This data processing addendum forms part of the Service Agreement or any other
agreement pertaining to the delivery of services (the “Agreement”) between First App Holdings
Limited (“First App Holdings”), Aceville Pte. Ltd.
(“Aceville”) (First App Holdings and Aceville, each a
“Data Processor”) and the Customer(s) named in such Agreement
and/or identified below (the “Data Controller(s)”) to reflect
the parties’ agreement with respect to the Processing of Personal Data (as defined below) and incorporates the
terms and conditions set out in the Schedules hereto (the “Addendum”).
In respect of this Addendum, if the Customer is a registered entity in Singapore,
references to “Data Processor” shall be read as a reference to Aceville; and if the Customer is a registered
entity outside of Singapore, references to “Data Processor” shall be read as a reference to First App Holdings.
Each Data Controller has appointed Data Processor to provide services to the Data
Controller(s). As a result of its providing such services to the Data Controller(s), Data Processor will store
and process certain personal data of the Data Controller(s), in each case as described in further detail in
Schedule 1 (Processing Details).
In no event shall VooV Meeting (defined below) assume or
otherwise serve as a data controller of the Personal Data covered by this Addendum.
1.
Definitions
1.2
The Data Processor and Data Controller(s), each a ‘party’ and together the ‘parties’.
1.3
For the purposes of this Addendum, the following expressions bear the following meanings
unless the context otherwise requires:
“Applicable Data Protection Laws”
means any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance,
regulation, rule, or other binding instrument relating to the processing of Personal Data by a party, including
(a) the GDPR, (b) the e-Privacy Directive, (c) the UK Data Protection Act 2018 (“DPA”), (d) the UK General Data Protection Regulation, as defined by the
DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit)
Regulations 2019 (together with the DPA, the “UK GDPR”), (e)
the Privacy and Electronic Communications Regulations 2003, and (f) the CCPA, the Colorado Privacy Act, the
Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act,
the Iowa Consumer Data Protection Act, the Indiana Consumer Data Protection
Act, the Montana Consumer Data Privacy Act, the Tennessee Information Protection Act, the Texas Data Privacy
and Security Act, the Oregon Consumer Privacy Act and the Florida Digital Bill of Rights (collectively,
“Applicable US Data Protection Laws”), in
each case as amended, consolidated, re-enacted or replaced from time to time;
“Business”, “Data
Subject”, “Selling”,
“Service Provider” and “Sharing” shall have the meaning given to these terms or equivalent
concepts in the relevant Applicable Data Protection Laws;
“CCPA” means the California Consumer
Privacy Act, as amended by the California Privacy Rights Act;
“Controller to Processor Clauses”
means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the
transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021,
specifically including Module 2 (Controller to Processor); and (ii) in respect of
transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission
Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended,
updated or replaced from time to time;
“Customer” shall have the meaning set forth in
the Agreement;
“Data Processor” shall have the meaning set forth in the recitals of this
Addendum;
“e-Privacy Directive” means Directive
2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal
data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic
communications);
“GDPR” means Regulation 2016/679 of
the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data;
“Personal Data” shall have the meaning given to “personal data” and
“personal information” and other similar terms in the relevant Applicable Data Protection Laws;
“Process”, “Processed” or “Processing” shall have the meaning given to this term or equivalent concept in the relevant Applicable Data
Protection Laws;
“Processor to Controller Clauses”
means, as relevant, (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual
clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June
2021, specifically including Module 4 (Processor to Controller); (ii) in respect of transfers of Personal Data
subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual
Clauses (version B.1.0) issued by the UK Information Commissioner, and (iii) in respect of transfers of Personal
Data outside any jurisdiction that requires such transfer to be effected by a Lawful Export Measure, the lawful
form of contract for the transfer of Personal Data to Third Countries from data processors to data controllers
approved by the relevant competent authority of such jurisdiction, in each case as in force, amended, updated or
replaced from time to time;
“Processor to Processor Clauses” means, as relevant, (i) in respect of transfers of Personal Data
subject to the GDPR, the standard contractual clauses for the
transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021,
specifically including Module 3 (Processor to Processor); (ii) in respect of transfers of Personal Data
subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual
Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or
replaced from time to time;
“Regulator” means the data protection
supervisory authority which has jurisdiction over a Data Controller’s Processing of Personal Data;
“Services” means the various video
conferencing, web conferencing, meeting room, screen sharing and other collaborative services as well as voice
connectivity services and shall have the meaning set forth in the Agreement;
“Third Countries” means (i) in
relation to Personal Data transfers subject to the GDPR, any country or territory outside of the scope of the
data protection laws of the European Economic Area (“EEA”),
excluding countries or territories approved as providing adequate protection for Personal Data by the European
Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any
country or territory outside of the scope of the data protection laws of the UK, excluding countries or
territories approved as providing adequate protection for Personal Data by the relevant competent authority of
the UK from time to time; and
“VooV Meeting” refers to the relevant
Data Processor, depending on where the Customer is registered.
