Data Processing Addendum

This Data Processing Addendum (the “Addendum”) is incorporated into, and is subject to the terms and conditions of, the Dolby Media Terms of Service (the “Terms”) entered into by the entities identified as “Dolby” and “Customer” (collectively referred to as the “Parties”) in those Terms. This Addendum sets forth the terms and conditions relating to the Processing of Personal Data by Dolby on behalf of Customer in connection with Customer’s use of the Platform pursuant to the Terms.

I. Definitions

(A) “Data Protection Law” means applicable laws and regulations relating to the privacy, confidentiality, security or protection of Personal Data, including, without limitation: the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) and its implementing regulations; the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and laws or regulations implementing or supplementing the e-Privacy Directive, including laws regulating the use of cookies, other tracking mechanisms and unsolicited e-mail communications.

(B) “Instructions” means this Addendum, the Agreement and any further written agreement entered into by the Parties through which Customer instructs Dolby to perform specific Processing of Personal Data.

(C) “Personal Data” means any information that relates to an identified or identifiable individual, or is otherwise subject to Data Protection Law, that Customer discloses or provides to Dolby in connection with the use of Dolby’s services pursuant to the Agreement and that Dolby Processes on behalf of Customer in connection with Customer’s use of the Platform pursuant to the Terms. Any data that is in aggregated, de-identified or anonymized form will not constitute Personal Data.

(D) “Sub-Processor” means an entity engaged by Dolby to Process Personal Data on behalf and under the authority of the Data Controller.

(E) “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data Breach”, “Process”, “Processed”, and “Processing” shall have the meaning ascribed to them in the GDPR.

(F) “Business”, “Sell” and “Service Provider” shall have the meanings ascribed to them in the CCPA.

II. Roles and Responsibilities of the Parties

(A) The Parties acknowledge and agree that Customer is acting as a Data Controller and Business with respect to the Processing of Personal Data Processed under this Addendum, and Dolby is acting as a Data Processor and Service Provider on behalf and under the Instructions of Customer. Dolby understands and agrees that it will not (1) Sell Personal Data, or (2) retain, use or disclose Personal Data for any purpose other than the performance of the services and otherwise for fulfilment of its obligations under the Agreement, or as required or permitted by applicable law.

(B) Customer represents and warrants that: (1) all Personal Data has been obtained by Customer and disclosed to Dolby in compliance with applicable law; (2) Customer has all rights and permissions and a lawful basis to use and disclose Personal Data for the purposes contemplated by the Agreement; and (3) all Instructions to Customer concerning the Processing of Personal Data will comply with applicable law.

(C) The Parties acknowledge and agree that Dolby may aggregate, de-identify and/or anonymize Personal Data as part of the services for analytics purposes and improving Dolby’s products and services.

III. Obligation of Dolby

Dolby agrees to:

(A) Process Personal Data in accordance with the Customer’s Instructions, as set forth in the Agreement, including this Addendum, unless Dolby is otherwise required by applicable law. To the extent permitted by applicable law, Dolby shall inform Customer in advance if, in Dolby’s opinion, other Processing is required by law or an Instruction infringes applicable law.

(B) Comply with Data Protection Law in its capacity as a Data Processor or Service Provider to Customer.

(C) Ensure that personnel authorized by Dolby to Process Personal Data in the context of the services are subject to a duly enforceable contractual or statutory confidentiality obligation.

(D) Inform Customer promptly of any formal written request made to Dolby from Data Subjects exercising their rights under Data Protection Law. To the extent permitted by applicable law, Dolby shall provide appropriate and reasonable support to Customer in fulfilling Customer’s obligations to respond to such requests from Data Subjects with respect to Dolby’s Processing of their Personal Data.

(E) Taking into account the nature of Processing and information available to Dolby, reasonably assist Customer in complying with its obligations under Data Protection Law, in particular Customer’s obligation to implement appropriate data security measures, to carry out a data protection impact assessment, and to consult the competent supervisory authority or other regulatory agency, provided that such assistance does not violate applicable law or confidentiality or contractual obligations.

IV. Data Transfers

(A) Where Dolby transfers Personal Data to a jurisdiction outside the EEA, United Kingdom or Switzerland, Dolby shall transfer the Personal Data in accordance with Data Protection Law. To the extent that the GDPR applies to Personal Data and such data originates from the European Economic Area, then, to the extent required to comply with GDPR, the Parties agree that the use of such Personal Data is subject to the Standard Contractual Clauses annexed to Commission Decision 2010/87/EU. For these purposes, Dolby is the “data importer” and Customer is the “data exporter” as defined in the Clauses. The data subjects, categories of data, and purposes of processing are as set forth in Annex I.

V. Sub-Processing

(A) Customer shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to a Sub-Processor, unless Customer has authorized Dolby to do so.

(B) Customer hereby authorizes the Sub-Processors listed in Annex I to Process Personal Data. To the extent required by Data Protection Law, when any new Sub-Processor is engaged, Dolby shall give Customer written notice of the engagement at least 30 days prior to the new Sub-Processor Processing Personal Data. Dolby may provide such notice to Customer by updating the list of Sub-Processors located on its website voxeet.com.

