Vimeo OTT Data Processing Agreement
Last updated: December 14, 2022
Pursuant to the Vimeo OTT Services Agreement entered into between Vimeo OTT and Producer, Vimeo OTT processes Personal Data relating to Producer Customers in providing the Vimeo OTT Services. This Data Processing Agreement (“DPA”) sets forth the parties’ rights and obligations under data protection laws with respect to such data.
In the event of any inconsistency with the terms of this DPA and any other agreement between the parties, the terms of this DPA shall prevail. If there is any conflict between the Standard Contractual Clauses and the terms of this DPA, the Standard Contractual Clauses shall prevail.
- “Applicable Privacy and Data Protection Laws” means collectively all national, federal, state, provincial and local privacy and data protection laws and regulations that apply to the parties with regard to the processing of Personal Data in connection with the Vimeo OTT Services Agreement, including, only to the extent applicable and when legally effective (including those that come into effect after the “Last Updated” date above): Brazil’s Lei Geral de Proteção de Dados (“LGPD”), the California Consumer Privacy Act (including as amended by the California Privacy Rights Act of 2020) (“CCPA”), the Colorado Privacy Act (“CPA”), the Virginia Consumer Data Protection Act (“CDPA”), the Utah Consumer Privacy Act (“UCPA”), and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“CTPA”) and the regulations promulgated under any of the foregoing; Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); the European Union’s General Data Protection Regulation (“GDPR”); Japan’s Act on the Protection of Personal Information (“APPI”); Switzerland’s Data Protection Act; and the United Kingdom’s General Data Protection Regulation (“UK GDPR”).
- “Business Purpose” means the enumerated Business Purposes set forth in Cal. Civ. Code section 1798.140(d)(1)-(7) and, on or after January 1, 2023, Cal. Civ. Code section 1798.140(e)(1)-(8) that are applicable to the Vimeo OTT Services.
- “Controller” means the party that controls the purposes and means of processing, and shall include ‘controller’, ‘business’, and other similar terms under Applicable Privacy and Data Protection Laws.
- “Data Subject” means ‘data subject’, ‘consumer’, or similar terms under Applicable Privacy and Data Protection Laws.
- “Personal Data” means all data which is defined as ‘personal data’, or ‘personal information’, or similar terms under Applicable Privacy and Data Protection Laws.
- “Producer” means a Vimeo OTT customer that uses the Vimeo OTT Services to deliver Producer’s video content to Producer Customers.
- “Processor” means a party that processes Personal Data on behalf of another party, and shall include ‘processor’, ‘service provider’ and other similar terms under Applicable Privacy and Data Protection Laws.
- “Producer Customer” means a Data Subject who has subscribed to or otherwise purchased Producer’s video service through the Vimeo OTT Services.
- “Producer Customer Data” means the Personal Data of Producer Customers that is submitted to Vimeo OTT in connection with the OTT Services. Producer Customer Data does not include Personal Data collected by Vimeo OTT outside of the Vimeo OTT Services.
- “Sensitive Data” means ‘sensitive personal information’, ‘sensitive data’, ‘special categories of personal data’, or Personal Data similarly classified under Applicable Privacy and Data Protection Laws.
- “Standard Contractual Clauses” means the standard contractual clauses approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, populated in accordance with Section 8 of this DPA. For processing of Personal Data that is subject to UK GDPR, the Standard Contractual Clauses also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), populated in accordance with Section 8 of this DPA.
- “Vimeo OTT” means, for the purpose of this DPA, Vimeo.com, Inc.
- “Vimeo OTT Services” means the video hosting and streaming platform applicable services provided by Vimeo OTT pursuant to the Vimeo OTT Services Agreement and any associated Order Form or Statement of Work.
- “Vimeo OTT Services Agreement” means the Seller Addendum to the Vimeo Terms of Service Agreement, available at https://vimeo.com/selleraddendum as well as the Vimeo Terms of Service Agreement, available at https://vimeo.com/terms, unless there is a separately negotiated agreement for Vimeo OTT Services between you and Vimeo OTT, then “Vimeo OTT Services Agreement” means that agreement.
- “Vimeo OTT Policies” mean internal information security policies, including applicable retention schedules.
- The terms "commercial purpose," “personal data breach,” “process,” "sell," "share" and their cognates shall have the same meaning as under Applicable Privacy and Data Protection Laws.
The parties agree that with respect to processing Producer Customer Data in the provision of the Vimeo OTT Services, Producer is the Controller, and Vimeo OTT is the Processor.
Producer acknowledges and agrees that notwithstanding Section 2.1, Vimeo OTT and its affiliates may collect and process Personal Data directly from Data Subjects in their capacity as users of other Vimeo OTT services. Though these Data Subjects may also be Producer Customers, Vimeo OTT acts as a Controller for Personal Data collected or submitted outside of the Vimeo OTT Services, which is not Producer Customer Data.
