This Data Processing Agreement (the “DPA”) is entered into between Digimarc Corporation (“Digimarc”) and the other party to the Agreement (as defined below) referencing this DPA (“Customer”). This DPA applies to Digimarc’s processing of: (a) as a processor, any personal data originating from the European Economic Area (“EEA”), Switzerland, the United Kingdom (“UK”), or any other territory subject to Data Protection Laws; and (b) as a service provider, any personal information of California consumers (collectively, “Customer Personal Data”), under one or more agreements between the parties (each an “Agreement”). All capitalized terms not defined in this Order have the meaning set forth in the Agreement.
The parties agree as follows:
Terms used in this DPA but not defined, including “business,” “business purpose,” “consumer,” “controller,” “data subject,” “personal data,” “personal information,” “processing,” “processor,” “sell,” “sensitive data,” “service provider,” and “sub-processor,” have the meanings set forth in the privacy and data protection laws, regulations, and decisions applicable to a party to this DPA, including: (i) the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016) (the “GDPR”); (ii) any applicable national/federal or state/provincial legislation implementing the GDPR in a member state of the European Economic Area; (iii) the GDPR as incorporated into United Kingdom law pursuant to section 3 of the European Union (Withdrawal) Act 2018; and (iv) the Federal Data Protection Act of 19 June 1992 (Switzerland) (the “Swiss DPA”), in each case as such legislation may be amended or replaced from time to time (“Data Protection Laws”).
2. Details of the Processing Operations
The nature and subject matter of the processing, including the processing operations carried out by Digimarc on Customer’s behalf, Customer’s instructions to Digimarc, and the technical and organizational security measures employed by Digimarc, are described in Annex 1 (Description of Processing) to this DPA. Digimarc acts as a processor or service provider for, and on behalf of, Customer and conducts its processing operations in accordance with Customer instructions.
3. Customer Obligations
3.1. Obligations. Customer is responsible for determining the purposes for and means by which Customer Personal Data is being or will be processed, and the manner in which they are or will be processed.
3.2. Warranties. Customer represents and warrants to Digimarc that, with respect to Customer Personal Data provided to Digimarc under this DPA, Customer:
(a) complies with data security and other obligations prescribed by Data Protection Law for controllers or businesses;
(b) confirms that the provision of Customer Personal Data to Digimarc complies with Data Protection Laws;
(c) has established a procedure for the exercise of the rights of the data subjects/consumers whose personal data or personal information is collected;
(d) only processes personal data or personal information that has been lawfully and validly collected and ensures that such data or information is relevant and proportionate to the respective uses;
(e) discloses Customer Personal Data to Digimarc for a lawful business purpose consistent with the disclosures Customer makes to the data subjects/consumers of Customer Personal Data in Customer’s privacy policies, and Customer does not sell Customer Personal Data to Digimarc;
(f) ensures that after Customer has assessed the requirements of Data Protection Laws, the security and confidentiality measures supported by this DPA are suitable for protection of Customer Personal Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; and
(g) will take reasonable steps to ensure compliance with the provisions of this DPA by Customer personnel and by any person accessing or using Customer Personal Data on Customer’s behalf.
4. Digimarc Obligations
4.1. Roles. Digimarc is processing Customer Personal Data on Customer’s behalf. Customer is a controller and Digimarc is a processor and service provider.
4.2. Obligations. Digimarc shall:
(a) unless otherwise required by applicable law, process Customer Personal Data only on Customer’s behalf and in compliance with Customer’s instructions (including relating to international data transfers), including instructions in this DPA and under the Agreement;
(b) inform Customer if in Digimarc’s opinion an instruction from Customer violates Data Protection Laws;
(c) implement and maintain for the duration of this DPA the technical and organizational security measures identified in Annex 1 (Description of Processing) to this DPA;
(d) take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Customer Personal Data are aware of and comply with this DPA;
(e) comply with confidentiality obligations in respect of Customer Personal Data under the Agreement and take appropriate steps to ensure that its employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of Customer Personal Data;
(f) inform Customer of:
(i) any legally binding requests for disclosure of Customer Personal Data by a law enforcement authority, unless otherwise prohibited;
(ii) any personal data breach under Data Protection Laws relating to Customer Personal Data (“Security Incident”);
(iii) any relevant notice, inquiry, or investigation by a supervisory authority relating to Customer Personal Data; and
(iv) any requests from a data subject or consumer to exercise their data protection rights under Data Protection Laws, without responding to that request unless Customer has authorized a response or such a response is required by law;
(g) provide Customer with reasonable co-operation and assistance in respect of Customer’s obligations regarding:
(i) requests from data subjects/consumers in respect of the exercise of their data protection rights under Data Protection Laws with respect to Customer Personal Data;
(ii) the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security Incident;
(iii) the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority, in each case where and to the extent required by Data Protection Laws;
(iv) the security of Customer Personal Data, including by implementing the technical and organizational security measures detailed in Annex 1 (Description of Processing) to this DPA;
(h) if Digimarc is required by law to process Customer Personal Data, take reasonable steps to inform Customer of this requirement in advance of any processing, unless Digimarc is prohibited from informing Customer; and
(i) upon reasonable request, make available to Customer all information necessary to demonstrate compliance with the obligations in this section.
