This Data Processing Agreement (the “DPA”) is entered between Digimarc Corporation (“Digimarc”) and the other party to the Agreement (as defined below) referencing this DPA and its Affiliates (collectively, “Customer”). This DPA applies to Digimarc’s processing under one or more agreements between the parties (individually, an “Agreement,” and collectively, the “Agreements”): (a) as a processor, any personal data originating from the European Economic Area (“EEA”), Switzerland, the United Kingdom (“UK”), or any other territory subject to Data Protection Laws; and (b) as a service provider, any personal information of California consumers and other US consumers subject to state privacy laws (collectively, “Customer Personal Data”).
Digimarc may update this DPA from time to time, including as necessary to comply with changes in Data Protection Laws.
This DPA was last updated on October 24, 2024.
1. Definitions
Terms used but not defined in this DPA, including “business,” “business purpose,” “consumer,” “controller,” “data subject,” “personal data,” “personal information,” “processing,” “processor,” “sell,” “sensitive data,” “service provider,” and “sub-processor” have the meanings set forth in the privacy and data protection laws, regulations, and decisions applicable to a party to this DPA, including: (a) the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016) (the “GDPR”); (b) any applicable national/federal or state/provincial legislation implementing the GDPR in a member state of the European Economic Area; (c) the GDPR as incorporated into United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018; (d) the Swiss Federal Data Protection Act of September 1, 2023 (FDPA) (the “Swiss DPA”); (e) the California Consumer Privacy Act of 2018 and its amendments, including the California Privacy Rights Act of 2020 (collectively, the “CCPA”); and (f) any other applicable national, federal, state, provincial, or international data protection or privacy laws, regulations, and decisions, including the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA), in each case as such legislation may be amended or replaced from time to time (“Data Protection Laws”).
2. Details of the Processing Operations
Digimarc is processing Customer Personal Data on Customer’s behalf. Customer is a controller and Digimarc is a processor and service provider and conducts its processing operations in accordance with Customer’s instructions. The parties acknowledge that it is not possible to exhaustively enumerate all categories of Customer Personal Data that may be provided by Customer to Digimarc due to the discretionary nature of the data provided by Customer in the course of its use of Digimarc’s products and services. The nature and subject matter of the processing, including the processing operations carried out by Digimarc on Customer’s behalf, Customer’s instructions to Digimarc, and the technical and organizational security measures implemented by Digimarc, are detailed in Annex 1 (Description of Processing) to this DPA.
3. Customer Obligations
3.1. Obligations. Customer is responsible for determining the purposes for and means by which Customer Personal Data is or will be processed, and the manner in which it is or will be processed.
3.2. Warranties. Customer represents and warrants to Digimarc that, with respect to Customer Personal Data provided to Digimarc under this DPA, Customer:
(a) complies with data security and other obligations prescribed by Data Protection Laws for controllers or businesses;
(b) confirms that the provision of Customer Personal Data to Digimarc complies with Data Protection Laws, particularly that Customer has provided all necessary notices to, and obtained all necessary consents from, data subjects for the lawful processing of Customer Personal Data by Digimarc in accordance with the Agreement and this DPA;
(c) confirms that all Customer Personal Data it provides to Digimarc is accurate, relevant, and limited to what is necessary for the purposes of processing;
(d) has established a procedure for the exercise of the rights of the data subjects/consumers whose personal data or personal information is collected;
(e) only processes personal data or personal information that has been lawfully and validly collected and ensures that such data or information is relevant and proportionate to the respective uses;
(f) discloses Customer Personal Data to Digimarc for a lawful business purpose consistent with the disclosures Customer makes to data subjects/consumers in Customer’s privacy policies, and does not sell Customer Personal Data to Digimarc;
(g) ensures that, after addressing the requirements of Data Protection Laws, the security and confidentiality measures supported by this DPA are suitable for the protection of Customer Personal Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, particularly when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; and
(h) will take reasonable steps to ensure compliance with the provisions of this DPA by Customer personnel and by any person accessing or using Customer Personal Data on Customer’s behalf.
