JW Player Data Processing Agreement

Effective Date: May 25, 2018

Capitalized terms used herein and not otherwise defined herein have the meanings assigned to such terms in the JW Player Terms of Service, available at www.jwplayer.com/tos/ (the “TOS”) or Order Form, as the case may be.

This Data Processing Agreement together with its attachments (the “Agreement”) forms part of the TOS and is effective between the Publisher (herein, the “Client”) and LongTail Ad Solutions, Inc. d/b/a JW Player, a Delaware Corporation (together with its affiliates, the “Service Provider”), each a “party”; together “the parties”, to reflect the parties’ agreement with regard to the Processing of Personal Information of Client in accordance with the requirements of Applicable Law. This Agreement applies only (i) if Client is located in the European Economic Area (“EEA”) or Switzerland, or (ii) if Client is not located in the EEA or Switzerland but only to the extent the Data Subjects are in the EEA or Switzerland. This Agreement is an addendum and forms part of the TOS.

1. Definitions

For the purposes of this Agreement: 

1.1 “Applicable Law” shall mean any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any legislative and/or regulatory amendments or successors thereto), to which a party to this Agreement is subject and which is applicable to a party’s Personal Information protection and privacy obligations.

1.2 “Data Controller” shall mean the entity which alone or jointly with others determines the purposes and means of the Processing of Personal Information.

1.3 “Data Processor” shall mean the entity that processes Personal Information on behalf of the controller.

1.4 “Data Subject” shall mean a natural person about whom Personal Information may be processed by Data Processor pursuant to the TOS or this Agreement.

1.5 “Personal Information” shall mean any information relating to an identified or identifiable Data Subject; an identifiable Data Subject is a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

1.6 “Process” or “Processing” shall mean any operation or set of operations which is performed upon Personal Information, whether or not by automatic means such as collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, access, disclosure, transfer, storage, deletion, combination, destruction, or other use of Personal Information.

1.7 “Sensitive Data” means special categories of personal data, as referenced in Article 9 of the GDPR.

1.8 “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in third countries under EU Directive 95/46 (pursuant to Commission Decision 2010/87/EU and currently available at eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087), as well as any new laws, rules, regulations, and/or contracts that replace, supersede, or are required to be implemented in connection with the Standard Contractual Clauses.

2. Data Processing

2.1 Vis-a-vis Data Processor, all Personal Information that is subject to this Agreement is owned by the Client. The Client acts as a Data Controller. The Service Provider shall act as a Data Processor and shall be subject to the Applicable Laws that directly apply to the Service Provider.

2.2 Client as a Data Controller retains all ownership rights in the Personal Information. Notwithstanding the foregoing, Client acknowledges that, except as otherwise set forth in the TOS and this Agreement, Service Provider shall have no obligation to or liability for its failure to preserve, retrieve, recover, return, segregate or take any other action with respect to Personal Information. Client shall have no access to and will not attempt to access Personal Information except through standard interfaces made available by Service Provider and intended for Client’s access. Except as set forth in this Agreement or in the TOS, Service Provider does not have any right to directly or indirectly sell, rent, lease, disclose or transfer Personal Information.

2.3 Client represents and warrants that it will (i) obtain and maintain on an ongoing basis a valid legal basis to collect, process and transfer to Company Personal Information, as required under applicable law, rules and regulations; (ii) establish and maintain a procedure for the exercise of the rights of the individuals whose Personal Information is processed on behalf of Client; (iii) ensure compliance with the provisions of this Agreement by its personnel or any third-party accessing or using Personal Information on its behalf; and (iv) except for Publisher Information, not share, pass or transfer any Sensitive Data to Service Provider.

