On 25 May 2018, a very significant piece of European data protection legislation comes into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.
Voicea is committed to GDPR compliance and the following Data Processing Terms explain how we comply.
Data Processing Terms
These Data Processing Terms (“DPA”) constitute an amendment to the TOU between you and Voicea. The parties agree to comply with the following provisions with respect to any Personal Data (defined below) processed by Voicea for you in connection with the provision of the Services. References to the TOU will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the TOU, the terms of this DPA shall govern.
1. DEFINITIONS
1.1 “Affiliates” means any entity which is controlled by, controls or is under common control with one of the parties.
1.2 “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.3 “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
1.4 “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the TOU, including, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland), to the extent applicable to the Processing of Personal Data under the TOU.
1.5 “Data Subject” means the individual to whom Personal Data relates.
1.6 “Effective Date” shall have the meaning ascribed to such term in Section 11.1.
1.7 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.8 “Personal Data” means any information relating to an identified or identifiable person that is subject to the Data Protection Laws, as specified in Appendix 1.
1.9 “Privacy Shield” means the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce.
1.10 “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
1.11 “Security Breach” has the meaning set forth in Section 7 of this DPA.
1.12 “Sub-processor” means any sub-processor engaged by Voicea for the Processing of Personal Data.
1.13 “Term” means the period from the Effective Date to the date the DPA is terminated in accordance with Section 10.1.
1.14 “Third Party Partner” means any entity engaged by you for the Processing of Personal Data, including those listed here.
2. PROCESSING OF PERSONAL DATA
2.1 To the extent the Services involve the Processing of Personal Data, the parties agree that you are the Data Controller and Voicea is a Data Processor and that the subject matter and details of the processing of such Personal Data are described in Appendix 1. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Voicea shall keep a record of all processing activities with respect to your Personal Data as required under the GDPR.
2.2 Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data, including but not limited to providing the other party with accurate and up-to-date contact details for its Data Protection Officer. You shall, in your use or receipt of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws, and you will ensure that your instructions for the Processing of Personal Data comply with the Data Protection Laws. If Voicea believes or becomes aware that any of your instructions conflict with any Data Protection Laws, Voicea shall inform you. As between the parties, you shall have sole responsibility for determining the legal basis for processing of Personal Data and (to the extent legally required) for obtaining all consents from Data Subjects necessary for the collection and Processing of Personal Data in the scope of the Services.
2.3 The objective of Processing of Personal Data by Voicea is the performance of the Services pursuant to the TOU. During the Term of this DPA, Voicea shall only Process Personal Data on behalf of and in accordance with the TOU and your instructions and shall treat Personal Data as Confidential Information. You instruct Voicea to Process Personal Data for the following purposes: (i) Processing in accordance with the TOU, including but not limited to enabling the artificial intelligence engine powering Voicea’s Services to improve its recognition and understanding of your speech patterns and vocabulary; and (ii) Processing to comply with other reasonable instructions provided by you where such instructions are acknowledged by Voicea as consistent with the terms of the TOU. Voicea may Process Personal Data other than on your instructions if it is mandatory under applicable law to which Voicea is subject. In this situation, Voicea shall inform you of such a requirement unless the law prohibits such notice. Both parties agree that your instructions may include you directing Voicea to send data to one or more Third Party Partner(s) for further processing.
3. RIGHTS OF DATA SUBJECTS; DATA DELETION
3.1 Voicea shall provide reasonable and timely assistance to you to enable you to respond to: (i) any request from a Data Subject to exercise any of its rights under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject in connection with the processing of the Data.
4. VOICEA PERSONNEL
4.1 Voicea shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.
4.2 Voicea will take appropriate steps to ensure compliance with the Security Measures (defined below) by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process your Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Voicea.
4.3 Voicea shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Services.
5. SUB-PROCESSORS
5.1 You acknowledge and agree that Voicea may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services Voicea has retained them to provide, and are prohibited from using Personal Data for any other purpose. Voicea will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in this DPA.
5.2 A list of Sub-processors is available to you by request. Please email [email protected] to request access. Voicea may change the list of such Sub-processors by giving no less than 5 business days’ notice via the Voicea user interface. If you object to Voicea’s change in such Sub-processors, your sole and exclusive remedy is to delete your Voicea account.
5.3 Voicea shall be liable for the acts and omissions of its Sub-processors to the same extent Voicea would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the TOU.
5.4 You acknowledge and agree that Third Party Partners are not Sub-processors and Voicea assumes no responsibility or liability for the acts or omissions of such Third Party Partners.
6. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS
6.1 Voicea shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of your Personal Data. Voicea will implement and maintain technical and organizational measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”, available to those with login credentials). As described in Appendix 2, the Security Measures include measures to protect Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Voicea’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. Voicea may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
6.2 Voicea will (taking into account the nature of the processing of your Personal Data and the information available to Voicea) assist you in ensuring compliance with any of your obligations with respect to the security of Personal Data and Personal Data breaches under the GDPR, including (if applicable) your obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Appendix 2; and (b) complying with the terms of Section 7 of this DPA.
