Data processing addendum
Effective: May 11, 2025
This Data Processing Addendum (“DPA”) is an Attachment to the Twelve Labs Enterprise Terms of Service. Capitalized terms not defined in this DPA are defined therein.
1. Subject Matter and Duration.
1.1. Subject Matter. This DPA reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with the Agreement. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement. If and to the extent language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA controls.
1.2. Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this DPA if it is completed after the effective date of the Agreement. Provider will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
2. Definitions. For the purposes of this DPA, the following terms and those defined within the body of this DPA apply.
2.1. “Customer Personal Data” means Customer Data that is Personal Data Processed by Provider on behalf of Customer.
2.2. “Data Protection Laws” means the applicable privacy and data protection laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
2.3. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
2.4. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.5. “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Provider.
2.6. “Subprocessor” means a vendor that Provider has engaged to Process Customer Personal Data.
3. Processing Terms for Customer Personal Data.
3.1. Documented Instructions. Provider shall Process Customer Personal Data to provide the Cloud Service in accordance with the Agreement and any instructions agreed upon by the parties.
3.2. Authorization to Use Subprocessors. Customer authorizes Provider to engage Subprocessors. Customer acknowledges that Subprocessors may further engage vendors.
3.3. Provider and Subprocessor Compliance. Provider shall (i) enter into a written agreement with Subprocessors that imposes data protection requirements for Customer Personal Data on such Subprocessors that are consistent with this DPA; and (ii) remain responsible to Customer for the Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
3.4. Right to Object to Subprocessors. Where required by Data Protection Laws, Provider will notify Customer prior to engaging any new Subprocessors via a notification that is accessible when Customer logs into the Cloud Service and/or within the Documentation. Provider will allow Customer ten (10) days from the date the new Subprocessor notification is first accessible to the Provider customer base (the “Objection Period”) to object to the new Subprocessor. If Customer raises legitimate objections to the appointment of any new Subprocessor within the Objection Period, the parties will work together in good faith to resolve the grounds for the objection.
3.5. Confidentiality. Any person authorized to Process Customer Personal Data must be subject to a duty of confidentiality, contractually agree to maintain the confidentiality of such information, or be under an appropriate statutory obligation of confidentiality.
3.6. Personal Data Inquiries and Requests. Where required by Data Protection Laws, Provider agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
3.7. Data Protection Assessment, Data Protection Impact Assessment, and Prior Consultation. Where required by Data Protection Laws, Provider agrees to provide reasonable assistance and information to Customer where, in Customer’s judgement, the type of Processing performed by Provider requires a data protection assessment, data protection impact assessment, and/or prior consultation with the relevant data protection authorities.
3.8. Demonstrable Compliance. Provider agrees to provide information reasonably necessary to demonstrate compliance with this DPA upon Customer’s reasonable request.
3.9. California Specific Terms. To the extent that Provider’s Processing of Customer Personal Data is subject to the CCPA, this Section shall also apply. Customer discloses or otherwise makes available Customer Personal Data to Provider for the limited and specific purpose of Provider providing the Cloud Service to Customer in accordance with the Agreement and this DPA. Provider shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Customer Personal Data; (v) not retain, use, or disclose Customer Personal Data for any purpose (including any commercial purpose) other than to provide the Cloud Service under the Agreement or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Provider; and (vii) unless otherwise permitted by the CCPA, not combine Customer Personal Data with Personal Data that Provider (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Customer may: (1) take reasonable and appropriate steps agreed upon by the parties to help ensure that Provider Processes Customer Personal Data in a manner consistent with Customer’s CCPA obligations; and (2) upon notice, take reasonable and appropriate steps agreed upon by the parties to stop and remediate unauthorized Processing of Customer Personal Data by Provider.
3.10. Aggregation and De-Identification. Provider may: (i) compile aggregated and/or de-identified information in connection with providing the Cloud Service provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
4. Information Security Program. Provider shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data in accordance with Exhibit A.
5. Security Incidents. Upon becoming aware of a Security Incident, Provider agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws via email to a Customer-provided email address from Customer’s Order or Customer’s User accounts. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
6. Cross-Border Transfers of Customer Personal Data.
6.1. Cross-Border Transfers of Customer Personal Data. Customer authorizes Provider and its Subprocessors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
6.2. EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Provider in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit B attached hereto, the terms of which are incorporated herein by reference. Each party’s signature to the Order shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
7. Audits and Assessments. Where Data Protection Laws afford Customer an audit or assessment right, Customer (or its appointed representative) may carry out an audit or assessment of Provider’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit or assessment must be: (i) conducted during Provider’s regular business hours; (ii) with reasonable advance notice to Provider; (iii) carried out in a manner that prevents unnecessary disruption to Provider’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit or assessment shall be limited to once per year, unless an audit or assessment is carried out at the direction of a government authority with jurisdiction over the Processing of Customer Personal Data.
