Data Protection Addendum

Last Updated on May 3, 2023

Data Protection Addendum

(Veritone as Service Provider) (US)

THIS DATA PROTECTION ADDENDUM (this “Addendum”) is governed by and incorporated into those certain Terms and Conditions (the “Terms and Conditions”) referencing this Addendum that set forth the rights and obligations of a client (“Client”) accessing and/or using the Platform and/or Services (as such capitalized terms are respectively defined in such Terms and Conditions) from Veritone, Inc. or one of its direct or indirect subsidiaries (collectively, “Veritone”). Pursuant to the terms and conditions of this Addendum, Client hereby authorizes Veritone to Process Personal Information on behalf of Client. The Parties agree to comply with the terms and conditions set forth in this Data Protection Addendum with respect to any Personal Information.

1. Definitions.

   a. “Data Protection Laws” means all applicable national, local, state, federal, provincial, and divisional, statutes, rules or regulations, reporting requirements, ordinances, orders, decrees, judgments, consent decrees, settlement agreements and laws that are applicable to a respective party relating to data protection and privacy and including, state laws requiring notice of breaches involving Personal Information, the Illinois Biometric Information Privacy Act, the California Consumer Privacy Act Of 2018, as amended, and its implementing regulations, the Virginia Consumer Data Protection Act (when effective), the Colorado Privacy Act (when effective) and any equivalent legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed, consolidated, replaced, or re-enacted from time-to-time.

   b. “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Any definition of “personal information”, “personal data”, or equivalent, provided under Data Protection Laws shall apply when relevant.

   c. “Process” or “Processing” (or any of its cognates, such as “Processes” or “Processed”) means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.

   d. “Sale of Data” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, information, including Personal Information, to another business or a third party for monetary or other valuable consideration.

   e. “Security Incident” means any actual or reasonably suspected theft or accidental, unauthorized, or unlawful access to or acquisition, use, loss, destruction, alteration, compromise or disclosure of any information, including Personal Information.

   f. “Services” means the services provided or made available by Veritone to Licensee pursuant to the Agreement.Any capitalized terms used herein but not defined in this Addendum, shall have the meanings provided under applicable Data Protection Laws.

2. Compliance with Applicable Data Protection Laws. Veritone and Licensee agree that in performance of the Agreement and in compliance with this Addendum, Veritone and Licensee will comply with applicable Data Protection Laws regarding the use, disclosure, and other Processing of any Licensee data. Veritone shall take reasonable steps to ensure the reliability of any employee, subcontractor or agent who may have access to Licensee data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. To the extent Veritone determines that it is no longer able to meet the requirements of applicable Data Protection Laws with regards to the Processing of Licensee data and/or comply with its obligations under this Addendum, it shall promptly notify Licensee of such determination.
3. Ownership of Data. To the extent Veritone collects or Processes Licensee data, it does so on behalf of Licensee and pursuant to Veritone’s obligations under the Agreement and this Addendum. As between Licensee and Veritone, Licensee is the owner of all data collected or Processed by Veritone on Licensee’s behalf, to the extent permissible under Data Protection Laws.
4. Details of the Processing. For the purposes of this Addendum, Licensee shall be considered a “Data Controller” or “Business” and Veritone shall be considered a “Data Processor” or “Service Provider” as those terms are defined under applicable Data Protection Laws.a. The subject matter and duration of the Processing are set out in this Addendum and this Section. The nature and purpose of the Processing is in connection with the provision of the Services. The types of Personal Information Processed pursuant to this Agreement are as contemplated in the Agreement. The categories of consumers or other individuals whose Personal Information is Processed pursuant to this Agreement are as contemplated in the Agreement. Veritone will act only on Licensee’s documented instructions in relation to any Licensee Personal Information that Veritone Processes on Licensee’s behalf and as permitted by applicable laws. In so far as Veritone Processes any Licensee data, Veritone shall:
   1. not Process, transfer, modify, amend or alter the Licensee data or disclose or permit the disclosure of the Licensee data to any third party other than in accordance Licensee’s documented instructions (whether in the Agreement or otherwise) unless Processing is required by an applicable law to which Veritone is subject, in which case Veritone shall, to the extent permitted by such law, inform Licensee of that legal requirement before Processing that Licensee data;
   2. Veritone shall not combine Licensee Personal Information with Personal Information it receives from or on behalf of another person or that it collects from its own interactions with a Data Subject or Consumer (each term as defined under Data Protection Laws); and
   3. Veritone will not engage in the Sale of Licensee data.
   4. To the extent Veritone Processes any Licensee data, including Personal Information, collected in the European Economic Area (“EEA”), United Kingdom (“UK”) or Switzerland, the Parties shall execute additional data protection contractual provisions in accordance with applicable Data Protection Laws, including the Standard Contractual Clauses and the UK International Data Transfer Agreement, where applicable.
5. Licensee Obligations. Licensee, in its use of the Services, shall comply with all applicable Data Protection Laws with respect to the Processing of Personal Information. Licensee shall ensure that all Personal Information has been collected in accordance with applicable Data Protection Laws and upon proper notice to the individuals about whom the Personal Information is collected.
6. Privacy Rights Requests. Veritone shall promptly notify Licensee if it receives a request from a Data Subject or Consumer to exercise a right under Data Protection Laws. Veritone shall cooperate as requested by Licensee to enable Licensee to comply with the exercise of such rights by a Data Subject or Consumer, including in the deletion of Personal Information, where required. Veritone shall notify Licensee immediately if it believes that it is not required under applicable Data Protection laws to complete a privacy rights request from a Data Subject or Consumer.
7. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Veritone shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and shall take all measures required pursuant to Data Protection Laws. Without limitation to the foregoing, Veritone shall implement and maintain each of the technical and organisational measures set out and referred to in the Agreement.
8. Notification of Security Incident. Veritone shall notify Licensee promptly and without undue delay upon becoming aware of or reasonably suspecting a Security Incident involving Licensee Personal Information and will provide Licensee with sufficient information which allows Licensee to meet any obligations to report a Personal Information Security Incident under the applicable Data Protection Laws.
9. Assessments. Veritone shall provide reasonable assistance to Licensee in the completion of any data protection assessments, which may be required under applicable Data Protection Laws or may otherwise be necessary to demonstrate Licensee’s compliance with its obligations under this Agreement. Upon request by Licensee and at least once every twelve (12) months, Veritone agrees to complete an audit questionnaire regarding Veritone’s data privacy and information security program.
10. Subcontractors.