The parties agree and acknowledge that the subject matter and details of processing are set out in Annex I.
Vimeo OTT will:
Process Producer Customer Data for the provision of the Vimeo OTT Services to Producer according to the written instructions set forth in the Vimeo OTT Services Agreement or as otherwise instructed by Producer;
Process CCPA ‘personal information’ only for a Business Purpose or as otherwise permitted under Applicable Data Protection Laws;
Ensure that anyone acting on its behalf will process Producer Customer Data according to the provisions of this DPA and Applicable Data Protection Laws, and is bound by an appropriate obligation of confidentiality;
Notify Producer if Vimeo OTT becomes aware of circumstances which would prevent it from fulfilling Producer’s instructions or the obligations of this DPA, including any Schedules;
Notify Producer if Vimeo OTT becomes aware that any law or regulation applicable to it prevents it from fulfilling the instructions received from Producer and its obligations under this DPA, including any Schedules;
Notify Producer within the time period required by Applicable Privacy and Data Protection Laws if it determines it can no longer meet its obligations under Applicable Privacy and Data Protection Laws, and allow Producer to take reasonably and appropriate steps to stop and remediate unauthorized processing of Producer Customer Data;
Upon Producer’s request, provide information to reasonably enable Producer to conduct and document data protection assessments; and
To the extent required by Applicable Privacy and Data Protection Law, and not more than once annually, allow and cooperate with reasonable assessments by Producer or its designated assessor (or if mutually agreed and at Vimeo OTT’s expense, Vimeo’s qualified assessor), to conduct an assessment of Vimeo’s policies and technical and organizational measures in support of the obligations under Applicable Privacy and Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and subject to reasonable access and confidentiality restrictions. If Vimeo OTT engages its own assessor, it shall provide a summary report to Producer upon request, which shall satisfy Vimeo OTT’s obligations under this Section 3.1.8.
Subject to Section 3.1.1, Vimeo OTT will not:
Sell or share the Producer Customer Data;
Retain, use or disclose the Producer Customer Data for any purpose other than providing the Vimeo OTT Services, the Business Purposes, or another purpose permitted under Applicable Data Protection Laws.
Retain, use or disclose the Producer Customer Data outside of the direct business relationship between Producer and Vimeo OTT without first obtaining the prior written agreement of Producer; or
Combine Producer Customer Data with Personal Data Vimeo OTT receives from other customers.
Collect, use and process Producer Customer Data in accordance with all Applicable Data Protection Laws;
Have primary responsibility for the accuracy, quality, and legality of Producer Customer Data and the means by which it was obtained, including where applicable, any notice obligations or necessary consents to lawfully process personal data, including Sensitive Data, under Applicable Data Protection Laws; and
Vimeo OTT shall Implement reasonable technical, organizational and security measures to protect the privacy and security of the Producer Customer Data.
Vimeo OTT shall assist Producer, within reasonable timetables, by the appropriate measures and as reasonably possible (considering the nature of the processing and the information available to us), in complying with its obligations under Articles 32 to 36 of the GDPR.
Any storage and/or transfer of Producer Customer Data by Producer to any third party or platform other than Vimeo OTT shall be at the sole risk and responsibility of Producer.
If Vimeo OTT becomes aware of any personal data breach affecting Producer Customer Data, Vimeo OTT will, without undue delay, provide notification to Producer in accordance with applicable regulations. Vimeo OTT’s notification of a personal data breach will not be deemed as an acknowledgement by Vimeo OTT of any fault or liability with respect to such incident. In the event of a personal data breach, Producer shall be obligated to take the measures required under applicable laws in connection with its Producer Customer Data. Where requested, Vimeo OTT will assist Producer with communicating with regulators regarding the personal data breach.
Upon reasonable written request, Vimeo OTT will make available to Producer information necessary to demonstrate compliance with its obligations under this DPA and applicable law.
Producer consents to Vimeo OTT’s continued use of the sub-processors listed in Annex III.
Producer hereby grants Vimeo OTT general authorization to change, or engage new sub-processors without obtaining any further written, specific authorization from Producer. Vimeo OTT will notify Producer of any change or addition in sub-processors by updating Annex III and/or providing notification by email. If Producer objects to any sub-processing by Vimeo OTT, Producer should immediately discontinue its use of the Vimeo OTT Services.
Vimeo OTT shall execute an agreement with each sub-processor with terms ensuring at least the same level of protection and security as those set out in this DPA. Subject to the limitation of liability set forth in the Vimeo OTT Services Agreement, Vimeo OTT shall be responsible for all acts and omissions of any sub-processor who is processing Producer Customer Data.
