Videonor

Data Processing Agreement

Pursuant to European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and on the repeal of Directive 95/46/EC, Articles 28 and 29, cf. Articles 32-36, the following agreement is entered into

between

Name of organization

……………………….

(controller)

and

Videonor AS

(data processor)

1. The purpose of this agreement

The parties have entered into an agreement regarding the purchase and/or resale of Videonor’s services (the “Principal Agreement”).

The purpose of this data processing agreement is to regulate the processing of personal data that the data processor performs on the data controller’s behalf under the Principal Agreement, pursuant to European Parliament and Council Regulation (EU) 2016/679 of 27 April 2016 (the “General Data Protection Regulation” or “GDPR”) on the protection of individuals with regard to the processing of personal data and the free movement of such data, and on the repeal of Directive 95/46/EC.

The agreement shall ensure that personal information is not used illegally or unlawfully, and that the information is not managed in ways that lead to unauthorized access, alteration, deletion, damage, loss or unavailability.

The agreement regulates the data processor’s use and processing of personal data on behalf of the controller, including collection, recording, combining, storing, dispensing, or combinations thereof.

2. The nature, purpose and duration of processing

The processing of personal data that the processor performs on behalf of the controller consists of making Videonor’s cloud-based video communications services and related supplementary services available to the controller, and performing the necessary maintenance of these services.

The personal information the data processor processes on behalf of the data controller cannot be used for purposes other than the delivery and management of Videonor’s services unless such use is approved in advance by the controller.

The data processor cannot transfer personal data covered by this agreement to partners or other third parties unless such use is approved in advance by the controller, ref. Section 5.4 herein.

The processing lasts until this agreement is terminated by either party, or the controller removes the relevant personal information from the service, or the personal information is removed by the data processor in accordance with the instructions detailed in Appendix A to this agreement.

3. Categories of subjects (registered persons) and the types of personal data being processed

The data processor processes personal information on behalf of the data controller about several categories of data subjects in connection with the delivery and management of Videonor’s services. These are mainly:

  • Persons who have personal user accounts for authentication / login to the services’ administration interface, or for the use of video services
  • Persons who do not have personal user accounts on services, but whose names or other contact details are registered in the services
  • Persons who participate in video meetings where Videonor’s cloud services for video communications are being used

The types of personal information being processed include:

  • Contact details such as name, email address, video address / URI(s), organizational affiliation
  • Authentication info, as well as information about user roles / permissions with regard to the services (e.g. admin access)
  • Technical logs that record use of the services’ management functions, e.g. interaction with web-based management interfaces
  • Video communication traffic logs including time and duration of calls, signaling logs, call quality metrics, type designations for video communication equipment used, etc.
  • Recordings (audio / video) of video conferences in cases where Videonor’s supplementary services for video recording are being used by the customer

A more detailed summary of the information can be found in Appendix A to this agreement.

4. The controller’s obligations and rights

  • The data controller is responsible for ensuring that personal data is processed in accordance with the General Data Protection Regulation and the Norwegian Personal Data Act (ref. Article 24).
  • The controller has both a right and a commitment to determine for which purposes, and by which means the processing is done (ref. Article 4.7).
  • The controller will provide documented instructions for the data processor describing how the information should be processed (see Article 28.3 letter a). The instructions are attached to this Agreement, see Appendix A.
  • The controller has the right to terminate this agreement if the processor no longer meets the statutory requirements under Article 28 paragraph 1.

5. The data processor’s obligations

5.1 Only process personal information in accordance with the written instructions from the controller

  • The data processor shall only process personal data according to documented instructions from the controller, as regulated by this agreement. The exception is if Norwegian law requires the data processor to process the personal data in a specific manner, in which case the data processor shall notify the controller before processing commences, unless the law forbids such notification for reasons of important public interests.
  • The data processor must notify the controller if the data processor considers an instruction to be in breach of the General Data Protection Regulation or other provisions on the protection of personal data or national law (ref. Article 28 subparagraph 3, last paragraph).

5.2 Ensure that only authorized persons process the personal information, and in a confidential manner

The data processor must ensure via access control that only people with a legitimate need to handle the personal information are authorized and given access to it, whether they are employees of the processor or contract labor.

