This Data Processing Agreement (the “DPA”) is incorporated into and forms part of the Agreement (as defined below), and reflects the Parties’ agreement with respect to the processing of Licensee Personal Data by the Licensor on the Licensee’s behalf.
The purpose of this DPA is to ensure that the Parties comply with Applicable Data Protection Laws when carrying out their rights and obligations under the Agreement.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
In this DPA, the following definitions shall apply:
“Agreement” shall mean the General Terms and Conditions found here: https://fonngroup.com/fonn-group-general-terms-and-conditions and all therein listed appendices together with any Term Sheet / Order Form concluded between the Parties with respect to the purchase of Services.
“Applicable Data Protection Laws” shall mean any law about protecting information about physical persons, which applies to a Party's processing of Customer Personal Data under the Agreement, including but not limited to the EU Regulation 2016/679 (“GDPR”).
“Licensee Personal Data” shall mean Licensee Data that is (i) subject to Applicable Data Protection Law, (ii) submitted to the Services by the Licensee or its Authorized Users; and (iii) which the Licensor is only allowed to process on the Licensee's behalf, except for such personal data for which the Licensor is the data controller.
“Data Subject Requests” shall mean requests from individuals to whom Licensee Personal Data refers, to exercise their rights under Applicable Data Protection Law.
“EU SCCs” shall mean the sets of standard contractual clauses published by the EU Commission on 4 June 2021.
“Subprocessor” shall mean any other entity used by the Licensor as a subcontractor for the processing of Licensee Personal Data under the Agreement.
“Subprocessor Change Date” shall mean the date when the Licensor intends to start using a new Subprocessor, or replace an existing one.
“Supervisory Authority” shall mean a public authority that investigates and enforces compliance with an Applicable Data Protection Law.
“Third Country Transfer” shall mean, where the GDPR applies, a transfer of Licensee Personal Data to a country, territory or international organization outside of the EU/EEA that is not subject to an adequacy decision by the European Commission.
“TOMs” shall mean technical and organizational measures that Licensor maintains to make sure that Licensee Personal Data is secure when processed in the Services. The TOMs are described in Appendix C.
Other terms shall have the meaning given to them in the GDPR. For example, the terms “data controller”, “data processor”, “processing”, “data subject” and “personal data breach”, shall have the meaning given to them in the GDPR.
The Licensee decides and controls which type of Licensee Personal Data is submitted to the Services, and therefore also which Licensee Personal Data is processed by the Licensor. The Licensee also decides and controls the purposes for which Licensee Personal Data is processed and for how long. For this reason, the Licensee is the sole data controller of the Licensee Personal Data.
As the sole data controller of the Licensee Personal Data, the Licensee shall specifically be responsible for or ensure that:
The Licensor, as the processor of Licensee Personal Data under the Agreement, shall process Licensee Personal Data in accordance with Applicable Data Protection Laws and only in accordance with the documented instructions of the Licensee. Licensor shall not be responsible for compliance with any data protection laws applicable to the Licensee or the Licensee’s industry that are not generally applicable to the Licensor.
If any other processing is required to fulfill its obligations under Applicable Data Protection Laws, the Licensor will notify the Licensee, insofar as this is permitted by law.
The instructions of the Licensee are outlined in the Agreement, including this DPA. The Licensor shall immediately notify the Licensee if the Licensor believes the instructions are in conflict with Applicable Data Protection Laws.
Licensor will implement and maintain appropriate TOMs to protect Licensee Personal Data, as described in Appendix C to this DPA. Notwithstanding any provision to the contrary, Licensor may modify or update the TOMs at its own discretion provided that such modification or update does not result in a degradation in the protection offered by the TOMs.
The Licensee has assessed the risks involved with the processing of the Licensee Personal Data in the Services, and concluded that the TOMs ensure a level of security that is appropriate to the risks involved.
The Licensor will ensure that any personnel whom Licensor authorizes to process Licensee Personal Data on Licensor’s behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Licensee Personal Data.
The Licensor will notify the Licensee about any personal data breaches affecting Licensee Personal Data. Such notice will be sent without undue delay, and in any event within 48 hours of the Licensor becoming aware of the personal data breach. If such information is available to Licensor when sending the notice, the notice will include a description of:
If the Licensor does not have all this information when first notifying the Licensee about the breach, but such information later becomes available, the Licensor will execute the notification in phases, as relevant information becomes available.
