Vimeo OTT Data Processing Agreement
Last Updated: February 25, 2024
Pursuant to the Vimeo OTT Services Agreement entered into between Vimeo OTT and Producer, Vimeo OTT processes Personal Data relating to Producer Customers in providing the Vimeo OTT Services. This Data Processing Agreement (“DPA”) sets forth the parties’ rights and obligations under data protection laws with respect to such data.
In the event of any inconsistency with the terms of this DPA and any other agreement between the parties, the terms of this DPA shall prevail. If there is any conflict between the Standard Contractual Clauses and the terms of this DPA, the Standard Contractual Clauses shall prevail.
1. Definitions
- “Applicable Privacy and Data Protection Laws” means collectively all national, federal, state, provincial and local privacy and data protection laws and regulations that apply to the parties with regard to the processing of Personal Data in connection with the Vimeo OTT Services Agreement, including, only to the extent applicable and when legally effective (including those that come into effect after the “Last Updated” date above): Brazil’s Lei Geral de Proteção de Dados (“LGPD”), the California Consumer Privacy Act (including as amended by the California Privacy Rights Act of 2020) (“CCPA”), the Colorado Privacy Act (“CPA”), the Virginia Consumer Data Protection Act (“CDPA”), the Utah Consumer Privacy Act (“UCPA”), and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“CTPA”) and the regulations promulgated under any of the foregoing; Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); the European Union’s General Data Protection Regulation (“GDPR”); Japan’s Act on the Protection of Personal Information (“APPI”); Switzerland’s Federal Act on Data Protection (“FADP”); and the United Kingdom’s General Data Protection Regulation (“UK GDPR”).
- “Business Purpose” means the enumerated Business Purposes set forth in Cal. Civ. Code section 1798.140(d)(1)-(7) and, on or after January 1, 2023, Cal. Civ. Code section 1798.140(e)(1)-(8) that are applicable to the Vimeo OTT Services.
- “Controller” means the party that controls the purposes and means of processing, and shall include ‘controller’, ‘business’, and other similar terms under Applicable Privacy and Data Protection Laws.
- “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK-U.S. extension to the EU-U.S. Data Privacy Framework and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce.
- “Data Subject” means ‘data subject’, ‘consumer’, or similar terms under Applicable Privacy and Data Protection Laws.
- “Personal Data” means all data which is defined as ‘personal data’, or ‘personal information’, or similar terms under Applicable Privacy and Data Protection Laws.
- “Producer” means a Vimeo OTT customer that uses the Vimeo OTT Services to deliver Producer’s video content to Producer Customers.
- “Processor” means a party that processes Personal Data on behalf of another party, and shall include ‘processor’, ‘service provider’ and other similar terms under Applicable Privacy and Data Protection Laws.
- “Producer Customer” means a Data Subject who has subscribed to or otherwise purchased Producer’s video service through the Vimeo OTT Services.
- “Producer Customer Data” means the Personal Data of Producer Customers that is submitted to Vimeo OTT in connection with the OTT Services. Producer Customer Data does not include Personal Data collected by Vimeo OTT outside of the Vimeo OTT Services.
- “Restricted Transfer” means: (i) where the GDPR or FADP applies, a transfer of Personal Data from the European Economic Area or Switzerland (as applicable) to a country outside of the European Economic Area or Switzerland (as applicable) which is not subject to an adequacy determination by the European Commission or Swiss Federal Data Protection and Information Commissioner (as applicable); and (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018. A transfer of Personal Data to the United States pursuant to the Data Privacy Framework shall not be a Restricted Transfer.
- “Sensitive Data” means ‘sensitive personal information’, ‘sensitive data’, ‘special categories of personal data’, or Personal Data similarly classified under Applicable Privacy and Data Protection Laws.
- “Standard Contractual Clauses” means the standard contractual clauses approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, populated in accordance with Section 8 of this DPA. For processing of Personal Data that is subject to UK GDPR, the Standard Contractual Clauses also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), populated in accordance with Section 8 of this DPA.
- “Vimeo OTT” means, for the purpose of this DPA, Vimeo.com, Inc.
- “Vimeo OTT Services” means the video hosting and streaming platform applicable services provided by Vimeo OTT pursuant to the Vimeo OTT Services Agreement and any associated Order Form or Statement of Work.