4.3. Audit. Customer or an accredited third-party audit firm agreed to by the parties may audit Digimarc’s compliance with the terms of this DPA during regular business hours in a manner that is not disruptive to Digimarc’s business, upon reasonable advance notice to Digimarc of no less than 60 days and subject to reasonable confidentiality procedures. Customer is responsible for all costs and fees related to each audit, including all reasonable costs and fees for any and all time Digimarc expends for that audit. Before the commencement of any audit, Customer and Digimarc must agree on the timing, duration, and scope of the audit, which will not involve physical access to the servers from which the data processing services are provided in order to maintain the security of Digimarc’s systems and to preserve the confidentiality of other customers’ data. Customer shall promptly notify Digimarc of information regarding any non-compliance discovered during the course of an audit. Customer agrees to exercise its audit rights under the SCCs by instructing Digimarc to comply with the audit measures described in this section.
(a) Digimarc is acting solely as a service provider with respect to Customer Personal Data;
(b) Digimarc shall not retain, use or disclose Customer Personal Data for any purpose other than for the specific purpose of performing services under the Agreement; and
(c) Digimarc may deidentify or aggregate Customer Personal Data as part of its performance of services under the Agreement.
4.5. Data Transfers. If: (a) Customer Personal Data includes any personal data that is protected under the Data Protection Laws of the EEA, Switzerland, or the UK; (b) Digimarc processes such personal data outside of the EEA, Switzerland, or the UK; and (c) such processing takes place in a country that is not subject to an adequacy determination by the European Commission, the UK or Swiss authorities (as applicable), then the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“SCCs”) are hereby incorporated by reference and form an integral part of this DPA. The SCCs apply as follows:
4.5.1. EEA Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of the EEA, the SCCs apply as follows:
(b) the Module Two terms are selected;
(c) in Clause 7, the optional docking clause applies;
(d) in Clause 9, Option 2 applies and the time period for prior notice of sub-processor changes is set out in Section 5 (Transfer and Disclosure and Third Parties);
(e) in Clause 11, the optional language does not apply;
(f) in Clause 17, Option 1 applies and the SCCs are governed by German law;
(g) in Clause 18(b), disputes will be resolved before the courts of Germany;
(h) in Annex I.A and I.B, the details of the parties and description of the transfer are set out in Annex 1 (Description of Processing) to this DPA;
(i) in Clause 13(a) and Annex I.C, the competent supervisory authority is the Federal Commissioner for Data Protection and Freedom of Information of Germany;
(j) in Annex II, the description of the technical and organizational security measures is set out in Annex 1 (Description of Processing) to this DPA; and
(k) in Annex III, the list of Sub-processors is in Section 5 (Transfer and Disclosure and Third Parties).
4.5.2. Swiss Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of Switzerland, the SCCs apply as described in Section 4.5.1 (EEA Transfers) with the following modifications:
(b) references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss DPA;
(c) references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’;
(d) Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ is the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), or, if the transfer is subject to both the Swiss DPA and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss DPA) or the supervisory authority of the EEA member state in which Customer or Customer’s representative is located or where the data subjects are predominantly located (insofar as the transfer is governed by the GDPR);
(e) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the FDPIC and ‘competent Swiss courts’;
(f) in Clause 17, the SCCs are governed by the laws of Switzerland;
(g) in Clause 18(b), disputes will be resolved before competent Swiss courts; and
(h) the SCCs also protect the data of legal entities until entry into force of the revised Swiss DPA.
4.5.3. UK Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of the UK, the SCCs apply as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”), and Part 1 of the UK Addendum is deemed completed as follows:
(b) in Table 2, the selected modules and clauses are set out in Section 4.5.1 (EEA Transfers);
(c) in Table 3, the appendix information is set out in Annex 1 (Description of Processing) to this DPA; and
(d) in Table 4, the ‘Importer’ is selected.