2.1
This Addendum governs the terms under which Data Processor is required to Process Personal
Data on behalf of the Data Controller(s).
3.1
Data Processor shall only Process Personal Data on behalf of the Data Controller(s) and in
accordance with, and for the limited and specific purposes set out in the documented instructions received from
the Data Controller(s) from time to time unless permitted or required to Process, and/or restricted from
Processing, such Personal Data by applicable law to which the Data Processor is subject; in each case, the Data
Processor shall inform the Data Controller of that legal requirement without undue delay, unless that law
prohibits such information on important grounds of public interest. To the extent required by Applicable US Data
Protection Laws, Data Processor shall provide the same level of privacy protection as is required by such
laws.
3.3
Data Processor shall ensure that its personnel authorised to Process the Personal Data have
committed themselves to confidentiality or are under an appropriate statutory obligation of
confidentiality.
3.4
Data Processor shall implement appropriate technical and organisational security measures
designated to provide a level of security appropriate to the risk, taking into account the state-of-the-art, the
costs of implementation and the nature, scope, context and purpose of the Processing as set out in Schedule 2 (Technical and
Organisation Security Measures) of this Addendum before Processing each Data Controller’s Personal
Data and shall continue to comply with them during the term of this Addendum.
3.5
Except to the extent the same is caused or contributed to by the Data Controller, Data
Processor shall promptly notify the relevant Data Controller(s) about any breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal
Data belonging to the Data Controller(s). In such event, Data Processor shall take commercially reasonable steps
to mitigate the harmful effects known to Data Processor of a use or disclosure of the Personal Data in violation
of this Addendum.
3.6
To the extent required by Applicable Data Protection Laws, Data Processor shall:
(a)
upon reasonable written request from any Data Controller from time to time, but no more than
once annually, provide that Data Controller with such documentation in its possession as is reasonably necessary
to demonstrate compliance with the obligations laid down in this Addendum; and
(b)
permit each Data Controller at any time upon fourteen (14) days’ notice, to be given in
writing, to conduct audits or inspections during the term of this Addendum for the purposes of monitoring
compliance with Data Processor’s obligations under this Addendum, provided that any such inspection shall be
carried out by any Data Controller or an inspection body composed of independent members and in possession of
the required professional qualifications and bound by a duty of confidentiality, selected by the Data
Controller(s) and, where applicable, in accordance with the instructions of the Regulator. Alternatively, Data
Processor may arrange for a qualified and independent auditor to conduct, at least annually at Data Processor’s
expense, an assessment of Data Processor’s policies and technical and organizational measures in support of
obligations under Applicable Data Protection Laws using an appropriate and accepted control standard or
framework and assessment procedure for such assessments. Data Processor shall provide a report of such
assessment to Data Controller upon request.
3.7
Where:
(a)
a Data Subject exercises his or her rights under the Applicable Data Protection Law in
respect of Personal Data Processed by Data Processor on behalf of any Data Controller; or
(b)
any Data Controller is required to deal or comply with any assessment, enquiry, notice or
investigation by the Regulator; or
(c)
any Data Controller is required under the Applicable Data Protection Laws to carry out a
mandatory data protection impact assessment or consult with the Regulator prior to Processing Personal Data
entrusted to the Data Processor under this Addendum,
then Data Processor will provide reasonable assistance to the relevant Data Controller
to enable that Data Controller to comply with obligations which arise as a result thereof.
