Tella Data Processing Addendum

This Data Processing Addendum, including its Appendices, (the DPA) forms part of the Terms of Use (the Terms) between Tella and Business User to which it is attached. This DPA reflects Parties’ agreement with regard to the Processing of Personal Data. When registering as a Business User, Parties enter into this DPA, to the extent required under Applicable Data Protection Laws. Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

1. Interpretation

1.1. The headings in this DPA are for convenience only and do not affect the interpretation of any provision of this DPA.

1.2. The singular includes the plural and vice versa, and each gender includes the other gender.

1.3. In this DPA capitalized terms have the meaning ascribed to such term in Appendix 1.

2. Position of the Parties; general arrangements

2.1. Business User is Controller, Tella is Processor and a third party engaged by Tella is a “Sub-processor” within the meaning of the Applicable Data Protection Laws.

2.2. Business User is responsible for the Personal Data that, in its use of the Application and the Services, is provided to Tella (or which can be accessed by Tella) in the context of the Processing and the performance of the Terms, including any updates or expansions of, or modifications or adjustments to the personal data (the Personal Data).

2.3. The purpose for Processing Business User’s Personal Data by Tella is the performance of the Services, as further specified in Annex I to Appendix 2 (the Processing).

2.4. Business User shall ensure that it processes the Personal Data in accordance with the Applicable Data Protection Laws. Business User’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. Business User has the sole responsibility for the accuracy, quality, and legality of Personal Data. Business User specifically acknowledges and agrees that its use of the Services will not violate the rights Individuals may have under the Applicable Data Protection Laws.

2.5. Tella shall process Personal Data under the authority and in accordance with the written instructions (including e-mail) of the Business User, and for and in accordance with the purposes and means of the Processing as determined by Business User.

2.6. Tella shall immediately inform the Business User if an instruction of the Business User infringes the Applicable Data Protection Laws.

2.7. Tella’s access to Personal Data is limited to personnel performing the Services.

2.8. Tella shall ensure that its personnel engaged in the Processing of Personal Data is informed of the confidential nature of the Personal Data and is subject to confidentiality obligations in respect of the Processing of Business User’s Personal Data.

2.9. Where required by Applicable Data Protection Laws, Tella shall maintain records of Personal Data processing activities in accordance with the rules and methods required by such Applicable Data Protection Laws.

2.10. Tella shall at Business User’s election, delete or return all Business User’s Personal Data and existing copies to the Business User after expiration or termination of the Business User’s Account in accordance with the Applicable Data Protection Laws, unless any law to which Tella is subject requires Tella to store the Business User’s Personal Data, or as may be required for business or legal archival purposes, but in any event, no longer than necessary and only as allowed by Applicable Data Protection Laws.

2.11. If Business User elects Tella to delete all Business User’s Personal Data in accordance with Article 2.10, Tella will delete all Business User’s Personal Data ultimately ninety days after expiration or termination of the Business User’s Account, or at an earlier moment at Business User’s request.

2.12. Business User indemnifies Tella for all damages, costs and other losses Tella incurs as a result of sharing Personal Data with, or making Personal Data available for, Business User or other Users on Business User’s request, including in particular usage data of Business User’s personnel.

3. Subcontractors

3.1. Business User hereby acknowledges and agrees that Tella may appoint, remove or replace one or more Subcontractors to process Personal Data on behalf of Business User and to the extent necessary to fulfil Tella’s contractual obligations under the Terms. Tella remains responsible for any acts or omissions of its Subcontractors in the same manner as for its own acts and omissions hereunder. A list of Tella’s current Subcontractors is included in Appendix 3.

3.2. Tella shall impose obligations on its Subcontractors that are consistent with Tella’s obligations as Processor under this DPA, as and to the extent required under Applicable Data Protection Laws. Tella will inform Business User (including by email) in advance (except for emergency replacements) of any intended changes concerning the addition or replacement of Subcontractors. Business User has the opportunity to object to Tella’s use of a new Subcontractor, by notifying Tella promptly in writing ultimately thirty days after Tella’s notice. If the Business User does not object within this timeframe, the new Subcontractor(s) shall be deemed accepted.

3.3. If Business User objects to a new Subcontractor, it may notify Tella. In such case, Business User may terminate Business User’s Account. Tella will refund Business User any prepaid fees covering the remainder of the term of the Business User’s Account following the effective date of termination, without imposing a penalty for such termination on Business User.