2.4 With respect to Personal Information provided by Client, or otherwise Processed by Service Provider on Client’s behalf, Service Provider shall, and shall ensure that any person engaging in Processing Personal Information on its behalf, shall:

  • (a) Process Personal Information only to deliver services as instructed and permitted by Client, this Agreement and the Applicable Law (as well as any other agreements between the parties), and not Process Personal Information for any other purpose, unless agreed to or instructed by Client. The parties agree that this Agreement is Client’s complete and final instructions to Service Provider in relation to Processing of Personal Information. Processing outside the scope of this Agreement (if any) will require prior written agreement between the parties on additional instructions for Processing, including agreement on any additional fees Client will pay to Service Provider for carrying out such instructions;
  • (b) Develop, implement, maintain, and monitor an information security program that contains appropriate administrative, technical, and physical safeguards designed to protect Personal Information against anticipated threats or hazards to their security, confidentiality or integrity, and against unauthorized access or disclosure, and unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage, and against all other unauthorized forms of Processing. The safeguards shall meet or exceed the requirements provided by Client in Annex 1 and security requirements mandated by Applicable Law;
  • (c) Not disclose or transfer Personal Information to, or allow access by, any third party (except for affiliates and consultants under an obligation of confidentiality for the purposes of providing services to Service Provider) without the prior written agreement of Client, except (i) where such disclosure, transfer or access is mandated by Applicable Law (subject to Service Provider providing Client with prompt written notice of such requirement to transfer or disclose, unless such notice is prohibited by Applicable Law), (ii) where such disclosure, transfer or access is undertaken for the purpose of improving security features or eliminating fraudulent activities, and (iii) to subprocessors contained on the “Subprocessor List” (currently available at www.jwplayer.com/subprocessors/) that Service Provider uses to fulfill its contractual obligations under this Agreement and the TOS or to provide certain services on its behalf, such as providing support services (the “Services”). Service Provider shall provide notification (which notification shall be deemed given when Service Provider updates the Subprocessor List on the applicable publicly available website) of new subprocessor(s) before authorizing any new subprocessor(s) to Process Personal Information in connection with the provision of the Services. In order to exercise its right to object to Service Provider’s use of a new subprocessor, Client shall notify Service Provider promptly in writing within ten (10) business days after Service Provider notice in accordance with the mechanism set out above. In the event Client reasonably objects to a new subprocessor(s), Service Provider will use reasonable efforts to make available to Client a change in the affected Services or recommend a commercially reasonable change to Client’s configuration or use of the affected Services to avoid processing of Personal Information by the objected-to new subprocessor. If Service Provider is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Client may terminate the TOS in respect only to those Services which cannot be provided by Service Provider without the use of the objected-to new subprocessor, by providing written notice to Service Provider. Unless Client provides timely objection notice in accordance with the above procedure, Client shall be deemed to have approved such subprocessor. If Client approves Service Provider’s disclosure and/or transfer granting access of Personal Information to a third party, such third party shall, prior to any such disclosure, have entered into an agreement providing for appropriate protection of Personal Information. Service Provider shall remain accountable and responsible for all actions by such third parties with respect to the disclosed or transferred Personal Information;
  • (d) As reasonably instructed by Client, ensure that all Personal Information created by Service Provider on behalf of Client which is inaccurate or incomplete is erased or rectified in accordance with the Client’s instructions;
