Effective Date: 27th July, 2021
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service available at https://www.hippovideo.io/terms_of_service.html (the “Terms”) and is applicable where Lyceum Technologies Inc. will be Processing Personal Data forming part of Customer Content on behalf of the Customer. In the event of a conflict between this DPA and the Terms, this DPA shall prevail.
The Customer and Lyceum shall also be referred to collectively as the “Parties” and individually as “Party”.
Capitalised terms not specifically defined herein shall have the meaning ascribed thereto in the Terms and Conditions available at https://www.hippovideo.io/terms_of_service.html
In this DPA, the following terms shall have the following meanings:
1.3 “Personal Information” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"CCPA shall mean the California Consumer Privacy Act of 2018.
“GDPR” shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“Data Protection Laws” shall mean the data protection laws of the country in which You are established, including the GDPR, the Swiss Federal Act on Data Protection (as may be amended or superseded), CCPA and any data protection laws applicable to the Customer in connection with the Terms.
“Standard Contractual Clauses” means the standard contractual clauses as approved by the European Commission (Implementing Decision (EU) 2021/914 of 04 June 2021) and available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en (as amended or updated from time to time). To avoid doubt Modules 2 and 3 shall apply as set out in Clause 12.
“Personal Data” means any information relating to an identified or identifiable natural person that is submitted by the Customer to the Services as part of Customer Content.
“Services” means the services offered by Lyceum and shall include Hippo Video and other features and/or tools (as defined and described more fully in the Terms) including but not limited to video marketing, video selling, video personalisation or any new services that Lyceum may introduce as a Service to which the Customer may subscribe to and any updates, modifications or improvements to the Services, including individually and collectively, the Software, the API and any Documentation.
“Controller”, “Data Subject”, “Personal Data Breach”, “Processor”, and “Supervisory Authority” shall have the meaning given to them in the GDPR.
1.1 This DPA applies to Processing of Personal Data forming part of Customer Content.
1.2 Lyceum shall Process Personal Data only on behalf of Customer and at all times only in accordance with this DPA, especially the respective Appendix.
1.3 The Parties acknowledge that with respect to Processing Personal Data, the Customer shall be deemed the Controller and Lyceum the Processor.
1.4 Within the scope of this DPA, each Party shall be responsible for complying with its respective obligations as Controller and Processor under GDPR.
2.1 This DPA becomes effective upon the Customer subscribing to the Services by agreeing to the Terms. It shall continue to be in full force and effect as long as Lyceum is Processing Personal Data pursuant to the Services Agreement and shall terminate automatically thereafter.
2.2 Where amendments are required to ensure compliance of this DPA or an Appendix with Data Protection Agreement, the Parties shall make reasonable efforts to agree on such amendments upon request of Customer. Where the Parties are unable to agree upon such amendments, either party may terminate the Terms in accordance with the termination procedure contained therein.
3.1 Lyceum will Process Personal Data in accordance with Customer's instructions. This DPA contains Customer's initial instructions to Lyceum. The Parties agree that Customer may communicate any change in its initial instructions to Lyceum by way of amendment to this DPA.
3.2 For the avoidance of doubt, any instructions that would lead to Processing outside the scope of this DPA (e.g., because a new Processing purpose is introduced) will require a prior agreement between the Parties an d, where applicable, shall be subject to the contract change procedure under the respective agreement.
3.3 Lyceum shall, without undue delay inform the Customer in writing if, in Lyceum’s opinion, an instruction infringes GDPR, and provide a detailed explanation of the reasons for its opinion in writing.
Lyceum will restrict its personnel from Processing Personal Data without authorisation. Lyceum will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
5.1 Lyceum will not disclose Personal Data to any government agency, court, or law enforcement agency except with written consent from Customer or as necessary to comply with applicable mandatory laws. If Lyceum is obliged to disclose Personal Data to a law enforcement agency, then Lyceum agrees to give Customer reasonable notice of the access request prior to granting such access, to allow the Customer to seek a protective order or other appropriate remedy. If such notice is legally prohibited, Lyceum will take reasonable measures to protect the Personal Data from undue disclosure as if it were Lyceum own confidential information being requested and shall inform Customer promptly as soon as possible if and when such legal prohibition ceases to apply.
5.2 In case Customer receives any request or communication from Data Subjects which relates to the Processing of Personal Data ("Request"), Lyceum shall reasonably provide the Customer with full cooperation, information and assistance ("Assistance") in relation to any such Request where instructed by Customer.