3.8
When the Data Processor Processes Personal Data in the United States, the Data Processor is
prohibited from:
(a)
Selling the Personal Data;
(b)
Sharing the Personal Data for cross-context behavioural advertising purposes;
(c)
retaining, using, or disclosing the Personal Data for any purpose other than for the
specific purpose of performing the services that are to be provided to Data Controller;
(d)
retaining, using or disclosing the Personal Data outside of the direct business relationship
between the Data Processor and Data Controller; or
(e)
combining the Personal Data received from Data Controller with any Personal Data that may be
collected from Data Processor’s separate interactions with the individual(s) (if applicable) to whom the
Personal Data relates to or from any other sources.
(i)
in respect of the Processing of Personal Data in a Third Country
that is not subject to the GDPR or UK GDPR, and to the extent required by Applicable Data Protection Laws,
ensure such transfer is carried out using a Lawful Export Measure. To the extent such Lawful
Export Measure requires (a) a contract imposing appropriate safeguards on the transfer and processing of such
Personal Data (which is not otherwise satisfied by this Addendum); (b) a description of the Processing of
Personal Data contemplated under this Addendum; and (c) a description of technical and organisational measures
to be implemented by the data importer, the parties agree that the Controller to Processor Clauses, the
description of processing activities set out in Schedule 1 (Processing Details) and the description of technical and organisational
measures set out in Schedule 2 (Technical and Organisation Security Measures), shall apply mutatis mutandis for the benefit of such transfer, and in relation to any
onward transfer of the Personal Data by that data importer to another person, the other person shall comply with
the same importer obligations, mutatis mutandis;
(ii)
in respect of the Processing of Personal Data in a Third Country that is subject to the GDPR
or UK GDPR, comply with the data importer’s obligations set out in the Controller to Processor Clauses, which
are hereby incorporated into and form part of this Addendum; the Data Controller will comply with the data
exporter’s obligations in such Controller to Processor Clauses; and:
(A)
for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses,
the parties and Processing details set out in Schedule 1 (Processing Details) shall apply, and the Start Date is the Effective
Date, and the signature(s) (in any form) given in connection with the execution of this Addendum by a party and
the date(s) of such signature(s) shall apply as the dated signature required from that party;
(B)
if applicable, for the purposes of Part 1 of such Controller to Processor Clauses, the
relevant Addendum EU SCCs (as such term is defined in the applicable Controller to Processor Clauses) are the
standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision
2021/914 of 4 June 2021 (Module 2), as incorporated into this Addendum by virtue of this
Clause 3.9;
(C)
for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor
Clauses, the technical and organisational security measures set out in Schedule 2 (Technical and
Organisation Security Measures) shall apply; and
(D)
if applicable, for the purposes of: (i) Clause 9 of such
Controller to Processor Clauses, Option 2 (“General written
authorization”) is deemed to be selected and the notice period specified in
Clause 5.3 shall apply; (ii) Clause 11(a) of
such Controller to Processor Clauses, the optional wording in relation to independent dispute resolution is
deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory
authority shall be the Dutch Autoriteit Persoonsgegevens; (iv)
Clause 17, Option 2 is deemed to be
selected and the governing law shall be separately agreed between the parties; (v) Clause 18, the
competent courts shall be the competent courts of Netherlands; (vi)
Part 1 of such Controller to Processor Clauses, the Data Processor, as importer
may terminate the Controller to Processor Clauses pursuant to Section 19 of such Controller to Processor
Clauses.
