Quickchannel Data Processing Agreement  

1. Introduction 
   • 1.1. The Data processor will in connection with the provision of the Services process personal data as a processor on behalf of the Data controller. To the extent the processing of personal data is subject to Applicable Data Protection Laws, this data processing agreement (”DPA”) applies. This DPA forms an integral part of the Subscription Agreement.  
   • 1.2. The Parties agree that a Partner may enter into this DPA on behalf of the Data controller. 
   • 1.3. This DPA supersedes and replaces any data processing agreements previously concluded between the Parties. 
   • 1.4. Applicable Data Protection Laws apply to the processing of personal data covered by this DPA. 
   • 1.5. In the event of any conflict or inconsistency between this DPA and the terms of the Subscription Agreement, the terms of this DPA shall prevail. 

2. Definitions 
   • 2.1. The following defined terms are used in this DPA: 

”Applicable Data Protection Laws”	means the GDPR and all data protection legislation and regulations, including regulations issued by relevant Supervisory Authority, protecting the fundamental rights and freedoms of data subjects with respect to the processing of their personal data, that apply to the Parties;
”Applicable Laws”	means laws and regulations under EU law and relevant Member State laws that apply to the Parties;
”Data Subject Request”	means a request from a data subject to exercise rights afforded to data subjects under Applicable Data Protection Laws;
”GDPR”	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
”Instruction”	means documented instructions issued by the Data controller that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and any specific requirements that apply to the processing, including Schedule 1 of this DPA;
”Partner”	means a legal entity authorized by the Data processor under a commercial agreement to re-sell the Services to the Data controller;
“Data processor”	Data processor is the part who processes personal data on behalf of the data controller.
“Data controller”	Data controller is the part who decides for what purposes the data will be processed and how the processing will be carried out
”Subprocessor”	means a subcontractor, supplier, consultant or third party engaged by the Data processor to process personal data on behalf of the Data controller;
”Supervisory Authority”	means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR
”Third Country”	means a country which is not a member of the European Union (EU) or the European Economic Area (EEA).
“User generated information”	User behavior when using the Services, e.g. information about clicks and site visits.
“Identification information”	Name, Username
“Content”	Video, audio, chat conversation, content in support conversations.
“Contact information”	E-mail, phone number
“Profile information”	Title, company or organization of the registered individual.
“Technical information”	IP-address, web browser, operating system, type of device.

• 2.2. Lower case terms used but not defined in this DPA, such as ”controller”, ”processor”, ”personal data” and ”processing” shall have the same meaning as in Article 4 of the GDPR. 

• 2.3. Capitalized terms used, but not defined in this DPA, shall have the same meaning as in the General Terms and Conditions, as amended from time to time, available on www.quickchannel.com/en/toc.  

3. General obligations on the Data processor 
   • 3.1. The Data processor agrees to only process personal data on behalf of the Data controller in accordance with any Instruction of the Data controller and Applicable Data Protection Laws. 
   • 3.2. Any further Instruction with respect to the processing of personal data shall be provided to the Data processor by way of e-mail to the following address: legal@quickchannel.com. If the Data controller issues new Instructions which are over and beyond what Applicable Data Protection Laws require or which is not supported by the Services, the Data processor shall, if the Data controller maintains the Instruction, be entitled to reasonable compensation for the cost that the new Instruction implies or otherwise according to a separate agreement between the Parties. 
   • 3.3. Notwithstanding what is stated in Clause 3.1 above the Data processor may process the personal data to the extent it is necessary in order to comply with legal requirements under Applicable Laws to which Data processor is subject. The Data processor shall inform the Data controller of that legal requirement before the processing, unless Applicable Laws prohibit Data processor from providing this information. 
   • 3.4. The Data processor shall immediately notify the Data controller if the Data processor cannot fulfil its obligations under this DPA or if the Data processor is of the view that an Instruction regarding the processing of personal data given by the Data controller would be in breach of Applicable Data Protection Laws, unless the Data processor is prohibited from notifying the Data controller under Applicable Laws. Notification shall be given by e-mail to the designated e-mail address set by the Data Controller in the Orderform. 