If the Licensee decides to notify a personal data breach affecting the Licensee Personal Data to a Supervisory Authority, or to the data subjects or the public, the Licensee will make reasonable efforts to provide Licensor with advance copies of the notice(s), and give Licensor an opportunity to provide any clarifications or corrections to them.
When providing the Services, the Licensor may engage Subprocessors to process Licensee Personal Data on Licensee’s behalf. Some Subprocessors apply to Licensee as default, and some Subprocessors will apply only if Licensee decides to opt in. Please see Appendix B for more information.
The Licensee generally authorizes Licensor to use Subprocessors when providing the Service, provided that Licensor notifies the Licensee before starting to use a new Subprocessor or replacing an existing one.
The Licensor will notify the Licensee about its intention to start using a new Subprocessor or to replace an existing one, at least thirty (30) calendar days before the Subprocessor Change Date.
The Licensee has the opportunity to object to the engagement of new Subprocessors on reasonable grounds relating to the protection of Licensee Personal Data within 30 days of Licensor notifying the Licensee. Such objection must be sent by email to dpo@fonngroup.com stating that the Licensee objects to the change, and the reason(s) for objecting to the change. The Licensor and Licensee will then discuss the concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Licensor will, at its sole discretion, either not appoint the new Subprocessor, or permit the Licensee to terminate the Agreement without liability to either party (but without prejudice to any fees incurred by the Licensee prior to the termination).
The objection right and obligation to notify Licensee do not apply to optional, feature-specific Subprocessors, as these Subprocessors will not process Licensee Personal Data unless the Licensee actively opts in to the relevant feature.
In the case of extraordinary circumstances, for example a Subprocessor’s bankruptcy or irreparable material breach of contract, Licensor reserves the right to replace the relevant Subprocessor with a shorter notice period than described above, or without any prior notice to the Licensee, but without undue delay. In that case, the Licensee can object to the use of the new Subprocessor within thirty (30) calendar days of receiving Licensor’s notice, as described above.
When engaging a Subprocessor, the Licensor will make sure that the data protection obligations in the DPA are imposed on the Subprocessor.
Wherever Licensee Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with Applicable Data Protection Laws.
With respect to Licensee Personal Data subject to the GDPR, the Licensor will only make Third Country Transfers of such Licensee Personal Data when the Third Country Transfer is based on the Licensee's written instruction and is executed in line with the transfer requirements in Applicable Data Protection Law. The transfer can for example be established based on Licensor ensuring:
The Licensee is aware of, and instructs Licensor to make, the Third Country Transfers that take place, or may take place, when Licensor uses its current Subprocessors. If Licensor notifies the Licensee of the use of a new Subprocessor in accordance with Section 7 above, which involves or may involve a Third Country Transfer, the Licensee's continued use of the Service will be considered an instruction to Licensor to execute the relevant Third Country Transfer.
Provided that Licensor is able to do so, considering the information about and access to Licensee Personal Data that Licensor has in providing the Service, Licensor will provide reasonable assistance to the Licensee in:
The Licensor will allow the Licensee to audit the Licensor's compliance with its obligations as the data processor under this DPA. This will, as a first option, be done by providing the information and documentation that the Licensee reasonably asks for. If the requested audit scope is addressed in any of Licensor’s audit reports issued by a third party auditor in the past twelve (12) months, and Licensor provides such a report to the Licensee confirming there are no known material changes in the controls audited, the Licensee agrees to accept the findings presented in the third party audit report rather than requesting an audit of the same controls covered by the report.
If the Licensee thinks it is necessary, Licensor will also allow the Licensee (or another party assigned by the Licensee, provided that the other party is accepted by Licensor and keeps the information it accesses confidential) to inspect Licensor's processing of the Licensee Personal Data.
The Licensee can request an audit once per year, for which each party will cover its own costs. Additional audits (exceeding one per year) can also be requested, at the Licensee’s sole cost.