- “Vimeo OTT Services Agreement” means the Seller Addendum to the Vimeo Terms of Service Agreement, available at https://vimeo.com/selleraddendum as well as the Vimeo Terms of Service Agreement, available at https://vimeo.com/terms, unless there is a separately negotiated agreement for Vimeo OTT Services between you and Vimeo OTT, then “Vimeo OTT Services Agreement” means that agreement.
- “Vimeo OTT Policies” mean internal information security policies, including applicable retention schedules.
- The terms "commercial purpose," “personal data breach,” “process,” "sell," "share" and their cognates shall have the same meaning as under Applicable Privacy and Data Protection Laws.
2. Roles
2.1. The parties agree that with respect to processing Producer Customer Data in the provision of the Vimeo OTT Services, Producer is the Controller, and Vimeo OTT is the Processor.
2.2. Producer acknowledges and agrees that notwithstanding Section 2.1, Vimeo OTT and its affiliates may collect and process Personal Data directly from Data Subjects in their capacity as users of other Vimeo OTT services. Though these Data Subjects may also be Producer Customers, Vimeo OTT acts as a Controller for Personal Data collected or submitted outside of the Vimeo OTT Services, which is not Producer Customer Data.
2.3. The parties agree and acknowledge that the subject matter and details of processing are set out in Annex I.
3. Terms of Processing by Vimeo OTT
3.1. Vimeo OTT will:
3.1.1. Process Producer Customer Data for the provision of the Vimeo OTT Services to Producer according to the written instructions set forth in the Vimeo OTT Services Agreement or as otherwise instructed by Producer;
3.1.2. Process CCPA ‘personal information’ only for a Business Purpose or as otherwise permitted under Applicable Data Protection Laws;
3.1.3. Ensure that anyone acting on its behalf will process Producer Customer Data according to the provisions of this DPA and Applicable Data Protection Laws, and is bound by an appropriate obligation of confidentiality;
3.1.4. Notify Producer if Vimeo OTT becomes aware of circumstances which would prevent it from fulfilling Producer’s instructions or the obligations of this DPA, including any Schedules;
3.1.5. Notify Producer if Vimeo OTT becomes aware that any law or regulation applicable to it prevents it from fulfilling the instructions received from Producer and its obligations under this DPA, including any Schedules;
3.1.6. Notify Producer within the time period required by Applicable Privacy and Data Protection Laws if it determines it can no longer meet its obligations under Applicable Privacy and Data Protection Laws, and allow Producer to take reasonable and appropriate steps to stop and remediate unauthorized processing of Producer Customer Data;
3.1.7. Upon Producer’s request, provide information to reasonably enable Producer to conduct and document data protection assessments; and
3.1.8. To the extent required by Applicable Privacy and Data Protection Law, and not more than once annually, allow and cooperate with reasonable assessments by Producer or its designated assessor (or if mutually agreed and at Vimeo OTT’s expense, Vimeo’s qualified assessor), to conduct an assessment of Vimeo’s policies and technical and organizational measures in support of the obligations under Applicable Privacy and Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and subject to reasonable access and confidentiality restrictions. If Vimeo OTT engages its own assessor, it shall provide a summary report to Producer upon request, which shall satisfy Vimeo OTT’s obligations under this Section 3.1.8.
3.2. Subject to Section 3.1.1, Vimeo OTT will not:
3.2.1. Sell or share the Producer Customer Data;
3.2.2. Retain, use or disclose the Producer Customer Data for any purpose other than providing the Vimeo OTT Services, the Business Purposes, or another purpose permitted under Applicable Data Protection Laws;
3.2.3. Retain, use or disclose the Producer Customer Data outside of the direct business relationship between Producer and Vimeo OTT without first obtaining the prior written agreement of Producer; or
3.2.4. Combine Producer Customer Data with Personal Data Vimeo OTT receives from other customers.
4. Terms of Processing by Producer
Producer will:
4.1. Collect, use and process Producer Customer Data in accordance with all Applicable Data Protection Laws;
4.2. Have primary responsibility for the accuracy, quality, and legality of Producer Customer Data and the means by which it was obtained, including where applicable, any notice obligations or necessary consents to lawfully process personal data, including Sensitive Data, under Applicable Data Protection Laws; and
4.3. Process Producer Customer Data in accordance with published Privacy Policies, whether such policies are furnished by Vimeo OTT or Producer. In the event Producer’s processing is inconsistent with the Vimeo OTT-provided Privacy Policy, Producer must provide its own Privacy Policy which provides sufficient notice of all processing activities being conducted by Producer and Vimeo OTT.