4. Security measures etc. 
   • 4.1. The Data processor shall at its own cost implement appropriate technical and organizational measures to protect and safeguard the personal data that is processed against personal data breaches. The measures shall at least reach a level of security equivalent of what is prescribed by Applicable Data Protection Laws, relevant Supervisory Authorities’ applicable regulations, guidelines regarding security of personal data, and what is otherwise appropriate to the risk of the processing of personal data. The minimum technical and organizational measures implemented by the Data processor are included in Schedule 2. 
   • 4.2. The Data processor shall, taking into account the nature of the processing and the information available to the Data processor, assist the Data controller in ensuring compliance with its obligations under Articles 35 and 36 of the GDPR to carry out data protection impact assessments (DPIAs) and prior consultations with the relevant Supervisory Authority in relation to the processing of personal data covered by this DPA. Requests for such assistance shall be sent to the Data processor by e-mail to legal@quickchannel.com.  
   • 4.3. The Data processor shall ensure that access to the personal data is limited to personnel of the Data processor who need access to personal data in order for the Data processor to fulfil its obligations under this DPA. The Data processor shall ensure that the personnel only process personal data in accordance with Clause 3.1 above. 
   • 4.4 The Data processor shall ensure that all employees authorized to access and process personal data covered by this DPA have committed themselves to confidentiality by ensuring that there are written confidentiality agreements in place with the personnel which covers personal data that the Data processor processes on behalf of the Data controller under this DPA. 
   • 4.5. The Data processor shall allow for and contribute to audits, including inspections, conducted by the Data controller. The Parties agree that such inspections shall be carried out by a third-party auditor jointly appointed by the Parties which has committed itself to confidentiality. 
   • 4.6. For the avoidance of doubt, any inspection or audit shall only comprise such information that is necessary in order for the Data controller to determine whether the Data processor fulfils its obligations under Article 28 of the GDPR and this DPA and shall not comprise any other information which is irrelevant to the Data processors processing of personal data under this DPA. 
   • 4.7. The Data controller shall give the Data processor reasonable notice of at least one (1) month prior to exercising its audit rights in order to allow the Parties to plan the audit or inspection. A request for an audit or inspection shall be sent to the Data processor by e-mail to legal@quickchannel.com. 
   • 4.8 Each Party shall bear its own costs in relation to any such audit. Should an audit or inspection show that the Data processor has not fulfilled its obligations under this DPA or Applicable Data Protection Laws, the Data processor shall without undue delay remedy such issue at its own cost. 

5. Personal data breach notification 
   • 5.1. In the event of a personal data breach the Data processor shall notify the Data controller in writing without undue delay after becoming aware of the personal data breach. Notification shall be given by e-mail to the designated e-mail address set by the Data controller in the Orderform. 
   • 5.2. The Data processor shall assist the Data controller to the extent necessary in order to investigate the personal data breach and to enable the Data controller to fulfil its notification obligations, where applicable, to relevant Supervisory Authorities and data subjects concerned under Applicable Data Protection Laws. The Data processor shall therefore immediately after becoming aware of a personal data breach: 
     • i. commence an investigation of the personal data breach in order to determine the scope, nature and the likely consequences of the personal data breach;  
     • ii. take appropriate remedial measures in order to mitigate the possible adverse effects of the personal data breach; and 
   • 5.3. Consult with the Data controller in order to determine as to whether the Data controller would be obligated under Applicable Data Protection Laws to notify the relevant Supervisory Authority and or the data subjects concerned of the personal data breach. 
     • i. As soon as possible following the commencement of the investigation, the Data processor shall provide the following information to the Data controller as regards the personal data breach: 
       • a. A description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; 
       • b. The likely consequences of the personal data breach; and
       • c. A description of the measures taken or proposed to be taken by Data processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.   
   • 5.4 Where, and in so far as, it is not possible for the Data processor to provide the above information at the same time, the information may be provided in phases without undue further delay. Notification of the information in Clause 5.2 (iv) above shall be given by e-mail to the designated e-mail address set by the Data controller in the Orderform.  

