Data Processing Addendum

This Data Processing Addendum (“DPA“) is made and entered into as of the date of the last signature below and forms part of the applicable agreement (the “Agreement“) entered by and between the Oosto entity with whom you have entered into the Agreement (“Oosto”, “Us”, “We”, “Our”, “Service Provider” or “Data Processor”) and you (as defined below). You acknowledge that you, on your own behalf as an individual and on behalf of your employer or another legal entity (collectively, “You”, “Your”, “Company” or the “Organization”) have read and understood and agree to comply with this DPA, and are entering into a binding legal agreement with Oosto to reflect the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) of European individuals. Both parties shall be referred to as the “Parties” and each, a “Party”.

WHEREAS, Oosto provides face recognition and video analytics software, and Company, as either a customer or reseller, has entered into an agreement regarding the use thereof, as well as associated support and maintenance services, all as shall be set out in the applicable Agreement (collectively, the “Services“), as described in the Agreement; and
WHEREAS, The Services may entail the processing of personal data in accordance with the EU Data Protection Directive 95/46/EC and its corresponding implementation laws in the EU Member States, as well as, as of May 25th 2018, the General Data Protection Regulation (EU) 2016/679 (collectively, the “Data Protection Laws and Regulations“); and
WHEREAS, In the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a “Data Processor”; and the Parties wish to set forth the arrangements concerning the processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:

1. INTERPRETATION AND DEFINITIONS

1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.

1.2 References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated.

1.3 Words used in the singular include the plural and vice versa, as the context may require.

1.4 Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.

1.5 Definitions:

      • 1.5.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control“, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
      • 1.5.2 “Authorized Affiliate” means any of Company’s Affiliate(s) which (a) is subject to the Data Protection Laws And Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Company and Oosto, but has not signed its own agreement with Oosto and is not “Company” as defined under the Agreement.
      • 1.5.3 “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
      • 1.5.4 “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
      • 1.5.5 “Oosto Group” means Oosto and its Affiliates engaged in the Processing of Personal Data.
      • 1.5.6 “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
      • 1.5.7 “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
      • 1.5.8 “Oosto” means the relevant Oosto entity of the following Oosto legal entities: Anyvision US Inc. (d/b/a Oosto), Anyvision Interactive Technologies Ltd. (d/b/a Oosto), Anyvision UK Limited (d/b/a Oosto) and/or Anyvision Asia Pacific Pte. Ltd (d/b/a Oosto).
      • 1.5.9 “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
      • 1.5.10 “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
      • 1.5.11 “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      • 1.5.12 “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
      • 1.5.13 “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Company, as updated from time to time, to be provided upon Company’s request or as otherwise made reasonably available by Oosto.
      • 1.5.14 “Sub-processor”means any Processor engaged by Oosto.
      • 1.5.15 “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

2. PROCESSING OF PERSONAL DATA

2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, and as between the Parties (i) Oosto is the Data Processor and (ii) Oosto or members of the Oosto Group may engage Sub-processors pursuant to the requirements set forth in Section 5 (“Authorization Regarding Sub-Processors”) below.

2.2 Company’s Processing of Personal Data. Company shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Company’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. As between the Parties, Company shall have sole responsibility for the means by which Company acquired Personal Data. Without limitation, Company shall ensure that it has any and all required legal bases in order to collect, Process, store and transfer to Data Processor the Personal Data and to authorize the Processing by Data Processor of the Personal Data which is authorized in this DPA.

2.3 Data Processor’s Processing of Personal Data. Subject to the Agreement, Data Processor shall Process Personal Data in accordance with Company’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this DPA and to provide the Services; (ii) Processing for Company to be able to use the Services; (iii) Processing to comply with other documented reasonable instructions provided by Company (e.g., via email) where such instructions are consistent with the terms of the Agreement; (iv) Processing as required by Union or Member State law to which Data Processor is subject; in such a case, Data Processor shall inform the Company of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. To the extent that Data Processor cannot comply with a request from Company and/or its authorized users (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind), (i) Data Processor shall inform Company, providing relevant details of the problem, (ii) Data Processor may, without any kind of liability towards Company, temporarily cease all Processing of the affected Personal Data (other than securely storing such data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Company shall pay to Data Processor all the amounts owed to Data Processor or due before the date of termination. Company will have no further claims against Data Processor (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).

