This Data Processing Addendum (“DPA”) forms part of the ExecVision Terms of Service (“Terms of Service”) between ExecVision Inc, a Delaware corporation with a business office located at 1901 Ft Myer Drive, Suite 902, Arlington, VA, and the Customer, whose details are indicated in the Order Form (“Customer”) as set forth in the signature block below, to reflect the parties’ agreement with regard to the Processing of Personal Data. All capitalized terms not defined herein will have the meaning set forth in the Terms of Service.
1. DATA PROCESSING TERMS
In the course of providing the Service to Customer pursuant to the Terms of Service, ExecVision may Process Personal Data on behalf of Customer. ExecVision agrees to comply with the following provisions with respect to Personal Data processed by ExecVision as part of the Service for Customer.
1.1 “Affiliate” means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the Terms of Service, where “control” means the ownership of a majority share of the voting stock, equity or voting interests of such entity.
1.2 “ExecVision Information Security Policy” means the information security documentation applicable to the specific Service purchased by Customer, as updated from time to time, and made available by ExecVision upon request.
1.3 “Individual” means a natural person to whom Personal Data relates, also referred to as “Data Subject” pursuant to EU data protection Laws and regulations.
1.4 “Other Parties to the Call” means parties to Customer’s phone calls, video calls and online demos, other than Personnel.
1.5 “Personal Data” means data about an identified or identifiable Individual.
1.6 “Personnel” means the employees, agents, consultants and contractors of Customer and Customer’s Affiliates.
1.7 “Privacy Laws and Regulations” means all US federal and state privacy laws and regulations, Israeli privacy laws and regulations and data protection laws and regulations of the European Union, applicable to the Processing of Personal Data under the Terms of Service.
1.8 “Privacy Shield” means the EU-US Privacy Shield Framework, as administered by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.
1.9 “Privacy Shield Principles” mean the Privacy Shield Principles, as supplemented by the Supplemental Principles and contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016, as may be amended, superseded or replaced.
1.10 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.11 “Service Notice” means a clear written or recorded notice about the Service and Customer’s use thereof, which at a minimum provides that the Service is a speech analytics tool, it enables Customer to record, analyze and share for a limited period of time the recordings of phone calls, video calls and online demos (as applicable), including associated data and documentation (if applicable), and further includes information as required under the applicable law.
2. DATA PROCESSING
2.1 Scope and Roles. This DPA applies when Personal Data is Processed by ExecVision as part of ExecVision’s provision of Service, as further specified in the Terms of Service and the applicable Order Form. In this context, to the extent that EU Privacy Laws and Regulations apply to the Personal Data that ExecVision processes for Customer under the Terms of Service, Customer is the Data Controller and ExecVision and applicable Affiliates are the Data Processor under such laws and regulations.
2.2 Customer’s Processing of Personal Data. Customer’s instructions to ExecVision to Process Personal Data will comply with Data Protection Laws and Regulations. Customer will have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Customer acquired Personal Data, and Customer permissions to Process Personal Data pursuant to this DPA.
2.3 Instructions for ExecVision’s Processing of Personal Data. ExecVision will only Process Personal Data on behalf of and in accordance with Customer’s instructions. Customer instructs ExecVision to Process Personal Data for the following purposes: (i) Processing in accordance with the Terms of Service and applicable Order Forms; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Terms of Service and comply with applicable Privacy Laws and Regulations. Processing outside the scope of this DPA (if any) will require prior written agreement between ExecVision and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to ExecVision for carrying out such instructions.
2.4 Processing for Legitimate Purposes. Notwithstanding, ExecVision may Process Personal Information for legitimate business purposes, including archiving, back-up and disaster recovery, cybersecurity, operations, control, improvements and development of ExecVision’s Service, fraud and service misuse prevention, and legal and administrative proceedings.
3. RIGHTS OF INDIVIDUALS
3.1 Requests. ExecVision will, to the extent legally permitted, promptly notify Customer if it receives a request from an Individual, whose Personal Data is included in Customer’s Personal Data, or a request by the Individual’s legal guardians, to exercise the right to access, correct, amend or delete Personal Data related to the Individual, or to exercise such other personal right that the Individual is entitled to pursuant to the applicable Privacy Laws and Regulations.
3.2 Assistance. ExecVision will provide Customer with commercially reasonable cooperation and assistance in relation to handling the Individual’s request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Service. Except if not permitted under the applicable Privacy Laws and Regulations, Customer will reimburse ExecVision for any costs and expenses related to ExecVision’s provision of such assistance.
4. EXECVISION PERSONNEL
4.1 Limitation of Access. ExecVision will ensure that ExecVision’s access to Personal Data is limited to those personnel who require such access to perform the Terms of Service.
