Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, Infrared5 Terms of Service (the “Agreement”) entered into by Infrared5 (“we”, “our” or “us”) and Client (collectively referred to as the “Parties”). This Addendum sets forth the terms and conditions relating to the Processing of Personal Data by Infrared5 on behalf of Client in connection with Client’s use of the Services pursuant to the Agreement. Terms not defined herein have the meaning ascribed to them in the Agreement.

I. Definitions

“Client Data” means Personal Data relating to Customer’s relationship with Infrared5, including: (i) Users’ account information (e.g. name, email address, or Red5 account ID); (ii) billing and contact information of individual(s) associated with Client’s Red5 account (e.g. billing address, email address, or name); (iii) Users’ device and connection information (e.g. IP address); and (iv) content/description of technical support requests (excluding attachments). Deployment information, such as dates and times of scheduled deployments, audience sizes by region for each deployment, sources of streams for deployments, authentication endpoints and other infrastructure information required to support deployments. Audio and/or video data and recordings that you send and receive via the Services and which we may process and store audio and/or video recordings if you utilize recording or DVR features as part of your use of Services. If you submit content to customer support, we may obtain audio and/or video recordings from you during this process.

“Client Personal Data” means Personal Data contained in Client Data that Infrared5 Processes under the Agreement solely on behalf of Client. For clarity, Client Personal Data includes any Personal Data included in the attachments provided by Client or its Users in any technical support requests.

“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Instructions” means this Addendum, the Agreement and any further written agreement entered into by the Parties through which Client instructs Infrared5 to perform specific Processing of Personal Data.

“Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.

“Personal Data Breach” means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data by any of Infrared5’s staff or Sub-Processors, or any other identified or unidentified third party.

“Processing” (and “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data Processed by Infrared5 and/or its Sub-Processors.

“Sub-Processor” means an entity engaged by Infrared5 to Process Personal Data on behalf and under the authority of the Data Controller.

“Business”, “Business Purpose”, “Sell”, “Service Provider”, and “Share” shall have the meanings ascribed to them in the CCPA/CPRA.

II. Roles and Responsibilities of the Parties

(A) The Parties acknowledge and agree that Client is acting as a Data Controller and Business with respect to the Processing of Personal Data Processed under this Addendum, and Infrared5 is acting as a Data Processor and Service Provider on behalf and under the Instructions of Client. Infrared5 understands and agrees that, except as described in Section II(E) below, it will not (1) Sell or Share Personal Data, or (2) retain, use or disclose Personal Data (a) for any purpose other than the Business Purpose(s) of performance of the services specified in the Agreement, and otherwise for fulfillment of its obligations under the Agreement, or as required or permitted by applicable law, or (b) outside the direct business relationship between Client and Infrared5, or (3) combine Personal Data received pursuant to the Agreement with personal data received from or on behalf of another person(s), or collected from Infrared5’s interaction with individuals, unless permitted by applicable law.

(B) Client represents and warrants that: (1) all Personal Data has been obtained by Client and disclosed to Infrared5 in compliance with applicable law and for limited and specified purposes; (2) Client has all rights and permissions and a lawful basis to use and disclose Personal Data for the purposes contemplated by the Agreement; and (3) all Instructions to Client concerning the Processing of Personal Data will comply with applicable law.

(C) The Parties acknowledge and agree that Infrared5 may aggregate, de-identify and/or anonymize Personal Data as part of the services for analytics purposes and improving Infrared5’s products and services.

(D) Client may take reasonable and appropriate steps to ensure that Infrared5 uses Personal Data in a manner consistent with Client’s obligations under the CCPA/CPRA in its capacity as a Service Provider to Client.  Client may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

(E) To the extent permitted by Applicable Data Protection Law, Infrared5 may retain, use, or disclose Personal Data obtained in the course of providing the Services: (1) to retain and employ another Data Processor/Service Provider as a subcontractor, where the subcontractor meets the requirements for a Data Processor/Service Provider under Data Protection Law; (2) for internal use by Infrared5 to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source; (3) to detect data security incidents, or protect against fraudulent or illegal activity; (4) to comply with federal, state, or local laws; (5) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (6) to cooperate with law enforcement agencies concerning conduct or activity that Infrared5 reasonably and in good faith believes may violate federal, state, or local law; or (7) to exercise or defend legal claims.

III. Obligation of Infrared5

Infrared5 agrees to:

(A) Process Personal Data in accordance with the Client’s Instructions, as set forth in the Agreement, including this Addendum, unless Infrared5 is otherwise required by applicable law. To the extent permitted by applicable law, Infrared5 shall inform Client in advance if, in Infrared5’s opinion, other Processing is required by law or an Instruction infringes applicable law.

(B) Comply with applicable obligations under Applicable Data Protection Law in its capacity as a Data Processor or Service Provider to Client.

(C) Infrared5 shall (1) provide the level of privacy protection for Personal Data as is required by the CCPA/CPRA; and (2) notify Client if Infrared5 makes a determination that it can no longer meet its obligations under this Addendum or applicable obligations under the CCPA/CPRA in its capacity as a Service Provider to Client.