4. Digimarc Obligations
4.1. Obligations. Digimarc shall:
(a) unless otherwise required by applicable law, process Customer Personal Data only on Customer’s behalf and in compliance with Customer’s instructions (including relating to international data transfers), including instructions in this DPA and under the Agreement;
(b) inform Customer if in Digimarc’s opinion an instruction from Customer violates Data Protection Laws;
(c) implement and maintain for the duration of this DPA the technical and organizational security measures identified in Annex 1 (Description of Processing) to this DPA;
(d) take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Customer Personal Data are aware of and comply with this DPA;
(e) comply with confidentiality obligations in respect of Customer Personal Data under the Agreement and take appropriate steps to ensure that its employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of Customer Personal Data;
(f) inform Customer of:
(i) any legally binding requests for disclosure of Customer Personal Data by a law enforcement authority, unless otherwise prohibited;
(ii) any personal data breach under Data Protection Laws relating to Customer Personal Data (“Security Incident”);
(iii) any relevant notice, inquiry, or investigation by a supervisory authority relating to Customer Personal Data; and
(iv) any requests from a data subject or consumer to exercise their data protection rights under Data Protection Laws without responding to that request, unless Customer has authorized a response or such a response is required by law;
(g) provide Customer with reasonable cooperation and assistance in respect of Customer obligations regarding:
(i) requests from data subjects/consumers in respect of the exercise of their data protection rights under Data Protection Laws with respect to Customer Personal Data;
(ii) the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security Incident;
(iii) the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority, in each case where and to the extent required by Data Protection Laws;
(iv) the security of Customer Personal Data, including by implementing the technical and organizational security measures detailed in Annex 1 (Description of Processing) to this DPA;
(h) if Digimarc is required by law to process Customer Personal Data, take reasonable steps to inform Customer of this requirement in advance of any processing, unless Digimarc is prohibited from informing Customer; and
(i) upon reasonable request, make available to Customer all information necessary to demonstrate compliance with the obligations in this section.
4.2. Audit. Customer or an accredited third-party audit firm agreed to by the parties may audit Digimarc’s compliance with the terms of this DPA during regular business hours in a manner that is not disruptive to Digimarc’s business, upon reasonable advance notice to Digimarc of no less than 60 days and subject to reasonable confidentiality procedures. Customer is responsible for all costs and fees related to each audit, including all reasonable costs and fees for any and all time Digimarc expends for that audit. Before the commencement of any audit, Customer and Digimarc must agree on the timing, duration, and scope of the audit, which will not involve physical access to the servers from which the data processing services are provided in order to maintain the security of Digimarc’s systems and to preserve the confidentiality of other customers’ data. Customer shall promptly notify Digimarc of information regarding any non-compliance discovered during the course of an audit. Customer agrees to exercise its audit rights under the SCCs by instructing Digimarc to comply with the audit measures described in this section.
4.3. CCPA and Other U.S. State Data Protection Laws. Under the CCPA and other applicable U.S. state data protection laws:
(a) Digimarc is acting solely as a service provider with respect to Customer Personal Data;
(b) Digimarc shall not retain, use or disclose Customer Personal Data for any purpose other than for the specific purpose of performing services under the Agreement;
(c) Digimarc may de-identify or aggregate Customer Personal Data as part of its performance of services under the Agreement;
(d) Digimarc shall not ‘sell’ or ‘share’ (as defined under the CCPA) Customer Personal Data;
(e) Digimarc shall comply with any additional restrictions or obligations imposed by applicable U.S. state data protection laws concerning cross-border data transfers and the handling of Customer Personal Data; and
(f) Digimarc shall assist Customer in responding to requests from consumers exercising their rights under the CCPA and other applicable U.S. state data protection laws.
4.4. Data Transfers. If: (a) Customer Personal Data includes any personal data that is protected under the Data Protection Laws of the EEA, Switzerland, or the UK; (b) Digimarc processes such personal data outside of the EEA, Switzerland, or the UK; and (c) such processing takes place in a country that is not subject to an adequacy determination by the European Commission, the UK or Swiss authorities (as applicable), then the Standard Contractual Clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (as may be amended or replaced from time to time) (“SCCs”) are hereby incorporated by reference and form an integral part of this DPA. The parties agree to assess and implement appropriate supplementary measures to ensure that the transfer of Customer Personal Data complies with the requirements set forth by the Court of Justice of the European Union in the Schrems II decision (Case C-311/18) and any related guidance from supervisory authorities. The SCCs apply as follows:
4.4.1. EEA Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of the EEA, the SCCs apply as follows:
(a) the “data exporter” is Customer and the “data importer” is Digimarc;
(b) the Module Two terms are selected;
(c) in Clause 7, the optional docking clause applies;
(d) in Clause 9, Option 2 applies and the time period for prior notice of sub-processor changes is set out in Section 5 (Transfer and Disclosure to Third Parties);
(e) in Clause 11, the optional language does not apply;
(f) in Clause 17, Option 1 applies and the SCCs are governed by German law;
(g) in Clause 18(b), disputes will be resolved before the courts of Germany;
(h) in Annex I.A and I.B, the details of the parties and description of the transfer are set out in Annex 1 (Description of Processing) to this DPA;
(i) in Clause 13(a) and Annex I.C, the competent supervisory authority is the Federal Commissioner for Data Protection and Freedom of Information of Germany;
(j) in Annex II, the description of the technical and organizational security measures is set out in Annex 1 (Description of Processing) to this DPA; and
(k) in Annex III, a link to the list of sub-processors is provided in Section 5 (Transfer and Disclosure to Third Parties).
