The company AirfairCTWW, SAS operating as Contrast with a capital of 214.22 euros, registered in the Commercial Register of Bobigny under the number 889006706 whose registered office is located at 7 place de l’hôtel de ville 96600 Aulnay-sous-Bois, represented by Salim Semaoune in his capacity as data protection officer ;
(hereinafter, the “Data Processor”) on the other hand,
The Data Processor and the Data Controller are individually referred to as a “Party” and jointly as the “Parties”.
IT HAS BEEN PREVIOUSLY SET FORTH, AS FOLLOWS:
The Parties declare and acknowledge that the negotiations preceding the conclusion of this agreement were conducted in good faith, that during the pre-contractual phase they received all information necessary and useful to make an informed commitment, and that each communicated to the other any information liable to determine its consent of which the other could legitimately be unaware. This Agreement forms part of the terms of service concluded between AirfairCTWW, operating as Contrast, and your company.
THIS BEING EXPOSED, THE PARTIES HAVE AGREED AS FOLLOWS:
Purpose
The purpose of this agreement is to define the conditions in which the Data Processor undertakes to carry out, on the Data Controller's behalf, the personal data processing operations defined below.
As part of their contractual relations, the Parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “the General Data Protection Regulation”).
Definitions
For the purposes of this agreement, the following terms shall have the meanings set out below or set forth in the General Data Protection Regulation:
Data Controller means the entity which determines the purposes and means of the Processing of Personal Data and refers to the company mentioned at the head of this agreement.
Data Processor means the entity which processes Personal Data on behalf of the Data Controller and refers to AirfairCTWW which operates under the name of Contrast, under the authority and on instructions of the Data Controller.
Data Subject means the identified or identifiable person to whom Personal Data relates.
Personal Data means any information relating to an identified or identifiable natural person and to an identified or identifiable legal entity (where such information is protected in the same way as Personal Data or personally identifiable information under applicable data protection laws and regulations). Personal Data covers any information that can identify an individual, whether directly (identification numbers) or through characteristics of physical, physiological, mental, economic, cultural or social identity. Examples include name, pseudonyms, address, telephone number, identity card number, occupation, salary/compensation, health or personnel records, birth date, financial/bank account information, physical characteristics, etc. Personal Data is every piece of information related to the individual, regardless of the form in which it is expressed and the format or medium in which it is kept (storage media, paper, tape, film, electronic media, etc.).
Processing means any operation or set of operations by the Data Processor on behalf of the Data Controller, which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Description of the Processing being subcontracted out
The Processor is authorised to process, on behalf of the Controller, the necessary Personal Data for providing the following services:
Contrast administration dashboard (https://admin.getcontrast.io)
Contrast audience application (https://app.getcontrast.io)
Contrast streaming studio (https://studio.getcontrast.io)
To perform the service covered herein, the Controller shall provide the Processor with the necessary information, including a detailed description of the processing set out in Appendix 1.
Duration of the agreement
This DPA takes effect on the date the Parties sign the MSA and remains in force for the duration of the engagement between the Data Controller and the Data Processor, or for as long as Personal Data is being processed.
Data Controller’s obligations
The Data Controller acknowledges and ensures:
that the Processing is carried out in accordance with the General Data Protection Regulation, including that the Data Subject was informed of the existence of the Processing operation and its purposes, of his or her rights, of the recipients of the Personal Data and of the applicable privacy policy;
That in the event the Data Controller processes “sensitive Data” as set out in article 9 of the General Data Protection Regulation (namely the Processing of Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic Data, biometric Data for the purpose of uniquely identifying a natural person, Data concerning health or Data concerning a natural person's sex life or sexual orientation), the Data Controller has collected it and requires the Data Processor to process it in accordance with the article 9 of the General Data Protection Regulation;
that the Data Controller will respond, without undue delay, to requests for information from the data protection authority (in France, the CNIL), if appropriate;
that the Data Controller will respond, without undue delay, to requests from Data Subjects and will give appropriate instructions to the Data Processor, in due time.
The Controller undertakes to:
provide the Processor with the Personal Data mentioned in Appendix 1 hereof;
document, in writing, any instruction regarding the Processing of Personal Data by the Processor;
ensure, before and throughout the Processing, compliance with the obligations set out in the General Data Protection Regulation.
Data Processor's obligations
The Data Processor shall undertake to:
process the Personal Data solely for the purposes subject to the agreement signed between the Parties, as set out in Appendix 1;
where the Data Processor considers that an instruction infringes the General Data Protection Regulation or any other legal provision of the Union or of a Member State regarding Personal Data protection, it shall immediately inform the Data Controller thereof. Moreover, where the Data Processor is required to transfer Personal Data to a third country or an international organisation under Union law or Member State law to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal requirement before the Processing, unless that law prohibits such information on important grounds of public interest;
guarantee the confidentiality of Personal Data processed hereunder;
ensure that the persons authorised to process the Personal Data hereunder:
have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
receive the appropriate Personal Data protection training;
take into consideration, in terms of tools, products, applications or services, the principles of Data protection by design and by default;
set up and maintain a specific documentation of Personal Data protection legislation and practice;
inform its employees of their responsibility regarding Data protection, including confidentiality of the Personal Data;
in the event of a legal, administrative or judicial prohibition of the Data Processor's right to process Personal Data, inform the Data Controller, who may terminate the Agreement without being entitled to hold the Data Processor liable or to claim damages;
cooperate with the data protection authorities.
Sub-processing
The Data Processor may use another processor (hereinafter, the “Sub-Processor”) to carry out specific Processing activities. The Data Controller hereby gives its general authorisation for the use of Sub-Processors by the Data Processor. The Data Processor undertakes to send an up-to-date list of the Sub-Processors it uses, annually on the anniversary date of the Agreement. This information must clearly indicate the subcontracted Processing activities, the identity and contact information of each Sub-Processor and the dates of the sub-processing contract.
The Data Controller has a minimum of 30 (thirty) days from the date of receipt of this information to present its objections. In the event of disagreement by the Data Controller with the use of one of the Sub-Processors and in the absence of an alternative found by the Parties within 30 (thirty) days, the Data Controller may terminate the Agreement, without being able to claim any compensation or damages as a result of it.
The Sub-Processor shall comply with the obligations hereunder on behalf of and under the instructions of the Data Controller. It is the initial Data Processor's responsibility to ensure that the Sub-Processor provides the same sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing meets the requirements of the General Data Protection Regulation. Where the Sub-Processor fails to fulfil its Personal Data protection obligations, the Data Processor remains fully liable before the Data Controller for the sub-contracting of its obligations.
Data Subjects’ information
It is the Data Controller's responsibility to inform the Data Subjects concerned by the Processing activities at the time Personal Data is being collected, unless otherwise agreed between the Parties.
Exercise of Data Subjects’ rights
It is the Data Controller's responsibility to fulfil its obligation to respond to requests of the Data Subjects to exercise their rights (right of access, rectification, erasure, and objection, right to restriction of Processing, right to portability, right not to be subject to an automated individual decision, including profiling), and will give proper instructions to the Data Processor, in due time, as set out in Article V-4 of this DPA.
The Data Processor shall assist the Data Controller, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the Data Subject's rights.
Where the Data Subjects submit requests to the Processor to exercise their rights, the Data Processor must forward these requests as soon as they are received by email to a point of contact of the Data Controller in charge of data protection and privacy.
Notification of Personal Data Breach
The Data Processor shall notify the Data Controller of any Personal Data Breach without undue delay, and not later than 48 (forty-eight) hours after having become aware of it. Said notification shall be sent along with any necessary documentation to enable the Data Controller, where necessary, to notify this Breach to the competent supervisory authority.
Data Processor shall make reasonable efforts to identify the cause of such a Personal Data Breach and take those steps as Data Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Breach to the extent the remediation is within Data Processor’s reasonable control.
Assistance
The Data Processor assists the Data Controller in carrying out data protection impact assessments.
The Data Processor assists the Data Controller in any consultation of the competent Data Protection Authority or in any matter for which its help is required.
Security measures
The Data Processor undertakes to implement the technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Appendix 2 (“Security measures”).
The Data Processor shall at all times have in place appropriate technical and organizational measures to prevent unauthorized access to Personal Data and the use of Personal Data for any purpose other than those for which they have been transmitted to the Data Processor.
The Data Processor represents and warrants that the security measures taken shall in no way be less than those required by applicable law or than those a reasonable cautious entity engaged in the same business as the Data Processor would take to protect Personal Data stored by it against unauthorized use or access.
The measures to be taken by the Data Processor include, but are not limited to, those listed in Appendix 2.
In cases where the Data Processor obtains the prior written approval of the Data Controller for transmitting Personal Data to a third party, the Data Processor shall again take the appropriate level of security measures to ensure a secured transmission of Personal Data.
The Data Processor shall protect and keep safe Personal Data as confidential information. The confidentiality requirements of the Data Processor contained in any and all business and/or confidentiality agreements it signed with the Data Controller shall also apply to Personal Data.
End of services
At the end of the service regarding the Processing of such Personal Data, the Data Processor undertakes to destroy or anonymize all Personal Data provided by the Data Controller.
Records of the Processing activities
The Data Processor acknowledges and ensures that it maintains a written record of all categories of Processing activities carried out on behalf of the Data Controller, containing:
the name and contact details of the Data Controller on behalf of which the Data Processor is acting, any other Sub-Processor and, where applicable, the Data Protection Officer;
the categories of Processing carried out on behalf of the Data Controller;
where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
where possible, a general description of the technical and organisational security measures, including inter alia:
the pseudonymisation and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
Documentation
The Data Processor provides the Data Controller with the necessary documentation for demonstrating compliance with all of its obligations and for allowing the Data Controller or any other auditor it has authorised to conduct audits, including inspections, and for contributing to such audits.
Ex-EEA Transfers
Any transfer of Personal Data outside the European Economic Area (EEA) must be carried out in compliance with the applicable regulations relating to the protection of Personal Data.
Pursuant to the General Data Protection Regulation, Personal Data of the Data Controller must not be processed outside the European Union (EU), except in countries that have been recognized by the European Commission as providing an adequate level of protection.
Consequently, the Data Processor undertakes to use processing means located in an EU Member State or in a country that has been recognized by the European Commission as providing an adequate level of protection, provided that the processing does not fall within the limits mentioned in the adequacy decision of the European Commission. In the event that these limits are applicable, the Data Processor, and if required by the Data Controller, any involved Sub-Processor, undertake to enter into Standard Contractual Clauses as defined below.
The processing of Personal Data outside the EEA may not take place unless the conditions mentioned below are strictly complied with:
The Data Controller agrees to such processing;
The Data Processor carries out an impact assessment on the transfer of the data before choosing a Sub-Processor located outside the EU, under the conditions provided for by the European Data Protection Board;
The Data Processor provides the Data Controller with a map of the locations outside the EEA from which the Processing is carried out (for example: hosting, backup, maintenance, administration and helpdesk);
The Parties shall enter into a data transfer agreement in due and proper form in accordance with the conditions set forth in the current European Commission Decision on Standard Contractual Clauses for the transfer of personal data to processors established in third countries (hereinafter the “Standard Contractual Clauses”) or any other mechanism recognized and validated by the European authorities as providing an adequate legal framework to secure the processing of personal data of European residents outside the EU;
The Data Processor guarantees the signature and compliance by its Sub-Processors with the Standard Contractual Clauses;
The security measures agreed by the Parties to this Agreement are applicable to the Data Processor as well as to its Sub-Processors established outside the EU.
Data protection officer
The Data Controller has appointed, in compliance with article 37 of the General Data Protection Regulation, the following Data protection officer (“DPO”):
Salim Semaoune
113 avenue du général Michel Bizot, 75012 Paris
(+33) 6.63.68.60.87
Termination of the Agreement
The Parties acknowledge that the termination of the Agreement, at any time and for any reason whatsoever, does not relieve them of their obligations under the General Data Protection Regulation and any other applicable laws regarding the Processing in accordance with the Agreement.
Provided that the Data Controller is given the time necessary to find an alternative solution to the Processing, and provided that this solution works satisfactorily, the Data Processor shall, as necessary, delete or anonymize all existing copies of Personal Data collected by the Data Controller, held and processed by the Data Processor.
In the event that, for practical reasons, the Personal Data processed by the Data Controller cannot be deleted or anonymized, the Data Processor shall take the necessary measures to ensure that such data will no longer be processed, or disclosed, or used, except to ensure their deletion when it becomes possible.
Liability
With regard to the Data Processor's liability for the Processing of Personal Data within the meaning of the General Data Protection Regulation, the Parties acknowledge that the Data Processor may be held liable for damage suffered by Data Subjects, in application of Article 82, and may also be sanctioned directly by the competent data protection authorities (Article 83).
Since these two mechanisms balance the respective responsibilities of the Data Controller and the Data Processor, the Parties waive the right to make specific provisions relating to any failure by the other Party to comply with its obligations regarding the protection of personal data, it being specified that the provisions of any superseding Agreement remain applicable.
Governing Law – Agreement Language
By express agreement between the Parties, this Agreement is governed by French law, to the exclusion of any other legislation.
Resolution of disputes
For any dispute arising from the execution of this Agreement, the most diligent Party shall take action before the competent courts.
APPENDIX 1 – DETAILS OF THE PROCESSING
* File available upon request
APPENDIX 2 – SECURITY MEASURES
Our duty to keep your data secure
Contrast is a platform that helps businesses create videos and hosts webinars. Because of the sensitive nature of the content that businesses create on Contrast, we understand the importance of security.
It is our duty to ensure that your data is secure at all times. This is why data security is embedded in our processes and ways of working. This document gives full transparency on these processes.
Security at the organizational level
At Contrast, the security initiative and program are managed and supervised by co-founder and Chief Technical Officer (CTO hereafter) Salim Semaoune.
The scope of this program includes:
Security Architecture
Product Security
Security Engineering
Operations
GDPR & Privacy Policy
Risk and Compliance
Customer Data Protection Program (CDPP)
The goal of this program is to prevent unauthorized access to our customers' data. The program puts in place policies, best practices and continuous improvement to ensure the security of our customers' data.
You can find more information about the practical implications of this program below.
Embedded security in product development process
Together, the product and tech teams mitigate risk by making security a priority inside the design process. This includes understanding risks upfront, identifying possible vulnerabilities and managing data access (e.g. for product analytics).
Throughout the development process, risks and vulnerabilities are assessed and mitigated where possible. After delivery of a feature or product, we continue to monitor and assess potential risks.
TLS
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. Contrast uses TLS (versions 1.3 and 1.2) across all components of the platform. TLS certificates are issued by Let's Encrypt, an open certificate authority; Let's Encrypt certificates are valid for 90 days and are renewed before they expire.
Video conference security
Contrast uses the WebRTC protocol to exchange audio and video packets directly in the browser, without any plugin or download. Please refer to the official WebRTC documentation for why the protocol is secure by design.
Signalling between the browser and Contrast is carried over Transport Layer Security (TLS). The media itself is encrypted with SRTP (RFC 3711), with keys negotiated through DTLS-SRTP (RFC 5764), both defined by the IETF. Each endpoint encrypts the audio and video it sends and verifies the integrity of what it receives through the SRTP authentication tag.
Video streaming security
Contrast uses the HTTP Live Streaming (HLS) protocol to stream videos over the Internet. Playlists and media segments are served over HTTPS, so Transport Layer Security (TLS) provides confidentiality and server authentication, protecting against man-in-the-middle attacks and eavesdropping.
Data in transit
Video transmission is encrypted using TLS (version 1.2 or later)
Traffic to the administration panel, the viewer application and the video production studio is encrypted using TLS (version 1.2 or later)
Data flows to third parties such as Zapier or HubSpot are encrypted in transit using TLS (version 1.2 or later) and authorized through OAuth
Transmission to our monitoring platform is encrypted using TLS, with HSTS enforced
Data at rest
Videos are stored in a private bucket and encrypted at rest
Customer data is stored in an encrypted AWS RDS database
Audience data is stored in an encrypted AWS RDS database
Covers, logos and avatars are stored in a private AWS S3 bucket
Contact data on HubSpot is stored in encrypted systems
Telemetry data on Datadog is stored in encrypted systems
Payments
Payment processing is delegated to our payment provider, Stripe, which maintains the strictest level of payment security available in the industry.
Stripe has been audited by a PCI-certified auditor and is certified as a PCI Service Provider Level 1, the most stringent level of certification available in the payments industry.
Provisioning
To minimize the risk of data exposure, we limit access to data to the minimum that allows employees to fulfil their responsibilities (least privilege). Access rights are reviewed regularly and revoked when no longer needed.
Authentication
To further minimize risk, we enforce multi-factor authentication (2FA) on all third-party services that support it.
Password Management
Contrast requires employees to use an approved password manager. Our current password manager is 1Password.
A password manager assists in generating and retrieving complex passwords, storing such passwords in an encrypted database or calculating them on demand.
System Monitoring, Logging, and Alerting
Contrast uses AWS WAF to mitigate application-layer DDoS attacks and to block several other classes of threat, using managed rules covering the OWASP Top 10.
Contrast has implemented a monitoring infrastructure based on Datadog to proactively detect security breaches and abnormal activity and to automatically trigger alerts and escalation processes.
Data retention and disposal
Customer data is hard deleted upon request to our customer service or DPO. All information is then deleted from our infrastructure.
Personal customer data is retained for a defined period: until opt-out, or at most one year after the last contact with our services. The specific retention periods that may apply to personal data are listed below.
(i) Regarding data relating to customer and prospect management:
Your personal data shall not be retained any longer than is strictly necessary for the management of our business with you. However, data proving the existence of a right or a contract must be kept in order to adhere to legal obligations and shall be held for the term stipulated by the applicable law.
Regarding potential prospecting operations for customers, their data may be held for a period of one (1) year after the last contact with the customer.
Personal data relating to a prospective customer, who is not already a customer, may be held for a period of one (1) year from the moment it is collected or from the last contact with the prospective customer.
(ii) Regarding user data:
Your personal data is kept for a period of 1 (one) year from the date of your last use of the application.
(iv) Regarding the management of opt-out lists compiled during prospecting activities:
Information enabling recognition of your right to opt-out is retained for a minimum of one (1) year following the exercising of your right to opt out.
(v) Regarding web audience tracking statistics:
Information stored in users' terminals, or any other means used to identify users and enabling them to be tracked or to measure the frequency of their visits, shall be retained for no longer than twelve (12) months after collection of their consent.
(vii) Regarding call recording data:
The data collected from the recordings of telephone calls are kept for a maximum period of six (6) months.
(viii) Regarding the management of your requests to exercise your rights under the GDPR:
Information enabling the management of your requests to exercise your rights under the GDPR will be kept for 1 (one) year from the date of your request.
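The retention schedule above is only useful if something enforces it. The following is an added illustration, not Contrast's own tooling: it encodes the periods listed above as rules and decides, for a constructed set of records, which ones may be purged at a reference date. The record categories, field names and sample records are hypothetical. Two points the schedule implies but does not spell out are handled explicitly: the opt-out list is a minimum retention (the record must be kept so the objection can keep being honoured), and data subject to a legal obligation to prove a right or contract is placed on hold rather than purged. A record without the timestamp its rule keys on is flagged for review instead of being silently deleted or silently kept.

```python
"""Retention schedule enforcement (added illustration, not Contrast's code)."""
import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def expiry_iso(start_iso: str, months: int) -> str:
    """ISO-date convenience wrapper around add_months."""
    return add_months(date.fromisoformat(start_iso), months).isoformat()


@dataclass(frozen=True)
class Rule:
    clock_fields: tuple  # candidate fields; the first one present starts the clock
    months: int          # retention period from the schedule above
    auto_purge: bool     # False: the period is a floor, the job never deletes


# Hypothetical category names; periods taken from the schedule above.
RULES = {
    "customer":       Rule(("last_contact",), 12, True),
    "prospect":       Rule(("last_contact", "collected_on"), 12, True),
    "user":           Rule(("last_use",), 12, True),
    "opt_out":        Rule(("opted_out_on",), 12, False),   # keep at least one year
    "web_analytics":  Rule(("consent_on",), 12, True),
    "call_recording": Rule(("recorded_on",), 6, True),
    "rights_request": Rule(("requested_on",), 12, True),
}


def decide(record: dict, today: date) -> str:
    """Return 'purge', 'keep' or 'review' for one record."""
    if record.get("legal_hold"):
        return "keep"                      # evidence of a right or contract
    rule = RULES.get(record.get("category"))
    if rule is None:
        return "review"                    # unknown category: never delete blindly
    start_iso = next((record[f] for f in rule.clock_fields if record.get(f)), None)
    if start_iso is None:
        return "review"                    # nothing to measure the period from
    expires = add_months(date.fromisoformat(start_iso), rule.months)
    if today < expires:
        return "keep"
    return "purge" if rule.auto_purge else "keep"


# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": "c1", "category": "customer", "last_contact": "2023-01-15"},
    {"id": "c2", "category": "customer", "last_contact": "2023-01-15", "legal_hold": True},
    {"id": "p1", "category": "prospect", "collected_on": "2023-03-01"},  # never contacted
    {"id": "u1", "category": "user", "last_use": "2023-09-30"},
    {"id": "o1", "category": "opt_out", "opted_out_on": "2022-01-01"},
    {"id": "r1", "category": "call_recording", "recorded_on": "2023-11-01"},
    {"id": "r2", "category": "call_recording"},                          # missing timestamp
    {"id": "x1", "category": "marketing_blob"},                          # unknown category
]


def run(today_iso: str = "2024-03-01") -> dict:
    """Evaluate every sample record at the given reference date."""
    today = date.fromisoformat(today_iso)
    return {r["id"]: decide(r, today) for r in SAMPLE_RECORDS}


if __name__ == "__main__":
    for rid, verdict in run().items():
        print(rid, verdict)
```

In practice the `review` bucket is the interesting output: it is where categories missing from the schedule and records with broken provenance surface, and a purge job that silently keeps (or deletes) those is how a retention policy drifts away from what the document promises.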
Responding to Security Incidents
Contrast has an incident escalation policy and tools in place to organize and decrease the time to remediation. Engineering team members have been onboarded and trained to follow the escalation policy. This includes:
monitoring tools and alerts to pro-actively detect abnormal patterns
internal communication guidelines and dedicated incident threads
public communication about incident status
root cause analysis and post-mortems to strengthen infrastructure and processes
A complete Disaster Recovery and Business Continuity Plan can be found in the next section.
Disaster Recovery and Business Continuity Plan
Vendors and third-party-services
Our operations require the use of vendors and third-party services. Using them introduces risk outside our direct control. We take appropriate steps to maintain our security posture by establishing agreements that require these service organizations to adhere to the data protection commitments we have made to users.
Contrast Application
The Contrast application consists of multiple components, each accessible depending on the user's role.
Admin application
This application is used to create and manage webinars. You can recognize it by its domain, admin.getcontrast.io.
Access to this application is managed by the admin (creator) of the account. Admins can invite an unlimited number of team members to the application.
Invitees and members are managed on a global organization level. It is possible to revoke invites and remove members as the admin sees fit.
Registration pages and channels
Registration pages and channels are publicly available on the Internet. You can recognize these pages by their domain, app.getcontrast.io.
To gain access to content that's behind the registration pages and channels, visitors must sign up. Once a visitor signs up, it becomes a tracked registrant that is visible on the admin application.
Contrast Studio
Contrast Studio is a live streaming solution that broadcasts the webinar or records content. You can recognize this application by its domain, studio.getcontrast.io.
Each Studio session has a unique, algorithmically generated ID that is required to join it, which prevents unauthorized access. All team members of an organization have access to the organization's Studio sessions.
The Studio URL for a session may also be shared externally, for example with a guest speaker. Because the URL carries the session ID, anyone holding it can join, so it should be shared only with intended participants.
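A session ID that is shared in a URL is a bearer credential: it only prevents unauthorized access if it cannot be guessed or enumerated. The following added example (not Contrast's code; the store, names and the counter-based anti-pattern are hypothetical) shows what that requires in practice: IDs drawn from the OS CSPRNG with 128 bits of entropy, a syntactic check before any lookup, only a hash of the ID kept server-side, and revocation for when a link shared with an outside speaker should stop working. It contrasts this with a "unique" but sequential ID scheme by running the same enumeration attempt against both.

```python
"""Studio-style session IDs as bearer credentials (added example, not Contrast's code)."""
import hashlib
import itertools
import secrets
import string

ID_BYTES = 16  # 128 bits of entropy: 2^128 candidates, enumeration is hopeless
_ALLOWED = set(string.ascii_letters + string.digits + "-_")
_ID_LEN = 22   # base64url of 16 bytes without padding


def new_session_id() -> str:
    """Unguessable ID from the OS CSPRNG, URL-safe so it can live in a link."""
    return secrets.token_urlsafe(ID_BYTES)


def looks_like_session_id(candidate: str) -> bool:
    """Cheap syntactic check before touching the store: length and alphabet."""
    return len(candidate) == _ID_LEN and set(candidate) <= _ALLOWED


def fingerprint(session_id: str) -> bytes:
    """Store the SHA-256 of the ID: a leaked table does not hand out join links."""
    return hashlib.sha256(session_id.encode("ascii")).digest()


class SessionStore:
    """Hypothetical in-memory store keyed by ID fingerprint."""

    def __init__(self):
        self._by_fp = {}

    def create(self, org_id: str) -> str:
        sid = new_session_id()
        self._by_fp[fingerprint(sid)] = {"org": org_id, "active": True}
        return sid  # returned once; the plaintext ID is never stored

    def join(self, presented: str):
        """Session metadata for a presented ID, or None."""
        if not looks_like_session_id(presented):
            return None
        # Looking the digest up in a dict is timing-safe here: the comparison runs on
        # SHA-256 output, which an attacker cannot shape without already knowing the ID.
        meta = self._by_fp.get(fingerprint(presented))
        if meta is None or not meta["active"]:
            return None
        return meta

    def revoke(self, sid: str) -> None:
        """Invalidate a link that was shared externally and should stop working."""
        meta = self._by_fp.get(fingerprint(sid))
        if meta is not None:
            meta["active"] = False


class WeakSessionStore:
    """The anti-pattern: IDs that are unique but predictable (a counter)."""

    def __init__(self, start: int = 1000):
        self._next = itertools.count(start)
        self._ids = set()

    def create(self) -> str:
        sid = f"studio-{next(self._next)}"
        self._ids.add(sid)
        return sid

    def join(self, presented: str) -> bool:
        return presented in self._ids


def enumeration_attack(join, candidates) -> int:
    """Count sessions an outsider reaches by trying candidate IDs."""
    return sum(1 for c in candidates if join(c))


def demo(sessions: int = 5, budget: int = 5000) -> tuple:
    """(hits against counter IDs, hits against CSPRNG IDs) for the same guess budget."""
    weak = WeakSessionStore()
    for _ in range(sessions):
        weak.create()
    weak_hits = enumeration_attack(weak.join, (f"studio-{n}" for n in range(budget)))

    strong = SessionStore()
    for _ in range(sessions):
        strong.create("org-1")
    guesses = (secrets.token_urlsafe(ID_BYTES) for _ in range(budget))
    strong_hits = enumeration_attack(lambda c: strong.join(c) is not None, guesses)
    return weak_hits, strong_hits


if __name__ == "__main__":
    print(demo())  # every counter-based session is found; no random one is
```

The same reasoning applies to any "unique ID" used as the only gate on a resource: uniqueness is a database property, unguessability is a security property, and only the second one stops an outsider from walking the ID space.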
Questions or remarks
If you have questions or remarks regarding security or privacy at Contrast, do not hesitate to reach out to
DPO at dpo@getcontrast.io
CTO at salim@getcontrast.io