    a. Veritone shall not permit Processing by, or disclose, or make any data available to, any affiliate, subcontractor, or other third party without consent of and right to objection by Licensee and subject to a requirement that such affiliate, subcontractor, or third party comply with all of the provisions of this Addendum and only use the data in the provision of the Services. Veritone shall ensure that each person Processing the Personal Information of Licensee, including any subcontractors, commits to the duty of confidentiality with respect to the Personal Information.

    b. With respect to any permitted subcontractors, in addition to the requirements outlined in the Agreement and this Addendum, Veritone is responsible for the conduct and performance of each approved subcontractor or agent, is responsible to carry out adequate due diligence to make sure the subcontractor or agent is capable of providing the level of protection required by the Agreement, this Addendum, and applicable Data Protection Laws, and is responsible to make sure each permitted subcontractor or agent performs the obligations under the Agreement as if it were a party to the Agreement.

    c. Veritone shall execute a written agreement with such approved subcontractor or agent containing terms at least as protective with respect to data as the Agreement and this Addendum (provided that Veritone shall not be entitled to permit the subcontractor or agent to further subcontract or otherwise delegate all or any part of its responsibilities). Veritone shall not disclose any data to a permitted subcontractor or agent unless and until the subcontractor or agent needs to have access to perform the contracted services and the subcontractor or agent receives access only to the least amount of data needed to complete the contracted services.  Veritone will remain liable for the acts and omissions of any permitted subcontractor to the same extent it would be liable if performing the services of such subcontractor directly under the terms of this Addendum and the Agreement.

11. Termination or Expiration of Agreement. Veritone shall cease Processing Licensee’s Personal Information as soon as reasonably practicable upon the termination or expiration of the Agreement (or, if sooner, the service to which it relates).
12. Term. The terms and conditions of this Addendum will terminate upon termination or expiration of the Agreement. Notwithstanding the foregoing, provisions by which their nature are intended to survive the expiration or earlier termination of this Addendum or the Agreement are intended by Veritone and Licensee to survive such expiration or earlier termination of this Addendum or the Agreement.
13. Counterparts. This Addendum may be executed in multiple counterparts and by facsimile signature, each of which will be deemed an original and all of which together will constitute one instrument.
14. Certification. Where required by applicable Data Protection Laws, Veritone understands and accepts the restrictions outlined within this Addendum with respect to the Personal Information from Licensee. Veritone permits Licensee to monitor Veritone’s compliance with this Addendum through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months.