5. Security & Compliance
5.1. Vimeo OTT shall implement reasonable technical, organizational and security measures to protect the privacy and security of the Producer Customer Data.
5.2. Vimeo OTT shall assist Producer, within reasonable timetables, by the appropriate measures and as reasonably possible (considering the nature of the processing and the information available to us), in complying with its obligations under Articles 32 to 36 of the GDPR.
5.3. Any storage and/or transfer of Producer Customer Data by Producer to any third party or platform other than Vimeo OTT shall be at the sole risk and responsibility of Producer.
5.4. If Vimeo OTT becomes aware of any personal data breach affecting Producer Customer Data, Vimeo OTT will, without undue delay, provide notification to Producer in accordance with applicable regulations. Vimeo OTT’s notification of a personal data breach will not be deemed as an acknowledgement by Vimeo OTT of any fault or liability with respect to such incident. In the event of a personal data breach, Producer shall be obligated to take the measures required under applicable laws in connection with its Producer Customer Data. Where requested, Vimeo OTT will assist Producer with communicating with regulators regarding the personal data breach.
5.5. Upon reasonable written request, Vimeo OTT will make available to Producer information necessary to demonstrate compliance with its obligations under this DPA and applicable law.
6. Sub-processors
6.1. Producer consents to Vimeo OTT’s continued use of the sub-processors listed in Annex III.
6.2. Producer hereby grants Vimeo OTT general authorization to change, or engage new sub-processors without obtaining any further written, specific authorization from Producer. Vimeo OTT will notify Producer of any change or addition in sub-processors by updating Annex III and/or providing notification by email. If Producer objects to any sub-processing by Vimeo OTT, Producer should immediately discontinue its use of the Vimeo OTT Services.
6.3. Vimeo OTT shall execute an agreement with each sub-processor with terms ensuring at least the same level of protection and security as those set out in this DPA. Subject to the limitation of liability set forth in the Vimeo OTT Services Agreement, Vimeo OTT shall be responsible for all acts and omissions of any sub-processor who is processing Producer Customer Data.
7. Individual Rights Requests
7.1. Producer hereby instructs and authorizes Vimeo OTT to respond directly to verifiable individual rights requests under Applicable Data Protection Laws related to Producer Customer Data in Vimeo OTT’s possession, custody or control.
7.2. Vimeo OTT will notify Producer when it receives an individual rights request for erasure or access to information relating to Producer Customer Data. It is Producer’s responsibility to supplement such request with any data or information not available to Vimeo OTT, to the extent the provision of such supplemental information is required by law.
8. International Transfers
8.1. Restricted Transfers. Producer understands and agrees that Vimeo OTT operates the Vimeo OTT Service primarily from the United States and as such, Producer Customer Data will be transferred from Producer’s location and/or the applicable Data Subject’s location to Vimeo OTT in the United States. Where Producer Customer Data is the subject of a Restricted Transfer, Vimeo OTT will ensure such transfers are made in compliance with Applicable Privacy and Data Protection Law by relying on the Standard Contractual Clauses, which are hereby incorporated into this DPA, and which are deemed to be completed, populated and incorporated as outlined in this Section 8.1.
8.1.1. For Restricted Transfers protected by the GDPR or UK GDPR, the Standard Contractual Clauses will apply completed as follows:
- Clause 7: the optional clause is included;
- Clause 11(a): the optional clause is disregarded;
- Clause 13(a): For the competent supervisory authority, insert the Bavarian Data Protection Authority;
- Clause 17: the governing law shall be that of the Republic of Germany;
- Clause 18: any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Munich, Germany; and
- Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
8.1.2. For Restricted Transfers protected by the FADP, the Standard Contractual Clauses, completed as set out above in Section 8.1.2 shall apply, except that:
- The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner;
- Clause 17: the governing law shall be the laws of Switzerland;
- References to “Member State(s)” shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the Standard Contractual Clauses in Switzerland; and
- References to the “General Data Protection Regulation” in the Standard Contractual Clauses shall be understood to be references to the Swiss FADP.
