The Data Processing agreement outlines how we handle, secure, and protect data on your behalf.
This data processing agreement sets out the terms under which we process personal data on behalf of the users of our software, platform(s), website(s), application(s) or services (the Services).
The Services include video editing, team collaboration and video publishing functionality. To make use of these services, users may be able to upload, enter and/or edit information on the Services, including personal information.
If a user uploads, enters or edits any personal data on the Services, the User (as defined below) is the controller for this personal information and is responsible for complying with the obligations of a controller, including the transparency obligations to the data subjects.
We are the processor for that personal data.
This data processing agreement is incorporated into, and should be read in conjunction with, the Terms and Conditions.
1
DEFINITIONS
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.
CCPA: the California Consumer Privacy Act of 2018.
Data Protection Legislation: all applicable data protection and privacy and regulatory requirements in force from time to time which apply to a party relating to the protection and use of Personal Data (including, without limitation, the privacy of electronic communications) including, without limitation, the UK GDPR, the EU GDPR and the CCPA.
we / us: Blackbird plc (trading as elevate.io), a public limited company registered in England and Wales under company number 3507286.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
User: the user of the elevate.io Services or, where the user uses the elevate.io Services on behalf of any business or organisation, that business or organisation.
2
Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 2 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
3
The parties acknowledge that for the purposes of the Data Protection Legislation, the User is the Controller and we are the Processor. Annex A sets out the scope, nature and purpose of processing by us, the duration of the processing and the types of Personal Data and categories of Data Subject.
4
Without prejudice to the generality of 2, the User will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to us and/or lawful collection of the Personal Data by us on behalf of the User for the duration and purposes of this data processing agreement.
5
Without prejudice to the generality of 2, we shall, in relation to any Personal Data processed in connection with the performance by us of our obligations under this data processing agreement:
5.1
process that Personal Data only on the documented written instructions of the User, as set out in Annex A, unless we are required by applicable law to otherwise process that Personal Data. Where we are relying on applicable law as the basis for processing Personal Data, we shall promptly notify the User of this before performing the processing required by the applicable law unless the applicable law prohibits us from so notifying the User;
5.2
ensure that we have in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
5.3
ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
5.4
not transfer any Personal Data outside of the UK or EEA unless the prior written consent of the User has been obtained and the following conditions are fulfilled:
(a)
the User or we have provided appropriate safeguards in relation to the transfer;
(b)
the data subject has enforceable rights and effective legal remedies;
(c)
we comply with our obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(d)
we comply with reasonable instructions notified to us in advance by the User with respect to the processing of the Personal Data;
5.5
assist the User, at the User's cost, in responding to any request from a Data Subject. If we receive any request from a Data Subject:
(a)
we will forward the request to you;
(b)
you agree to respond to the Data Subject directly in accordance with your legal obligations under the Data Protection Legislation; and
(c)
you shall be liable to us and indemnify us for any breach of clause 5.5(b). This means you will be responsible for any loss or damage we suffer as a result of your breach;
5.6
assist the User, at the User’s cost in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
5.7
notify the User without undue delay on becoming aware of a Personal Data Breach;
5.8
at the written direction of the User, delete or return Personal Data and copies thereof to the User on termination of the agreement unless required by applicable law to store the Personal Data; and
5.9
maintain complete and accurate records and information to demonstrate our compliance with this clause 5.
6
The User consents to us appointing the processors listed in Annex A as third-party processors of Personal Data under this agreement. We confirm that we have entered or (as the case may be) will enter with each of the third-party processors into a written agreement incorporating terms which reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the User and us, we shall remain fully liable for all acts or omissions of any third-party processor appointed by us pursuant to this clause 6.
Annex A Processing, Personal Data and Data Subjects
1
Processing by us
1.1
Scope: processing personal data contained in user content uploaded or inputted into the Services by or on behalf of the User in order to provide video editing, team collaboration and video publishing services.
1.2
Nature: digital processing and storage
1.3
Purpose of processing: for us to provide video editing, team collaboration and video publishing services to the User. The video publishing services may include publishing the content on any platform or service controller by us, as directed by the User.The parties agree that these purposes shall amount to the documented written instructions under this data processing agreement.
1.4
Duration of the processing: the duration of the user’s licence to use the elevate.io Services, as set out in the Terms and Conditions.
2
Types of Personal Data: any personal data that may be contained in the User’s video content or team collaboration data. This is expected to include audiovisual personal data of individuals featuring in the video content and also textual comments and opinions of the User’s team collaborators.
3
Categories of Data Subject: the User’s team and any individuals featuring in the video content.
4
Third party processors: Amazon Web Services