4.4.2. Swiss Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of Switzerland, the SCCs apply as described in Section 4.4.1 (EEA Transfers) with the following modifications:
(a) references to ‘Regulation (EU) 2016/679’ are interpreted as references to the Swiss DPA or any successor thereof;
(b) references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss DPA;
(c) references to ‘EU’, ‘Union,’ and ‘Member State’ are replaced with ‘Switzerland’;
(d) Clause 13(a) and Part C of Annex I are not used and the ‘competent supervisory authority’ is the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), or, if the transfer is subject to both the Swiss DPA and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss DPA) or the supervisory authority of the EEA member state in which Customer or Customer’s representative is located or where the data subjects are predominantly located (insofar as the transfer is governed by the GDPR);
(e) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the FDPIC and ‘competent Swiss courts’;
(f) in Clause 17, the SCCs are governed by the laws of Switzerland;
(g) in Clause 18(b), disputes will be resolved before competent Swiss courts; and
(h) the SCCs also protect the data of legal entities until the entry into force of the revised Swiss DPA.
4.4.3. UK Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of the UK, the SCCs apply as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”), and Part 1 of the UK Addendum is deemed completed as follows:
(a) Table 1: The parties’ details (Digimarc and Supplier) are set out in the Agreement;
(b) Table 2: The selected modules and clauses are the same as outlined in Section 4.4.1 (EEA Transfers), with Module Two selected (controller to processor);
(c) Table 3: The appendix information is set out in Annex 1 (Description of Processing) to this DPA; and
(d) Table 4: The Importer is selected as Digimarc, and the Exporter is Customer.
In the event that the Standard Contractual Clauses or other lawful data transfer mechanisms are invalidated, amended, or otherwise deemed insufficient under Data Protection Laws, the parties agree to promptly cooperate and implement appropriate alternative transfer mechanisms or additional safeguards to ensure the lawful transfer of Customer Personal Data, including entering into updated standard contractual clauses or adopting an alternative recognized compliance standard.
5. Transfer and Disclosure to Third Parties
5.1. Sub-Processing. Customer agrees that: (a) Digimarc’s Affiliates may be retained as sub-processors and (b) Digimarc and Digimarc’s Affiliates may engage sub-processors in connection with the provision of the data processing services. Digimarc or a Digimarc Affiliate shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided herein. Customer hereby authorizes Digimarc to engage sub-processors required to assist Digimarc for the purposes of providing the data processing services under the Agreement.
5.2. Sub-Processors. A current list of Digimarc’s sub-processors is available here. Digimarc will endeavor to provide Customer reasonable notice before engaging a new sub-processor of Customer Personal Data. Customer may object to Digimarc’s engagement of a new sub-processor by ceasing to use the applicable product, program, or feature following that notification. Customer’s continued use of the applicable product, program, or feature following that notification constitutes Customer’s acceptance of the new sub-processor.
6. Cooperation with Supervisory Authorities
Digimarc agrees to cooperate, on request, with any supervisory authority in the performance of its tasks related to this DPA and the processing of Customer Personal Data. Digimarc shall:
6.1. Notification. Promptly inform Customer if it receives any request, inquiry, or inspection by a supervisory authority relating to the processing of Customer Personal Data, unless prohibited by law.
6.2. Assistance. Provide reasonable assistance to Customer in responding to any request from a supervisory authority, including providing all necessary information and taking appropriate action as reasonably requested by Customer.