(C) Customer may object to the engagement of a new Sub-Processor by terminating the Agreement, provided that the grounds for such objection are reasonable and based on compliance with Data Protection Laws and Customer sends written notice of termination to Dolby within 10 days of Dolby providing notice of the new Sub-Processor pursuant to section V(B). Any termination under this section shall be deemed to be without fault by either Party and shall be subject to the terms of the Agreement. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Sub-Processor.

(D) Where Dolby engages a Sub-Processor, Dolby shall enter into written agreements with the Sub-Processor that imposes obligations on the Sub-Processor that are the substantially similar to those imposed on Dolby under this Addendum.

VI. Data Security

(A) Dolby shall implement appropriate technical and organizational measures to protect Personal Data in Dolby’s possession, custody or control in accordance with Data Protection Law.

(B) Upon termination of the Agreement, Dolby shall return to Customer, or at Customer’s request, securely destroy or render unreadable or undecipherable, all Personal Data in Dolby’s possession, custody or control, subject to applicable law. In the event applicable law does not permit Dolby to perform such delivery or destruction of the Personal Data, Dolby warrants that it shall protect the confidentiality of the Personal Data in accordance with this Addendum.

VII. Data Breach Notification

(A) Dolby shall inform Customer without undue delay of any Personal Data Breach of which Dolby becomes aware. Dolby shall promptly investigate such Personal Data Breach and cooperate with Customer in reasonable and lawful efforts to prevent, mitigate or rectify such breach. Dolby shall provide such assistance as required to enable Customer to satisfy Customer’s obligation to notify the relevant supervisory authority and Data Subjects of a Personal Data Breach under Articles 33 and 34 of the GDPR, provided that such cooperation does not violate applicable law or confidentiality or contractual obligations, disclose legal advice or interfere with Dolby’s business operations.

VIII. Audit

(A) Dolby shall make available to Customer information reasonably necessary to demonstrate Dolby’s compliance with the obligations set forth in this Addendum, provided that such information does not violate applicable law or confidentiality or contractual obligations or contain legal advice.

(B) During the term of the Agreement, Dolby will conduct an assessment annually to validate the effectiveness of the technical and organizational security measures implemented by Dolby pursuant to the Addendum. Such assessment will be conducted (i) by a Dolby-appointed qualified third party and (ii) under an appropriate assessment standard or criteria selected by Dolby. Upon Customer’s request, Dolby agrees to provide Customer, on an annual basis and for no additional fee, (i) a report that reasonably summarizes the findings of the most recent assessment conducted pursuant to this section, and (ii) any other documents relevant to the security or compliance of the service that are made generally available by Dolby to customers of its services. Such report and information will be deemed Dolby’s confidential information.

IX. Miscellaneous

(A) This Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.

(B) If any provision of this Addendum is held invalid or unenforceable, the remaining provisions shall remain in effect.

(C) All notices to Dolby provided under this Addendum must be in writing and sent to Dolby Laboratories, Inc., 1275 Market Street; San Francisco, CA 94103; Attention: Privacy Legal and via email at Privacy@Dolby.com.

(D) This Addendum supplements the Agreement. In the event of any conflict between the Agreement and this Addendum, the provisions of this Addendum shall control. This Addendum shall be subject to the limitations of liability under the Agreement.

ANNEX 1: SCOPE OF THE DATA PROCESSING

SCOPE OF THE DATA PROCESSING

Subject-matter and duration of the Processing The subject matter and duration of the Processing of Personal Data are set out in the Agreement and this DPA.
Nature and purpose of the Processing Dolby as Data Processor (the “Processor”) provides Customer with audio and video messaging, calling, and broadcasting services. In particular, Processor provides voice and video calling, screen-sharing, speech-to-text transcription for calls, and broadcast video and user interaction services. Processor also provides Customer with the ability to use code to add messaging, video, and audio chat features into their mobile or web application. Dolby’s purposes of processing include storage and other processing necessary to provide access to, maintain, and update the Platform; to provide customer and technical support and other services to Customer; and disclosures in accordance with the Agreement, or as compelled by law.
Types of Customer Personal Information to be Processed Name, email address, company name, user ID, cookies, and usage data, which can include IP address, domain names, URI addresses, the time of the request, method utilized to submit the request to the server, size of file, numerical code indicating the status of the server’s answer, country of origin, features of the browser and operating system utilized by the Customer, time details per visit, and path details within the application. In addition, Dolby may process the recording of a call (optional).
Types of Customer Sensitive Personal Information to be Processed None.
Categories of Data Subject to whom the Customer Personal Information relates End Users of Customer, as defined in the Terms.
Authorized Sub-processors Used to Process to Process Personal Data Amazon Web Services, Inc., Google Cloud, Intercom, Zendesk Inc., Sendgrid, and Google Analytics for Firebase.
Obligations and rights of the Customer as data controller The obligations and rights of the Customer as data controller are set out in the Agreement and this DPA.