(D) Ensure that personnel authorized by Infrared5 to Process Personal Data in the context of the services are subject to a duly enforceable contractual or statutory confidentiality obligation.

(E) Inform Client promptly of any formal written request made to Infrared5 from Data Subjects exercising their rights under Applicable Data Protection Law. To the extent permitted by applicable law, Infrared5 shall provide appropriate and reasonable support to Client in fulfilling Client’s obligations to respond to such requests from Data Subjects with respect to Infrared5’s Processing of their Personal Data.

(F) Taking into account the nature of Processing and information available to Infrared5, reasonably assist Client in complying with its obligations under Applicable Data Protection Law, in particular Client’s obligation to implement appropriate data security measures, to carry out a data protection impact assessment, and to consult the competent supervisory authority or other regulatory agency, provided that such assistance does not violate applicable law or confidentiality or contractual obligations.

IV. Data Transfers

Where Infrared5 transfers Personal Data to a jurisdiction outside the EEA, United Kingdom or Switzerland, Infrared5 shall transfer the Personal Data in accordance with Applicable Data Protection Law.

To the extent that the GDPR applies to Personal Data and such data originates from the European Economic Area, then, to the extent required to comply with GDPR, the Parties agree that the use of such Personal Data is subject to the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (the “EU Standard Contractual Clauses”), with Module 2 applying and with none of the optional clauses applying, except Clause 7 and Option 2 of Clause 9(a) (with the time period for prior notice of Sub-Processor changes as described in Section V(B) below). For purposes of Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the law of Ireland. For purposes of Clause 18(b), disputes will be resolved before the courts of Ireland. For these purposes, Infrared5 is the “data importer” and Client is the “data exporter” as defined in the EU Standard Contractual Clauses. The data subjects, categories of data, purposes of processing, and other descriptions of the data transfer, are as set forth in Schedule I hereto, which serves as Annex I of the EU Standard Contractual Clauses. Infrared5’s technical and organizational measures for the protection of Personal Data, available upon request, serve as Annex II of the EU Standard Contractual Clauses. Schedule II hereto, which lists the Sub-Processors that Infrared5 engages to Process Personal Data, serves as Annex III of the EU Standard Contractual Clauses.

To the extent that the UK GDPR applies to Personal Data and such data originates from the United Kingdom, then, to the extent required to comply with the UK GDPR, the Parties agree that the use of such Personal Data is subject to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018 (“UK Data Transfer Agreement”). Schedule I hereto includes the parties’ details and contact information for Table 1 of the UK Data Transfer Agreement. The above paragraph of this Section IV includes the information for Table 2 of the UK Data Transfer Agreement. For Table 3 of the UK Data Transfer Agreement: (a) the list of parties is found in the “List of Parties” section of Schedule I hereto; (b) the description of transfer is found in the “Description of Transfer” section of Schedule I hereto; (c) Annex II is available upon request; and (d) Schedule II hereto, which lists the Sub-Processors that Infrared5 engages to Process Personal Data, serves as Annex III of the UK Data Transfer Agreement. For Table 4 of the UK Data Transfer Agreement, both the importer and exporter may end the UK Data Transfer Agreement in accordance with its terms.

V. Sub-Processing

(A) Client shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to a Sub-Processor, unless Client has authorized Infrared5 to do so.

(B) Client hereby authorizes the Sub-Processors listed in Schedule II to Process Personal Data. To the extent required by Data Protection Law, when any new Sub-Processor is engaged, Infrared5 shall give Client written notice of the engagement at least 30 days prior to the new Sub-Processor Processing Personal Data. Infrared5 may provide such notice to Client by updating the list of Sub-Processors and notifying customers via email.

(C) Client may object to the engagement of a new Sub-Processor by terminating the Agreement, provided that the grounds for such objection are reasonable and based on compliance with Applicable Data Protection Laws and Client sends written notice of termination to Infrared5 within 10 days of Infrared5 providing notice of the new Sub-Processor pursuant to section V(B). Any termination under this section shall be deemed to be without fault by either Party and shall be subject to the terms of the Agreement. This termination right is Client’s sole and exclusive remedy if Client objects to any new Sub-Processor.

(D) Where Infrared5 engages a Sub-Processor, Infrared5 shall enter into a written agreement with the Sub-Processor that imposes obligations on the Sub-Processor that are substantially similar to those imposed on Infrared5 under this Addendum.

VI. Data Security

(A) Infrared5 shall implement appropriate technical and organizational measures to protect Personal Data in Infrared5’s possession, custody or control in accordance with Data Protection Law. A list of Infrared5’s technical and organizational measures is available upon request.

(B) Upon termination of the Agreement, Infrared5 shall return to Client, or at Client’s request, securely destroy or render unreadable or undecipherable, all Personal Data in Infrared5’s possession, custody or control, subject to applicable law. In the event applicable law does not permit Infrared5 to perform such delivery or destruction of the Personal Data, Infrared5 warrants that it shall protect the confidentiality of the Personal Data in accordance with this Addendum.