8.1.3. Producer and Vimeo OTT agree that signature of an Order Form will constitute and have effect as signature of Annex IA and Annex II of the Standard Contractual Clauses in relation to any Restricted Transfers that are required in relation to the Vimeo OTT Services to which that Order Form relates, and which are set out in a relevant, fully and appropriately populated version of Annex I, Annex II and Annex III (below) to the Standard Contractual Clauses, together (where applicable) with the UK Addendum.
8.2. Data Privacy Framework. Producer acknowledges that Vimeo OTT complies with the Data Privacy Framework and that transfers of Producer Customer Data to Vimeo OTT made under the Data Privacy Framework shall not be a Restricted Transfer. If Vimeo OTT’s Data Privacy Framework certification lapses, or the Data Privacy Framework is invalidated, transfers of Producer Customer Data shall immediately be considered a Restricted Transfer, and the provisions of Section 8.1 will apply.
8.3. If Vimeo OTT receives an order from any third party for compelled disclosure of Producer Customer Data that has been transferred using the Standard Contractual Clauses, Vimeo OTT will:
8.3.1. Use every reasonable effort to redirect the third party to request the data directly from Producer;
8.3.2. Promptly notify Producer, unless prohibited by law;
8.3.3. Request a reasonable extension of time from the third party to allow Producer to evaluate the request; and
8.3.4. Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies or conflicts with the laws of the EU, Switzerland, UK, or applicable EU member state law.
If, after exhausting these steps, Vimeo OTT remains compelled to disclose Producer Customer Data to a third party, Vimeo OTT will disclose only the minimum necessary to satisfy the request.
9. Term and Termination
9.1. This DPA shall be in effect for as long as such Producer uses any of the Vimeo OTT Services, provided however, that where Vimeo OTT is obligated, according to the terms of this DPA or any Vimeo OTT Policies, to keep Producer Customer Data following the termination of the Vimeo OTT Services, this DPA shall continue to be in effect for as long as Vimeo OTT holds such data.
9.2. Upon termination or expiration of the Vimeo OTT Services Agreement, and unless Vimeo OTT has a lawful basis to retain such Producer Customer Data under applicable law, Vimeo OTT shall delete the Producer Customer Data as soon as reasonably practicable in accordance with Vimeo OTT Policies and applicable laws.
9.3. Vimeo OTT shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time-to-time, in order to comply with any applicable laws or regulations.
9.4. Any questions regarding this DPA or requests from Producers to fulfill individual rights requests should be addressed to [email protected]. Vimeo OTT will attempt to resolve any complaints regarding the use of Producer Customer Data in accordance with this DPA and Vimeo OTT Policies.
ANNEX I
Details of the processing
A. LIST OF PARTIES
Data exporter(s):
- Data Exporter is the company identified in the Vimeo OTT Services Agreement.
- Role (controller/processor): Controller
Data importer(s):
- Name: Vimeo.com, Inc. (“Vimeo” or “Vimeo OTT”)
- Address: 330 West 34th Street, 5th Floor, New York, New York 10001
- Contact person’s name, position and contact details: Aleah Vickers, Data Protection Officer. [email protected]
- Activities relevant to the data transferred under these Clauses: In accordance with the Vimeo OTT Services Agreement and associated Order Form agreed upon between Data Exporter and Data Importer.
- Signature and date: According to Vimeo OTT Services Agreement.
- Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
- Subject matter. The subject matter of the data processing under this DPA is Producer Customer Data.
- Nature of the processing. Vimeo OTT processes Producer Customer Data to provide the Vimeo OTT Services, including such features and functionalities initiated by Producer. This includes:
  - Producer uploading, hosting, managing, and streaming video content to Producer Customers;
  - Processing transactions by Producer Customers and fulfilling orders made by such Producer Customers;
  - Providing customer support to Producer Customers; and
  - Providing all other features and functionality offered by the Vimeo OTT Services that Producer chooses to use.