6. Use of subprocessors 
   • 6.1. The Data controller hereby gives the Data processor a general written authorization to engage Subprocessors, named in appendix Subprocessors, which are necessary to provide the Services. Data processor shall prior to engaging a new (or replacing an existing) Subprocessor which will process personal data on behalf of the Data controller: 
     • i. Carry out an adequate due diligence to ensure that the Subprocessor is capable of providing sufficient guarantees with respect of compliance with Applicable Data Protection Laws;  
     • ii. Ensure that there is a written data processing agreement with the Subprocessor which imposes obligations on the Subprocessor which fulfils the requirements of Article 28(3) of the GDPR, upon which the Data processor may enter into such data processing agreement directly with the Subprocessor; 
     • iii. Where the Subprocessor will process personal data in a Third Country ensure that the requirements of Clause 8 of this DPA are fulfilled. 
   • 6.2. The Data processor maintains a list of all Subprocessors which Data processor has engaged from time to time. The list is available on www.quickchannel.com/en/gdpr. The list includes at least the following information in relation to each Subprocessor: 
     • i. The identity of the Subprocessor (including full legal name, corporate registration number and address); 
     • ii. The type(s) of service(s) provided by the Subprocessor;  
     • iii. The location where the Subprocessor will process personal data on behalf of the Data processor;  
     • iv. Information on the measures (or where information on such measures may be found) that the Subprocessor has taken to protect the personal data. 
   • 6.3. The Data processor shall prior to engaging a new Subprocessor notify the Data controller of this by e-mail to the designated e-mail address set by the Data controller in the Orderform. 
   • 6.4. If, within thirty (30) days of such notice, the Data controller notifies the Data processor in writing of any objections to the appointment, the Data processor and the Data controller shall seek to agree on a solution which is acceptable to Parties concerned. If the Parties do not agree on a solution within thirty (30) days following the Data controller’s written objection, or at such later time (which the Parties have agreed on in writing) and it is not possible for Data processor to provide the Services without the Subprocessor, the Data controller shall have a right to terminate the Subscription Agreement in advance to end following the thirty (30) days’ period.  
   • 6.5. Upon the Data controller’s request and without undue delay the Data processor shall provide a copy of the data processing agreement that the Data processor has entered into with the Subprocessor. The Data processor shall, however, have a right to delete or remove commercial information from such data processing agreement prior to disclosing the agreement to the Data controller. Such a request shall be sent to Data processor by e-mail to legal@quickchannel.com.  
   • 6.6. Where a Subprocessor fails to fulfil its data protection obligations, the Data processor shall remain fully liable to the Data controller for the performance of the Subprocessor’s obligations.  

7. Confidentiality of personal data 
   • 7.1. Without prejudice to the confidentiality undertaking in Clause 9 in the General Terms and Conditions, the Data processor shall keep and maintain all personal data in strict secrecy and not disclose or make available the personal data to a third party, unless otherwise authorized in advance in writing by the Data controller or otherwise required by Applicable Laws or for the performance of this DPA.  
   • 7.2. The Data processor agrees that this confidentiality undertaking shall survive the termination of this DPA and continue to apply until all personal data have been returned or (upon the Data controller’s written request) have been deleted or anonymized in a secure and irreversible way in accordance with Clause 9 below. 

8. Data subject requests 
   • 8.1. The Data processor shall, insofar as this is possible, assist the Data controller by taking appropriate measures for the fulfillment of the Data controller’s obligation to respond to Data Subject Requests. 
   • 8.2. The Data processor shall forward any Data Subject Request concerning personal data covered by this DPA to the Data controller. Notification shall be given by e-mail to the designated e-mail address set by the Data controller in the Orderform.  

9. Return of personal data 
   • 9.1. Upon termination of the Subscription Agreement, the Data controller shall instruct the Data processor in writing whether the personal data the Data processor (or a Subprocessor) processes on behalf of the Data controller shall (i) Data controller download the data or (ii) be deleted in a secure and irreversible way. If the Data controller does not provide such instruction within sixty (60) days following the termination of the Subscription Agreement, the Data processor shall delete any personal data covered by this DPA and in the Data processor’s possession without undue delay. The Instruction shall be given to Data processor by e-mail to legal@quickchannel.com. 
   • 9.2. The obligations under Clause 9.1 above do not apply if the Data processor is required under Applicable Laws to continue to store the personal data. 
   • 9.3. The Data processor shall, upon the Data controller’s request, provide a written notice as regards the measures taken by the Data processor to comply with its obligations under this Clause 9. Notification shall be given by e-mail to the designated e-mail address set by the Data controller in the Orderform.  

10. Personal data transfers 
    • 10.1. The Data processor shall ensure that personal data covered by this DPA will be processed and stored within the EU/EEA (including by Subprocessors engaged by the Data processor, unless the Parties agree otherwise. 
    • 10.2 The Data processor is only entitled to transfer personal data covered by this DPA to a Third Country if the Data controller has given its prior written authorization or if they are chosen in the Orderform and listed in this agreement in appendix Subprocessors and such transfer fulfills the requirements under Applicable Data Protection Laws.  

