Data Processing Agreement

Last updated: September 2024

This Data Processing Agreement, including the Schedules and Annexes (“DPA”) forms incorporated herein by reference is between IPVideo Corporation, a wholly-owned subsidiary of Motorola Solutions, Inc., on behalf of itself and its affiliates and subsidiaries (collectively “IPVideo”) and the undersigned customer (“Customer”) and reflects the Parties’ agreement with respect to the Processing of Customer Data which may include Personal Data pursuant to Customer’s agreement with IPVideo (the “Agreement”). Unless otherwise defined herein, all capitalized terms shall have the meaning set forth in the Agreement. Customer and IPVideo are hereafter referred to collectively as the “Parties,” or individually as a “Party.”

In the event of a conflict between this DPA, the Agreement, or any schedule, annex, or other addenda to the Agreement, this DPA will prevail with respect to the handling of Customer and end-user data, including but not limited to personally identifiable information.

1. Definitions

All capitalized terms not defined herein must have the meaning set forth in the Agreement. All lower case terms not defined in this DPA must have the meaning as set within Article 4 of the GDPR if defined therein, regardless of whether GDPR applies.

“Authorized Users” means Customer’s employees, contractors, agents, customers and end-users who are authorized to use the Services to access or receive Data. IPVideo or Customer (as determined by IPVideo) will be responsible for all User identification and password change management.

“IPVideo Data” means data provided by IPVideo and made available to the Customer in connection with the provision of Products and Services.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Customer Data” means data including images, text, videos, and audio, that are provided to IPVideo by, through, or on behalf of Customer and its Authorized Users or their end users, through the use of the Products and Services. Customer Data does not include Customer Contact Data, Service Use Data other than that portion comprised of Personal Information, or Third Party Data.

“Customer Contact Data” means data IPVideo collects from Customer for contact purposes, including, without limitation, contract fulfillment, marketing, advertising, licensing, and sales activities.

“Data” means collectively IPVideo Data and Customer Data, including any Personal Data included therein.

“Data Protection Laws and Policies” means all applicable corporate, state and local, federal and international laws, standards, guidelines, policies, regulations and procedures applicable to IPVideo pertaining to data security, confidentiality, privacy, and breach notification, as amended, including without limitation the European Union General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018.

“Data Subjects” means the identified or identifiable person to whom Personal Data relates.

“GDPR” means European Union General Data Protection Regulation 2016/679.

“Metadata” means data that describes other data.

“Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person transmitted to IPVideo by, through, or on behalf of Customer and its Authorized Users or their end users as part of Customer Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.

“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, copying, analyzing, caching, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Security Incident” means an incident that compromises or is suspected to compromise the security, confidentiality, integrity or availability of IPVideo Data, Customer Data or Personal Data. For the avoidance of doubt, “suspected to compromise” means a determination by IPVideo based on specific and articulable facts and circumstances, taken together with rational inferences from those facts, that an act or omission may likely result in a breach of security, confidentiality, availability or integrity with respect to the IPVideo Data, Customer Data or Personal Data.

“Service Use Data” means data generated about the use of the Products and Services through Customer’s use or IPVideo’s support of the Products and Services, which may include Metadata, Personal Data, product performance and error information, activity logs, and date and time of use.

“Standard Contractual Clauses” means the clauses attached hereto as Schedule 1 as established by the European Commission’s decision (C(2021) 3972 of 4 June 2021) on Standard Contractual Clauses for the transfer of personal data to processor established in third countries which do not ensure an adequate level of data protection.

“Sub-processor” means other processors engaged by IPVideo to Process Customer Data which may include Personal Data, as outlined on the following website: https://www.motorolasolutions.com/en_us/about/trust-center/privacy/data-sub-processors.html.

“Third Party Data” means information obtained by IPVideo from publicly available sources or its third party content providers and made available to Customer through the Products or Services.

2. Processing of Customer Data

2.1. Roles of the Parties. The Parties agree that with regard to the Processing of Personal Data hereunder, Customer is the Controller and IPVideo is the Processor who may engage Sub-processors pursuant to the requirements of Section 6 entitled “Sub-processors” below.