Producer hereby instructs and authorizes Vimeo OTT to respond directly to verifiable individual rights requests under Applicable Data Protection Laws related to Producer Customer Data in Vimeo OTT’s possession, custody or control.
Vimeo OTT will notify Producer when it receives an individual rights request for erasure or access to information relating to Producer Customer Data. It is Producer’s responsibility to supplement such request with any data or information not available to Vimeo OTT, to the extent the provision of such supplemental information is required by law.
Producer understands and agrees that Vimeo OTT operates the Vimeo OTT Service primarily from the United States and as such, Producer Customer Data will be transferred from Producer’s location and/or the applicable Data Subject’s location to Vimeo OTT in the United States. Vimeo OTT will ensure such transfers are made in compliance with Applicable Data Protection Law, including by relying on the Standard Contractual Clauses (Module 2: Transfer Controller to Processor), which are hereby incorporated into this DPA, and which are deemed to be completed, populated and incorporated as follows:
- Clause 7: the optional clause is included;
- Clause 11(a): the optional clause is disregarded;
- Clause 13(a): For the competent supervisory authority, insert the Data Protection Commissioner of the Republic of Ireland;
- Clause 17: the governing law shall be that of the Republic of Ireland; and
- Clause 18: any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
Producer and Vimeo OTT agree that signature of an Order Form will constitute and have effect as signature of Annex IA and Annex II of the Standard Contractual Clauses in relation to any transfers falling within Section 8.1.1 that are required in relation to the Vimeo OTT Services to which that Order Form relates, and which are set out in a relevant, fully and appropriately populated version Annex I, Annex II and Annex III (below) to the Standard Contractual Clauses, together (where applicable) with the UK Addendum.
In the event the Standard Contractual Clauses are determined by competent authority to be invalid under Applicable Privacy and Data Protection Law, Vimeo OTT shall, as soon as possible, adopt an appropriate alternative transfer mechanism. In the event that Vimeo OTT fails to adopt an alternative transfer mechanism by the effective date of the invalidation, Producer may terminate the Vimeo OTT Services Agreement, at no cost, as of right and without prejudice to Producer’s other rights and remedies under the Vimeo OTT Services Agreement.
If Vimeo OTT receives an order from any third party for compelled disclosure of Producer Customer Data that has been transferred using the Standard Contractual Clauses, Vimeo OTT will:
Use every reasonable effort to redirect the third party to request the data directly from Producer;
Promptly notify Producer, unless prohibited by law;
Request a reasonable extension of time from the third party to allow Producer to evaluate the request; and
Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies or conflicts with the laws of the EU, Switzerland, UK, or applicable EU member state law.
If, after exhausting these steps, Vimeo OTT remains compelled to disclose Producer Customer Data to a third party, Vimeo OTT will disclose only the minimum necessary to satisfy the request.
This DPA shall be in effect for as long as such Producer uses any of the Vimeo OTT Services, provided however, that where Vimeo OTT is obligated, according to the terms of this DPA or any Vimeo OTT Policies, to keep Producer Customer Data following the termination of the Vimeo OTT Services, this DPA shall continue to be in effect for as long as Vimeo OTT holds such data.
Upon termination or expiration of the Vimeo OTT Services Agreement, and unless Vimeo OTT has a lawful basis to retain such Producer Customer Data under applicable law, Vimeo OTT shall delete the Producer Customer Data as soon as reasonably practicable in accordance with Vimeo OTT Policies and applicable laws.
Vimeo OTT shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time-to-time, in order to comply with any applicable laws or regulations.
Any questions regarding this DPA or requests from Producers to fulfill individual rights requests should be addressed to [email protected]. Vimeo OTT will attempt to resolve any complaints regarding the use of Producer Customer Data in accordance with this DPA and Vimeo OTT Policies.
- Data Exporter is the company identified in the Vimeo OTT Services Agreement.
- Role (controller/processor): Controller
Name: Vimeo.com, Inc. (“Vimeo” or “Vimeo OTT”)
Address: 330 West 34th Street, 5th Floor, New York, New York 10001
Contact person’s name, position and contact details: Michael Cheah, Data Protection Officer
Activities relevant to the data transferred under these Clauses: In accordance with the Vimeo OTT Services Agreement and associated Order Form agreed upon between Data Exporter and Data Importer.
Signature and date: According to Vimeo OTT Services Agreement.
Role (controller/processor): Processor
- Subject matter. The subject matter of the data processing under this DPA is Producer Customer Data.
Nature of the processing. Vimeo OTT processes Producer Customer Data to provide the Vimeo OTT Services, including such features and functionalities initiated by Producer. This includes:
- Producer uploading, hosting, managing, and streaming video content to Producer Customers;
- Processing transactions by Producer Customers and fulfilling orders made by such Producer Customers;
- Providing customer support to Producer Customers; and
- Providing all other features and functionality offered by the Vimeo OTT Services that Producer chooses to use.