-
in respect of the Processing of Personal Data in a Third
Country that is not subject to the GDPR or UK GDPR, and to the extent required by Applicable Data Protection
Laws, comply with the data exporter’s obligations required by the Lawful Export Measure adopted; Data
Controller will comply with the data importer’s obligations required by the Lawful Export Measure adopted. To
the extent such Lawful Export Measure requires (a) a contract imposing appropriate safeguards on the transfer
and processing of such Personal Data (which is not otherwise satisfied by this Addendum); and (b) a
description of the Processing of Personal Data contemplated under this Addendum, the Parties agree that the
Processor to Controller Clauses and the description of processing activities set out in Schedule 1 (Processing Details), shall apply mutatis mutandis for the benefit of such transfer;
-
in respect of the Processing of
Personal Data in a Third Country that is subject to the GDPR or UK GDPR, comply with the data exporter’s
obligations set out in the Processor to Controller Clauses, which are hereby incorporated into and form part
of this Addendum; Data Controller will comply with the data importer’s obligations in such Processor to
Controller Clauses; and:
-
for the purposes of Annex I or Part 1 (as relevant) of
such Processor to Controller Clauses, the Parties and Processing details set out in Schedule 1 (Processing Details) shall apply, and the Start Date is the Effective Date, and the
signature(s) (in any form) given in connection with the execution of this Addendum by a party and the
date(s) of such signature(s) shall apply as the dated signature required from that party;
-
if applicable, for the purposes
of Part 1 of such Processor to Controller Clauses, the relevant Addendum EU SCCs (as such term is
defined in the applicable Processor to Controller Clauses) are the standard contractual clauses for the transfer of Personal
Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 4) as incorporated
into this Addendum by virtue of this sub-Clause (ii)(B); and
-
if applicable, for the purposes of: (i) Clause 17, the
governing law shall be the law of the Netherlands; (ii) Clause 18, the competent courts shall be the
competent courts of the Netherlands; (iii) Part 1 of such Processor to Controller Clauses, Data Processor
as Exporter may terminate the Processor to Controller Clauses pursuant to Section 19 of such Processor to
Controller Clauses.
3.11
The Data Controller acknowledges and agrees that Data Processor may, or may appoint an
affiliate or third party subcontractor to Process the Data Controller’s Personal Data in a Third Country,
provided that it ensures that such Processing takes place in accordance with the requirements of Applicable Data
Protection Laws and executes the Processor to Processor Clauses with any relevant subcontractor (including
affiliates) it appoints on behalf of the Data Controller.
4.1
Each Data Controller represents, warrants and undertakes that:
(i) the legislation applicable to it does not prevent Data Processor from
fulfilling the instructions received from the Data Controller(s) and performing Data Processor’s obligations
under this Addendum; (ii) it is solely responsible for the accuracy, quality and legality of the Personal Data
provided to Data Processor by or on behalf of Customer, the means by which Customer acquired any such Personal
Data and the instructions Data Controller provides to Data Processor regarding the Processing of such Personal
Data; (iii) it shall not provide or make available to Data Processor any Personal
Data in violation of the Agreement, the Addendum or otherwise inappropriate for the nature of the Services; and
(iv) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has
obtained any necessary consents from Data Subjects (including but not limited to its personnel, employees or end
users who use or otherwise access the Services) or given any necessary notices to Data Subjects (including but
not limited to transparency notices that inform Data Subjects that their Personal Data will be Processed in
accordance with the Customer’s privacy notice, among other information) required under Applicable Data
Protection Laws, and otherwise has a legitimate ground to disclose the data to Data Processor and enable the
Processing of the Personal Data by the Data Processor as
set out in this Addendum and as envisaged by any services agreement in place between the parties.
4.2
Each Data Controller represents, warrants and undertakes to Data Processor that:
(a)
the Personal Data has been and will be collected in accordance with the Applicable Data
Protection Laws;
(b)
all instructions from Data Controller to Data Processor will comply with the Applicable Data
Protection Laws; and
(c)
the transfer of the Personal Data to Data Processor, and the Processing of the Personal Data
by Data Processor as instructed by Data Controller, is consented to by the relevant Data Subjects (where
required by law) and otherwise permitted by and in accordance with the Applicable Data Protection Laws.
4.3
Each Data Controller agrees that it will jointly and severally together with any other Data
Controller, indemnify and hold harmless Data Processor on demand from and against all claims, liabilities,
costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all
interest, penalties and legal and other professional costs and expenses) incurred by Data Processor arising
directly or indirectly from a breach of this Clause 4.
5.
Sub-Contracting
5.1
The Data Controller hereby grants the Data Processor general written authorisation to
engage, and consents to the use of the Subcontractors set out in and for the purposes further described in
Schedule 3 (Authorised Subcontractors).
5.2
The Data Controller approves the Subcontractors currently set out in Schedule 3 (Authorised
Subcontractors).