  • The data processor must ensure that authorized persons are obliged to treat personal information confidentially, or are subject to a statutory duty of confidentiality.
  • The data processor shall, upon request from the controller, be able to demonstrate that the authorized persons are subject to confidentiality – e.g. by providing documentation (ref. Article no. 28 letter b and h).
  • The duty of confidentiality also applies after the data processor assignment is completed.

5.3 Obligation to have satisfactory security measures

  • The data processor is obliged to implement all measures required by the General Data Protection Regulation Article 32.
  • The data processor shall document its own security organization, security policies and procedures, risk assessments and established technical, physical and organizational security measures. Documentation shall be made available to the controller upon request. Employees of the controller have a duty of confidentiality in relation to any confidential security documentation that the data processor makes available to the controller.

5.4 Use of other data processors (subprocessors)

An overview of data processors approved by the controller can be found in Appendix A to this agreement. The data processor has the controller’s general approval to use other data processors (subprocessors). The data processor is nonetheless required to notify the controller of any plans to replace or use new data processors. The controller must receive such notification no later than four weeks before the change takes effect. The controller shall have the opportunity to oppose the changes, and shall inform the data processor of this no later than 2 weeks after receipt of the notification. If the controller objects to the adoption of a new subprocessor, the processor may terminate this agreement and the Principal Agreement.

The data processor is obliged to enter into separate agreements with subprocessors that regulate the subprocessors’ handling of personal information in connection with the delivery and management of Videonor’s services. The data processor is obliged to submit such agreements to the controller upon request, with the exception of business sensitive information and trade secrets.

5.5 Assistance in answering requests concerning the rights of data subjects

The data controller is obliged to facilitate processes by which the privacy rights of the data subjects can be exercised, such as the right of access, rectification, deletion and objection, cf. section 3 of the privacy regulation.

In the case of a data subject exercising their right of access, the data processor must assist by collecting the information that is stored about the data subject. The data processor must make the information available to the controller so that the controller can properly consider the request for access.

5.6 Assistance to the controller

The data processor has a duty to assist the controller in complying with the obligations under Articles 32 to 36 of the privacy regulation that are relevant under the contractual relationship:

  • The data processor must immediately notify the controller if a personal data breach (ref. Article 33.2) is uncovered.
  • If the breach involves a risk to the rights and freedoms of the data subjects, the notification to the controller must as far as possible contain the information required for the controller to provide a detailed description of the violation to the supervisory authority (ref. Article 33.3).
  • If the breach requires that the controller must notify the data subjects (ref. Article 34), the data processor must provide any information required in order for the controller to fulfill the obligation to provide such notification in a clear manner, and in accordance with Article 33.3 letter c) and d).

Any assistance performed by the processor and required by the controller under this agreement shall be compensated according to the applicable hourly rates agreed between the parties, or, if no hourly rates are agreed upon, by the current regular and reasonable fees for such services.

5.7 Termination of the agreement

The data processor is obligated to delete all personal data that has been processed on the data controller’s behalf upon termination of the contractual relationship, in accordance with the instructions provided in Appendix A to this agreement or as otherwise agreed between the parties.

5.8 Information disclosure for the controller

The data processor must make available to the controller all information necessary to demonstrate that the obligations under Article 28 are met.

The data processor must facilitate and assist in audits (such as inspections) conducted by the controller or another inspector, on the authority of the controller.

6. Breach of agreement terms

If the terms of this agreement are breached due to errors or omissions on the part of the data processor, the controller can terminate the agreement with immediate effect. The data processor will still be obliged to delete the personal information it processes on behalf of the data controller in accordance with the provisions in the section on “Termination of the agreement” above. Any regulation on indemnification, liability and limitation of liability in the Principal Agreement applies likewise to the parties’ liability towards each other for breach of this agreement and the data protection law.

***

This agreement is made in 2 (two) copies, one for each party.

Place and Date

 On behalf of the controller                        On behalf of the data processor

………………………..                                          ………………………

Appendix A – Instructions for the data processor’s processing of personal data

The data processor shall adhere to the written instructions for the processing of personal data in Videonor’s services for video communications that the controller has decided to apply and that arise from this agreement.

Videonor AS commits to comply with all obligations under the General Data Protection Regulation relevant to the use of Videonor’s services for processing of personal data.