2.2. IPVideo’s Processing of Customer Data. IPVideo and Customer agree that IPVideo may only use and Process Customer Data, including the Personal Information embedded in Service Use Data, in accordance with Customer’s documented instructions for the following purposes: (a) to perform Services and provide Products under the Agreement; (b) analyze Customer Data to operate, maintain, manage, and improve IPVideo products and services; and (c) create new products and services. Customer agrees that its Agreement (including this DPA), along with the Product and Service Documentation and Customer’s use and configuration of features in the Products and Services, are Customer’s complete and final documented instructions to IPVideo for the processing of Customer Data. Any additional or alternate instructions must be agreed to according to the process for amending Customer’s Agreement. Customer represents and warrants to IPVideo that Customer’s instructions, including appointment of IPVideo as a Processor or Sub-processor, have been authorized by the relevant C Customer Data may be processed by IPVideo at any of its global locations and/or disclosed to Sub-processors. It is Customer’s responsibility to notify Authorized Users of IPVideo’s collection and use of Customer Data, and to obtain any required consents, provide all necessary notices, and meet any other applicable legal requirements with respect to such collection and use. Customer represents and warrants to IPVideo that it has complied with the terms of this provision.

2.2.1. Additional Products and Services. In the event, Customer purchases additional Products and Services that integrate with the previously purchased Products and Services, Customer Data may be processed at additional locations around the world and by Sub-processors utilized in connection with the additional Products and Services. Identification of Sub-processors utilized by IPVideo Solutions can be found at Motorola Sub-Processors or Annex III attached hereto.

2.3. Details of Processing. The subject matter of Processing of Personal Data by IPVideo hereunder, the duration of the Processing, the categories of Data Subjects and types of Personal Data are set forth on Schedule 2, Annex I to this DPA.

2.4. Disclosure of Processed Data. IPVideo must not disclose to or share any Customer Data with any third party except to IPVideo’s Sub-processors, suppliers and channel partners as necessary to provide the Products and Services unless permitted under this Agreement, authorized by Customer or required by law. In the event a government or supervisory authority demands access to Customer Data, to the extent allowable by law, IPVideo must provide Customer with notice of receipt of the demand to provide sufficient time for Customer to seek appropriate relief in the relevant jurisdiction. In all circumstances, IPVideo retains the right to comply with applicable law. IPVideo must ensure that its personnel are subject to a duty of confidentiality, and will contractually obligate its Sub-processors to a duty of confidentiality, with respect to the handling of Customer Data and any Personal Data contained in Service Use Data.

2.5. Customer’s Obligations. Customer is solely responsible for its compliance with all Data Protection Laws and establishing and maintaining its own policies and procedures to ensure such compliance. Customer must not use the Products and Services in a manner that would violate applicable Data Protection Laws. Customer must have sole responsibility for (a) the lawfulness of any transfer of Personal Data to IPVideo; (b) the accuracy, quality, and legality of Personal Data provided to IPVideo; (c) the means by which Customer acquired Personal Data; and (d) the provision of any required notices to, and obtaining any necessary acknowledgements, authorizations or consents from Data Subjects. Customer takes full responsibility to keep the amount of Personal Data provided to IPVideo to the minimum necessary for IPVideo to perform in accordance with the Agreement. Customer agrees that it has implemented administrative, physical and technical safeguards for Customer’s environment and operations that are no less rigorous than accepted industry practices and shall ensure that all such safeguards comply with applicable data protection and privacy laws. Customer agrees that IPVideo shall not be liable for any Security Incident arising from Customer’s breach of this requirement.

2.6. Customer Indemnity. Customer will defend, indemnify, and hold IPVideo and its subcontractors, subsidiaries and other affiliates harmless from and against any and all damages, losses, liabilities, and expenses (including reasonable fees and expenses of attorneys) arising from any actual or threatened third-party claim, demand, action, or proceeding arising from or related to Customer’s failure to comply with its obligations under this Agreement and/or applicable Data Protection Laws. IPVideo will give Customer prompt, written notice of any claim subject to the foregoing indemnity. IPVideo will, at its own expense, cooperate with Customer in its defense or settlement of the claim.

3. Service Use Data. Except to the extent that it is Personal Information, Customer understands and agrees that IPVideo may collect and use Service Use Data for its own purposes, provided that such purposes are compliant with applicable Data Protection Laws. Service Use Data may be processed by IPVideo at any of its global locations and/or disclosed to Sub-processors.

