These Data Processing Terms (“DP Terms”) set forth the obligations and terms that apply to the Processing of Client Personal Data pursuant to the Services (capitalized terms defined below), beginning on or after May 24, 2018.
1. Background
1.1. ON24 operates a content delivery platform that enables its business customers to create, manage, host and deliver webcasts and other content, as well as virtual events and environments, to send emails and communications to registrants, attendees and other end users, and to collect registration and other information from registrants, attendees and other end users (the “Platform”). In operating and providing the Platform, ON24 will provide services to its business customers relating to their use of the Platform (the “Services”). These DP Terms applies to the Processing (defined below) of Client Personal Data (defined below), pursuant to the Services, including Personal Data received from the European Economic Area (“EEA”), the United Kingdom in the event the United Kingdom exits the European Union, and Switzerland.
1.2. These DP Terms form a part of the ON24 Universal Terms and Conditions, and any Master Services Agreement, Subscription Agreement, Services Agreement, Work Order, and other written or electronic agreement between ON24 and Client related to Client’s purchase of Services and ON24’s provision of the same, and any amendments thereto (collectively, the “Agreement,” which also includes any amendments hereto).
1.3. These DP Terms supersedes any prior data processing agreements, data processing addenda or similar terms between the parties. In the event of any conflict or inconsistencies between the terms of these DP Terms and any other terms in the Agreement, these DP Terms will control.
2. Execution
Pursuant to Section 1.2, these DP Terms are incorporated by reference into the Agreement. These DP Terms do not need to be executed separately to be effective.
3. Certain Definitions
3.1. In these DP Terms, the following terms will have the meanings set out below:
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
(b) “Brexit” means any full or partial departure of the United Kingdom from the European Union;
(c) “CCPA” means California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), as amended or superseded from time to time;
(d) “Client Affiliate” means any Affiliate of Client that is authorized and/or permitted to use the Platform or Services pursuant to the Agreement;
(e) “Client Materials” means any materials or data Client enters into, collects, manages or creates using the Platform, including, but not limited to, slides, audio files, video files, photographs, and recordings generated from a Client Event;
“Client Personal Data” means any Personal Data Processed by ON24 or a Subprocessor in the provision of the Services to Client or a Client Affiliate, including (but not limited to) any contact information or other personally identifiable information of End Users of Client Events or contained in Client Materials;
(f) “Data Breach” means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data transmitted, stored or otherwise Processed by ON24 or its Subprocessors;
(g) “Data Protection Laws” means any local, national or international laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, as amended, replaced or superseded from time to time, including: (i) the GDPR and laws of EEA Member States implementing or supplementing the GDPR; and (ii) any data protection laws of the United Kingdom substantially amending, replacing or superseding the GDPR in whether or not as a result of a Brexit (including the UK Data Protection Act 2018);
(h) “End User” means an actual and prospective attendee, visitor and other user who has registered for or attended one or more Client Events;
(i) “Client Event” means the webcasts, webinars, virtual environments, and other content offered or made available through the Platform by Client or Client Affiliate;
(j) “GDPR” means EU General Data Protection Regulation 2016/679;
(k) “Personal Data” is any information defined as “personal data”, “personal information”, or other similar terms under applicable Data Protection Laws;
(l) “Process” means any operation or set of operations that is performed upon Client Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction, and “processed,” or “processing” will be construed accordingly;
(m) “Restricted Transfer” means a transfer of Client Personal Data to or by ON24 and/or a Subprocessor, to a jurisdiction that is not recognized as providing an adequate level of protection for Personal Data by applicable Data Protection Laws;
(n) “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection of data subjects, which have been approved by the European Commission as adducing adequate safeguards for Restricted Transfers, or any successor clauses thereto or alternative data transfer mechanisms recognized by the European Commission pursuant to Article 46 of the GDPR, or by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law;
(o) “Subprocessor” means any person or entity (including any third party and any ON24 Affiliate, but excluding an employee of ON24) appointed by or on behalf of ON24 who may Process Client Personal Data;
(p) “Supervisory Authority” means (a) an independent public authority established by a Member State pursuant to Article 51 of the GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws; and
(q) The terms “Data Controller,” “Data Processor,” “Data Subject,” and “Member State,” will have the same meaning as in the GDPR.
(r) The term “Consumer” will have the same meaning as in the CCPA.
3.2. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
4. Processing of Personal Data
4.1. The parties acknowledge and agree that with regard to the Processing of Client Personal Data, Client is the Data Controller, and ON24 is the Data Processor.
4.2. ON24 will, and will ensure that Subprocessors will Process Client Personal Data only on Client’s documented instructions, or where Processing is required by applicable laws to which ON24 or Subprocessors are subject; in the latter case, ON24 will notify the Client of the legal requirement before Processing, unless the law prohibits such notification.
