This Data Protection Addendum ("Addendum") shall be deemed as an integral part of the Commercial Terms Form combined with the Terms and Conditions, ("Agreement"), in connection with Customer’s use of Agent Video Intelligence Ltd.'s ("Agent Vi") cloud-based video analytics software (collectively, the "Services"), entered into between Agent Vi and Customer (collectively, the "Parties").
Upon the Customer's checking "I agree" where applicable, Customer acknowledges that it has read this Addendum, understands it, and agrees to be bound by it. If Customer does not agree to any of the terms below, Agent Vi may be unwilling to grant Customer access to the Services. If Customer is unwilling to accept all of the terms of this Agreement or is in need of additional information, it should check the "I disagree" checkbox where applicable and the Customer shall not be entitled to use the Services.
Customer declares that the acceptance of this Addendum constitute a valid and legally binding contract with Agent Vi. If a person/entity is accepting this Agreement on behalf of a Customer, such person/entity represents and warrants that it has the full power and authority to bind the Customer to the terms and conditions contained herein. Customer or anyone acting on its behalf may not accept this Addendum if it is an entity and/or person barred from receiving the Services under the laws of the country in which it is a resident or from which it uses the Services.
This Addendum shall apply only to the extent Customer is established within the European Union and/or to the extent that Agent Vi Processes Personal Data of Data Subjects, located in the European Union on behalf of Customer or a Customer Affiliate.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended, and including, this Addendum.
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 "Applicable Laws" means (a) European Union law or any laws of a member state of the European Union in respect of which Agent Vi or any Customer Group Member is subject to; and (b) any Israeli and other applicable law in respect of which Agent VI or Customer is subject to;
1.1.2 "Contracted Processor" means Agent Vi or a Sub-processor;
1.1.3 "Customer's Personal Data" means any Personal Data which may be processed by a Contracted Processor on behalf of a Customer, pursuant to or in connection with the Agreement;
1.1.4 "Data Protection Legislation"
GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as amended from time to time or any regulation replacing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and the relevant Israeli applicable law.
1.1.5 "EU" means the European Union;
1.1.6 "EEA" means the European Economic Area. The GDPR applies to the European Economic Area (EEA), which includes all EU countries as well as Iceland, Liechtenstein and Norway;
1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.8 "Services" means the services as defined in the Agreement;
1.1.9 "Sub-processor" means any person (excluding an employee of Agent Vi or any of its sub-contractors) appointed by or on behalf of Agent Vi to Process Personal Data on behalf of Customer in connection with the Agreement;
1.1.10 "Supervisory Authority" means (a) an independent public authority which is established by a member state of the European Union pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Legislation; and
1.1.11 "Term" means the term of the Agreement, as defined therein.
1.2 The terms "Controller", "Data Subject", "member state", "Personal Data", "Personal Data Breach", and "Processing" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Customer Personal Data
2.1 The parties acknowledge that Customer is the Controller and shall comply with the obligations of a Controller under the GDPR and that Agent Vi is acting in the capacity of a Processor. In some circumstances, Customer may additionally or alternatively be a Processor, in which case Customer appoints Agent Vi as an authorised sub-processor, which shall not change the obligations of the Parties under this Addendum as Agent Vi will remain a Processor in any such event. Customer will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation.
2.2 Agent Vi shall only process Customer's Personal Data on the documented instructions of Customer, unless otherwise required by an Applicable Law to which Agent Vi is subject, in which case Agent Vi shall inform Customer of that legal requirement before such Processing, unless that law prohibits such information.
2.3 For the purpose of Section 2.2:
2.3.1 Customer instructs Agent Vi (and authorises Agent Vi to instruct each Sub-processor) to Process Customer Personal Data pursuant to the Agreement; and in particular, when it is necessary to provide the Services, transfer Customer Personal Data, and provide access to Personal Data according to sections 6 and 10.1.
2.3.2 Customer warrants and represents that it is and will, at all relevant times, remain duly and effectively authorised to give the instruction set out in Section 2.2, including on behalf of each relevant Customer Affiliate.