6.3 No more than once per year, you may engage a mutually agreed upon third party to audit Voicea solely for the purposes of meeting your audit requirements pursuant to Article 28, Section 3(h) of the General Data Protection Regulation (“GDPR”). To request an audit, you must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to [email protected]. The auditor must execute a written confidentiality TOU acceptable to Voicea before conducting the audit. The audit must be conducted during regular business hours, subject to Voicea’s policies, and may not unreasonably interfere with Voicea’s business activities. Any audits are at your expense.
6.4 Any request for Voicea to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. You shall reimburse Voicea for any time spent on any such audit at the rates agreed to by the parties. Before the commencement of any such audit, you and Voicea shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which you shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Voicea.
6.5 You shall promptly notify Voicea with information regarding any non-compliance discovered during the course of an audit.
7. SECURITY BREACH MANAGEMENT AND NOTIFICATION
7.1 If Voicea becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any of your Personal Data transmitted, stored or otherwise Processed on Voicea’s equipment or facilities (“Security Breach”) which, in the reasonable opinion of Voicea’s Data Protection Officer, requires such notification, Voicea will promptly notify you of the Security Breach. Notifications made pursuant to this section will describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and steps Voicea recommends you take to address the Security Breach.
7.2 You agree that an unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access to your Personal Data or to any of Voicea’s equipment or facilities storing your Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
7.3 Notification(s) of Security Breaches, if any, will be delivered to your business, technical or administrative contacts by any means Voicea selects, including via email. It is your sole responsibility to ensure that you maintain accurate contact information on Voicea’s support systems at all times.
7.4 Voicea’s notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by Voicea of any fault or liability with respect to the Security Breach.
7.5 Voicea shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect of your Personal Data. As technical and organisational measures are subject to technological development, Voicea is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Law.
7.6 You acknowledge and agree that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of your Personal Data as well as the risks to individuals) the Security Measures provide a level of security appropriate to the risk in respect of your Personal Data.
8. RETURN AND DELETION OF YOUR DATA
8.1 Voicea will enable you to delete your Data during the Term in a manner consistent with the functionality of the Services. If you use the Services to delete any of your data during the Term such that your Data cannot be recovered by you, this use will constitute an instruction to Voicea to delete the relevant Personal Data from Voicea’s systems in accordance with Data Protection Laws. Voicea will comply with instructions from you to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
On expiry of the TOU, you instruct Voicea to delete all of your Personal Data (including existing copies) from Voicea’s systems and discontinue processing of such data in accordance with Data Protection Law. Voicea will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that Voicea has archived your Personal Data on back-up systems, so long as Voicea securely isolates and protects such data from any further processing except to the extent required by applicable law. Without prejudice to this Section, you acknowledge and agree that you will be responsible for exporting, before the TOU expires, any of your Personal Data you wish to retain afterwards. Notwithstanding the foregoing, the provisions of this DPA will survive the termination of the TOU for as long as Voicea retains any of your Personal Data.
9. CROSS-BORDER DATA TRANSFERS, PRIVACY SHIELD
9.1 Voicea may, subject to this Section 9, store and process the relevant Personal Data in the European Economic Area and the United States.
9.2 Voicea has self-certified to and complies with the Privacy Shield, and Voicea shall maintain its self-certification to and compliance with the Privacy Shield with respect to the Processing of Personal Data that is transferred from the European Economic Area or Switzerland to the United States.
9.3 At your written request, or if the Services involve the storage and/or processing of your Personal Data which involves transfers of Personal Data out of the European Economic Area to a jurisdiction other than the United States that does not have adequate data protection laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the parties agree that the Standard Contractual Clauses for Processors in the form approved by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as amended or updated from time to time) (“Standard Contractual Clauses”) will apply and such Standard Contractual Clauses shall be incorporated by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between you and Voicea, you agree that you are a data controller and “data importer” and Voicea is the data processor and “data exporter” under the Standard Contractual Clauses. Further, Appendixes 1 and 2 of this DPA will take the place of Appendixes 1 and 2 of the Standard Contractual Clauses respectively.
9.4 To the extent you are the recipient of Personal Data from Voicea pursuant to this DPA, you agree that you will provide at least the same level of protection for the information as is available under the Privacy Shield framework or Model Contractual Clauses.
10. LIABILITY
10.1 Both parties agree that their respective liability under this DPA shall be apportioned according to each party’s respective responsibility for the harm (if any) caused by that party.
10.2 Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the TOU relating to liability (including any specific exclusions from any limitation of liability).
11. MISCELLANEOUS
11.1 This DPA will take effect on May 24, 2018 or the date you are bound by the TOU (whichever is later, the “Effective Date”) and will remain in effect until, and automatically expire upon, the deletion of all of your Personal Data by Voicea as described in this DPA.
11.2 Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
11.3 Where your Affiliates are Data Controllers of the Personal Data, they may enforce the terms of this DPA against Voicea directly.