Personal information and categories of data subjects

The data processor may under this agreement process personal data on behalf of the data controller for several categories of data subjects related to the delivery and management of Videonor’s services:

I: Persons who have personal user accounts for login to administration interface(s)

These are persons who are given access to the services’ management interface on the web. Typically these persons will manage the setup of the service on their own behalf (a “user account”), or for an organization (an “enterprise account”).

The following information about these data subjects is processed:

  • Name
  • Email address
  • Admin user (yes / no)
  • Hashed / salted representation of password
  • Date / timestamp for creation / updating / activating the user account
  • Organization affiliation – for personal user accounts associated with an enterprise account
  • Service generated email messages – e.g. generated in connection with requests for resetting passwords etc.
  • Technical logs – information will be recorded in technical logs when user accounts are used for self service / management of personal accounts or an enterprise account for which the user account has administrator privileges. These logs will contain information such as:
    • Time of registered actions
    • ID and user name of the user who performed the action
    • The type of action that was performed (for example, creation / modification / deletion of subscriptions or services)
  • For users that opt to use LinkedIn as a third-party authentication mechanism for logging in to Videonor’s directory service “Seevia” and its management interface, the following additional information is stored:
    • LinkedIn user reference
    • Job title
    • Image URL

II: Persons who have user accounts for using Videonor’s video services

These are persons who are end-users of the video services offered by Videonor, and who authenticate using these accounts, e.g. when logging in to a software-based video client. This group may overlap with the group described in section I above.

The following information on these data subjects is processed:

  • Name
  • Email address
  • Hashed / salted representation of password
  • Date / timestamp for creation / updating / activating the account
  • Organization affiliation – for personal user accounts associated with an enterprise account
  • Service generated email messages – e.g. generated in connection with requests for resetting passwords etc.
  • Technical logs – information will be recorded in technical logs in connection with normal use of the video services. These logs will contain information such as:
    • Technical diagnostics information, e.g. call quality metrics and information about any errors arising during use
    • Traffic data in the form of information about the call duration and start / end time
    • URIs / IP addresses and display names for the participants in the conversation
    • Information about other servers / infrastructure components involved in signaling / media streams  
    • Information about protocols / codecs used in conjunction with the call

III: Individuals who are registered in the services through association with a video system, a virtual meeting room, or a video client whose contact details are entered into the services

This could be persons who do not have a personal user account on Videonor’s services, but who are registered in the service through the naming of a virtual meeting room, or by the controller entering contact details for personal video clients or video systems into Videonor’s directory service “Seevia” making it possible to identify individuals.

The following information on these data subjects is processed:

  • Display name – may coincide with a person’s name or variations thereof, such as “John Smith” or “J.Smith,” “John’s office,” “John’s Virtual meeting room” etc.
  • Video addresses / URIs – The unique address of the video system / client. Could be a SIP / H.323 URI, a Skype4Business address, a telephone number or an IP address.
  • Organization affiliation – for video clients, video systems or virtual meeting room associated with an enterprise account
  • Technical logs – information about video systems / clients that are connected directly to Videonor’s directory service “Seevia” for retrieval of contact information will be recorded in the technical logs in connection with the processing of requests such as search / navigation in the directory. These logs may, in addition to the above information, also contain information like
    • Time of request
    • Search strings/keywords
    • IDs for organization / folder from which the directory information is being retrieved
    • Type designation for video system / client
    • IP address
    • For Cisco endpoints connected to the directory service, the following additional information may be recorded:
      • Software version
      • Product ID
      • Product type
      • MAC address
      • HW board number
      • HW serial number

IV: Persons registered via participation in calls where Videonor’s services are being used by one or more participants

This category may overlap with categories I, II and III above. In addition, people who use Videonor’s cloud services for video communications can set up calls with people who are not customers / users of Videonor’s services (“external persons”). This may lead to the processing of personal data in the form of display names and video addresses for external persons, as such processing will be technically necessary to set up the call. For participants in calls, the following information is processed:

  • Display name
  • Video addresses / URIs
  • Technical diagnostics information, e.g. call quality metrics and information about any errors arising during use
  • Traffic data in the form of information about the call duration and start / end time
  • URIs / IP addresses and display names for the participants in the conversation
  • Information about other servers / infrastructure components involved in signaling / media streams  
  • Information about protocols / codecs used in conjunction with the call

In calls where Videonor’s supplementary services for recording video meetings are being used by the customer, recordings (audio / video) will be created.