2.4 Annex 1 to this Addendum sets out certain information as required by Article 28(3) of the GDPR according to, Personal Data may be processed by Agent Vi. Customer warrants it is an accurate reflection of the Processing activities pursuant to this Addendum and the Agreement. The nature of the Processing operations will depend on the scope of the Services and the nature of the Personal Data that Customer provides in its sole discretion, in a manner by which Agent Vi finds appropriate to provide the required Services. Such Services may include the following: storage, use, combining, analysing, archiving and/or destruction.
Agent Vi shall ensure that any person that it authorises to Process the Personal Data on its behalf, shall be subject to a duty of confidentiality that shall survive the termination of their employment and/or contractual relationship.
4.1 During the Term, Agent Vi shall implement technical and organizational measures with respect to the Processing of Customer's Personal Data, taking into account the measures required by Article 32 of the GDPR. Such measures may be updated by Agent Vi from time to time, provided that such updates shall not materially decrease the protection of Personal Data for Data Subjects.
4.2 Customer warrants that on the date of this Addendum, all of the Personal Data Customer provided to any Contracted Processor, has been collected and Processed by Customer, according to the Applicable Laws, as well as supported by a lawful basis.
5.1 Customer authorises Agent Vi to appoint (and permit each Sub-processor to appoint) Sub-processors in accordance with this Addendum and any restrictions in the Agreement.
5.2 Customer specifically authorises Agent Vi to permit Amazon Web Services LLC, with its principal place of business at 410 Terry Avenue North, Seattle, WA 98109, as well as Figure-Eight with its principal place of business at 940 Howard St. San Francisco, CA 94103, to process Customer's Personal Data as required to provide the Services. Customer hereby authorises Agent Vi to continue to use Sub-processors already engaged by Agent Vi, as of the date of this Addendum. When practical, such authorisation shall be subject to Agent Vi, meeting the requirements set forth in section 5.4 ("Authorised Sub-Processors").
5.3 Agent Vi shall inform Customer as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the Authorised Sub-Processors that will Process any Customer Personal Data ("New Sub-Processor"). If, within 14 calendar days of receipt of that notice, Customer notifies Agent Vi in writing of any objections (on reasonable grounds) to the proposed appointment of a New Sub-Processor, the parties will endeavour to agree (acting reasonably), without undue delay, the commercially reasonable steps to be taken to ensure that the new Sub-processors is compliant with Article 28(4) of the GDPR. Where the Customer reasonably argues, that the risks involved with the sub-processing activities are still unacceptable, in the context of Article 28(4) and in relation to the appropriate steps, within the requisite time frame, the parties shall promptly seek to resolve the issues. Where the parties are unable to resolve the issues within such time frame, Customer's sole remedy will be to terminate the Agreement.
5.4 With respect to each Sub-processor, Agent Vi shall ensure that the sub-processor is bound by data protection obligations compatible with those of the Data Processor under this Addendum.
6. Data Subject Rights
6.1 Customer shall initially comply independently to requests received from Data Subjects to exercise their rights pursuant to Chapter III of the GDPR, with regard to accessing Customer's Personal Data held on Agent Vi's platform.
6.2 If the Data Subject will direct such a request to Agent Vi, Agent Vi shall inform and redirect the request to Customer.
6.3 Subject to section 6.1 and taking into account the nature of the Processing, Agent Vi shall assist Customer, at the Customer's cost, by appropriate technical and organisational measures, insofar as this is possible to comply with requests to exercise Data Subject rights, under the Data Protection Legislation.
7. Personal Data Breach
7.1 Agent Vi shall notify Customer without undue delay upon Agent Vi becoming aware of a personal data breach affecting Customer's Personal Data, providing Customer with information (as and when available) to assist Customer to meet any obligations to report or inform Data Subjects of the personal data breach under the Data Protection Legislation.
7.2 Agent Vi shall, at Customer's cost, cooperate with Customer and take the reasonable commercial steps which shall reasonably be instructed by Customer, to assist in the investigation and mitigation of each such personal data breach.
8. Deletion or Return of Customer's Personal Data
8.1 Agent Vi has a time based automatic data deletion mechanism for data retention assurance. Such mechanism is set to delete all Personal Data, including backed up data, up to 90 days after the time the data was initially collected by Agent Vi. However, this does not affect Customer's internal retention and back up mechanisms, as they are determined according to Customer's objectives or as Customer is required according to any Applicable Laws.