2.4 Oosto will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Oosto, to the extent that such is a result of Company’s instructions.

2.5 If Company provides Oosto or any of the entities of the Oosto Group with instructions, requests, suggestions, comments or feedback (whether orally or in writing) with respect to the Services, Company acknowledges that any and all rights, including intellectual property rights, therein shall belong exclusively to Oosto and that such shall be considered Oosto’s intellectual property without restrictions or limitations of any kind, and Company hereby irrevocably and fully transfers and assigns to Oosto any and all intellectual property rights therein and waives any and all moral rights that Company may have in respect thereto.

2.6 Details of the Processing. The subject-matter of Processing of Personal Data by Data Processor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA specified in Schedule 1 (Details of the Processing) to this DPA.

3. RIGHTS OF DATA SUBJECTS

Data Processor shall, to the extent legally permitted, promptly notify Company if Data Processor receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, erasure (“right to be forgotten”), restriction of Processing, data portability, right to object, or its right not to be subject to automated individual decision making (“Data Subject Request“). Data Processor may respond to a Data Subject Request without Company’s consent in order to confirm that such request relates to Company, to which Company hereby agrees. Taking into account the nature of the Processing, Data Processor shall assist Company by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Company’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Company, in its use of the Services, does not have the ability to address a Data Subject Request, Data Processor shall upon Company’s request provide commercially reasonable efforts to assist Company in responding to such Data Subject Request, to the extent Data Processor is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Company shall be responsible for any costs arising from Data Processor’s provision of such assistance.

4. OOSTO PERSONNEL

4.1 Confidentiality. Data Processor shall ensure that its personnel engaged in the Processing of Personal Data have committed themselves to confidentiality and non-disclosure.

4.2 Data Processor may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable Data Protection Laws and Regulations (in such a case, Data Processor shall inform the Company of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).

5. AUTHORIZATION REGARDING SUB-PROCESSORS

5.1 Appointment of Sub-processors. Company acknowledges and agrees that (a) Data Processor’s Affiliates may be used as Sub-processors; and (b) Data Processor and/or Data Processor’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.

5.2 Objection Right for New Sub-processors. Company may reasonably object to Data Processor’s use of a new Sub-processor by notifying Data Processor promptly in writing within three (3) business days after receipt of Data Processor’s notice in accordance with the mechanism set out in Section 5.2 and such written objection shall include the reasons for objecting to Data Processor’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within three (3) business days following Data Processor’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Company reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Data Processor will use reasonable efforts to make available to Company a change in the Services or recommend a commercially reasonable change to Company’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Company. If Data Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Company may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to new Sub-processor by providing written notice to Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Until a decision is made regarding the new Sub-processor, Data Processor may temporarily suspend the Processing of the affected Personal Data. Company will have no further claims against Data Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.

5.3 Agreements with Sub-processors. Data Processor shall respect the conditions referred to in Articles 28.2 and 28.4 of the GDPR when engaging another processor for Processing Personal Data provided by Company. In accordance with Articles 28.7 and 28.8 of the GDPR, if and when the European Commission lays down the standard contractual clauses referred to in such Article, the Parties may revise this DPA in good faith to adjust it to such standard contractual clauses.

6. SECURITY

Controls for the Protection of Personal Data. Data Processor shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by Company. Data Processor regularly monitors compliance with these measures. Upon the Company’s request, Data Processor will assist Company, at Company’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Data Processor.

7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION

Data Processor maintains security incident management policies and procedures specified in Security Documentation and, to the extent required under applicable Data Protection Laws and Regulations, shall notify Company without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Data Processor or its Sub-processors of which Data Processor becomes aware (a “Personal Data Incident“). Data Processor shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Data Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Data Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Company or Company’s users. In any event, Company will be the party responsible for notifying supervisory authorities and/or concerned Data Subjects (where required by Data Protection Laws and Regulations).