4. Third Party Data and IPVideo Data. IPVideo Data and Third Party Data may be available to Customer through the Products and Services. Customer and its Authorized Users may use the IPVideo Data and Third Party Data as permitted by IPVideo and the applicable Third Party Data provider, as described in the Agreement. Unless expressly permitted in the Agreement, Customer must not, and must ensure its Authorized Users must not: (a) use the IPVideo Data or Third Party Data for any purpose other than Customer’s internal business purposes or disclose the data to third parties; (b) “white label” such data or otherwise misrepresent its source or ownership, or resell, distribute, sublicense, or commercially exploit the data in any manner; (c) use such data in violation of applicable laws; (d) use such data for activities or purposes where reliance upon the data could lead to death, injury, or property damage; (e) remove, obscure, alter, or falsify any marks or proprietary rights notices indicating the source, origin, or ownership of the data; or (f) modify such data or combine it with Customer Data or other data or use the data to build databases. Additional restrictions may be set forth in the Agreement. Any rights granted to Customer or Authorized Users with respect to IPVideo Data or Third Party Data must immediately terminate upon termination or expiration of the Agreement. Further, IPVideo or the applicable Third Party Data provider may suspend, change, or terminate Customer’s or any Authorized User’s access to IPVideo Data or Third Party Data if IPVideo or such Third Party Data provider believes Customer’s or the Authorized User’s use of the data violates the Agreement, applicable law or IPVideo’s agreement with the applicable Third Party Data provider. Upon termination of Customer’s rights to use of any IPVideo Data or Third Party Data, Customer and all Authorized Users must immediately discontinue use of such data, delete all copies of such data, and certify such deletion to IPVideo. Notwithstanding any provision of the Agreement to the contrary, IPVideo has no liability for Third Party Data or IPVideo Data available through the Products and Services. IPVideo and its Third Party Data providers reserve all rights in and to IPVideo Data and Third Party Data not expressly granted in the Agreement.

5. IPVideo as a Controller or Joint Controller. In all instances where IPVideo acts as a Controller it must comply with the applicable provisions of the IPVideo Privacy Statement at IPVideo Privacy Statement as may be updated from time to time. IPVideo holds all Customer Contact Data as a Controller and must Process such Customer Contact Data in accordance with the IPVideo Privacy Statement. In instances where IPVideo is acting as a Joint Controller with Customer, the Parties must enter into a separate addendum to the Agreement to allocate the respective roles as joint controllers.

6. Sub-processors.

6.1. Use of Sub-processors. Customer agrees that IPVideo may engage Sub-processors who in turn may engage Sub-processors to Process Personal Data in accordance with the DPA. A list of Sub-processors is set forth at Motorola Sub-Processors and Schedule 3. When engaging Sub-processors, IPVideo must enter into agreements with the Sub-processors to bind them to obligations which are substantially similar or more stringent than those set out in this DPA.

6.2. Changes to Sub-processing. Customer hereby consents to IPVideo engaging Sub-processors to process Customer Data provided that: (a) IPVideo use its reasonable endeavors to provide at least ten (10) days prior notice of the addition or removal of any Sub-processor, which may be given by posting details of such addition or removal at Motorola Sub-Processors; (b) IPVideo imposes data protection terms on any Sub-processor it appoints that protect the Customer Data to the same standard provided for by this DPA; and (c) IPVideo remains fully liable for any breach of this clause that is caused by an act, error or omission of its Sub-processor(s). Customer may object to IPVideo’s appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, IPVideo will either appoint or replace the Sub-processor or, if in IPVideo’s discretion this is not feasible, Customer may terminate the Agreement and receive a pro-rata refund of any prepaid service or support fees as full satisfaction of any claim arising out of such termination.

6.3. Data Subject Requests. IPVideo must, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject, including without limitation requests for access to, correction, amendment, transport or deletion of such Data Subject’s Personal Data and, to the extent applicable, IPVideo must provide Customer with commercially reasonable cooperation and assistance in relation to any complaint, notice, or communication from a Data Subject. Customer must respond to and resolve promptly all requests from Data Subjects which IPVideo provides to Customer. Customer must be responsible for any reasonable costs arising from IPVideo’s provision of such assistance under this Section.

7. Data Transfers. IPVideo agrees that it must not make transfers of Personal Data under this Agreement from one jurisdiction to another unless such transfers are performed in compliance with this DPA and applicable Data Protection Laws. IPVideo agrees to enter into appropriate agreements with its affiliates and Sub-processors, which will permit IPVideo to transfer Personal Data to its affiliates and Sub-processors. IPVideo agrees to amend as necessary the Agreement to permit transfer of Personal Data from IPVideo to Customer. IPVideo also agrees to assist the Customer in entering into agreements with its affiliates and Sub-processors if required by applicable Data Protection Laws for necessary transfers.