4. Security

4.1. Tella has implemented and shall maintain appropriate technical, physical and organizational measures as further detailed in Annex II to Appendix 2 to ensure a level of security appropriate to ensure the security of the Processing. Tella shall take into account the risks of unauthorized or unlawful processing or disclosure of, or the accidental loss, destruction or alteration of Business User’s Personal Data. Business User has reviewed Tella’s technical, physical and organizational measures and acknowledges and agrees that the measures are appropriate taking into account the state of the art and technological development, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Individuals.

4.2. Tella regularly monitors compliance with these measures. Tella may change the technical, physical and organizational measures at any time without notice, as long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting Personal Data. Business User is solely responsible for making an independent determination as to whether the technical, physical and organizational measures meet the Business User’s requirements, including any of its security obligations under Applicable Data Protection Laws. Business User is responsible for implementing and maintaining privacy protections and security measures for components that Business User provides or controls (such as devices or networks).

5. Cooperation

5.1. Tella shall, to the extent legally permitted, notify Business User of any requests it received from an Individual or a government body (other than a Supervisory Authority). Tella shall not respond to such requests, unless and to the extent (i) Business User authorizes Tella to do so, or (ii) Tella is legally obliged to respond. Taking into account the nature of the Processing, Tella shall assist Business User by appropriate technical and organizational measures, insofar as reasonably possible, and if and to the extent required by Applicable Data Protection Laws, to enable Business User to fulfil its obligation to respond to requests from Individuals or government bodies (other than a Supervisory Authority).

5.2. Tella shall reasonably assist Business User to enable it to meet its obligations regarding security, the notification of Data Breaches, the performance of data protection impact assessments, the preparation for a possible subsequent prior consultation of, and the response or defence against questions, requests or investigations by a Supervisory Authority under the Applicable Data Protection Laws, taking into account the nature of the Processing and information available to Tella.

5.3. Tella shall notify Business User without undue delay after becoming aware of a Data Breach. Notwithstanding the foregoing, where required under Applicable Data Protection Laws, Tella shall notify relevant Supervisory Authorities and other government bodies of any Data Breach.

5.4. The reasonable costs for Tella’s assistance pursuant to Articles 5.1 up to and including 5.3 will be borne by Business User.

6. Audits

6.1. Tella shall make available to the Business User all information necessary, and – in so far as this is required by Applicable Data Protection Laws – allow for and contribute to audits and inspections conducted by Business User or Business User’s mandated auditor, to demonstrate Tella’s compliance with its obligations under the Terms.

6.2. Unless Applicable Data Protection Laws require otherwise, audits are limited to once in any twelve-month period and the duration of an audit may not exceed three business days. Business User shall ensure that the audit does not lead to any delay in the provision of the Services.

6.3. Business User shall provide Tella with reasonable prior written notice, of at least sixty (60) days, of any audit, unless a Supervisory Authority or other competent authority requires Business User to carry out an audit sooner.

6.4. Business User and Tella shall mutually agree and document the scope and determine the agenda of the audit in advance. Parties shall, to the extent possible, use current certifications or other audit reports to confirm Tella’s compliance with the DPA to avoid or minimize repetitive audits. Business User and Tella shall bear their own costs for each audit. Business User shall provide Tella with a copy of the audit report.

7. International data transfers

7.1. Tella will meet the requirements of Applicable Data Protection Laws (if any) in relation to international data transfers.

7.2. If there is any conflict between the requirements of Applicable Data Protection Laws (if any) in relation to international data transfers and any terms of the Terms or this DPA, the terms of such requirements of Applicable Data Protection Laws shall prevail.

8. Term

8.1. This DPA enters into effect on the Effective Date.

8.2. This DPA replaces any existing data processing arrangements between Parties, and any existing data processing arrangements between Parties are hereby terminated.

8.3. This DPA remains in effect for as long as Tella provides the Services and the User remains a Business User under the Terms. This DPA terminates automatically at the later of (i) the registration of the User as a Business User ending; (ii) the Account ending or (iii) the applicability of the Terms ending.

9. Governing law and venue

9.1. This DPA is governed by the law governing the Terms. Any disputes arising out of or relating to this DPA shall be resolved in accordance with the Terms.

LOCAL PROVISIONS

10. European Union

10.1. If the Business User is based in the European Union, the following applies in addition to the remainder of this DPA:

(a) GDPR means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

(b) Member State means a member state of the European Union.

10.2. If Tella processes under this DPA Personal Data that is subject to the GDPR, Tella shall process such Personal Data in accordance with the provisions of the attached SCCs (Appendix 2), which are hereby incorporated into this DPA.

10.3. In deviation of clause 9.1, (i) the SCCs shall be governed by the law applicable in accordance with the SCCs, and (ii) any disputes arising out of the SCCs shall be brought before the competent court on the basis of the SCCs.