Unless an audit is requested by a Supervisory Authority (in which case the circumstances will be adjusted to the Supervisory Authority's request), the Licensee needs to provide written notice thirty (30) days in advance of the audit. The audit will be conducted during the Licensor’s normal business hours. It will not involve physical access to where the Service is hosted; will not involve disclosure of commercially sensitive parts of the agreements with Licensor’s Subprocessors; and must be performed so that it does not compromise the security of Licensor’s systems or premises.
When this DPA is terminated or expires, the Licensor will delete all Licensee Data, including Licensee Personal Data, from the Services as soon as reasonably practicable, and at least sixty (60) days after the termination of the Agreement (except where Licensor is required by applicable law to retain some or all of the Licensee Data or where Licensor has archived Licensee Data on back-up systems, which data Licensor will securely isolate and protect from any further processing and delete in accordance with Licensor's deletion practices).
Prior to the end of the Agreement, Licensee may retrieve its Licensee Data from the Services. If Licensee needs help retrieving its Licensee Data during the term of the Agreement, Licensor may provide reasonable assistance to Licensee, at Licensor’s cost. Licensor will notify Licensee in advance of any applicable costs which will be commercially reasonable.
The liability of the Licensor, and any other Fonn Group Company if relevant, taken together in the aggregate, arising out of or related to this DPA, is subject to the “Limitation of Liability” section of the Agreement (or the section of the Agreement which addresses the exclusion and limitation of liability even if it does not have that heading), and any reference in such section to the liability of a party means the aggregate liability of the Licensor and any other Fonn Group Company, if relevant, under the Agreement, including this DPA.
The term of this DPA will follow the term of the Agreement.
Any disputes arising out of this DPA shall be resolved in accordance with the provisions of the Agreement, including any provisions on governing law.
What processing will happen, and for which purposes?
Mimir is a video production and collaboration platform for professionals that runs in the cloud. It provides production asset management, archive, asset management, and object-store features, and integrates with different AI technologies for automatic metadata enrichment using services including but not limited to transcription, translation, object labeling, face detection, semantic search and intelligent, automated scene description. It also provides an on-board quick-cutting feature and multiple collaboration and sharing functionalities.
The purpose of the processing of personal data is for the Licensor to enable the Licensee’s use of Mimir for its intended functionalities. Licensor will also process Licensee Personal Data for necessary purposes to enable and support the Licensee’s specific use of Mimir, such as logging, log analysis, troubleshooting, investigating and managing incidents.
Who are the data subjects?
Mimir is typically used by customers such as production companies, broadcasters, digital agencies, schools, organizations and other companies worldwide.
When Licensee uses Mimir, Licensor will process a limited amount of data about the individual users of Mimir for the purpose of creating and managing their user accounts and providing support. Such users usually consist of:
When a user of Mimir utilizes Mimir, Licensor will process data related to individuals depicted or mentioned in the content uploaded by users. Such individuals will usually consist of:
While this provides a list of the most typical data subjects, note that it is the Licensee who fully decides and controls what data is uploaded in Mimir and, therefore, is processed by Licensor.
What type of Licensee Personal Data will be processed about the data subjects?
The following data about the Mimir's individual users will typically be processed by Licensor:
The following data about the individuals depicted or mentioned in the content uploaded by users will typically be processed:
Note that it is the Licensee who fully decides and controls what data is uploaded in Mimir and, therefore, is processed by the Licensor.
For how long will Licensee Personal Data be processed?
The Licensee, as the data controller of the personal data processed in Mimir, decides how long such data will be stored in the Service, and for which purposes. A number of retention/deletion settings are offered in Mimir for this purpose.
When the Licensee deletes Licensee Personal Data from Mimir, it can choose to delete said data from its account immediately. The connected metadata is then stored in Licensor's disaster recovery backups for 35 days before it is permanently deleted.
All of Licensor's processing of Licensee Personal Data will stop after the termination of the Agreement, as described under “Erasure of Customer Personal Data” in the main text of this DPA. This applies to both Licensee Personal Data stored in the solution, and data about Licensee’s individual users of Mimir.
What processing will happen, and for which purposes?
Dina is a digital-first, cloud-native story-centric newsroom system with a web-based linear rundown system. It provides functionality for content planning, rundown planning, story creation, publishing, and collaboration tools to support publishing content to multiple platforms. Dina can optionally connect with AI to enable more efficient workflows, and integrates with several systems for information flow and production control.