8. Security. IPVideo must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing of Personal Data, taking into account the costs of implementation; the nature, scope, context, and purposes of the Processing; and the risk of varying likelihood and severity of harm to the data subjects. The appropriate technical and organizational measures implemented by IPVideo are set forth in Schedule 3. In assessing the appropriate level of security, IPVideo must weigh the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise Processed.

9. Security Incident Notification. If IPVideo becomes aware of a Security Incident, then IPVideo must (a) notify Customer of the Security Incident without undue delay, (b) investigate the Security Incident and apprise Customer of the details of the Security Incident, and (c) take commercially reasonable steps to stop any ongoing loss of Personal Data due to the Security Incident if in the control of IPVideo. Notification of a Security Incident must not be construed as an acknowledgement or admission by IPVideo of any fault or liability in connection with the Security Incident. IPVideo must make reasonable efforts to assist Customer in fulfilling Customer’s obligations under Data Protection Laws to notify the relevant supervisory authority and Data Subjects about such incident.

10. Data Retention and Deletion. Except for anonymized Customer Data, as described above, or as otherwise provided under the Agreement, IPVideo deletes all Customer Data ninety (90) days following termination or expiration of the Agreement unless otherwise required to comply with applicable law. Notwithstanding the foregoing, IPVideo will retain the Customer Data for at least thirty (30) days following such termination or expiration to accommodate a request by Customer for the Customer Data. If, within such thirty (30) day period, Customer requests (in writing), IPVideo will make Customer Data available to Customer for export or download for a period of thirty (30) days. IPVideo has no obligation to retain such Customer Data beyond such thirty (30) day period. Subject to Section 3 regarding CJIS Data, IPVideo may delete any Service Use Data upon termination or expiration of the Agreement.

11. Audit Rights

11.1. Periodic Audit. IPVideo will allow Customer to perform an audit of reasonable scope and duration of IPVideo operations relevant to the Products and Services purchased under the Agreement, at Customer’s sole expense, for verification of compliance with the technical and organizational measures set forth in Schedule 3 if (a) IPVideo notifies Customer of a Security Incident that results in actual compromise to the Products and/or Services purchased; or (b) if Customer reasonably believes IPVideo is not in compliance with its security commitments under this DPA, or (c) if such audit is legally required by the Data Protection Laws. Any audit must be conducted in accordance with the procedures set forth in Section 11.3 of this DPA and may not be conducted more than one time per year. If any such audit requires access to confidential information of IPVideo’s other customers, suppliers or agents, such portion of the audit may only be conducted by Customer’s nationally recognized independent third party auditors in accordance with the procedures set forth in Section 11.3 of this DPA. Unless mandated by GDPR or otherwise mandated by law or court order, no audits are allowed within a data center for security and compliance reasons. IPVideo must, in no circumstances, provide Customer with the ability to audit any portion of its software, products, and services which would be reasonably expected to compromise the confidentiality of any third party’s information or Personal Data.

11.2. Satisfaction of Audit Request. Upon receipt of a written request to audit, and subject to Customer’s agreement, IPVideo may satisfy such audit request by providing Customer with a confidential copy of a IPVideo’s applicable most recent third party security review performed by a nationally recognized independent third party auditor, such as a SOC2 Type II report or ISO 27001 certification, in order that Customer may reasonably verify IPVideo’s compliance with industry

11.3. Audit Process. Customer must provide at least sixty days (60) days prior written notice to IPVideo of a request to conduct the audit described in Section 11.1. All audits must be conducted during normal business hours, at applicable locations or remotely, as designated by IPVideo. Audit locations, if not remote will generally be those location(s) where Customer Data is accessed, or Processed. The audit must not unreasonably interfere with IPVideo’s day-to-day operations. An audit must be conducted at Customer’s sole cost and expense and subject to the terms of the confidentiality obligations set forth in the Agreement. Before the commencement of any such audit, IPVideo and Customer must mutually agree upon the time, and duration of the audit. IPVideo must provide reasonable cooperation with the audit, including providing the appointed auditor a right to review, but not copy, IPVideo security information or materials provided such auditor has executed an appropriate non-disclosure agreement. IPVideo’s policy is to share methodology and executive summary information, not raw data or private information. Customer must, at no charge, provide to IPVideo a full copy of all findings of the audit.