4.3. Client on its own behalf and as agent for each relevant Client Affiliate instructs ON24 (and authorizes ON24 to instruct each Subprocessor) to, as reasonably necessary for the provision of the Services (including any additional services used by Client or Client Affiliate, which may subject to supplemental terms): (a) Process Client Personal Data; (b) transfer Client Personal Data to any country or territory provided such complies with Section 12 (Cross-border Transfers) below; and (c) engage any Subprocessors, provided such complies with Section applewebdata://1554DDCB-A781-4822-AB34-70F53BA4CA41#bookmark0 (Subprocessing) below.
4.4. Pursuant to, and as required under the CCPA, ON24 will process Client Personal Data to the extent necessary to provide the Services described in the Agreement and only for the purposes as instructed by Client in a manner consistent with this Addendum. ON24 will not retain, use, or disclose such Client Personal Data for any purpose other than to perform the Services, which for the avoidance of doubt prohibits ON24 from retaining, using, or disclosing Client Personal Data outside of the direct business relationship with Client or for any other commercial purpose. ON24 will not sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate such Client Personal Data to any third party for monetary or other valuable consideration. ON24 certifies that it understands the restrictions set out in this Section 4 and will comply with them. Client agrees that ON24 may de-identify or aggregate Client Personal Data and other data related to the Services to render it Anonymous Data, which may then be used for the purposes of operating and improving ON24’s services and operations, and other research, analytics and related purposes. ON24 may maintain Anonymous Data as part of its own records and information, and such data shall no longer be subject to the Agreement or these DP Terms. “Anonymous Data” means data that has been de-identified and/or aggregated with other data to such an extent that Client and Client Affiliates are no longer identifiable, and individuals are no longer identified, identifiable, linked or linkable, or otherwise ascertainable by reference to or combination with other datasets.
4.5. Client agrees that (a) Client’s submission of Client Personal Data and instructions for the Processing of Personal Data will comply with Data Protection Laws and Client will at all relevant times remain duly and effectively authorized to give the instruction set out in this Section (Processing of Personal Data) on behalf of each relevant Client Affiliate; (b) Client and any Client Affiliate will, in the use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws; and (c) Client will provide any required notices to and obtain any required consents from Data Subjects related to the Processing of Client Personal Data as contemplated in these DP Terms and the Agreement, or as otherwise instructed by Client.
4.6. Annex 1 to these DP Terms sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, and the categories of Personal Data and Data Subjects, as required by Article 28(3) of the GDPR; Annex 1 does not confer and rights or obligations on either party. Either of the parties may make reasonable amendments to Annex 1 as they reasonably consider necessary to meet the requirements of Article 28(3) of the GDPR by providing the other party with an updated or an additional Annex 1.
5. ON24 Personnel
ON24 will take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Client Personal Data, ensuring that such individuals are subject to confidentiality obligations or professional or statutory obligations of confidentiality.
6. Security
ON24 will implement appropriate technical and organizational measures, as set forth in Annex 2 (Technical and Organizational Measures), that are designed to provide a level of security appropriate to the risks presented by the Processing of Client Personal Data. In assessing the appropriate level of security, the ON24 will take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
7. Personal Data Breach
ON24 will notify Client without undue delay if it discovers a Data Breach involving Client Personal Data, and will provide information (as available) to assist Client to meet any obligations to report a Data Breach under the Data Protection Laws. ON24 will co-operate with Client and take such reasonable steps as are agreed in good faith by the parties to assist in the investigation, mitigation and remediation of each Data Breach. To the extent that Client is responsible for a Personal Data Breach Client will reimburse ON24 for all costs reasonably and properly incurred by ON24 performing its obligations under this Section (including internal costs and third party costs including legal fees).
8. Data Subject and Consumer Rights
ON24 will promptly notify Client if it receives a request from a Data Subject or Consumer entitled to exercise a request under applicable law regarding Client Personal Data as it pertains to that Data Subject or Consumer. Upon request, ON24 will provide Client with reasonable assistance as necessary to Client’s fulfillment of its obligations under applicable laws to respond to such requests relating to their Personal Data. Taking into account the nature of the Processing, such assistance will include, where practicable, implementation of reasonable and appropriate technical and organizational measures to allow Client to respond effectively to such requests.
9. Data Protection Impact Assessment and Prior Consultation
Upon request and subject to the nature of the relevant Processing by and information available to ON24, ON24 will provide reasonable assistance to Client with any data protection impact assessments and any prior consultations to any Supervisory Authority, which are required under applicable Data Protection Law. Client will reimburse ON24 in full for all costs reasonably and properly incurred by ON24 in performing its obligations under this Section (including internal costs and third party costs including legal fees).
