our organization uses for specific processing activities:
Purpose: Server Infrastructure
Data Location: Data center is located in Frankfurt, Germany
Purpose: Front-end Application Hosting
Data Location: EU customers are served from data centers in Sweden, France, Ireland, and Germany
Purpose: Messaging Service
Data Location: Data centers are located in France and Belgium
Purpose: DNS Service and Video Distribution
Data Location: IP addresses and traffic data are processed at locations nearest to the user. Cloudflare operates multiple data centers both within the European Union and globally.
Business ID: 3304661-1
Yliopistonkatu 31, 20100, Turku, Finland