5.3
Data Processor may remove, replace or
appoint suitable and reliable further Subcontractors as set out in Schedule 3 (Authorised
Subcontractors) at its own discretion in accordance with this Clause 5.3. If Data Processor appoints a new Subcontractor or intends to
make any changes concerning the addition or replacement of the Subcontractors set out in Schedule 3 (Authorised
Subcontractors), it shall provide the Data Controller with ten (10) business days’ prior written
notice, during which the Data Controller can object against the appointment or replacement.
5.4
If Data Controller reasonably objects against the appointment or replacement, Data Processor
shall have the right to cure the objection through one of the following options (to be selected at Data
Processor’s sole discretion):
(a)
Data Processor may cancel its plans to use the subcontractor with regard to Data
Controller’s Personal Data;
(b)
Data Processor may take corrective steps requested by Data Controller in its objection
(which remove Data Controller’s objection) and proceed to use the subcontractor with regard to Data Controller’s
Personal Data;
(c)
Data Processor may cease to provide or Data Controller may agree not to use (temporarily or
permanently) the particular aspect of the Service that would involve the use of such subcontractor with regard
to Data Controller's Personal Data; or
(d)
Data Processor provides Data Controller with a written description of commercially
reasonable alternative(s), if any, to such engagement, including without limitation modification to the
Services. If Data Processor, in its sole discretion, cannot provide any such alternative(s), or if Data
Controller does not agree to any such alternative(s), Data Processor may terminate this Addendum with prior
written notice. Termination shall not relieve Data Controller of any fees owed to Data Processor under the
Agreement.
5.5
If no Data Controller objects, Data Processor may proceed with the appointment or
replacement and that new Subcontractor shall be deemed accepted.
5.6
Data Processor shall ensure that all Subcontractors set out in Schedule 3 (Authorised Subcontractors) have executed confidentiality agreements that
prevent them from unauthorized Processing of Customer Personal Data both during and after their engagement by
Data Processor.
5.7
Data Processor shall ensure that it has a written Addendum in place with all Subcontractors
which contains obligations on the Subcontractor which are no less onerous on the relevant Subcontractor than the
obligations on Data Processor under this Addendum.
6.1
The parties agree to negotiate in good faith modifications to this Addendum if changes are
required for Data Processor to continue to process the Personal Data, as contemplated by this Addendum in
compliance with the Applicable Data Protection Laws, or to address the legal interpretation of the Applicable
Data Protection Laws, including: (i) to comply with the GDPR or any national
legislation implementing it, or the UK GDPR or the DPA, and any guidance on the interpretation of any of their
respective provisions; (ii) if the Controller to Processor Clauses or the
Processor to Processor Clauses, or any other mechanisms or findings of adequacy, are invalidated or amended; or
(iii) if changes to the membership status of a country in the European Union or
the EEA require such modification.
7.1
Termination of this Agreement shall be governed by the Agreement.
8.
Consequences of Termination
8.1
Upon termination of this Agreement in accordance with Clause 7 (Termination), Data Processor shall, at the choice of the Data Controller,
unless the return or destruction violates any applicable laws:
(i)
return to the Data Controller all of the Personal Data and any copies thereof which it is
Processing or has Processed on behalf of the Data Controller; or
(ii)
destroy all Personal Data it has Processed on behalf of the Data Controller after the end of
the provision of services relating to the Processing, and destroy all copies of the Personal Data unless it will
violate applicable law; and
(iii)
in each case cease Processing Personal Data on
behalf of the Data Controller.
9.
Language
9.1
This Addendum is written in the Chinese and English languages. In the event of any inconsistency between the Chinese language
version and the English language version, the English language version shall prevail.
- Processing Details
- LIST OF PARTIES
Data exporter(s) – Data Controller:
- Name: Customer
- Address: See details in Agreement.
- Contact person’s name, position and contact details: See details in Agreement.
- Activities relevant to the data transferred under these Clauses: Processing of Personal Data in relation to the provision of Services.
- Role (controller/processor): Controller
Data importer(s) – Data Processor: Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
- Name: VooV Meeting
- Address: See information in this Addendum.
- Contact person’s name, position and contact details: See information in this Addendum.