Retaining and deleting personal data

The different categories of personal data described in this appendix shall be retained and deleted according to the following:

  • User account information, including name and email address, will be retained until the parent enterprise account is closed/deleted, or a user with admin privileges for the enterprise account acting on behalf of the customer actively deletes the user account. Note that in the case of personal user accounts for Videonor’s directory service “Seevia”, the users may delete their own user accounts. Inactive Seevia user accounts may also be routinely deleted by Videonor after a period of inactivity of no less than a year.
  • Video endpoint/client registration details, including display names and contact details such as video addresses, will be retained until the enterprise account is closed/deleted, or a user with admin privileges for the enterprise account acting on behalf of the customer actively deletes the video endpoint/client registration.
  • “Seevia” directory entries, including names and details such as video addresses for persons and video systems, will be retained until
    • a user with admin privileges for the enterprise account acting on behalf of the customer deletes the entry or its parent enterprise account, or
    • an automated sync removes the entry from Seevia based on the fact that the entry is no longer part of the local source selected for syncing, or
    • an external integration (API user) deletes the entry based on user input or rules in an external system used for managing directory entries on the customer’s behalf
  • Usage information, including call detail records, IP addresses, device information and call diagnostics, will be retained for 90 days. Meeting details older than 90 days will be anonymized so that although it may be possible to see that a product (Virtual Meeting Room, Desktop App or Endpoint) associated with a particular user has been used, the information that allows identification of additional individual meeting participants will be removed/anonymized.
  • Audio and video images as may be generated by customers who have access to Videonor’s supplementary recording feature. Meeting details for such meetings will be stored for up to two years after the end of the customer relationship. Note that this two year retention period is only for data about the meeting, and does not include the actual video/audio recording, which will be deleted 4 weeks after termination of the account/service, or can be deleted by the customer at any time.
  • Service notifications such as emails generated in order to facilitate certain tasks and workflows that are part of the service, like resetting passwords. Service notifications will be retained for 45 days. Additionally, metadata for bounced (unsuccessfully delivered) emails can be retained for up to 12 months for troubleshooting purposes.

Use of subcontractors

The controller approves of the data processor engaging the following subprocessors in connection with the delivery and management of Videonor’s services:

| Subcontractor | Country | Personal data being processed | Joined “Privacy shield” program? |
|---|---|---|---|
| LocalHost AS | Norway | Contact details for users with personal login, such as name, email address, organizational affiliation, video address, authentication information, etc. Contact information for persons who are registered in the services through association with a video system, a virtual meeting room, or a video client, such as name, organizational affiliation and video address. | N / A |
| Amazon Web Services, Inc | Ireland, USA | Contact information for users with personal login, such as name, email address, organizational affiliation, video link, authentication information etc. Contact information for persons who are registered in the services through association with a video system, a virtual meeting room, or a video client, such as name, organizational affiliation and video address. Service-generated email messages – e.g. generated in connection with requests for resetting passwords and the like. Technical logs of call setup and other use of the services. | Yes |
| Media Network Services | Norway | Technical logs generated in connection with video meetings where Videonor’s supplementary recording service based on MNS’s product “rec.vc” is used, and recordings from such meetings | N / A |
| Phonect AS | Norway | Technical logs for call setup, may include telephone numbers and video addresses / URIs | N / A |
| Quick Channel AB | Sweden | Technical logs generated in connection with video meetings where Videonor’s supplementary recording service based on Quick Channel AB’s product is used, and recordings from such meetings | N / A |
| Twilio Inc | USA | Technical logs for call setup, may include telephone numbers and video addresses / URIs | Yes |
| Wildbit LLC | USA | Service generated email messages distributed using Wildbit LLC’s service “Postmark” – e.g. emails generated in connection with requests for resetting passwords and the like. | Yes |

Transfer to countries outside the EU / EEA

For subcontractors located outside the EU / EEA, the transfer of personal data shall be done according to the rules on transfers to third countries in Articles 45 to 47 and 49 of the Privacy Regulation.

Subcontractors who are registered with “USA” as country in the table above are American businesses in the United States who have joined the Privacy Shield program, which allows such transfer under the Privacy Regulation.