11. Request from supervisory authority 
    • 11.1. In case a Supervisory Authority requests: 
      • i. Information from the Data processor regarding its processing of personal data under this DPA; or 
      • ii. That the Data processor shall disclose personal data that the Data processor processes on behalf of the Data controller under this DPA, 
    • 11.2. The Data processor shall without undue delay notify the Data controller thereof. Notification shall be given by e-mail to the designated e-mail address set by the Data controller in the Orderform. The Parties shall thereafter consult regarding the Supervisory Authority’s request. The Data processor’s obligations do not apply if the Data processor is prohibited under Applicable Laws to notify or consult with the Data controller. The Data processor may not act on the Data controller’s behalf as agent for the Data controller or otherwise. 

12. Liability 
    • 12.1. Each Party shall be liable for any administrative fines imposed on the Party in question due to the Party’s failure fulfils its obligation under this DPA or Applicable Data Protection Laws or otherwise has processed personal data in breach of Applicable Data Protection Laws. 
    • 12.2. Liability for any claims for damages from data subjects concerned shall be governed by Article 82 of the GDPR. 
    • 12.3. With prejudice to Clauses 12.1 and 12.2 above, the limitation of liability included in the Subscription Agreement shall apply. The limitation of liability is, however, not applicable with respect to damages which arise in connection with breach of Clause 7 (Confidentiality of Personal Data).   

13. Term and termination
    • 13.1. This DPA enters into effect on the Start Date and applies for as long as the Data processor (or a Subprocessor engaged by the Data processor) processes personal data on behalf of the Data controller.   
    • 13.2. The DPA will automatically terminate if: 
      • i. a Party commits a material breach of any term of this DPA and/or substantially fails to fulfil its obligations under this DPA and fails to remedy such breach and/or failure within thirty (30) days following a written notice from the other party of the breach; or 
      • ii. the other party is declared bankrupt, is subject to corporate reorganization, commence composition proceedings, goes into liquidation or otherwise can be assumed to have become insolvent.  
    • 13.3. Clause 7 (Confidentiality of Personal Data), Clause 9 (Return of Personal Data), Clause 12 (Liability), and Clause 14 (Miscellaneous) shall survive the termination of this DPA for any reason.   

14. Miscellaneous 
    • 14.1. The DPA and its appendices constitute the entire agreement between the Parties on all matters to which the DPA relates. 
    • 14.2. Neither the rights nor the obligations of either party under this DPA may be assigned in whole or in part without the prior written consent of the other Party. 
    • 14.3. This DPA shall be governed by Swedish law. 
    • 14.4. Clause 14.7 in the General Terms and Conditions shall apply with respect to any dispute, controversy or claim arising out of or relating to this DPA, or the breach, termination or validity thereof. 

Schedule 1 to DPA – Instruction regarding the processing of personal data for the provision of the Services 

This Schedule 1 sets out the Data controller’s Instruction with respect to the Data processor’s (and its Subprocessors) processing of personal data in connection with provision of the Services. 

Purposes of the processing 

The Data processor will process personal data for the purposes of providing, managing, developing and improving the Services in order to allow the Data controller and the Users to use the Services and to fulfil its obligations under this DPA and Applicable Data Protection Laws.  

Specifically, the Data processor shall process personal data on behalf of the Data controller to: 

• Create, edit, manage, store and distribute online video, communication and content using the Services, 

• Enable User interactions on the Services, 

• Share online video, communication and content using the Services, 

• Analyse the use of the Services, 

• Manage access to the Services, 

• Communicate with Users regarding the Services, 

• Provide support and respond to questions regarding the Services, 

• Develop and improve the Services, and 

• Ensure technical functionality and security of the Services. 

Description of the Processing of Personal Data 

Create, edit, manage, store and distribute online video, communication and content using the Services 

Personal data is processed when content, including online video and communication, is created, edited, managed, stored, and distributed using the Services. 

Categories of data subjects	Categories of personal data
– Users  – Participants	– Contact information  – Content  – Identification information – Profile information  – Technical information

Enable User interactions on the Services 

Personal data is processed when Users interact on the Services, for example in chats, polls, and using voting functionality in the Services. 