- Activities relevant to the data transferred under these Clauses: Processing of Personal Data in relation to the provision of Services.
- Role (controller/processor): Processor
- Processing Operations
The Personal Data Processed by Data Processor will be subject to the following
basic Processing activities:
Data Processor will Process all Personal Data on behalf of Customer for the purposes of
providing the Services in accordance with the Agreement. For the avoidance of doubt, the table below sets out
which categories of Personal Data the Data Controller and Data Processor have technical access to.
Which entity has technical access to the Personal Data?

| Category of Personal Data | Data Controller | Data Processor |
|---|---|---|
| User ID | | |
| If the data subject chooses to share a broadcast via YouTube: the name, email, authentication code and avatar of data subject provided to VooV Meeting by Google | | |
| Country or primary location | | |
| Pictures (profile picture and personalized virtual background) | | |
| Time zone | | |
| IP address | | |
| Device information (device ID, operating system and version, IP address, UDI, battery, audio and video equipment information and system disk storage size) | | |
| Software information (software version number and browser type) | | |
| Communication log (meeting ID, meeting subject, meeting start and end time, personal meeting ID) | | |
| Landline number | | |
| Audio and video quality data (volume and packet loss rate) | | |
| Network status data (status of WiFi/internet connection and whether data subject has authorisation to connect to the Service and its network, including CPU usage, memory usage) (this is not stored by VooV Meeting) | | |
| Network status data (status of connection between data subject’s connecting server and the Service's server, type of operating system used for joining the meeting, network quality (uplink/downlink bitrate, frame rate, resolution, packet loss rate), type of audio input/output and camera used for the meeting (whether it is an external or internal microphone, headset; whether it's a front camera or facetime HD camera)). | | |
| Security related information (device operation system settings, device information including Device ID, model, CPU structure, CPU model, kernel version, resolution) | | |
| Service usage data (how often data subject uses the Service, service default/error information, overall usage data, performance data, and the version of the application) | | |
| Service log information (operational record generated when data subject uses the Service, including device IP address, fault log, software operational data (in case of failure, users can also voluntarily submit log files to the administrating server)) | | |
| Customer support communications (name, mobile phone number, email address, photo (if data subject chooses to upload one to illustrate the error), and details of error) | | |
| Automatic disconnection from a meeting when data subject’s PC screen goes into screensaver or lock screen mode (this is not stored by VooV Meeting) | | |
| Mobile phone locking (this is not stored by VooV Meeting) | | |
| Device name (this is not stored by VooV Meeting) | | |
| Name of data subject’s Bluetooth device (this is not stored by VooV Meeting) | | |
| Sign up source: whether registered user signed up via mobile, PC or web (this is anonymized prior to storage by VooV Meeting) | | |
| Meeting position information: position in meeting layout automatically assigned to data subject and if the spotlighting function is available to meeting host, data subject’s user ID, app ID, tiny ID and platform information (this information is not stored by VooV Meeting) | | |
| Meeting invitation status: whether data subject accepted to join a meeting using meeting invitation that was shared (this is anonymized prior to storage by VooV Meeting) | | |
| Outlook plugin information: nickname and account type, data subject’s existing audio and video configurations when using VooV Meeting, device ID, Android ID, IDFV, UUID, hard disk number, other plugin information (channel from which plugin is downloaded from, plugin version, a randomised plugin number and plugin UID) (this is either not stored or is anonymized prior to storage by VooV Meeting) | | |
| Audio and video data (screen sharing of desktop or a specific window of Data Subject’s desktop, any sound streaming coming from desktop and when using a beauty filter) | | |
| Annotation during screen sharing (contents of any collaborative annotations created during a screen share) | | |
| Live Broadcast Data: userID and enterpriseID (functionality subject to availability) | | |
| YouTube API services: destination URL (for the broadcast), broadcast title, broadcast start time, and all video/audio data contained in the broadcast (e.g. participant video and audio, screen sharing, device audio if selected) | | |
| Drawing board (streaming from drawing board or when using drawing board function) | | |
| Recording Permission Data (if a meeting host grants data subject permission to record a meeting, the recording will be processed and stored on Data Subject’s local device (and it will not be processed or stored on the Data Processor’s servers). However, User ID will be collected in order to grant data subject the permission to record the meeting). | | |
