Last updated: October 19th, 2018
1. DATA PROTECTION
1.1 JetWebinar (the data processor) is appointed by Subscriber (the data controller) to process Subscriber Personal Data on behalf of Subscriber (a User, or an Affiliate of Subscriber, as applicable) only as is necessary to provide the Services and as may subsequently be agreed by the parties in writing.
1.2 Each party shall comply with its respective obligations under the Data Protection Laws as a data controller or a data processor (as applicable) in respect of the processing of Subscriber Personal Data under or in relation to the Agreement.
1.3 The categories of Subscriber Personal Data to be processed by JetWebinar and the processing activities to be performed under this Agreement are set out in Schedule 1. Subscriber has sole responsibility for the accuracy, quality and legality of Subscriber Personal Data and warrants and represents that:
- it has complied with its obligations under the Data Protection Laws in respect of the collection, use, and transfer of Subscriber Personal Data and will identify and inform JetWebinar of any other data controller in respect of the Subscriber Personal Data;
- it is able to document and evidence its compliance with its obligations under the Data Protection Laws;
- no Subscriber Personal Data provided or transferred to JetWebinar constitutes a special category of Personal Data pursuant to Article 9 of the GDPR or Personal Data relating to criminal convictions and offenses pursuant to Article 10 of the GDPR;
- it is authorized to give instructions and otherwise act on behalf of its Users or Affiliates in relation to such Subscriber Personal Data and to bind its Users or Affiliates to the terms of this Exhibit; and
- the quantity of Subscriber Personal Data provided to JetWebinar is the minimum necessary for the performance of the Services pursuant to the Agreement.
1.4 JetWebinar agrees in respect of Subscriber Personal Data that it shall, in all material respects:
- only process Subscriber Personal Data in accordance with this Exhibit and the Agreement (and not otherwise unless alternative processing instructions are agreed between the parties in writing), unless required to do otherwise by EU law or the national law of an EU member state to which JetWebinar is subject, in which event JetWebinar shall inform Subscriber of the legal requirement before processing Subscriber Personal Data other than in accordance with Subscriber's instructions, unless that applicable law prohibits JetWebinar from doing so. If JetWebinar believes that any instruction received by it from Subscriber is likely to infringe the Data Protection Laws, it shall promptly notify Subscriber and shall be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions such that the relevant Services are not infringing;
- implement, maintain, and comply with the minimum security requirements set out in Schedule 2. Subscriber agrees that JetWebinar may from time to time, upon reasonable prior written notice, change the minimum security requirements set out in Schedule 2, provided that any such changes do not materially reduce the level of security and protection for Subscriber Personal Data required pursuant to clause 1.4.7;
- not publish, disclose, or divulge Subscriber Personal Data to a third party unless Subscriber has given its prior written consent;
- ensure that only those JetWebinar personnel who may be required by JetWebinar to assist JetWebinar in meeting its obligations under this Agreement will have access to Subscriber Personal Data, that such JetWebinar personnel, prior to such access, meet and remain in compliance with the requirements. Privacy and Confidentiality of Information of the Agreement, and take reasonable steps to ensure the reliability of such JetWebinar personnel;
- at Subscriber's cost and taking into account the nature of the processing, provide reasonable cooperation to Subscriber to allow Subscriber (or an Affiliate of Subscriber) to comply with its obligations as a Data Controller;
- at the Subscriber's cost and the Subscriber's option, following the end of the provision of Services pursuant to the Agreement, either return or delete all Subscriber Personal Data in the possession or control of JetWebinar, except to the extent that any applicable law requires JetWebinar to store or retain copies of such Subscriber Personal Data. For the avoidance of doubt, this requirement to return or delete Subscriber Personal Data shall not apply to Subscriber Personal Data which is archived on JetWebinar's backup systems; and
- provide an adequate level of security and protection for Subscriber Personal Data in accordance with the requirements of the Data Protection Laws.
1.5 JetWebinar may appoint third parties to process Subscriber Personal Data ("Subprocessors") subject to JetWebinar:
- providing reasonable prior notice to Subscriber of the identity and location of the Subprocessor and a description of the intended processing to be carried out by the Subprocessor reasonably sufficient to enable Subscriber to evaluate any material risks to Subscriber Personal Data; and
- imposing legally binding contract terms on the Subprocessor which are the same as those contained in this Exhibit including the referenced Schedules.
1.6 Within 30 days of being informed of the appointment of the new Subprocessor, Subscriber may object to the appointment in writing to JetWebinar. If Subscriber objects, JetWebinar shall use its reasonable endeavors to resolve Subscriber's objection. If Subscriber's objection cannot be reasonably accommodated, either party may terminate the Agreement upon 30 days' prior written notice. This is Subscriber's sole and exclusive remedy.
1.7 Subscriber authorizes the appointment of the Subprocessors listed:
- Amazon Web Services.
1.8 JetWebinar acknowledges and agrees that it shall remain liable to Subscriber for a breach of the terms of this Agreement by a Subprocessor appointed by it.
1.9 JetWebinar shall, in accordance with the Data Protection Laws, make available to Subscriber upon reasonable request such information that is in JetWebinar's possession or control as is necessary to demonstrate JetWebinar's compliance with this Exhibit (including the referenced Schedules) and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent Data Protection Laws equivalent to that Article 28).