6.1 Lyceum is certified SOC 2 Type 2 compliant as of the Effective Date and will remain certified to these or equivalent or greater standards (the “ISMS Standards”) throughout the term of this DPA. Upon Customer’s written request, Lyceum will provide its certificate of registration which states its conformance with the requirements of SOC 2 Type 2. Lyceum will maintain appropriate administrative, physical and technical safeguards. These safeguards will include, but not be limited to, measures designed to ensure that Personal Data is Processed according to this DPA, to provide Assistance and to protect Personal Data against a Personal Data Breach ("TOMs") as set out in Appendix 2 hereto.
7.1 Where a Data Protection Impact Assessment ("DPIA") is required under Data Protection Laws for the Processing of Personal Data, Lyceum shall provide upon request to Customer any information and assistance reasonably required for the DPIA and assistance for any communication with data protection authorities, where required, unless the requested information or assistance is not pertaining to Lyceum’s obligations under this DPA.
7.2 The Customer shall pay Lyceum reasonable charges for providing the assistance in clause 8, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the services.
8.1 Lyceum shall, in accordance with GDPR, make available to Customer on request in a timely manner such information as is necessary to demonstrate compliance by Lyceum with its obligations under this DPA.
8.2 Lyceum shall, upon reasonable notice, allow for and contribute to audits of Lyceum’s Processing of Personal Data, as well as the TOMs (including data processing systems, policies, procedures and records), during regular business hours and with minimal interruption to Lyceum’s business operations. Such audits shall be conducted by the Customer, its affiliates or an independent third party on Customer's behalf (which will not be a competitor of Lyceum) that is subject to reasonable confidentiality obligations. The Parties shall cooperate in good faith and assess whether and when there is a need to perform audits on the Processor’s premises if the need arises.
8.3 Customer shall pay Lyceum reasonable costs of allowing or contributing to audits or inspections in accordance with clause 9.2 where Customer wishes to conduct more than one audit or inspection every 12 months.
8.4 Lyceum will immediately refer to Customer any requests received from national data protection authorities that relate to Lyceum’s Processing of Personal Data.
8.5 Lyceum undertakes to cooperate with Customer in its dealings with national data protection authorities and with any audit requests received from national data protection authorities.
In respect of any Personal Data Breach (actual or reasonably suspected), Lyceum shall:
9.1 notify Customer of a Personal Data Breach involving Lyceum or a sub-processor without undue delay and it shall be the responsibility of the Customer to inform the Supervisory Authority of such breach within 72 hours of notice by Lyceum;
9.2 provide reasonable information, cooperation and assistance to Customer in relation to any action to be taken in response to a Personal Data Breach under GDPR, including regarding any communication of the Personal Data Breach to Data Subjects and national data protection authorities.
10.1 Customer consents to Lyceum engaging third party sub-processors as indicated in Appendix 1 to Process Personal Data to fulfil its obligations under the DPA provided that, Lyceum will provide at least fifteen (15) days’ notice to the Customer’s account administrator prior to the appointment or replacement of any sub-processor. The Customer may object to Lyceum’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Lyceum will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the access and use of Lyceum Services (without prejudice to any fees incurred by Customer prior to such suspension or termination).
10.2 Where Lyceum, with Customer's consent, subcontracts its obligations and rights under this DPA it shall do so only by way of a binding written contract with the sub-processor which imposes essentially the same obligations according to Art. 28 GDPR especially with regard to instructions and TOMs on the sub-processor as are imposed on Lyceum under this DPA.
10.3 Where the sub-processor fails to fulfil its data protection obligations under the subcontracting agreement, Lyceum shall remain fully liable to Customer for the fulfilment of its obligations under this DPA and for the performance of the sub-processor 's obligations.
11.1 Lyceum shall at all times provide an adequate level of protection for the Personal Data, wherever Processed, in accordance with the requirements of Data Protection Laws. Where Lyceum Processes Personal Data under this DPA that originates from the EEA (including United Kingdom) and/or Switzerland in a country that has not been designated by the European Union Commission as providing an adequate level of protection for Personal Data, the SCCs, which are incorporated by reference, shall apply to any such Processing as follows:
A. Module 2 (Controller to Processor) shall apply where the Customer is a
Module 3 (Processor to Processor) shall apply where the Customer is a Processor. Where the Customer act as Processor under Module 3 (Processor to Processor) of the SCCs, We acknowledge that the Customer act as Processor under the instructions of Your Controller(s).