VII. Data Breach Notification

(A) Infrared5 shall inform Client without undue delay of any Personal Data Breach of which Infrared5 becomes aware. Infrared5 shall promptly investigate such Personal Data Breach and cooperate with Client in reasonable and lawful efforts to prevent, mitigate or rectify such breach. Infrared5 shall provide such assistance as required to enable Client to satisfy Client’s obligation to notify the relevant supervisory authority and Data Subjects of a Personal Data Breach under Articles 33 and 34 of the GDPR, provided that such cooperation does not violate applicable law or confidentiality or contractual obligations, disclose legal advice or interfere with Infrared5’s business operations.

VIII. Audit

(A) Infrared5 shall make available to Client information reasonably necessary to demonstrate Infrared5’s compliance with the obligations set forth in this Addendum, provided that such information does not violate applicable law or confidentiality or contractual obligations or contain legal advice.

(B) During the term of the Agreement, Infrared5 will conduct an assessment annually to validate the effectiveness of the technical and organizational security measures implemented by Infrared5 pursuant to the Addendum. Such assessment will be conducted (i) by an Infrared5-appointed qualified third party and (ii) under an appropriate assessment standard or criteria selected by Infrared5. Upon Client’s request, Infrared5 agrees to provide Client, on an annual basis and for no additional fee, (i) a report that reasonably summarizes the findings of the most recent assessment conducted pursuant to this section, and (ii) any other documents relevant to the security or compliance of the service that are made generally available by Infrared5 to customers of its services. Such report and information will be deemed Infrared5’s confidential information.

IX. Miscellaneous

(A) This Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.

(B) If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in effect.

(C) All notices to Infrared5 provided under this Addendum must be in writing and sent to:

P.O. Box 301776, Jamaica Plain, MA 02130 and/or via email at support@red5.net

(D) This Addendum supplements the Agreement. In the event of any conflict between the Agreement and this Addendum, the provisions of this Addendum shall control.

This Addendum shall be subject to the limitations of liability under the Agreement.


SCHEDULE I: SCOPE OF THE DATA PROCESSING

LIST OF PARTIES

Data Exporter: Client.

Contact details: The contact information for Client as set forth in Client’s account profile page.

Data Exporter Role: Controller

Signature and Date: By entering into this Addendum, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Addendum.

Data Importer: Infrared5, Inc.

Contact details: Infrared5 Privacy Team, support@red5.net 

Data Importer Role: Processor

Signature and Date: By entering into the Addendum, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Addendum.

DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Users of Client

Categories of personal data transferred:

Name, email address, company name, user ID, cookies, and usage data, which can include IP address, domain names, URL addresses, the time of the request, method utilized to submit the request to the server, size of file, numerical code indicating the status of the server’s answer, country of origin, features of the browser and operating system utilized by the Client, time details per visit, and path details within the application. Where Client uses media processing or conference recording services, audio and visual files may include personal information. 

In addition, Infrared5 may process the recording of a call (optional).

Sensitive data transferred and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: 

Infrared5 does not actively collect sensitive data in the context of the Services (as defined in the Agreement). Where Client or its users choose to include sensitive data within the communications that they transmit while using the Services (such as in a media file or audio/video content), such sensitive data may be processed. Infrared5 does not store sensitive data unless requested by Client. Client is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Client’s users to transmit or process, any sensitive data via the Services. The safeguards applied for the transfer of sensitive data are set forth in Annex II.

The frequency of the transfer:

The transfer takes place on a continuous basis under the Agreement, including this Addendum and the Privacy Policy.

Nature of the processing:

The nature of Processing depends on what services the Client has elected. Where applicable, Infrared5 provides voice and video calling, screen-sharing, speech-to-text transcription for calls, and broadcast video and user interaction services. Infrared5 also provides Client with the ability to use code to add messaging, video, and audio chat features into their mobile or web application. Infrared5 processes audio and visual files in connection with its media processing services.

Purpose(s) of the data transfer and further processing:

Infrared5 provides Client with audio and video messaging, calling, and broadcasting services and/or media processing services. Personal data is transferred to Infrared5 for the purposes of providing the contracted Services. In addition, Infrared5 stores and analyzes personal data for the purposes of customer support; monitoring, maintaining, and improving the functionality of the Services; security monitoring and audits; disclosures in accordance with the Agreement, or as compelled by law (including restricted party screenings).

Duration of the processing: 

The duration of the processing will be for the duration of the Agreement or as required by law. Infrared5 will delete or anonymize personal data when Infrared5 no longer requires it for the purposes described herein.

Transfers to Sub-Processors: 

See Schedule II.

COMPETENT SUPERVISORY AUTHORITY

Data Protection Commission (DPC) (Ireland)

SCHEDULE II: LIST OF SUB-PROCESSORS

| Sub-Processor | Purpose | Website |
| --- | --- | --- |
| Amazon – AWS | Data hosting and processing | https://aws.amazon.com/ |
| Google Cloud | Analytics | https://cloud.google.com/ |
| Oracle Cloud Infrastructure | Data hosting and processing | https://www.oracle.com/cloud/ |
| Stripe | Payment processing | https://stripe.com/ |
| Terraform | Deployment processing | https://www.terraform.io/ |