11. United Kingdom

11.1. If the Business User is based in the United Kingdom, the following applies in addition to the remainder of this DPA:

(a) UK GDPR means the Retained Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

11.2. If Tella processes under this DPA Personal Data that is subject to the UK GDPR, Tella shall process the Personal Data in accordance with the provisions of the attached SCCs (Appendix 2), which are hereby incorporated into this DPA.

11.3. In deviation of clause 9.1, (i) the SCCs shall be governed by the law applicable in accordance with the SCCs, and (ii) any disputes arising out of the SCCs shall be brought before the competent court on the basis of the SCCs.

12. California

12.1. If the Business User’s Personal Data relates to California residents, the following applies in addition to the remainder of this DPA:

(a) California Data Protection Laws means the California Consumer Privacy Act of 2018, Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, as amended, and inclusive of all implementing regulations, as adopted, amended or replaced from time to time.

(b) Business User and Tella agree that Tella is a Service Provider as such term is defined under California Data Protection Laws.

(c) Business User provides Personal Data to Tella for the sole purpose of enabling Tella to provide the Services described in Article 2.3. Without prejudice to Tella’s rights under Article 2.7, Tella is prohibited from:

(i) Selling Personal Data provided, as the term Selling is defined under California Data Protection Laws; and

(ii) Retaining, using, or disclosing Personal Data outside of the direct business relationship between Tella and the Business User, or for any purpose other than for the specific purpose of performing the Services under the Terms including retaining, using, or disclosing Tella Personal Data for a commercial purpose other than providing the Services specified in the Terms.

12.2. Tella hereby certifies that it understands the restrictions set forth in Article 12 and will comply with them.

APPENDIX 1: DATA PROCESSING TERMS

Account: has the meaning ascribed to it in the Terms

Annex: an annex to an Appendix to this DPA

Appendix: an appendix to this DPA

Applicable Data Protection Laws: means the privacy, security, and data protection laws and regulations that apply to the Processing of Personal Data

Application: has the meaning as ascribed to it in the Terms

Article: means an article in this DPA

Business User: means the Business User as ascribed in the Terms

Controller: means the entity that determines the purposes and means of the Processing of Personal Data or that is otherwise responsible for the Processing of Personal Data under the Applicable Data Protection Laws

Data Breach: has the meaning ascribed to it under the Applicable Data Protection Laws

DPA: this Data Processing Addendum

Individual: means the identified or identifiable person to whom Personal Data relates

Effective Date: the date on which a User registered itself or requested to be registered as a “Business User” of the Services

Party: means Tella or Business User and Parties means Tella and Business User together

Personal Data: has the meaning ascribed to it in Article 2.2

Processing: has the meaning ascribed to it in Article 2.3

Processor: means the entity which Processes Personal Data on behalf of and in accordance with the instructions of the Controller, including as applicable any “service provider” or similar as that term may be defined by Applicable Data Protection Laws

Tella: means the Tella entity that entered into the Terms

Terms: means the Terms of Use concluded between Tella and Business User

SCCs: means sections I, II, III and IV (as applicable) to the extent they reference Module Two of the standard contractual clauses adopted by the European Commission in Decision 2021/914 of 4 June 2021 or any updated version thereof, currently available here.

Subcontractor: a subcontractor or affiliated party engaged by Tella that has access to or otherwise Processes the Personal Data on Tella’s behalf, also known as a subprocessor

Services: means the services provided by Tella under the Terms to Users

Supervisory Authority: the competent supervisory authority under the Applicable Data Protection Laws

User: has the meaning ascribed to it in the Terms

APPENDIX 2: STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

For the purposes of the SCCs, the Business User is the data exporter and Tella is the data importer and the Parties agree to the following:

1. Clause 7 SCCs - Docking clause

Clause 7 of the SCCs shall apply.

2. Clause 9 SCCs – Use of sub-processors

Option 2 under clause 9 of the SCCs shall apply. Tella has Business User’s general authorisation for the engagement of Subcontractor in accordance with Article 3 of the DPA. The agreed list of Subcontractors is included in Appendix 3.

3. Clause 17 SCCs - Governing Law

The SCCs will be governed by Dutch law.

4. Clause 18 - Choice of forum and jurisdiction

The court of Amsterdam, the Netherlands shall have exclusive jurisdiction to hear any dispute arising out of these Clauses.

5. Appendix

(a) The contents of Annex I to Appendix 2 shall form Annex I to the SCCs.

(b) The contents of Annex II to Appendix 2 shall form Annex II to the SCCs.