  • (e) To the extent legally permitted, reasonably cooperate with the Client with respect to any action taken relating to any request, complaint, or order or other document from a Data Subject or regulator relating to the Processing of Personal Information;
  • (f) Cease Processing and (if technically feasible) return, archive, or destroy Personal Information in its possession, in accordance with Client’s instructions, upon termination or expiration of this Agreement or promptly upon the Client’s request, provided that Service Provider shall have no obligation to delete, archive, destroy or return any information that is anonymized, aggregated or de-identified;
  • (g) Hold Personal Information in confidence and require employees and personnel who will be provided access or will otherwise Process Personal Information to take reasonable measures to protect all Personal Information in accordance with the requirements of this Agreement (including during the term of their employment and thereafter);
  • (h) Maintain appropriate access controls designed to limit access to Personal Information to employees and personnel who require such access in order to provide the goods and/or services to Client;
  • (i) Upon Client’s reasonable request, and subject to the confidentiality obligations set forth in the TOS, make available to Client (or Client’s independent, third-party auditor that is not a competitor of Service Provider) information regarding Service Provider’s compliance with the obligations set forth in this Agreement, which may be in the form of the third-party certifications and audits to the extent Service Provider makes them generally available to its customers; and subject to the confidentiality obligations set forth in the TOS, provide to such independent third-party inspection entity as Client may appoint, who shall not be a competitor of Service Provider, on written notice in accordance with the “Notices” Section of the TOS, at Client’s sole expense and no more than one (1) time in any year: (i) reasonable assistance and cooperation of Service Provider’s relevant staff; and (ii) reasonable facilities at Service Provider’s premises for the purpose of auditing Service Provider’s procedures relevant to the protection of Personal Information; Client shall reimburse Service Provider for any time expended for any such on-site audit at Service Provider’s then-current professional services rates. Before the commencement of any such on-site audit, data exporter and Service Provider shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Service Provider. Client shall promptly notify Service Provider with information regarding any non-compliance discovered during the course of an audit;
  • (j) Service Provider shall implement and maintain an adequate and appropriate data incident management program. In the event of any unauthorized loss of Personal Information, or any unauthorized or unlawful use, access, disclosure, acquisition, alteration or destruction, or any other compromise of, Personal Information within the possession or control of Service Provider or any Service Provider’s sub processors (“Security Incident”), Service Provider shall promptly notify by any means Service Provider reasonably selects, including via email, Client of the Security Incident. Client agrees that an unsuccessful Security Incident will not be subject to this Section (j). An unsuccessful Security Incident is one that results in no unauthorized access to Personal Information or to any of Service Provider’s equipment or facilities storing Personal Information, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or similar incidents. Client agrees that Service Provider’s obligation to report or respond to a Security Incident under this Section (j) is not and will not be construed as an acknowledgement by Service Provider of any fault or liability of Service Provider with respect to the Security Incident; and
  • (k) Upon notice to Service Provider, Service Provider shall provide reasonable assistance to Client in the event of an investigation by any regulator, including a data protection regulator, or similar authority, if and to the extent that such investigation relates to Personal Information Processed by Service Provider on behalf of Client. Such assistance shall be at Client’s sole expense, except where such investigation was required due to Service Provider’s acts or omissions, in which case such assistance shall be at Service Provider’s sole expense.