1.10 Subject to a maximum of [one] audit request in any 12 month period, JetWebinar shall, upon reasonable prior notice, allow for and contribute to audits conducted by Subscriber (or another auditor mandated by Subscriber) for the purpose set out in Section 1.9, provided Subscriber (or such other auditor mandated by Subscriber) are bound by appropriate obligations of confidentiality. For the purpose set out in Section 1.9, Subscriber may perform an on-site audit, at its own expense, if and only if (a) JetWebinar notifies Subscriber of a Security Breach, (b) Subscriber reasonably believes JetWebinar is not in compliance with its data security obligations under this Exhibit including the referenced Schedules, or (c) an on-site audit is required by the Data Protection Laws. To the extent permissible under the Data Protection Laws, JetWebinar may satisfy an audit request by providing Subscriber with a copy of an independent audit report (which may be redacted as reasonably necessary to ensure confidentiality).
2. SECURITY BREACHES
JetWebinar shall notify Subscriber without undue delay after becoming aware of any confirmed accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Subscriber Personal Data ("Security Breach").
At Subscriber's cost, JetWebinar agrees to provide such assistance reasonably required by Subscriber to enable Subscriber to respond to any request, complaint, or binding instruction that is received from: (a) any living individual whose Personal Data is processed by JetWebinar on Subscriber's behalf; (b) any regulator or data protection authority; (c) any independent recourse mechanism that Subscriber elects to adopt under the Privacy Shield or any arbitration panel set up under the Privacy Shield Framework.
4. DATA TRANSFERS
4.1 JetWebinar shall not process Subscriber Personal Data outside the EEA (including by way of remote access) without the prior written consent of Subscriber.
4.2 Subscriber hereby consents to Subscriber Personal Data being processed outside the EEA, subject to JetWebinar's compliance with Section 4.3 and Section 4.4 below throughout the duration of the Agreement.
4.3 To the extent that Subscriber Personal Data is processed outside the EEA and/or Switzerland,
- the transfer shall be governed by and is within the scope of JetWebinar's certification to the Privacy Shield. JetWebinar shall at all times for the purposes of this Exhibit: (a) maintain a "current" Privacy Shield certification status with the U.S. Department of Commerce related to its processing of Subscriber Personal Data and remain at all times in compliance with the requirements of the Privacy Shield and the Privacy Shield Principles; and (b) provide Subscriber with ninety (90) days written notice prior to any date on which JetWebinar's "current" certification status with the U.S. Department of Commerce ends and, in such case, JetWebinar shall promptly execute any supplemental privacy and security terms with Subscriber or its Affiliates as Subscriber may direct in its sole judgment, including but not limited to European Commission standard contractual clauses.
4.4 If, for whatever reason, the transfer of Subscriber Personal Data under Section 4.3 above ceases to be lawful, the parties shall use reasonable endeavors to promptly implement an alternative lawful transfer mechanism.
5.1 Each party's liability for one or more breaches of this Exhibit shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party's liability for a breach of this Exhibit exceed the liability cap set out in the Agreement.
5.2 Neither party limits or excludes any liability that cannot be limited or excluded under applicable law.
6. GENERAL TERMS
6.1 Nothing in this Exhibit reduces JetWebinar's obligations under the Agreement in relation to the protection of Subscriber Personal Data or permits JetWebinar to process (or permit the processing of) Subscriber Personal Data in a manner which is prohibited by the Agreement.
6.2 Subject to Section 6.1, with regard to the subject matter of this Exhibit, in the event of inconsistencies between the provisions of this Exhibit and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Exhibit, the provisions of this Exhibit shall prevail.
6.3 Either party may by at least 30 calendar days' written notice to the other from time to time propose any variations to this Exhibit which that party reasonably considers to be necessary to address the requirements of the Data Protection Laws. If such notice is given, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as reasonably practicable.
7.1 "Affiliate" means any entity in which the party owns, either directly or indirectly, more than 50% of the equity interest or voting stock, or equivalent, in such entity, or controls, is controlled by or under common control with such entity, whether such entity is now existing or subsequently created or acquired during the term of the Agreement.
7.2 The terms "Data Controller", "Data Processor", "Personal Data", "data subject", "supervisory authority", "process" and "processing" have the meanings given to them under all applicable Data Protection Laws from time to time.
7.3 "Data Protection Laws" means any applicable law relating to the processing, privacy and use of Personal Data, as applicable to either party or the Services, including:
- the EU Data Protection Directive (95/46/EC) and/or the EU General Data Protection Regulation (2016/679) ("GDPR") and/or the UK Data Protection Act 1998;
- any laws which implement any such laws in each applicable jurisdiction; and
- any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.
7.4 "Subscriber Personal Data" means any Personal Data processed by JetWebinar (and its Subprocessors (if applicable)) on behalf of the Subscriber or its Affiliates pursuant to or in connection with the Agreement.
7.5 "Privacy Shield" means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.
7.6 "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded, or replaced).
SCHEDULE 1: DESCRIPTION OF PERSONAL DATA PROCESSING
The data processing activities carried out by JetWebinar under this Agreement may be described as follows:
1. Subject Matter
1.1 Names and email addresses for webinar registrants and attendees of client webinars.
2.1 As long as the client uses our webinar software.
3. Nature and Purpose
3.1 We host webinars and online events for clients and collect name, email, phone numbers (custom field data) for clients.
4. Data Categories
4.1 Name, Email Address, Phone Numbers, and custom fields.
5. Data Subjects
5.1 Webinar registrants and attendees.