The purpose of the processing of personal data is for the Licensor to enable the Licensee’s use of Dina for its intended functionalities. Licensor will also process Licensee Personal Data for necessary purposes to enable and support the Licensee’s specific use of Dina, such as logging, log analysis, troubleshooting, investigating and managing incidents.
Who are the data subjects?
Dina is typically used by customers such as production companies, broadcasters, digital agencies, schools, organizations and other companies worldwide.
When Licensee uses Dina, Licensor will process a limited amount of data about the individual users of Dina for the purpose of creating and managing their user accounts and providing support. Such users usually consist of:
When a user of Dina utilizes Dina, Licensor will process data uploaded in the Services in connection with story planning, as well as data related to individuals depicted or mentioned in the content and stories created by users. Such individuals will usually consist of:
While this provides a list of the most typical data subjects, note that it is the Licensee who fully decides and controls what data is uploaded in Dina and, therefore, is processed by Licensor.
What type of Licensee Personal Data will be processed about the data subjects?
The following data about Dina’s individual users will typically be processed by Licensor:
The following data about the individuals will typically be collected and processed in Dina for the purpose of creating stories (content is hosted in connected asset management systems, and only displayed through Dina):
Note that it is the Licensee who fully decides and controls what data is uploaded in Dina and, therefore, is processed by the Licensor.
For how long will Licensee Personal Data be processed?
The Licensee, as the data controller of the personal data processed in Dina, decides how long such data will be stored in the Service, and for which purposes. A number of retention/deletion settings are offered in Dina for this purpose.
When the Licensee deletes Licensee Personal Data from Dina, it can choose to delete said data from its account immediately. The connected metadata is then stored in Licensor's disaster recovery backups for 35 days before it is permanently deleted.
All of Licensor's processing of Licensee Personal Data will stop after the termination of the Agreement, as described under “Erasure of Customer Personal Data” in the main text of this DPA. This applies to both Licensee Personal Data stored in the solution, and data about Licensee’s individual users of Dina.
Appendix A3 - Description of the processing in the Service (Kunnusta.io)
What processing will happen, and for which purposes?
Kunnusta is a multi-platform publishing service and workflow engine. It consists of a workflow engine for creating and maintaining custom integrations and workflows in the newsroom and live production environments, and a set of standardized connectors for connecting social media accounts and websites to a newsroom system or asset system.
The purpose of the processing of personal data is for the Licensor to allow the Licensee to use the Kunnusta.io, Kunnusta.io Editor and Kunnusta.io connectors (together referred to as “Kunnusta”). Licensor will also process Licensee Personal Data for purposes that are necessary to enable and support the Licensee’s specific use of Kunnusta, such as logging, log analysis, troubleshooting, investigating and managing incidents.
Who are the data subjects?
Kunnusta is typically used by customers such as production companies, broadcasters, digital agencies, schools, organizations and companies worldwide.
When the Licensee uses Kunnusta, Licensor will process a limited amount of data about the individual users to create and manage their user accounts and provide support. Such users usually consist of:
When a user of Kunnusta utilizes Kunnusta, Licensor will process data related to individuals depicted or mentioned in content being processed, such as assets being moved from one system to another. Such individuals and their data will usually consist of:
While this provides a list of the most typical data subjects, note that it is the Licensee who fully decides and controls what data is processed in their systems and in Kunnusta and, therefore, is processed by Licensor.
What type of Licensee Personal Data will be processed about the data subjects?
The following data about Kunnusta's individual users may typically be processed by Licensor:
The following data about the individuals depicted or mentioned in the content uploaded by users will typically be processed:
Note that it is the Licensee who fully decides and controls what data is processed by Kunnusta.io, Editor and Kunnusta connectors and, therefore, is processed by the Licensor.
For how long will Licensee Personal Data be processed?
The Licensee, as the data controller of the personal data processed in Kunnusta, decides how long such data will be stored in the Service, and for which purposes. When the Licensee deletes Licensee Personal Data from Kunnusta, it can choose to delete said data from its account immediately. The connected metadata is then stored in Licensor's disaster recovery backups for 35 days before it is permanently deleted.