5. Transfer and Disclosure and Third Parties
5.1. Sub-Processing. Customer agrees that: (a) Digimarc’s Affiliates may be retained as sub-processors and (b) Digimarc and Digimarc’s Affiliates may engage sub-processors in connection with the provision of the data processing services. Digimarc or a Digimarc Affiliate shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. Customer hereby authorizes Digimarc to engage sub-processors required to assist Digimarc for the purposes of providing the data processing services under the Agreement.
5.2. Sub-Processors. A current list of Digimarc’s sub-processors is available at digimarc.com/legal/sub-processors. Digimarc will endeavor to provide Customer reasonable notice before engaging a new sub-processor of Customer Personal Data. Customer may object to Digimarc’s engagement of a new sub-processor by ceasing to use the applicable product, program, or feature following that notification. Customer’s continued use of the applicable product, program, or feature following that notification constitutes Customer’s acceptance of the new sub-processor.
In case of conflict between this DPA, the SCCs, and the Agreement, the terms will apply in the following order of precedence: (a) the SCCs, (b) this DPA, and (c) the Agreement.
Annex 1: Description of Processing
1. Nature and Subject Matter of the Processing
1.1. Categories of Data Subjects. Employees and other personnel of Customer and users of Customer’s services.
1.2. Categories of Personal Data Processed. Names of Customer personnel, contact information (including email addresses and telephone numbers) of Customer personnel, online identifiers of end users of services of the Customer, other categories identified in the Agreement, and other categories provided by Customer through its use of services.
1.3. Frequency of the Transfer. Continuous.
1.4. Nature of the Processing. Transmitting, collecting, storing, and analyzing data in order to provide the services to Customer, and any other activities related to the provision of services or specified in the Agreement.
1.5. Subject Matter of the Processing. Providing services to Customer under the Agreement.
1.6. Duration of the Processing. For the period needed for Digimarc to provide the services and otherwise pursue its legitimate interests.
2. Customer Instructions
Customer hereby instructs Digimarc to perform the processing operations contemplated by the Agreement and this DPA.
3. Technical and Organizational Security Measures
3.1. Physical Access Controls.
External and internal building access restrictions limiting access to employees and authorized contractors who have undergone background reviews, enforced by a HID proximity security reader system with access logging.
Further physical access restrictions limiting access to rooms containing sensitive equipment and data, such as the data center.
Computer policy settings enforcing a strict computer auto-lock policy to further mitigate the risk of unauthorized physical access to workstations located inside or outside of Digimarc’s premises.
Systems that ensure the environmental security of data centers by guarding against environmental hazards such as heat, fire, and water damage.
3.2. Operational Controls.
Information systems and security policies that are regularly reviewed and updated.
Logical access controls that are designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privileged basis, use of unique IDs and passwords for all users, periodic review of established controls, and revocation of access rights or modification of access controls upon employee termination or reassignment).
Password controls that enforce password strength and usage restrictions including the prohibition of password sharing between users.
Change management procedures and tracking mechanisms that are designed to test, monitor, and approve changes to Digimarc technology and information systems.
Business continuity and disaster recovery policies and procedures that are designed to maintain service or recover from emergency situations and disasters.
Consistent patch management schedules and procedures for ensuring system updates are performed in a timely manner.
3.3. Data Protection.
Use of cryptographic transport protocols such as TLS to protect information transmitted over public networks in the course of communication with Digimarc applications.
Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring and, where applicable, utilization of commercially available and industry-standard encryption technologies.
Operational procedures and controls that provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal standards and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Digimarc possession.
3.4. Endpoint Protection.
Anti-virus and anti-malware protections on all user devices containing company data.
Data encryption technologies, e.g., BitLocker or FileVault, to prevent unauthorized access to, and ensure the confidentiality and integrity of, company data contained on any user device.
3.5. Intrusion Prevention and Detection.
At the network edge, stateful firewalls, web application firewalls, and DDoS protection. Within the internal network, a multi-tiered application model which enables the application of security controls between each layer.
Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
3.6. Risk Assessment.
Audit and risk assessment procedures, including periodic review and assessment of risks to the Digimarc organization, monitoring and maintaining compliance with Digimarc policies and procedures, and reporting the condition of its information security and compliance to senior management.
Periodic vulnerability scanning of sensitive systems from both internal and external vectors. Reporting and review of findings will be conducted and remediation plans put in place for any notable vulnerabilities.