Data Processing Agreement

Hereinafter the “Agreement”, made pursuant to Article 28 (3) of the GDPR (as defined below), which forms an integral part of the Terms of Use (the “Terms of Use”) concluded by and between The Customer (the “Controller”) and Kerberos.io, seated Poel 18, 9090 Melle, Belgium (the “Processor”; the Controller and the Processor hereinafter jointly referred to as the “Parties”, and each individually as a “Party”).

1 Definitions and Interpretation

1.1 Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms of Use. The following capitalized terms used in this Agreement shall have the meanings set out below:

Customer Personal Data means any Personal Data processed by the Processor on behalf of the Controller in the provision of the Kerberos.io Service by the Processor to the Controller under the Terms of Use;
Data Protection Legislation means the GDPR and any national implementing laws, regulations or secondary regulations, as amended or updated from time to time;
GDPR means any Personal Data processed by the Processor on behalf of the Controller in the provision of the Kerberos.io Service by the Processor to the Controller under the Terms of Use;
Personal Data means the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Processing means any operation or set of operations which is performed by the Processor on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; the scope, nature and purpose of the Processing by the Processor, the duration of the Processing and the types of the Personal Data and categories of the data subjects are set out in Schedule 1 hereto (Processing);

1.2 Interpretation

  • a. Unless explicitly stated otherwise, any and all references made to any section or schedule shall be deemed to be a section or schedule of this Agreement;
  • b. The headings in this Agreement are used for convenience only and do not affect its interpretation;
  • c. A Party includes a reference to that Party’s successors and permitted assigns; references to a person shall include both the legal entities and natural persons;

2 Subject of the Agreement

2.1 Under this Agreement, the Processor shall carry out the Processing on behalf of the Controller.

2.2 The Parties hereby undertake to comply with all applicable requirements of the Data Protection Legislation. This Article 2.2 is in addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.

2.3 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Controller is the controller and the Processor is the processor as defined in the Data Protection Legislation.

2.4 Without prejudice to the generality of Article 2.2, the Controller shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Processor for the duration and purposes of this Agreement.

2.5 The Controller instructs the Processor to process the Customer Personal Data and to transfer the Customer Personal Data to any country, as reasonably necessary for the provision of the Kerberos.io Services and consistent with the Terms of Use, as long as the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Customer Personal Data so transferred.

2.6 Without prejudice to the generality of Article 2.2, the Processor shall, in relation to any Personal Data processed in connection with the performance by the Processor of its obligations under this Agreement:

2.6.1 process the Customer Personal Data only on documented instructions of the Controller unless the Processor is required by the Data Protection Legislation. Where the Processor is relying on the Data Protection Legislation as the basis for processing the Customer Personal Data, the Processor shall promptly notify the Controller of this before performing the Processing required by the Data Protection Legislation unless the Data Protection Legislation prohibits the Processor from so notifying the Controller on important grounds of public interest;

2.6.2 ensure that it has in place appropriate technical and organizational measures, reviewed and approved by the Controller, to protect against unauthorized or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the harm that might result from the unauthorized or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting the Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);

2.6.3 ensure that all personnel of the Processor who have access to and/or process the Customer Personal Data are obliged to keep the Customer Personal Data confidential;

2.6.4 assist the Controller in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

2.6.5 notify the Controller without any undue delay on becoming aware of a Customer Personal Data breach;

2.6.6 at the written direction of the Controller, delete or return the Customer Personal Data and copies thereof to the Controller on termination of the Agreement unless required by the Data Protection Legislation to store the Customer Personal Data; and

2.6.7 maintain complete and accurate records and information to demonstrate its compliance with this clause 2.6 and to allow for audits by the Controller or the Controller’s designated auditor.

3 Consideration

3.1 The consideration for the performance of the obligations of the Processor under this Agreement and compensation of the Processor’s expenses associated therewith are fully included in the consideration for the Kerberos.io Services provided by the Processor to the Controller under the Terms of Use.

4 Appointing a Third Party as a Processor

4.1 The Controller authorizes the Processor to engage third-party processors in fulfilling the Processor’s obligation hereunder, including processing of the Customer Personal Data. The Controller specifically authorizes the Processor to engage any of the third-party processors listed in Schedule 2 hereto (List of Sub-processors).

4.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any of the third-party processors, thereby giving the Controller the opportunity to object to such changes.

5 Final Provisions

5.1 This Agreement is governed by the laws of the country or territory stipulated for this purpose in the Terms of Service.

5.2 Schedules to this Agreement:

  • Schedule 1: Processing
  • Schedule 2: List of Sub-processors

Schedule 1: Processing

Scope of the Processing: Video streaming and recording pursuant to the Terms of Use
Nature of the Processing: Live video streaming, including, depending on the subscription plan, video hosting
Purpose of the Processing: Performance of the contract with the Controller in accordance with the Terms of Use
Duration of the Processing: Depending on the subscription plan, 3, 7, or 30 or other duration as specified in instructions given by Controller or set forth in the Terms of Use
Types of the Personal Data: Data of the individuals recorded in the video
Categories of data subjects: Individuals recorded in the video

Schedule 2: List of Sub-processors

  • Amazon Web Services EU-Ireland
  • Digital Ocean
  • Scaleway