8. RETURN AND DELETION OF PERSONAL DATA

Subject to the Agreement, to the extent Data Processor holds any Personal Data, it shall, at the choice of Company, delete or return the Personal Data to Company after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Data Processor may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Company requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Data Processor’s customers.

9. AUTHORIZED AFFILIATES

9.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Company enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Data Processor. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Company.

9.2 Communication. The Company shall remain responsible for coordinating all communication with Data Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

10. OTHER PROVISIONS

10.1 GDPR. The Parties will Process the Personal Data in accordance with the GDPR requirements directly applicable to each Party in the context of the provision and use of the Services.

10.2 Collaboration with Company’s’ Data Protection Impact Assessments. Upon Company’s request, Data Processor shall provide Company, at Company’s cost, with reasonable cooperation and assistance needed to fulfil Company’s obligation under the GDPR to carry out a data protection impact assessment related to Company’s use of the Services, to the extent Company does not otherwise have access to the relevant information, and to the extent such information is available to Data Processor. Data Processor shall provide, at Company’s cost, reasonable assistance to Company in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 10.2 of this DPA, to the extent required under the GDPR.

10.3 Transfer mechanisms for data transfers.

10.3.1 Transfers to countries that offer adequate level of data protection: Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA“) to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Adequacy Decisions“), without any further safeguard being necessary. As at the date of signature, Israel has been confirmed as offering an ‘adequate’ level of protection.

10.3.2 Transfers of Personal Data to the United States: Anyvision Inc. (d/b/a Oosto) is self-certified to and complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the US Department of Commerce.

10.3.3 Transfers to other countries: If the Processing of Personal Data includes transfers from the EEA to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries“), the Parties shall comply with Article 46 of the GDPR, and shall execute the standard data protection clauses adopted by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission or comply with any of the other mechanisms provided for in the GDPR for transferring Personal Data to such Other Countries.

10.4 For clarity, responsibility for compliance with the obligations corresponding to Data Controllers under Data Protection Laws and Regulations shall rest with Company and not with Oosto. Oosto may, at Company’s cost, provide reasonable assistance to Company with regards to such obligations.

11. TERMINATION

This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided.

12. RELATIONSHIP WITH AGREEMENT

In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. Liability and indemnification terms shall be set forth in the Agreement.

13. AMENDMENTS

This DPA may be amended at any time by a written instrument duly signed by each of the Parties.

14. SIGNATURE

The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA.

You, as the signing person on behalf of Company, represent and warrant that you have, or you were granted, full authority to bind the Organization and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind the Organization and/or its Authorized Affiliates, you shall not supply or provide Personal Data to Oosto.

By signing the Agreement, Company is deemed as entered into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that Oosto processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.

This DPA has been pre-signed on behalf of Oosto.

The parties’ authorized signatories have duly executed this Agreement:

Oosto:

Anyvision Interactive Technologies Ltd. (d/b/a Oosto):

Signature:

Print Name:

Title:

Date: Anyvision US Inc. (d/b/a Oosto):

Signature:

Legal Name:

Title:

Date: Anyvision UK Ltd. (d/b/a Oosto):

Signature:

Legal Name:

Title:

Date: Anyvision Asia Pacific Pte. Ltd. (d/b/a Oosto):

Signature:

Legal Name:

Title:

Date: You:

Company Name:

Signature:

Legal Name:

Title:

Date:

Schedule 1 – Details of the Processing

The terms below set out the details of the Processing performed on behalf of the Company and/or its customers:

  1. Types of Personal Data. Contact Information, the extent of which is determined and controlled by the Customer in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Subscription Service.
  2. Purpose of the Processing. Personal Data will be Processed for purposes of providing the services set out and otherwise agreed to in the Agreement and any applicable Order.
  3. Duration of the Processing. Personal Data will be Processed for the duration of the Agreement, subject to Section 4 of this DPA.
We're extending our Vision AI platform to the cloud with new multi-class AI capabilities
SCHOOL SAFETY EMERGENCY SUMMIT
We're extending our Vision AI platform to the cloud with new multi-class AI capabilities