8. Customer Personal Data Deletion. At the expiry or termination of the Agreement, unless otherwise agreed by the parties, Provider will delete all Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Provider’s data retention schedule), except where Provider is required to retain copies under applicable laws, in which case Provider will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
9. Customer’s Obligations. Customer represents and warrants that: (i) it has complied and will comply with Data Protection Laws; and (ii) Provider’s Processing of Customer Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Customer and any third party.
10. Processing Details.
10.1. Subject Matter. The subject matter of the Processing is the Cloud Service pursuant to the Agreement.
10.2. Duration. The Processing will continue until the expiration or termination of the Agreement.
10.3. Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement.
10.4. Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Provider is the performance of the Cloud Service.
10.5. Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement.
11. Account Data. Provider may Process Personal Data about Customer’s authorized users’ use of the Cloud Service (“Account Data”) in accordance with its Privacy Policy available at: https://www.twelvelabs.io/privacy-policy (as updated from time to time). Account Data is not Customer Data.
EXHIBIT A TO THE DPA
Information Security Standards
This Exhibit A forms part of the DPA. Capitalized terms not defined in this Exhibit A have the meaning set forth in the DPA.
Provider shall implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data. Such safeguards shall include:
Information Security Policy. Provider will maintain a written information security policy.
Security Leadership. Provider has appointed one or more employees responsible for managing information security.
Background Checks. Where permitted by applicable law, Provider conducts background checks on new employees as part of the hiring process.
Confidentiality. Provider personnel with access to Customer Personal Data are subject to confidentiality obligations.
Training. Provider will provide information security awareness training to all employees annually.
Access Control. Provider will limit access to Customer Personal Data to those employees and Subprocessors with a need-to-know.
Encryption. Where appropriate, Customer Personal Data will be encrypted in-transit and at rest using industry standard encryption technologies.
Malware Protection. Provider will maintain up-to-date malware prevention measures for employee workstations designed to protect against malicious code and viruses.
Hosting Security. Provider primarily uses Google Cloud Platform and Amazon Web Services to host Customer Personal Data. For more information about Google Cloud Platform’s security measures, please visit: https://cloud.google.com/security/compliance. For more information about Amazon Web Services’ security measures, please visit: https://aws.amazon.com/compliance/programs/.
Multi-Factor Authentication. Provider personnel are required to use multi-factor authentication to access key systems and applications that host Customer Personal Data.
Logical Separation. Provider will ensure Customer Personal Data is logically separated from other Provider client data.
Incident Response Plan. Provider will maintain an incident response plan.
Backups of Customer Personal Data. Provider will maintain an industry standard backup system and backup of Customer Personal Data.
EXHIBIT B TO THE DPA
Supplemental Terms for the Standard Contractual Clauses
This Exhibit B forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit B have the meaning set forth in the DPA.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 3.4 of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
Annex I. Annex I to the Standard Contractual Clauses shall read as follows:
A. List of Parties
Data Exporter: Customer.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
Activities relevant to the data transferred under these Clauses: The Cloud Service.
Role: Controller.
Data Importer: Provider.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
Activities relevant to the data transferred under these Clauses: The Cloud Service.
Role: Processor.
B. Description of the Transfer:
Categories of data subjects whose personal data is transferred: Data subjects featured in Customer Personal Data that is uploaded by Customer to the Cloud Service.
Categories of personal data transferred: Images, videos, and other content present in Customer Personal Data uploaded to the Cloud Service by Customer.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Any sensitive data that is featured in images or videos present in Customer Personal Data that are uploaded by Customer to the Cloud Service. Sensitive data will be subject to the safeguards set forth in Exhibit A.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Cloud Service, or as otherwise agreed upon by the parties.
Nature of the processing: The Cloud Service.
Purpose(s) of the data transfer and further processing: The Cloud Service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: For the subject matter, nature, and duration as identified above.
C. Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
D. Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the DPA; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; and (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request.
Annex II. Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with the DPA.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the DPA.
Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the Addendum.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.