- Duration. The duration of the processing is equal to the duration of Producer’s use of the Vimeo OTT Services.
- Purpose. The purpose of the processing is the provision of the Vimeo OTT Services initiated by Producer.
Republic of Ireland
Vimeo maintains internal Information Security and Privacy Policies, which are approved annually and must be reviewed and accepted by all Vimeo employees. These policies include standards for information security management as required by the EU's General Data Protection Regulation (GDPR), Sarbanes Oxley (SOX), Payment Card Industry Data Security Standards (PCI DSS), Security Trust Principles of SOC 2 Type 2 and other privacy or data security laws, regulations, or standards. The following spotlight controls demonstrate Vimeo’s information security framework:
Vimeo’s security program is based on the concept of in-depth security: securing our organization, and user data at every stage. Our security program is aligned with NIST (National Institute of Standards and Technology) standards, and is constantly evolving with updated guidance and new industry best practices. Vimeo maintains a dedicated security team led by Vimeo’s Senior Director of Security, who is responsible for the implementation and management of our security program is supported by the members of the Vimeo Security/Compliance, Information Technology and Site Reliability teams, who collectively focus on Infrastructure Security, Application Security, Governance, Risk, Product Security, Security Engineering and Operations, Incident Detection and Response.
Incident Response and Disaster Recovery
Vimeo has established controls to respond quickly and efficiently in the event of an incident that results in a compromise of Vimeo services. These controls have been codified through Vimeo Security policies and procedures. They provide system-specific response teams and procedures for each type of incident. They include protocols for assessing incident severity, remediating incidents and where necessary, notifying affected customers.
Vimeo uses cloud infrastructure, which in turn uses distributed physical data centers that can be leveraged in the event of a natural disaster or other significant event to mitigate against loss of service. Distributed locations allow for server failover in the event of location specific disasters. Test of failover procedures and walkthroughs of Vimeo’s established system specific disaster recovery plans takes place annually.
Vimeo users are given tools within their account settings to delete user-submitted account data (including videos, comments, group participation and channel participation). Vimeo hard deletes user-submitted account data within a reasonable time following a deletion request or account closure.
All Vimeo application endpoints are encrypted and authenticated prior to the exchange or derivation of session keys. Public keys must be authenticated prior to use. All externally-facing servers and applications must use a minimum of TLS 1.2 where possible
Data in Transit. All video and other data transmitted to Vimeo from users is encrypted using strong encryption protocols. Vimeo supports the latest recommended secure channels to encrypt all traffic in transit equivalent to TLS 1.2 protocols and/or AES 256 encryption.
Data at Rest. All data except video data within Vimeo’s production database is encrypted. Video data is encrypted where technologically feasible. All encryption keys are stored in a secure server with very limited access. Vimeo has implemented safeguards to protect all Vimeo user data from creation to deletion.
Vimeo adheres to NIST guidelines for Network Security. Firewalls and similar cloud-level functions that serve as firewalls have been implemented to define a logical network perimeter, security zones, enclaves, and other methodologies for discrete and specific subnet isolation. Similarly, anti-malware and anti-virus software must be installed for all Vimeo endpoints, including Vimeo employee workstations.
Provisioning. Vimeo adheres to the principles of least privilege and role-based permissions when provisioning Vimeo system access. Employees are only permitted to access data that they reasonably must handle in order to fulfill their job roles and responsibilities. Access for Vimeo Critical Systems is conducted on a periodic basis.
Vimeo also provides user and authorization workflows to assign administrators for role-based permissions to specific users so that any User content uploaded to Vimeo is seen and managed by specific individuals that users indicate.
Password Management. Vimeo requires all personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords to avoid password reuse, phishing and other password related risks.
Logging and Monitoring
Vimeo’s Security and Site Reliability Engineering Teams consistently monitor vulnerabilities across Vimeo Systems and use various vulnerability monitoring tools to do so.. Vimeo conducts internal and external penetration tests on a regular basis. Vimeo also leverages support from the security community through HackerOne Bug Bounty programs.
Vimeo conducts an information security review of all vendors that will access personal data, and imposes heightened data security requirements for vendors which have access to Vimeo’s critical systems. This review includes both initial onboarding and annual recertification.
- Akamai Technologies, Inc.
- Avalara, Inc.
- Amazon Web Services, Inc.
- Cloudflare, Inc.
- Datadog, Inc.
- Fastly, Inc.
- Google Analytics (Google LLC)
- Google Cloud (Google LLC)
- hCaptcha (Intuition Machines, Inc.)
- Heroku (salesforce.com, inc.)
- Intertrust Cloud Services Corporation
- Mux, Inc.
- Redis Ltd.
- Stripe Inc.
- Zendesk, Inc.