In providing the services described in our Terms of Service ("Terms of Service" or "Agreement"), we (Sessionize, owned by Web-ideja Ltd., hereinafter "Sessionize" or "we") process personal data on behalf of the users of those services ("Users"), for which we act as the processor under applicable data protection laws and our Users act as the controllers. That personal data is referred to as "Controller Data," as further described below.
This Data Processing Addendum ("Addendum") to our Terms of Service explains our data protection obligations and rights as a processor of the Controller Data, as well as the data protection obligations and rights of our Users as the controllers. Except in respect of the data protection obligations and rights of the parties set out in this Addendum, the provisions of the Agreement shall remain unchanged and shall continue in force.
This Addendum is between the User and Sessionize.
1. Role of the Parties
Sessionize and the User agree that with regard to the processing of the Controller Data, Sessionize is the processor and the User is the controller.
2. Scope of the Processing
2.1. Sessionize shall process the Controller Data on behalf of and in accordance with the instructions of the User. If Sessionize is legally required to process Controller Data for another purpose, Sessionize will inform the User of that legal requirement unless the law prohibits Sessionize from doing so.
2.2. The processing of Controller Data by Sessionize occurs for the purpose of managing User's event content, and Controller Data is comprised exclusively of personal data relating to data subjects who use a User's event, which may include a User's speakers, organizers, team members, developers, employees, or other administrative users. Controller Data does not include content or personal data provided by any of the foregoing persons to Sessionize in that person's capacity as a speaker of Sessionize.com or another service provided directly to the person by Sessionize.
The type of Controller Data processed by Sessionize depends on the services and features that the User decides to implement for the User's event, and may include name, tagline, biography, photo, email address and all other personal data that User has defined for User's event. Also, for analytics purposes it may include an IP address, and other technical data such as browser type, unique device identifiers, language preference, referring site, the date and time of access, operating system, mobile network information and approximate location data (from IP address).
The duration of processing corresponds to the duration of the Agreement, which is described in the Terms of Service.
2.3. The instructions of the User are in principle conclusively stipulated and documented in the provisions of this Addendum. Individual instructions which deviate from the stipulations of this Addendum or which impose additional requirements shall require Sessionize's consent.
2.4. The User is responsible for the lawfulness of the processing of the Controller Data. In case third parties assert a claim against Sessionize based on the unlawfulness of processing Controller Data, the User shall release Sessionize of any and all such claims.
2.5. Sessionize reserves the right to anonymize the Controller Data or to aggregate data in a way which does not permit the identification of a natural person, as well as the right to use the data in this form for purposes of designing, further developing, optimizing, and providing its services to the User as well as to other users of the service. The parties agree that the Controller Data rendered anonymous or aggregated as above-mentioned are no longer classified as Controller Data in terms of this Addendum.
3. Sessionize's Personnel Requirements
3.1. Sessionize shall require all personnel engaged in the processing of Controller Data to treat Controller Data as confidential.
3.2. Sessionize shall ensure that natural persons acting under Sessionize's authority who have access to Controller Data shall process such data only on Sessionize's instructions.
4. Security of Processing
4.1. Sessionize takes appropriate technical and organisational measures, taking into account the state of the art, the implementation costs, and the nature, the scope, circumstances, and purposes of the processing of Controller Data, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subject, in order to ensure a level of protection appropriate to the risk of Controller Data.
4.2. In particular, Sessionize shall establish prior to the beginning of the processing of Controller Data and maintain throughout the term the technical and organisational measures as specified in Annex 1 to this Addendum and ensure that the processing of Controller Data is carried out in accordance with those measures.
4.3. Sessionize shall have the right to modify technical and organisational measures during the term of the Agreement, as long as they continue to comply with the statutory requirements.
5.1. The User hereby authorizes Sessionize to engage subprocessors in a general manner in order to provide its services to the User. The User can find the current list of subprocessors on our website at sessionize.com/legal/subprocessors. In general, no authorization is required for contractual relationships with service providers that are not actively processing Controller Data but are only concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Controller Data cannot be excluded, as long as Sessionize takes reasonable steps to protect the confidentiality of the Controller Data.
