The Data Processing agreement outlines how we handle, secure, and protect data on your behalf.
This data processing agreement sets out the terms under which elevate.io processes personal data on behalf of the users of the elevate.io software, platform(s), website(s), application(s) or services (the elevate.io Services).
The elevate.io Services include video editing and team collaboration functionality. To make use of these services, users may be able to upload, enter and/or edit information on the elevate.io Services, including personal information.
If a user uploads, enters or edits any personal data on the elevate.io Services, the User (as defined below) is the controller for this personal information and is responsible for complying with the obligations of a controller, including the transparency obligations to the data subjects.
elevate.io is the processor for that personal data.
This data processing agreement is incorporated into, and should be read in conjunction with, the Terms and Conditions.
1
DEFINITIONS
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
CCPA: the California Consumer Privacy Act of 2018.
Data Protection Legislation: all applicable data protection and privacy and regulatory requirements in force from time to time which apply to a party relating to the protection and use of Personal Data (including, without limitation, the privacy of electronic communications) including, without limitation, the UK GDPR, the EU GDPR and the CCPA.
elevate.io: Blackbird plc (trading as elevate.io), a public limited company registered in England and Wales under company number 3507286.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
User: the user of the elevate.io Services or, where the user uses the elevate.io Services on behalf of any business or organisation, that business or organisation.
2
Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
3
The parties acknowledge that for the purposes of the Data Protection Legislation, the User is the Controller and elevate.io is the Processor. Annex A sets out the scope, nature and purpose of processing by elevate.io, the duration of the processing and the types of Personal Data and categories of Data Subject.
4
Without prejudice to the generality of 2, the User will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to elevate.io and/or lawful collection of the Personal Data by elevate.io on behalf of the User for the duration and purposes of this data processing agreement.
5
Without prejudice to the generality of 2, elevate.io shall, in relation to any Personal Data processed in connection with the performance by elevate.io of its obligations under this data processing agreement:
5.1
process that Personal Data only on the documented written instructions of the User, as set out in Annex A, unless elevate.io is required by applicable law to otherwise process that Personal Data. Where elevate.io is relying on applicable law as the basis for processing Personal Data, elevate.io shall promptly notify the User of this before performing the processing required by the applicable law unless the applicable law prohibits elevate.io from so notifying the User;
5.2
ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
5.3
ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
5.4
not transfer any Personal Data outside of the UK or EEA unless the prior written consent of the User has been obtained and the following conditions are fulfilled:
(a)
the User or elevate.io has provided appropriate safeguards in relation to the transfer;
(b)
the data subject has enforceable rights and effective legal remedies;
(c)
elevate.io complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d)
elevate.io complies with reasonable instructions notified to it in advance by the User with respect to the processing of the Personal Data;
5.5
assist the User, at the User's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
5.6
notify the User without undue delay on becoming aware of a Personal Data Breach;
5.7
at the written direction of the User, delete or return Personal Data and copies thereof to the User on termination of the agreement unless required by applicable law to store the Personal Data; and
5.8
maintain complete and accurate records and information to demonstrate its compliance with this clause 5.
6
The User consents to elevate.io appointing the processors listed in Annex A as third-party processors of Personal Data under this agreement. elevate.io confirms that it has entered or (as the case may be) will enter with each of the third-party processors into a written agreement incorporating terms which reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the User and elevate.io, elevate.io shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6.
Annex A Processing, Personal Data and Data Subjects
1
Processing by elevate.io
1.1
Scope: processing personal data contained in user content uploaded or inputted into the elevate.io Services in order to provide video editing and team collaboration services.
1.1
Scope: processing personal data contained in user content uploaded or inputted into the elevate.io Services in order to provide video editing and team collaboration services.
1.2
Nature: digital processing and storage
1.3
Purpose of processing: for elevate.io to provide video editing and team collaboration services to the User. The parties agree that these purposes shall amount to the documented written instructions under this data processing agreement.
1.4
Duration of the processing: the duration of the user’s licence to use the elevate.io Services, as set out in the Terms and Conditions.
2
Types of Personal Data: any personal data that may be contained in the User’s video content or team collaboration data. This is expected to include audiovisual personal data of individuals featuring in the video content and also textual comments and opinions of the User’s team collaborators.
3
Categories of Data Subject: the User’s team and any individuals featuring in the video content.
4
Third party processors: Amazon Web Services