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: the Business User as included in its Business User Account

Address: the Business User’s address as included in its Business User Account

Contact person’s name, position and contact details: Business User’s contact person as included in its Business User Account

Activities relevant to the data transferred under these Clauses: Performance of the Services as further detailed in the Terms.

Role: Controller

Data importer(s):

Name: Tella

Address: Tella’s address as included in the Terms

Contact person’s name, position and contact details: G. Shaddick, CEO, grant@tella.tv.

Activities relevant to the data transferred under these Clauses: Performance of the Services pursuant to the Terms.

Role: Processor

B. DESCRIPTION OF TRANSFER

1. Categories of Individuals whose personal data is transferred

Business User and Business User’s employees, contractors, officers, directors, freelancers, and other staff, Business User’s customers, clients and other users, and other individuals that have access to or whose Personal Data is otherwise processed as part of or in connection with the Services.

2. Categories of personal data transferred

The categories of Personal Data transferred are subject to Business User’s use of the Services in accordance with the Terms, but include the following categories of Personal Data:

Account personal data, such as a business user’s first and last name, password, photo (used as avatar), and email address. In addition, if business users sign up with a Google account, Google account information such as user access tokens.

Account subscription type, current and past subscription types, including start and end dates thereof.

Support data, such as a business user’s contact details, browser type and information regarding the use of the Services, their operating system.

Website (analytics) data, such as business users’ click behaviour, user behaviour, browser type, language preferences, time zone, IP-address, referral source and usage of the Services.

Video sharing data, such as recipients’ email addresses.

Video recording data, such as video recordings including business users’ and other persons’ facial image, voice and other personal data included in their recordings.

3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Video recording data may include special category personal data of any type.

4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The data is transferred on a continuous basis depending on the use of the Services by Business User and its staff.

5. Nature of the processing

The nature of the Processing is the performance of the Services.

6. Purpose(s) of the data transfer and further processing

Data importer will process Personal Data as necessary to perform the Services and as further instructed by Business User in its use of the Services.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The data importer will Process Personal Data for the duration as set out in Article 8 of the DPA, unless otherwise agreed in writing.

8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As per 5 above, any sub-processors will process Personal Data to ensure that the data importer can perform the Services pursuant to the Terms. The sub-processor will process Personal Data for the duration as set out in Article 8 of the DPA, unless otherwise agreed in writing.

C. COMPETENT SUPERVISORY AUTHORITY

There are four different situations with regard to the qualification of the competent Supervisory Authority:

Where the data exporter is established in a Member State: The Supervisory Authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent Supervisory Authority.

Where the data exporter is not established in a Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The Supervisory Authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent Supervisory Authority.

Where the data exporter is not established in a Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Where the data exporter is established in the United Kingdom or falls within the territorial scope of application of the UK General Data Protection Regulation: The Information Commissioner's Office shall act as the competent Supervisory Authority.

ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measures of encryption of personal data

Technical:

  • SSL encryption on the website.

  • Encryption of data stored in database.

  • Encryption of data stored on laptops.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Technical:

  • Authentication with username/password, two factor authentication, and/or biometric methods.

  • Password protected screensavers and automated screen locking in case of inactivity, and two-factor user authentication.

Organisational:

  • Digital keys management.

  • Authorisation is immediately blocked when employees and contractors leave the company.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Technical:

  • Data is stored with automated backups.

  • Multi-region data hosting.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Organisational:

  • Regular code reviews.

  • Automated testing on all product updates.

APPENDIX 3: LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

  1. Tella B.V.

    1. Location: the Netherlands

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To develop and maintain the Services, including Tella’s web platform, create analytical reports, and to provide various business and operational services, including sales, marketing, business enhancement, bookkeeping as well as customer and other support services.

  2. Amazon Web Services, Inc.

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To manage our application database.

  3. Amplitude

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To provide analytical reports of the Tella website and the Services.

  4. Segment

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To provide analytical reports of the Tella website and the Services.

  5. Auth0

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To authenticate users of the Services.

  6. Stripe

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To create and manage invoices and (recurring) payments.

  7. Vero

    1. Location: Australia

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To create and send (direct marketing) communications.

  8. Intercom

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To provide support services to users.

  9. Rollbar Inc.

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To monitor and track users for the identification and the solving of errors in our application.

  10. Datadog, Inc.

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To monitor and track users for the identification and the solving of errors in our application. To provide analytical reports of the Tella website and the Services.

  11. Sentry (Functional Software, Inc)

    1. Location: United States

    2. Contact person’s name, position and contact details: N/A

    3. Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): To monitor and track users for the identification and the solving of errors in our application.