10. Audit Rights
10.1. Upon Client’s written request, ON24 will make available to Client information reasonably necessary to demonstrate ON24’s compliance with these DP Terms, and will allow for and contribute to inspections by a qualified, independent third-party auditor appointed by Client, in relation to the Processing of Client Personal Data by ON24 or its Subprocessors.
10.2. Client will give ON24 reasonable notice of any audit or inspection to be conducted under this Section and will (and ensure that each of its mandated auditors will) take all reasonable steps to avoid causing any damage, injury or disruption to the premises, equipment, personnel and business of ON24 or any Subprocessor during the course of such an audit. Except as otherwise required by applicable law or a relevant Supervisory Authority, any audit or inspection will be conducted within normal business hours no more than once in any calendar year. Client will reimburse ON24 in full for all costs reasonably and properly incurred by ON24 performing its obligations under this Section (including internal costs, third party costs including legal fees, and costs incurred by ON24 with respect to audits of other Subprocessors). Any information obtained under this Section will be kept confidential and not disclosed to any person without the express consent of ON24, and Client will ensure that any auditor, agent, personnel or other person or entity that participates in such audit is subject to appropriate written confidentiality obligations.
11. Subprocessing
11.1. Client authorizes ON24 to appoint (and permit each Subprocessor appointed in accordance with this Section to appoint) Subprocessors. Client expressly agrees that ON24 Affiliates may be engaged as Subprocessors, and that ON24 may continue to use those other Subprocessors already engaged by ON24 as of the date of these DP Terms. ON24 will make available a current list of ON24 Subprocessors at https://www.on24.com/about-us/gdpr/subprocessors, including the names and a description of the Processing to be undertaken by the Subprocessor, and will update the list prior to adding any additional Subprocessors. Client may subscribe to email notifications of new Subprocessors at https://www.on24.com/about-us/gdpr/subprocessors. ON24 will provide notice of new Subprocessors prior to authorizing new Subprocessors to Process Personal Data in connection with the Services by updating the Subprocessor list at https://www.on24.com/about-us/gdpr/subprocessors, and via email notification if Client has subscribed to email notifications about new Subprocessors. Client may object to the appointment of a new Subprocessor by sending written notice to ON24 at mailto:privacy@on24.com within ten (10) business days of the notice of new Subprocessors; Client’s notice of objection should state the basis for Client’s objection. Client agrees that it will not unreasonably object to the use of a Subprocessor. If Client does not object to the appointment of the Subprocessor within ten (10) business days, the Client shall be deemed to have approved and agreed to such appointment.
11.2. The parties will work in good faith to resolve Client’s objections to the appointment of any Subprocessors. During this time, there may be an impact to the provision of the Services; Client agrees that ON24 is not liable for any such impact. If the parties are unable to resolve Client’s objection within 90 days, Client may terminate without penalty the portion of the Agreement pertaining to the Services that ON24 states it cannot provide without the use of the objected-to Subprocessor, and ON24 will refund Client any prepaid but unused amounts for such portion; otherwise the Agreement shall remain in full force and effect.
11.3. With respect to each Subprocessor, ON24 will: (a) exercise commercially reasonable care in the assessment, appointment and oversight of the relevant Processing activities of Subprocessors; (b) include terms in the contract between ON24 and each Subprocessor which offer an equivalent level of protection for Client Personal Data as those set out in these DP Terms, taking into account the nature of the services performed by the Subprocessor; (c) if the arrangement involves a Restricted Transfer, ensure that adequate contractual measures are in place as required by Data Protection Laws, and where the Client Personal Data is from the EEA or Switzerland the Standard Contractual Clauses will be incorporated into the agreement between ON24 and the Subprocessor; and (d) remain liable to the Client for any failure by each Subprocessor to fulfil its obligations in relation to the Processing of Client Personal Data.
12. Cross-border Transfers
ON24 has self-certified to and complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the US Department of Commerce. ON24 will maintain such self-certification to and compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks with respect to its Processing of Client Personal Data from the European Economic Area and/or Switzerland. If and to the extent ON24’s Privacy Shield certifications are withdrawn or expire, the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks are invalidated under the respective applicable laws of either the EEA or Switzerland, ON24 will execute the Standard Contractual Clauses with Client, or work with Client in good faith to put in place an alternative mechanism for the transfer of the relevant Client Personal Data to the United States.