12. Regulation Specific Terms

12.1. HIPAA Business Associate. The parties do not contemplate the processing of Protected Health Information (PHI). However, should that occur and Customer is a “covered entity” or a “business associate” and includes PHI in Customer Data as those terms are defined in 45 CFR § 160.103, execution of the Agreement includes execution of an incorporated HIPAA Business Associate Agreement Addendum (“BAA”).  Customer may opt out of the BAA by sending the following information to IPVideo in a written notice under the terms of the Customer’s Agreement:  “Customer and IPVideo agree that no Business Associate Agreement is required. IPVideo is not a Business Associate of Customer’s, and Customer agrees that it will not share or provide access to PHI to IPVideo or IPVideo’s sub-processors.”

12.2. FERPA. If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), apply, IPVideo acknowledges that for the purposes of the DPA, IPVideo is a “school official” with “legitimate educational interests” in the Customer Data, as those terms have been defined under FERPA and its implementing regulations, and IPVideo agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials. Customer understands that IPVideo may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer must be responsible for obtaining any parental consent for any end user’s use of the Online Service that may be required by applicable law and to convey notification on behalf of IPVideo to students (or, with respect to a student under 18 years of age and not in attendance at a post-secondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data in IPVideo’s possession as may be required under applicable law.

12.3. CJIS. IPVideo agrees to support the Customer’s obligation to comply with the Federal Bureau of Investigation Criminal Justice Information Services (CJIS) Security Policy and must comply with the terms of the CJIS Security Addendum for the Term of this Agreement and such CJIS Security Addendum is incorporated herein by reference. Customer hereby consents to allow IPVideo “screened” personnel as defined by the CJIS Security Policy to serve as an authorized “escort” within the meaning of CJIS Security Policy for escorting unscreened IPVideo personnel that require access to unencrypted Criminal Justice Information for purposes of Tier 3 support (e.g. troubleshooting or development resources). In the event Customer requires access to Service Use Data for its compliance with the CJIS Security Policy, IPVideo must make such access available following Customer’s request. Notwithstanding the foregoing, in the event the Agreement terminates, IPVideo must carry out deletion of Customer Data in compliance with Section 10 herein and may likewise delete Service Use Data within the time frame specified therein. To the extent Customer objects to deletion of its Customer Data or Service Use Data and seeks retention for a longer period, it must provide written notice to IPVideo prior to expiration of the 30 day period for data retention to arrange return of the Customer Data and retention of the Service Use Data for a specified longer period of time.

12.4. CCPA / CPRA. If IPVideo is Processing Personal Data within the scope of the California Consumer Protection Act (“CCPA”) and/or the California Privacy Rights Act (“CPRA”) (collectively referred to as the “California Privacy Acts”), Customer acknowledges that IPVideo is a “Service Provider” within the meaning of California Privacy Acts. IPVideo must process Customer Data and Personal Data on behalf of Customer and, not retain, use, or disclose that data for any purpose other than for the purposes set out in this DPA and as permitted under the California Privacy Acts, including under any “sale” exemption. In no event will IPVideo sell any such data. If a California Privacy Act applies, Personal Data must also include any data identified with the California Privacy Act or Act’s definition of personal data. IPVideo shall provide Customer with notice should it determine that it can no longer meet its obligations under the California Privacy Acts, and the parties agree that, if appropriate and reasonable, Customer may take steps necessary to stop and remediate unauthorized use of the impacted Personal Data.

12.5. CPA, CTDPA, VCDPA. If IPVideo is Processing Personal Data within the scope of the Colorado Privacy Rights Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), or the Virginia Consumer Data Protection Act (“VCDPA”) IPVideo will comply with its obligations under the applicable legislation, and shall make available to Customer all information in its possession necessary to demonstrate compliance with obligations in accordance with such legislation.

IPVideo Contact. If Customer believes that IPVideo is not adhering to its privacy or security obligations hereunder, Customer must contact the IPVideo Data Protection Officer at Motorola Solutions, Inc., 500 W. Monroe, Chicago, IL USA 90661-3618 or at privacy1@motorolasolutions.com.

12.6. GDPR. To the extent IPVideo is a Processor or Sub-processor of Personal Data subject to the GDPR (as defined in Section 7 herein), the Standard Contractual Clauses set forth in Schedule 1 hereto must apply.

12.7. UK-GDPR. To the extent IPVideo is a Processor or Sub-processor of Personal Data subject to the UK-GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Schedule 1 hereto must apply.

13. IPVideo Contact. If Customer believes that IPVideo is not adhering to its privacy or security obligations hereunder, Customer must contact the Motorola Data Protection Officer at Motorola Solutions, Inc., 500 W. Monroe, Chicago, IL USA 90661-3618 or at privacy1@motorolasolutions.com.