| Caption and Translation data | | |
| Chat contents | | |
| Calendar data (this is not processed or stored by VooV Meeting) | | |
| Blocked meeting participants (User ID of the blocked participants) | | |
| Details of a particular meeting (including the start and end time, subject of meeting, meeting ID and meeting link) | | |
| List of participants of historical meetings by a host user: when the host of the meeting exports the following information in relation to the meeting that it hosted (through the Service’s webpage): a list of the participants, the meeting’s start and end time, subject of meeting, meeting ID, each participant’s start and end time, the duration of its participation in the meeting and room type (i.e. meeting room or waiting room). | | |
| Chat records of historical meetings from chat function (encrypted). This data is only stored on Data Subject’s device, and is not stored on the Data Processor’s servers. | | |
| Sharing meeting invitation (duration, time, and topic of data subject’s meeting and meeting number when meeting details are shared through QQ, WeChat, WeCom, WhatsApp and QQ Mail) | | |
| Login using mobile phone (mobile phone number) | | |
| Single sign on login (userID, username, email, mobile number, Customer’s name and logo and any other personal data which data subject chooses to provide to Customer as login credentials) | | |
| Mobile phone of data subject joining meeting as simultaneous interpreter | | |
Data Subjects
The Personal Data Processed by Data Processor concern the following categories
of Data Subjects:
Individuals about whom Personal Data is provided to VooV Meeting via the Services by (or
at the direction of) Customer or Customer’s end users, which may include without limitation Customer’s
employees, contractors and end users (including end users of the personal version of the Services who are
invited to an enterprise user’s meeting).
Categories of Data
The Personal Data Processed by Data Processor includes the following categories
of data:
Depending on Customer’s use of the Service, Personal Data provided to VooV Meeting via the
Services by (or at the direction of) Customer or Customer’s end users, including but not limited to audio and
video data (including screen sharing), audio and video quality data and chat contents.
Please see “Processing Operations” above for the categories of Personal Data that are processed by Data
Processor on behalf of Customer.
Special Categories of Data (if appropriate)
The Personal Data Processed by Data Processor concern the following special
categories of data:
N/A.
Special categories of data are not required to use the Service. Customer may submit
special categories of data to VooV Meeting, the extent of which is determined and controlled by Customer in its
sole discretion. Such special categories of data include, but may not be limited to, Personal Data with
information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade
union membership, and the processing of data concerning an individual’s health or sex life.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Continuous
Nature of the processing
Organizing, structuring, storing, combining, retrieving, disclosing and other Processing, for the Processing purpose.
Purpose(s) of the data processing / data transfer and further processing
Provision of Services.
Duration of the processing / the period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of the Agreement.
For processing by / transfers to (sub-)processors, also specify subject matter, nature and duration of the processing
See Schedule 3
COMPETENT SUPERVISORY AUTHORITY
Autoriteit Persoonsgegevens
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Description of the technical and organisational security measures implemented by the Data Processor in
accordance with Clauses 4(d) and 5(c) of the Model Clauses:
(a) Data security. Implement:
(i) standards for data categorisation and classification;
(ii) a set of authentication and access control capabilities at the physical, network, system and
application levels; and
(iii) a mechanism for detecting big data-based abnormal behaviour.
(b) Network security. Implement stringent rules on internal network isolation to
achieve access control and border protection for internal networks (including office networks, development
networks, testing networks and production networks) by way of physical and logical isolation.
(c) Physical and environmental security. Stringent infrastructure and environment access controls
for data access based on relevant regional security requirements. An access
control matrix to be established, based on the types of personnel and their respective access privileges, to
ensure effective management and control of access and operations personnel.
(d) Incident management. Operate active and real-time service monitoring,
combined with a rapid response and handling mechanism, that enables prompt detection and handling of security
incidents.
(e) Compliance with standards. Compliance with the following standards:
(i) Information security management system – ISO 27001:2013.
(ii) IT service management – ISO/IEC 20000-1:2011.
(iii) Quality management system – ISO/IEC 9001:2015.
(iv) IT Service Management System – ISO/IEC 27018:2014.
(v) CSA Security, Trust & Assurance Registry (STAR).