11.4 This DPA may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one TOU.
Appendix 1: Subject Matter and Details of the Data Processing
Data exporter
The data exporter is you (i.e., the meeting Host as defined in the TOU).
Data importer
The data importer is VOICEA, INC., a company focussed on enabling meeting Hosts (i.e., you) to record, transcribe and store the output of a meeting, including the content, participants and any documentation associated with that meeting (the “Meeting Record”).
Data subjects
The personal data transferred concern the following category of data subjects: Hosts and meeting participants as outlined in the TOU.
Categories of data
The personal data transferred concern the following categories of personal data: data provided by the Host and meeting participants in order for the data importer to provide the Services as described under the TOU, including: name and last name; e-mail; telephone number; the Meeting Record; IP address and log file data; product preference information; and payment and banking details (from you only).
Processing operations
Appendix 2
Overview of Voicea’s Technical and Operational Security Measures
- Physical Access Controls: Voicea’s hosting sub-processors are contractually bound to ensure no unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems.
- Electronic Access Control: Voicea’s systems are designed to prevent unauthorised use of our data processing and storage systems. We also utilize (secure) passwords, automatic blocking/locking mechanisms and two-factor authentication.
- Internal Access Control (i.e., permissions for user rights of access to and amendment of data): We create and maintain strict Access Control Lists (ACLs). All incoming requests to our systems seeking access to personal data are authenticated to prevent unauthorised reading, copying, changes or deletions of data within the system. Each user and subsystem has access to the minimal set of resources it requires to function and no more (i.e., least privilege). We also log and audit system access events.
- Data Transfer Controls: All data is encrypted in transit and at rest. Over-the-wire encryption uses RSA 2048-bit keys. At rest, we encrypt files using the 256-bit Advanced Encryption Standard (AES-256); we utilize some of the strongest block ciphers and encryption techniques available. We store our recordings on Amazon S3, where they are protected using server-side encryption and transferred over a secure TLS connection. Our metadata are stored in databases at our hosting providers, which are also encrypted at rest and with which we communicate over secure connections.
- Data Entry Control: Our systems contain access logs to enable us to verify whether and by whom personal data is entered into our systems – or is changed or deleted.
- Local Devices & Corporate Network: Our employees’ machines are password-protected and the storage devices we use are encrypted; our corporate network sits behind a firewall and a VPN.
3. Data Center
- Infrastructure: Voicea utilizes geographically distributed data centers.
- Redundancy: Voicea infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated risks. Most services have been designed to allow Voicea to release enhancements or corrective maintenance without service interruption. Maintenance is scheduled through a process according to internal policies.
- Server Operating Systems: Most Voicea servers use a Linux-based implementation. Data is stored using algorithms which secure the data in order to enhance all products in production environments.
- Personnel Security: Voicea personnel are required to conduct themselves in a manner consistent with the company’s guidelines, professional standards, ethics and confidentiality requirements. Voicea employees are contractually bound to confidentiality. Personnel handling customer data are required to have a higher level of knowledge, authorization, and training regarding such access.
- Sub-processor Security: From time to time Voicea will employ carefully selected data Sub-processors. Voicea conducts diligence on the business suitability, reputation, and technical skills of our Sub-processors. Once Voicea has assessed the suitability of a Sub-processor, Voicea subjects it to the minimum security requirements for a Voicea Sub-processor.
4. Availability and Resilience
- Availability Control: Prevention of accidental or willful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning.
- Rapid Recovery: Voicea replicates data over multiple systems to help to protect against accidental destruction or loss. Voicea has designed and regularly plans and tests its business continuity planning/disaster recovery programs.
5. Procedures for regular testing, assessment and evaluation
- Data Protection Management: Voicea maintains an information security program which includes internal policies and procedures designed to secure data against accidental or unlawful loss, access or disclosure, identify security threats to and unauthorized access to our systems, and minimize security risks, including through risk assessment and regular testing.
- Penetration Testing: At Voicea, ensuring a culture of cybersecurity and hygiene is crucial to protect our users and their data. We work with skilled security researchers and white-hat hackers to identify security issues.
- Cyber Hygiene: The security-first culture we’re fostering at Voicea starts with our individual commitment to cyber hygiene (personal and professional accounts alike).
- Passwords: All employees protect their accounts using strong passwords, the most critical of which are required to be updated regularly, and we employ multifactor authentication (MFA).
- Local Devices & Corporate Network: Our employees’ machines are password-protected and the storage devices we use are encrypted; our corporate network sits behind a Unified Threat Management firewall and a VPN.
- Incident Response Management: Voicea has an incident response plan and monitors a variety of communication channels for security incidents, and our security personnel will react promptly to known incidents.
- Incident Response Communications: Any security event that materially impacts our customers will result in a customer notification through an account team.
- Order or Contract Control: All data processing via Integration Partners is done solely at the request of each client, and no data processing operations may take place without instructions from each client. Voicea takes reasonable steps to evaluate the privacy and security practices of each Sub-processor, and each Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms with Voicea.