- Duration. The duration of the processing is equal to the duration of Producer’s use of the Vimeo OTT Services.
- Purpose. The purpose of the processing is the provision of the Vimeo OTT Services initiated by Producer.
C. COMPETENT SUPERVISORY AUTHORITY
Bavarian Data Protection Authority
ANNEX II
Technical and Organizational Measures to Ensure the Security of the Data
Vimeo maintains internal Information Security and Privacy Policies, which are approved annually and must be reviewed and accepted by all Vimeo employees. These policies include standards for information security management as required by the EU's General Data Protection Regulation (GDPR), Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Security Trust Principles of SOC 2 Type 2 and other privacy or data security laws, regulations, or standards. The following spotlight controls demonstrate Vimeo’s information security framework:
Governance
Vimeo’s security program is based on the concept of defense in depth: securing our organization and user data at every stage. Our security program is aligned with ISO (International Standards Organization) 27001 and NIST (National Institute of Standards and Technology) standards, and is constantly evolving with updated guidance and new industry best practices. Vimeo maintains a dedicated security team led by Vimeo’s Chief Information Security Officer, who is responsible for the implementation and management of our security program.
Vimeo maintains and implements a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. The program applies to Vimeo’s employees, contractors, and suppliers. Vimeo maintains a process to monitor and enforce program compliance and log program violations.
Security Awareness Training
Vimeo provides annual security training to its personnel on relevant threats and business requirements such as social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting.
Incident Response and Disaster Recovery
Vimeo has established incident response plans and procedures that set forth guidelines for effectively detecting, responding to, mitigating, and recovering from security incidents within the organization, ensuring minimal impact on operations and safeguarding sensitive data. They include processes for incident preparation, detection/analysis, containment, eradication, recovery, remediation and communications to customers where necessary.
Vulnerability Management
Vimeo maintains a process to timely identify and remediate system, device, and application vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the security of customer data. Vimeo aims to mitigate critical vulnerabilities within 7 days of discovery. High risk vulnerabilities are mitigated within 30 days of discovery.
Malware defenses
Vimeo deploys endpoint detection and response and anti-malware software on workstations and servers to control, detect and remediate the installation, spread, and execution of malicious code.
Data Retention
Vimeo users are given tools within their account settings to delete user-submitted account data (including videos, comments, group participation and channel participation). Vimeo hard deletes user-submitted account data within a reasonable time following a deletion request or account closure.
Encryption
Vimeo encrypts customer data at rest and in transit across open networks in accordance with industry best practices. For encryption at rest, AES-128 or stronger is used. For encryption in transit, TLS 1.2 or higher is used.
Firewalls
Vimeo maintains and configures firewalls to protect systems containing customer data from unauthorized access. Vimeo reviews firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
Access Control
Vimeo adheres to the principles of least privilege and role-based permissions when provisioning Vimeo system access. Employees are only permitted to access data that they reasonably must handle in order to fulfill their job roles and responsibilities. User access certifications are conducted on a quarterly basis.
Security Testing
Vimeo conducts internal and external penetration testing of systems to identify vulnerabilities and attack vectors that can be used to exploit those systems. Identified vulnerabilities are addressed as part of Vimeo’s vulnerability management program. Vimeo also leverages support from the security community through HackerOne Bug Bounty programs.
Vendor Management
Vimeo conducts an information security review of all vendors that will access personal data, and imposes heightened data security requirements for vendors which have access to Vimeo’s critical systems. This review includes both initial onboarding and annual recertification.
ANNEX III
Vimeo OTT Subprocessors
Last Updated: February 25, 2024
- Akamai Technologies, Inc.
- Avalara, Inc.
- Amazon Web Services, Inc.
- Cloudflare, Inc.
- Datadog, Inc.
- Fastly, Inc.
- Functional Software, Inc. (Sentry)
- Google LLC (Google Analytics + Google Cloud)
- Intuition Machines, Inc. (hCaptcha)
- salesforce.com, inc. (Heroku)
- Intertrust Cloud Services Corporation
- Mailgun, Inc.
- Mux, Inc.
- Redis Ltd.
- Stripe Inc.
- Tipalti Solutions Ltd.
- Zendesk, Inc.