All of Licensor's processing of Licensee Personal Data will stop after the termination of the Agreement, as described under “Erasure of Customer Personal Data” in the main text of this DPA. This applies to both Licensee Personal Data stored in the solution, and data about Licensee’s individual users of Kunnusta.
To help the Fonn Group Companies deliver their Services, the Fonn Group Companies engage Subprocessors to assist with their activities. A list of Subprocessors and the purpose for engaging them is located at the following website: https://fonngroup.com/fonn-subprocessors, which is incorporated into this DPA.
This Appendix C outlines the TOMs currently implemented by the Licensor.
Please note that these measures apply to the security of Licensee Data and other data when hosted on infrastructure managed by the Licensor. When on-premise components are deployed on the Licensee’s own infrastructure, the Licensee is solely responsible for implementing and maintaining its own appropriate security controls.
Measures to ensure integrity and confidentiality:
Licensor maintains and adheres to an internal, written Information Security Policy, which applies to all Fonn Group Companies.
Licensor hosts its Services with its multi-tenant, outsourced cloud infrastructure provider Amazon Web Services (AWS). Licensor places reliance on AWS’ security and compliance programs for the efficacy of physical, environmental and infrastructure security controls. These controls are independently validated as part of AWS’ SOC 2 Type 2 report and ISO 27001 certification. Please refer to AWS Compliance for more details.
Customers who interact with the Services via the user interface must authenticate before accessing Licensee Personal Data in their accounts. The Services support logins using two-factor authentication, and Authorized Users are encouraged to set up two-factor authentication. Licensee administrators can monitor who has enabled two-factor authentication within their organization at any time.
Access to the Licensor’s information systems is strictly controlled and follows the principles of access on a need-to-know and least privilege basis. Employees are granted access using a role-based access control model. Employees have unique IDs and passwords, multi-factor authentication is used where possible, granted system access can be reviewed regularly and access can be revoked/changed by the Licensor when employment terminates or changes in job functions occur. Access is restricted to selected personnel. All endpoint devices use strong passwords, local firewalls and encrypted storage.
Technical support personnel with the Licensor are only permitted to have access to Licensee Data and Licensee Personal Data when strictly needed, or when authorized by the Licensee for support purposes. In such cases, access is restricted to those individuals who require access to perform their job functions. Licensor’s personnel will never view, process, or use Licensee Data or Licensee Personal Data beyond what is strictly necessary for the specific activity that is needed. Licensor’s employees are only granted access to production systems based on their role within the organization.
All of Licensor’s employees are bound by confidentiality, non-disclosure provisions and undergo security awareness training. Onboarding and offboarding procedures are in place. Licensor’s employees are obligated to maintain the confidentiality of personal data, and this obligation continues even after their engagement ends.
Licensor leverages several technologies to ensure stored data is encrypted at rest. Licensee Personal Data is stored using AES-256 encryption. User passwords are hashed following industry best practices and are encrypted at rest.
All sensitive interactions with the Services are encrypted in transit with TLS 1.2 or 1.3 in combination with AES-256 encryption, or better.
Services and infrastructure events are logged, monitored and automatically analysed to record and detect divergent user access and system activity. Logs are protected from loss and manipulation.
Measures to ensure availability and resilience:
The Licensor’s infrastructure and components are designed to withstand intermittent as well as high constant loads. Vulnerability screening, patch management and anti-malware protection are implemented to prevent, identify and mitigate identified security threats, viruses and other malicious code.
Measures to quickly restore the availability of personal data after a physical or technical incident:
Business recovery plans are designed to maintain service and/or recovery from foreseeable emergencies or disasters.
Incident management procedures are in place to ensure a systematic approach to identify, mitigate, learn and report incidents related to Licensor’s Services and information assets.
Procedures for periodical review, assessment, and evaluation:
Information risk assessments are used to systematically evaluate threats and vulnerabilities in terms of their potential impact and probability of occurrence. Such assessments and tests are performed at least annually or at major business changes.
Licensor has a vendor risk assessment process where third party service providers undergo assessments upon onboarding and when new business use cases are requested. The Licensor’s vendor risk program is structured so that all of Licensor’s vendors’ risk assessments are updated two years from the last review date. Third party service providers deemed high risk, such as data center providers or other vendors storing data in scope for Licensor’s regulatory or contractual requirements, undergo reassessments annually.