5.2. Sessionize shall inform the User of any intended changes concerning the addition or replacement of subprocessors. The User is entitled to object to any intended change. An objection may only be raised by the User for important reasons which have to be proven to Sessionize. If the User objects, Sessionize is prohibited from making the intended change. Insofar as the User does not object within 14 days after receipt of the notification, the User's right to object to the corresponding engagement lapses. If the User objects, Sessionize and/or User are entitled to terminate the Agreement on reasonable notice.
5.3. Contracting Parties agree that data processing shall be carried out in countries of the EEA or as listed in the list of subprocessors at the moment of accepting the Addendum. Sessionize is obliged to inform the User in advance of any change in location of processing outside of the EEA. In the event that Services are provided in a country outside the European Economic Area, Contracting Parties are obliged to ensure compliance with the Right to Protection of Personal Data regarding any such transfer of personal data and shall undertake to conclude relevant agreements in accordance with the framework established by the European Commission for cases of data transmission to third countries.
5.4. Sessionize shall monitor the technical and organisational measures taken by the subprocessors.
6. Support obligations of Sessionize
6.1. Sessionize shall to a reasonable extent support the User with technical and organisational measures in fulfilling the User's obligation to respond to requests for exercising data subjects' rights.
6.2. Sessionize shall notify the User promptly after becoming aware of any breach of the security of Controller Data in terms of Art. 4 no. 12 GDPR, in particular any incidents that lead to the destruction, loss, alteration, or unauthorized disclosure of or access to Controller Data. If possible, the notification shall contain a description of:
- the nature of the breach of Controller Data, indicating, as far as possible, the categories and the approximate number of affected data subjects, the categories and the approximate number of affected personal data sets;
- the likely consequences of the breach of Controller Data;
- the measures taken or proposed by Sessionize to remedy the breach of Controller Data and, where appropriate, measures to mitigate their potential adverse effects.
6.3. In the event that the User is obligated to inform the supervisory authorities and/or data subjects in accordance with Art. 33, 34 of GDPR, Sessionize shall, at the request of the User, assist the User to comply with these obligations.
7. Deletion and return of Controller Data
Upon termination of the Terms of Service, Sessionize shall delete all Controller Data, unless Sessionize is obligated by law to further store Controller Data.
Sessionize maintains commercially reasonable safeguards designed to protect Controller Data from unauthorised access, use and disclosure. Sessionize currently abides by the security standards below. Sessionize may update or modify these security standards from time to time, provided that such updates and modifications will not result in a degradation of the overall security of Sessionize's services during the term of the User's Agreement with Sessionize.
1. Information Security Organisational Measures
- Sessionize's product team is committed to protecting Controller Data and addressing potential security risks.
- Sessionize and its third parties perform regular internal security testing to perform application, service and network vulnerability assessments.
- Sessionize requires all employees with access to Controller Data to observe the confidentiality of that data, and trains employees on confidentiality and security.
- Sessionize uses commercially reasonable measures for software, services, and application development, including routine dynamic testing and training personnel on coding techniques that promote security.
2. Physical Security
- Sessionize's servers are located in state-of-the-art cloud data centres designed to meet the regulatory demands of multiple industries. These data centres strictly control physical access to the areas where the data is stored.
3. Access Controls
- Sessionize maintains commercially reasonable access control procedures designed to limit access to Controller Data, including processes addressing password and account management for employees with access to Controller Data and virus scanning.
- Sessionize uses third parties' capabilities for additional security measures, such as firewalls and protection against denial of service (DDoS) attacks.
- Sessionize encrypts (serves over SSL) the Sessionize.com website, including sub-domains hosted on Sessionize.com.
4. Data Backup and Recovery
- Sessionize or its third parties use industry standard systems to help protect against loss of Controller Data due to power supply failure or line interference, which may include fire protection and warning measures, emergency power generators, and data recovery procedures.
Last updated: 22 Jan 2021