6.3. Compliance. Comply with any legally binding requests or directives issued by a competent supervisory authority concerning the processing activities covered by this DPA.
7. Liability
Subject to Section 8 (Conflicts), each party’s and its Affiliates’ liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall limit either party’s liability with respect to any individual’s data protection rights under this DPA or Data Protection Laws.
8. Conflicts
In the event of any conflict between this DPA, the SCCs, and the Agreements, the following order of precedence shall apply: (a) the SCCs; (b) this DPA; (c) the Agreements.
9. Governing Law and Jurisdiction
This DPA shall be governed by the laws of the State of Oregon, USA, unless otherwise provided by the SCCs, in which case the relevant governing law provisions shall apply. Disputes under this DPA shall be subject to the exclusive jurisdiction of the state and federal courts located in Portland, Oregon, USA, unless otherwise required by the SCCs.
Annex 1
Description of Processing
1. Nature and Subject Matter of the Processing
1.1. Categories of Data Subjects. Employees and other personnel of Customer and users of Customer’s products and services.
1.2. Categories of Personal Data Processed. Names of Customer personnel, contact information (including email addresses and telephone numbers) of Customer personnel, online identifiers of end users of services of the Customer, other categories identified in the Agreement, and other categories provided by Customer through its use of Digimarc products and services.
1.3. Frequency of the Transfer. Continuous.
1.4. Nature of the Processing. Transmitting, collecting, storing, and analyzing data in order to provide Digimarc products and services to, for the benefit of, and on behalf of Customer, and any other activities related to Digimarc’s provision of its products and services to, for the benefit of, and on behalf of Customer, or for the other purposes specified in the Agreement.
1.5. Subject Matter of the Processing. Providing Digimarc products and services to, for the benefit of, and on behalf of Customer under the Agreement.
1.6. Duration of the Processing. For the period needed for Digimarc to provide its products and services to, for the benefit of, or on behalf of Customer, and otherwise pursue its legitimate interests.
2. Customer Instructions
Customer hereby instructs Digimarc to perform the processing operations contemplated by the Agreement and this DPA.
3. Technical and Organizational Security Measures
3.1. Physical Access Controls.
External and internal building access restrictions limiting access to employees and authorized contractors who have undergone background reviews, enforced by a HID proximity security reader system with access logging.
Further physical access restrictions limiting access to rooms containing sensitive equipment and data, such as the data center.
Computer policy settings enforcing a strict computer auto-lock policy to further mitigate the risk of unauthorized physical access to workstations located inside or outside of Digimarc’s premises.
Systems that ensure the environmental security of data centers by guarding against environmental hazards such as heat, fire, and water damage.
3.2. Operational Controls.
Information systems and security policies that are regularly reviewed and updated.
Logical access controls that are designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privileged basis, use of unique IDs and passwords for all users, periodic review of established controls, and revocation of access rights or modification of access controls upon employee termination or reassignment).
Password controls that enforce password strength and usage restrictions including the prohibition of password sharing between users.
Change management procedures and tracking mechanisms that are designed to test, monitor, and approve changes to Digimarc technology and information systems.
Business continuity and disaster recovery policies and procedures that are designed to maintain service or recover from emergency situations and disasters.
Consistent patch management schedules and procedures for ensuring system updates are performed in a timely manner.
3.3. Data Protection.
Use of cryptographic transport protocols such as TLS to protect information transmitted over public networks in the course of communication with Digimarc applications.
Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring and, where applicable, utilization of commercially available and industry-standard encryption technologies.
Operational procedures and controls that provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal standards and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Digimarc possession.
3.4. Endpoint Protection.
Anti-virus and anti-malware protections on all user devices containing company data.
Data encryption technologies, e.g., BitLocker or FileVault, to prevent unauthorized access to, and ensure confidentiality and integrity of, company data contained on any user device.
3.5. Intrusion Prevention and Detection.
At the network edge, stateful firewalls, web application firewalls, and DDoS protection. Within the internal network, a multi-tiered application model which enables the application of security controls between each layer.
Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
3.6. Risk Assessment.
Audit and risk assessment procedures, including periodic review and assessment of risks to the Digimarc organization, monitoring and maintaining compliance with Digimarc policies and procedures, and reporting the condition of its information security and compliance to senior management.
Periodic vulnerability scanning of sensitive systems from both internal and external vectors. Reporting and review of findings will be conducted and remediation plans put in place for any notable vulnerabilities.