8.2 Subject to section 8.3, Customer may in its discretion by written notice to Agent Vi within 10 calendar days of the Cessation Date, require Agent Vi to (a) return a complete copy of all Customer's Personal Data to the Customer; and (b) delete all other copies of Customer's Personal Data Processed by any Contracted Processor. Agent Vi shall comply with any such written request within 60 calendar days of the Cessation Date.
8.3 Each Contracted Processor may retain Customer's Personal Data to the extent and for such period as required by Applicable Laws.
9. Audit Rights
9.1 Subject to section 9.2 and 9.3, Agent Vi shall make available to Customer upon a reasonable request, information which is reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR.
9.2 Where applicable, if Customer is not otherwise satisfied by its audit rights pursuant to the Agreement, Agent Vi shall, at the Customer's costs, allow for audits, including inspections, by an auditor mandated by Customer (subject to section 9.3 where auditor being subject to written confidentiality obligations in relation to such information) in relation to the Processing of the Customer Personal Data by the Contracted Processors, provided that:
9.2.1 Customer shall give Agent Vi a reasonable notice of any audit or inspection to be conducted; and
9.2.2 Customer shall take reasonable steps to ensure (and shall procure that each of its mandated auditors) to minimize disruption to the Contracted Processors' business, in the course of such audit or inspection, while such audits or inspections shall be conducted during normal working hours.
9.3 Agent Vi may object in writing to an auditor mandated by the Customer if the auditor is, in Agent Vi’s reasonable opinion, not suitably qualified or independent, a competitor of Agent Vi, or otherwise manifestly unsuitable. In the event of such an objection, Customer shall appoint another auditor or conduct the audit itself.
9.4 Where Agent Vi or any of its Contracted Processors shall assert that an on-premise audit inspection is deemed impracticable, Agent Vi, upon request, shall furnish the appropriate audit report or provide a confirmation that such an audit has occurred.
10. General Terms
10.1 Information may be transferred to third party companies and individuals to facilitate Agent Vi's services, who are located in a country outside of the EEA. Agent Vi as well as each contracted processor, shall implement appropriate technical and organizational measures to ensure a level of security, appropriate to the risk, while taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing as well as the likelihood of a risk to the rights and freedoms of natural persons. Furthermore, Agent Vi and each Contracted Processor shall maintain as appropriate, the specific controls described in Article 32(1), (a) to (d) of the GDPR and including any other controls mandated by applicable Data Protection Legislation or set out in the Agreement.
Order of Precedence
10.2 With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.
Changes in Data Protection Legislation
10.3 If any variation is required to this Addendum as a result of a change in Data Protection Legislation, then either party may provide written notice to the other party of that change of law. The parties shall discuss the change in Data Protection Legislation and negotiate in good faith with a view to agreeing on any necessary variations to this Addendum to address such changes, including any resulting charges.
10.4 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject Matter and Duration of the Processing of Customer's Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this Addendum.
The nature and purpose of the Processing of Customer's Personal Data
Agent Vi grants Customer the right to use Agent Vi's cloud-based video surveillance analytics software. Agent Vi’s video analytics software includes products for on-premise installations as well as cloud-based solutions through a Software as a Service (SaaS) model. The software is set up by Customer, who may make private use of the surveillance, or make the data available to relevant businesses, organizations and individuals. Personal Data is processed when it originates from Customer’s video cameras and is automatically transferred to Agent Vi via cloud service (AWS) for algorithmic analytics, for the purposes defined by Customer. Agent Vi processes Personal Data to provide services, support and maintenance in order to allow Customer to utilize the software for its operations. In particular, Personal Data will be subject to basic processing when Customer requires assistance in support or maintenance and Agent Vi will process the Personal Data to enable such assistance.
Special Categories of Personal Data to be Processed [i.e. g racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation]
Special categories of Personal Data are not processed by Agent Vi.
The Categories of Data Subject to whom the Customer Personal Data Relates
The categories of data subject are chosen by Customer.
The Obligations and Rights of Customer and Customer Affiliates
The obligations and rights of Customer and Customer Affiliates are set out in the Agreement and this Addendum.