In the event of a Brexit where the United Kingdom is considered a ‘third country’ for the purposes of GDPR, ON24 shall: (a) procure that its Affiliate entity registered in the United Kingdom, ON24 Limited (registered company number 05278776), shall enter into the Standard Contractual Clauses as a ‘data importer’ in respect of any Client Personal Data originating from the EEA and Switzerland; and (b) work with the Client to ensure that there are adequate contractual measures in place as required by applicable Data Protection Laws for the transfer of any Client Personal Data originating the United Kingdom to the United States.
13. Deletion or Return of Personal Data
Upon the termination or expiration of the Agreement (unless continued Processing is subject to a new or amended agreement) and to the extent not prohibited by applicable law, ON24 will within 90 days (the “Cessation Date”) cease Processing and delete or return the Client Personal Data. If Client does not inform ON24 of its choice of either return or deletion of such Client Personal Data at least 30 days prior to the Cessation Date, then Client will be deemed to have chosen deletion. The parties agree that ON24 is not required to return or delete any Anonymous Data at the conclusion of the Agreement.
14. Limitation of Liability
The aggregate liability of ON24 arising out of or related to these DP Terms, whether in contract, tort or under any other theory of liability, is subject to the limitations on liability in the Agreement.
15. General Terms
15.1. No Legal Advice. Notwithstanding anything to the contrary in these DP Terms, ON24 will not be required to provide legal advice to Client and nothing provided by ON24 will be construed by Client as legal advice.
15.2. Termination. The parties agree that these DP Terms and the Standard Contractual Clauses will terminate automatically upon: (a) termination of the Agreement; or (b) expiry or termination of all service contracts entered into by ON24 with Client pursuant to the Agreement; or (iii) termination or completion of statements of work, work orders or similar documents, thereunder, whichever is later.
15.3. Third-Party Rights. A person who is not a Party to this Addendum will have no right to enforce any term of this Addendum; the rights to rescind or vary this Addendum are not subject to the consent of any other person.
15.4. Changes in Data Protection Laws. If any variation is required to these DP Terms (including the Standard Contractual Clauses) as a result of a change in Data Protection Law, either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary variations to these DP Terms to address such changes.
ANNEX 1: DETAILS OF PROCESSING OF CLIENT PERSONAL DATA
This Annex 1 includes certain details of the Processing of Client Personal Data as required by Article 28(3) of the GDPR.
1. Subject matter and duration of the Processing of Client Personal Data:
The subject matter and duration of the Processing of Client Personal Data are set out in the Agreement and these DP Terms.
2. The categories of Data Subject to whom Client Personal Data relates:
3. The nature and purpose of the Processing of Client Personal Data:
4. The types of Client Personal Data to be Processed:
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
1. Any Processing of Personal Data will take place on data processing systems for which commercially reasonable technical and organizational measures for protecting Personal Data have been implemented. ON24 will maintain reasonable and appropriate technical, physical, and administrative measures to protect Client Personal Data under its possession or control against unauthorized or unlawful Processing or accidental loss, destruction or damage, taking into account the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage and the sensitivity of the Client Personal Data.
2. Security measures will be designed to:
(a) deny unauthorized persons access to data-processing equipment used for processing Personal Data (equipment access control);
(b) prevent the unauthorized reading, copying, modification or removal of media (data media control);
(c) prevent the unauthorized input of Personal Data and the unauthorized inspection, modification or deletion of stored Personal Data (storage control);
(d) prevent the use of automated data-processing systems by unauthorized persons using data communication equipment (user control);
(e) provide that persons authorized to use an automated data-processing system only have access to the Personal Data covered by their access authorization (data access control);
(f) enable ON24 to verify and establish to which individuals Client Personal Data have been or may be transmitted or made available using data communication equipment (communication control);
(g) enable identification of which Client Personal Data have been put into automated data-processing systems and when and by whom the input was made (input control);
(h) prevent the unauthorized reading, copying, modification or deletion of Client Personal Data during transfers of those data or during transportation of storage media (transport control);
(i) include commercially reasonable disaster recovery procedures to provide for the continuation of services under the Agreement and backup of Client Personal Data; and
(j) include appropriate technical security solutions are implemented and managed to protect the confidentiality, integrity and availability of Client Personal Data.
3. Where appropriate, data will be encrypted in transmission and at rest, using industry-standard cryptographic techniques and secure management of keys.
4. ON24 will take reasonable steps to ensure the reliability of its employees and other personnel having access to Client Personal Data, and will limit access to Client Personal Data to those Personnel who have a business need to have access to such Client Personal Data, and have received reasonable training regarding the handling of Personal Data and Data Protection Laws.
5. On request and subject to written confidentiality obligations, ON24 will provide the Company with access to its relevant data security policies and procedures.
Previous Versions:
ON24 Data Processing Terms for applicable agreements entered into by December 10, 2019