4.2 Confidentiality. ExecVision will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection and data security. ExecVision will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. ExecVision will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.
5. AFFILIATES AND THIRD-PARTY SERVICE PROVIDERS
5.1 Affiliates. Some or all of ExecVision’s obligations under the Terms of Service may be performed by ExecVision Affiliates.
5.2 Agents. Customer acknowledges and agrees that: (i) ExecVision’s Affiliates may Process Personal Data on ExecVision’s behalf to perform the Service under the Terms of Service; and (ii) ExecVision and ExecVision’s Affiliates respectively may engage third-party service providers in the performance of the Service. All Affiliates and agents to whom ExecVision transfers Personal Data to provide the Service have entered into written agreements with ExecVision or other binding instruments that bind them by substantially the same material obligations under this DPA.
5.3 Liability. ExecVision will be liable for the acts and omissions of its Affiliates and agents to the same extent ExecVision would be liable if performing the Service of each Affiliate or agent directly under the terms of this DPA, except as otherwise set forth in the Terms of Service.
5.4 Consent. Customer consents to ExecVision’s use of ExecVision Affiliates and agents in the performance of the Service in accordance with the terms of this Section 5.
6. ADDITIONAL TERMS FOR EU PERSONAL DATA
ExecVision complies with US Privacy Laws and Regulations. Transfer of Personal Data related to EU Individuals to the US is made in accordance with the EU Commission Chapter V of Regulation EU 2018/1725.
7.1 Controls. ExecVision will maintain administrative, physical and technical safeguards for the protection of the security, confidentiality and integrity of Customer’s Personal Data, pursuant to the ExecVision Information Security Policy. ExecVision regularly monitors compliance with these safeguards. ExecVision will not materially decrease the overall security of the Service during the term of the Terms of Service.
7.2 Policies, Certifications and Audit Reports. ExecVision uses external auditors to verify the adequacy of its security measures. The internal controls of the Service are subject to periodic testing by such auditors and are based on the Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organisation Control (SOC2) report. Upon Customer’s written request at reasonable intervals and subject to confidentiality limitations, ExecVision will make available to Customer that is not an ExecVision competitor (or to a third-party auditor on Customer’s behalf, that is not an ExecVision competitor and subject to the auditor’s execution of ExecVision’s non-disclosure agreement), the then-most-recent version of the ExecVision Information Security Policy summaries of third-party audit or certification reports commonly made available to ExecVision Customers.
8. SECURITY BREACH MANAGEMENT AND NOTIFICATION
8.1 Breach prevention and management. ExecVision will maintain security incident management policies and procedures and will, to the extent permitted by law, promptly notify Customer of any actual or reasonably suspected unauthorized access to, acquisition of, or disclosure of Customer Personal Data, by ExecVision or its Affiliates or agents of which ExecVision becomes aware (a “Security Incident”).
8.2 Remediation. To the extent that a Security Incident is caused by a violation of the requirements of this DPA by ExecVision, ExecVision will make reasonable efforts to identify and remediate the cause of such Security Incident.
10. DELETION AND RETENTION OF PERSONAL DATA
10.1 Data Deletion. ExecVision will return Customer Personal Data to Customer or delete such data in accordance with the procedures and timeframes specified in ExecVision’s data retention and destruction policies and procedures. At Customer’s request, ExecVision will state in writing that it has completed the deletion of the Customer Personal Data from its systems.
10.2 Data Retention. Notwithstanding, Customer acknowledges and agrees that ExecVision may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under the applicable law, including to retain data pursuant to legal requirements and to use such data to protect ExecVision, its Affiliates, agents and any person on their behalf in court and administrative proceedings, and for investigations and inspections related to the use of ExecVision’s services.
11. ANONYMIZED AND AGGREGATED DATA
ExecVision may process data based on extracts of Personal Data on aggregated and non-identifiable forms, for ExecVision’s legitimate business purposes, including for testing, development, controls and operations of the Service, and may share and retain such data at ExecVision’s discretion.
12. LIMITATION OF LIABILITY
Each party’s and its Affiliates’ liability arising out of or related to this DPA (whether in contract, tort or under any other theory of liability) is subject to the section ‘Limitation of Liability’ of the Terms of Service, and any reference in such section to the liability of a party means that party and its Affiliates in the aggregate.
This DPA will commence on the same date that the Terms of Service are effective, and will continue until the Terms of Service are expired or terminated, pursuant to the terms therein.
14.1 ExecVision’s compliance team is responsible for ensuring that all relevant ExecVision personnel adhere to this DPA.
14.2 ExecVision’s compliance team can be reached at: privacy@ExecVision.io.