3. Data Transfers

3.1 Service Provider shall not cause or permit any of the Personal Information to be transferred to a country outside the EEA without Client’s prior written consent, which shall not be unreasonably withheld. Transfers to countries outside the EEA in accordance with a mechanism set forth in Section 3.2 below shall be deemed reasonable. Client hereby consents to transfer of Personal Information to Service Provider’s systems located in the United States and to any other location in the world solely for use and Processing authorized by the TOS and the Privacy Policy and in accordance with the mechanisms set forth in Section 3.2 below.

3.2 ADDITIONAL TERMS FOR EU PERSONAL DATA

  • (a) The Standard Contractual Clauses and the additional terms in this Section 3.2 will apply to the Processing of Personal Information by Service Provider that is transferred from the EEA or Switzerland to any country or recipient: (i) not deemed by the European Commission as providing an adequate level of protection for Personal Information, and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Information. The objective of Processing of Personal Information by Service Provider is the performance of the Services.
  • (b) Clause 1 of the Standard Contractual Clauses (“data importer”). The term “data importer” means: Service Provider.
  • (c) Clause 1 of the Standard Contractual Clauses (“data exporter”). The term “data exporter” means: Client and its affiliates established within the EEA and Switzerland that have purchased Services on the basis of an Order Form pursuant to the TOS.
  • (d) Clause 5(a) of the Standard Contractual Clauses. This Agreement and the TOS are data exporter’s complete and final instructions to Service Provider for the Processing of Personal Information. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the data exporter to Process Personal Information: (i) Processing in accordance with the TOS and applicable Order Forms; (ii) as part of any Processing initiated by Client in its use of the Services; and (iii) to comply with other reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the TOS.
  • (e) Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications: Upon data exporter’s request, and subject to the confidentiality obligations set forth in the TOS, Service Provider shall make available to data exporter (or data exporter’s independent, third-party auditor that is not a competitor of Service Provider) information regarding Service Provider’s compliance with the obligations set forth in this Agreement, which may be in the form of the third-party certifications and audits to the extent Service Provider makes them generally available to its customers. Client may contact Service Provider in accordance with the “Notices” Section of the TOS to request an on-site audit of the procedures relevant to the protection of Personal Information. Client shall reimburse Service Provider for any time expended for any such on-site audit at Service Provider’s then-current professional services rates. Before the commencement of any such on-site audit, data exporter and Service Provider shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Service Provider. Data exporter shall promptly notify Service Provider with information regarding any non-compliance discovered during the course of an audit.
  • (f) Clause 5(h) of the Standard Contractual Clauses. Pursuant to Clause 5(h) of the Standard Contractual Clauses, the data exporter acknowledges and expressly agrees that Service Provider may engage third-party subprocessors in connection with the provision of the Services.
  • (g) Clause 5(j) of the Standard Contractual Clauses. The parties agree that the copies of the subprocessor agreements sent by Service Provider to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Service Provider beforehand; and, that such copies will be provided by Service Provider only upon reasonable request by data exporter.
  • (h) Clause 12(1) of the Standard Contractual Clauses. The parties agree that the certification of deletion of Personal Information that is described in Clause 12(1) shall be provided by Service Provider to the data exporter only upon data exporter’s request.

4. Miscellaneous

4.1 Service Provider’s liability toward the Client with regard to any and all breaches of this Agreement and/or the Standard Contractual Clauses will be as set forth in the TOS and only to the extent it is liable pursuant to Article 82 of the EU’s General Data Protection Regulation.

4.2 Service Provider may modify the terms of this Agreement in its sole discretion and such modifications shall take effect and be binding on Client on the earliest date on which they are posted to Service Provider’s publicly available website or delivered to Client via electronic or physical delivery. No one other than Service Provider has the right to modify this Agreement.

4.3 This Agreement will terminate automatically upon termination of the TOS, or as earlier terminated pursuant to the terms of this Agreement.

4.4 Nothing in this Agreement shall affect any indemnification provisions set forth in underlying agreements between the parties, including any Terms of Service; nor shall this Agreement create new obligations of indemnification from one party to the other, except where expressly set forth herein.

Annex 1

INFORMATION SECURITY

(1) Information Security Policies and Standards

Service Provider’s security measures shall include, at a minimum, measures designed to:

  • Prevent unauthorized persons from gaining access to Personal Information Processing systems (physical access control);
  • Prevent Personal Information Processing systems being used without authorization (logical access control);
  • Ensure that persons entitled to use a Personal Information Processing system gain access only to such Personal Information as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Information cannot be read, copied, modified or deleted without authorization (data access control);
  • Ensure that Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Information by means of data transmission facilities can be established and verified (data transfer control);
  • Ensure that Personal Information is Processed solely in accordance with the Client’s instructions (control of instructions);
  • Ensure that Personal Information is protected against accidental destruction or loss (availability control); and
  • Ensure that Personal Information collected for different purposes can be processed separately (separation control).

These measures are kept up to date, and revised whenever relevant changes are made to the information system that uses or houses personal data, or to how that system is organized.

Security policies and standards include:

  • Data breach investigation;
  • System access control;
  • User privilege control;
  • Software development and change control;
  • Personal Information security;
  • Business continuity planning;
  • Electronic communication security;
  • System administrative security; and
  • Access to computer facilities.

(2) Physical Security

The Data Processor will maintain adequate security systems at all Data Processor sites at which an information system that uses or houses Personal Information is located. The Data Processor reasonably restricts access to such personal data appropriately, including through the use of restricted building access, key card access and contracting with subprocessors with which Service Provider has entered into a data processing agreement.

(3) Organizational Security

When media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any Personal Information stored on them before they are withdrawn from the inventory, including through destruction of storage devices or deletion of data. When media are to leave the premises at which the files are located as a result of maintenance operations, procedures have been implemented to prevent undue retrieval of personal data stored on them, including through the use of authentication controls and limited access to personal data.