11.2. Purely for the purposes of descriptions in the SCCs and only as between the Parties, the Customer agree that it is the “data exporter” and Lyceum are the “data importer” under the SCCs (notwithstanding that the Customer may be located outside the EEA and may be a Processor acting on behalf of third-party Controllers). Further, Schedules A, B and C of this DPA will take the place of Annexes I, II and III of the SCCs respectively.
11.3. For the purposes of Clause 17 of the SCCs, the governing law of the SCCs shall be the law of Ireland. For the purposes of Clause 18 of the SCCs any dispute arising from the SCCs shall be resolved by the courts of Ireland. The foregoing shall not preclude Data Subjects in Switzerland from the possibility of suing for their rights in Switzerland in accordance with Clause 18(c) of the SCCs.
Upon termination or expiry of this engagement, Lyceum shall delete all Customer Content, including Personal Data within 7 (seven) days of effective termination of the Customer’s account. Within such retention period, the Customer may request export of the Customer Content by writing to Lyceum. This requirement shall not apply to the extent that Lyceum is required by applicable law to retain some or all of the Personal Data, in which event Lyceum shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
The Customer acknowledges and agrees that the Customer is the Business and Lyceum the Service Provider with respect to any Personal Information of Consumers (as those terms are understood under the CCPA) forming part of Customer Content. Lyceum will not sell, retain, use, or disclose Personal Information of Consumers that Lyceum processes on the Customer’s behalf when providing the Services under the Terms for any purpose other than for the specific purpose of providing the Services in accordance with the Terms and as part of the direct relationship between Lyceum and the Customer. Lyceum certifies that it understands the restrictions in this clause 13 and will comply with such restrictions.
14.1 In case of any conflict, the provisions of this DPA shall take precedence over the provisions of any other agreement with Lyceum.
14.2 No Party shall receive any remuneration for performing its obligations under this DPA except as explicitly set out herein or in another agreement.
14.3 Where this DPA requires a “written notice” such notice can also be communicated per email to the other Party. Notices shall be sent to the contact persons set out in Appendix 1.
14.4 Any supplementary agreements or amendments to this DPA must be made in writing and signed by both Parties.
14.5 Should individual provisions of this DPA become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this agreement.
The following Appendices forms an integral part of this DPA:
The data exporter is the Customer of the Services.
|Name||Lyceum Technologies Inc.|
|Address||Lyceum Technologies, Inc.2035 Sunset Lake Road, Suite B-2,Newark, Delaware, 19702|
|Contact person’s name, position and contact details||Madusudanan Rengasamy, Director - Product Engineermadusudanan@hippovideo.io|
|Activities relevant to the data transferred under these Clauses|
|Signature and date|
|Role (Controller / Processor)||(Sub-)Processor|
Data Subjects are those individuals whose Personal Data is transferred by the Customer to the Processor pursuant to the Terms
The Personal Data transferred concerns the following categories of data:
Personal Data as defined in the Terms.
(e.g. whether the data is transferred on a one-off or continuous basis): Data is transferred on a continuous basis.
Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).
Lyceum will Process the Personal Data in connection with its Services provided to Customer.
The duration of processing will be as designated in an applicable services agreement, or the Terms of Service
|Name of Sub-processor||Purpose||Data Centre||Duration|
|Lyceum Development Center Pvt Ltd||Registered Agent||None||2 year|
|Freshworks||Service Provider||United States||2 year|
|Chargebee||Subscription Payment Service Provider||United States||2 year|
|Drift.com, Inc||Service Provider||United States||2 year|
|Google LLC||Service Provider||United States||2 year|
|Pendo.io, Inc.||Service Provider||United States||2 year|
In respect of the SCCs:
Module 2: Transfer Controller to Processor
Module 3: Transfer Processor to Processor
Where Customer is the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13 of the SCCs.
Lyceum has implemented and shall maintain a security program in accordance with industry standards. Lyceum has implemented and will maintain appropriate TOMS to protect Service Data from a Personal Data Breach. Measures to protect Service Data from a Personal Data Breach are as set forth at https://www.hippovideo.io/security.html
The list of sub-processors shall be as provided under Section 8 under Appendix 1, Section (B)