Categories of data subjects	Categories of personal data
– Users  – Participants	– Contact information  – Content  – Identification information  – Profile information  – Technical information

Share online video, communication and content using the Services 

Personal data is processed when content, including online video and communication, is shared by using the Services, for example when using integrations or the APIs. 

Categories of data subjects	Categories of personal data
– Users  – Participants	– Contact information  – Content  – Identification information  – Profile information  – Technical information

Analyse the use of the Services 

Personal data is processed when analyzing the use of the Services, for example to generate statistics and reports of meetings, streams, attendance etc. 

Categories of data subjects	Categories of personal data
– Users – Participants – Video consumers	– Contact information  – Content Identification – Profile information – Technical information – User generated information

Manage access to the Services 

Personal data is processed when managing access to the Services, for example when creating user accounts or granting access to the Service for Users. 

Categories of data subjects	Categories of personal data
– Users	– Contact information  – Identification information  – Profile information  – Technical information

Communicate with Users regarding the Services 

Personal data is processed when communicating with Users regarding the Services, for example to send information regarding meetings, content, updates to the Services or maintenance and incidents.  

Categories of data subjects	Categories of personal data
– Users	– Contact information  – Content  – Identification information  – Profile information  – Technical information

Provide support and respond to questions regarding the Services 

Personal data is processed to provide support and respond to questions regarding the Services, for example to register the support matter, carry out troubleshooting and to communicate for the same purpose.  

Categories of data subjects	Categories of personal data
– Users  – Contact persons of the Data controller	– Contact information  – Content I – Identification information  – Profile information  – Technical information

Develop and improve the Services 

Personal data is processed to develop and improve the Services, for example to anonymize personal data for the same purpose, to test and develop functionality and to verify software fixes. 

Categories of data subjects	Categories of personal data
– Users	– Content  – Identification information  – Profile information  – Technical information

Ensure technical functionality and security of the Services 

Personal data is processed to ensure the technical functionality and security of the Services, for example for security logging, error handling, and backups. 

Categories of data subjects	Categories of personal data
All concerned categories of data subjects, including users, contact persons of the Data controller, video consumers and participants	All relevant categories of personal data above

For information on all processing of personal data and current storage times please contact legal@quickchannel.com.  

Information on which Subprocessors the Data processor has contracted and where they process the personal data can be found below. 

Sub processors 

Accepted mandatory sub processors: 

Subprocessor	Purpose	Location of processing
OVH Groupe SAS  www.ovh.ie  Address: 2 rue Kellermann,  59100 Roubaix, France.	Cloud service provider.   Used for storage of media files, Live Events, Videosite and Storage of encrypted backups.  Optionally used for CDN services.	EU
Copernica B.V.  www.copernica.com  Address: De Ruijterkade 112,  1011 AB, Amsterdam, Netherlands.	Mail Service Provider  Used for automatic emails such as reset password or webinar invites and other communication with the service.	Netherlands

Accepted sub processors in addition to the mandatory sub processors are decided in the Order form by one of the choices ”EU Only” or ”Global”. 

With EU Only in the Orderform no additional subprocessors are included 

With Global in Orderform the following sub processors are included: 

Subprocessor	Purpose	Location of processing
Amazon Web Services, Inc.  aws.amazon.com  Address: 38 avenue John F. Kennedy,  L-1855 Luxembourg.	Optional subprocessor providing  CDN distribution, Storage and Live streaming.	Storage -Sweden, Ireland  CDN and Live – Worldwide
Microsoft Corporation  www.microsoft.com  Address: Regeringsgatan 25, 111 53,  Stockholm, Sweden.	Optional subprocessor providing  Integrations to AzureAD and Sharepoint.	Ireland, Netherlands
Google Ireland Limited  www.google.com  Reg.no. 368047  Address: Gordon House, Barrow Street, Dublin 4, Ireland	Optional subprocessor providing:  Login via Ouath2; or speech-to-text transcription; or   Translation; or; Analytics integration; or Ads integration; or Chromecast functionality.	Worldwide (distributed in EU/EEA and USA).
OpenAI Ireland Ltd  openai.com  Address: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland	Optional subprocessor providing AI functionality for automations.	USA

Information about which sub processors that the Data processor has from time to time can be found here https://quickchannel.com/gdpr/ 

Changes to this instruction 

The Parties agree that this Instruction may be updated from time to time in order to reflect the processing of personal data carried out by the Data processor (and its Subprocessors) in connection with the provision of the Services. 

Schedule 2 

See appendix Security at Quickchannel.