All personal data security incidents are managed in accordance with appropriate incident response procedures.

(4) Network Security

The Data Processor maintains network security using commercially available equipment and techniques, including firewalls, intrusion detection and/or prevention systems, and access control lists.

(5) Access Control

Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Information.

User administration procedures define user roles and their privileges and how access is granted, changed and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms.

Access rights are implemented adhering to the “least privilege” approach.

The Data Processor implements commercially reasonable physical and electronic security to create and protect passwords, including through the use of commercially available password manager services and user password salting and encryption.

(6) Personnel

The Data Processor implements a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations; physical security controls; security practices and security incident reporting.

(7) Business Continuity

The Data Processor implements appropriate disaster recovery and business resumption plans, including through the use of regular data backups, security logs and designated personnel.

(8) Contractual Control

The Data Processor enters into data processing agreements with subprocessors.

(9) Separation Control

The Data Processor limits access and regularly rotates security logs. IP addresses are hashed with and without User Agent strings using a one-way hashing algorithm prior to database entry.

Annex 2

DESCRIPTION OF PROCESSING

What Personal Information will be processed?
As provided in the TOS and Privacy Policy, including IP addresses, device identifiers (only to the extent Client uses the SDKs (as defined in the TOS)), user agents, local storage client ids, non-persistent session ids and Client account information, in each case to the extent Personal Information under Applicable Law.

Categories of Data Subjects
Data Subjects include Client’s users and Client’s employees.

How will the Personal Information be shared with Data Processor?
As provided in the TOS and Privacy Policy.

Describe the purpose of the processing
As provided in the TOS and Privacy Policy.

Describe how the Personal Information will be processed by Data Processor
As provided in the TOS and Privacy Policy.

Describe how the Personal Information will be stored by Data Processor
As provided in the TOS and Privacy Policy.

ATTACHMENT 1

Attached hereto and incorporated herein by reference as Attachment 1 are the Standard Contractual Clauses. For the purposes of the Standard Contractual Clauses, the data exporting organization is the Publisher, and the contact details of the data exporting organization are those made available to Service Provider online or on an Order Form.

Name of the data importing organization: LongTail Ad Solutions, Inc.
Address: 530 7th Avenue, Ste. 1906, New York, NY 10018
Tel.: +1 212-244-0140; fax: +1 917 633 4958; e-mail: privacy@jwplayer.com
Other information needed to identify the organization: Not applicable

The Appendices to the Standard Contractual Clauses are as set forth below.

These Standard Contractual Clauses and the Appendices thereto are acknowledged and agreed by the parties by execution of the TOS.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):

Data Exporter is (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all Affiliates (as defined in the Agreement) of Customer established within the European Economic Area (EEA) and Switzerland that have purchased Service on the basis of one or more Order Forms.

Data importer
The data importer is (please specify briefly activities relevant to the transfer):

LongTail Ad Solutions, Inc., which provides online video technology, streaming and hosting, which processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement.

Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
Data exporter may submit personal data to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:

  • Customers of data exporter (who are natural persons)
  • Employees or contact persons of data exporter
  • Data exporter’s users authorized by data exporter to use the Service

Categories of data
The personal data transferred concern the following categories of data (please specify):

The personal data relating to individuals from the data exporter’s hosting, streaming and analytics and/or user accounts of data exporter.

Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):

n/a

Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):

The objective of Processing of personal data by data importer is the performance of the Service pursuant to the Agreement.

DATA EXPORTER
Name: See the Data Processing Agreement
Authorized Signature: Acknowledged by execution of the TOS

DATA IMPORTER
Name: LongTail Ad Solutions, Inc.
Authorized Signature: Acknowledged by execution of the TOS

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data resulting from or uploaded to the Service, as described in the Data Processing Agreement entered into between data importer and data exporter.

DATA EXPORTER
Name: See the Data Processing Agreement
Authorized Signature: Acknowledged by execution of the TOS

DATA IMPORTER
Name: LongTail Ad Solutions, Inc.
Authorized Signature: Acknowledged by execution of the TOS

Last Revised: May 9, 2018