Visionify Data Processing Agreement (DPA)

Last Updated: Sep 4, 2024

This Data Processing Agreement (“DPA”) forms part of the Customer License Agreement (“CLA”) between Visionify Inc. (“Processor”) and the Customer (“Controller”) for compliance with the EU General Data Protection Regulation (“GDPR”).

1. Scope and Application

This DPA applies to Visionify’s processing of Personal Data provided by the Customer under the CLA and governs all related obligations. If a conflict arises between the CLA and this DPA, the provisions of this DPA will prevail.

2. Definitions

Terms not defined herein shall have the meanings set forth in the GDPR or the CLA.

  • Controller: The Customer, who determines the purposes and means of Personal Data processing.
  • Processor: Visionify Inc., which processes Personal Data on behalf of the Controller.
  • Sub-processor: Any third-party provider appointed by Visionify to process Personal Data.
  • Data Transfer: Transfer of Personal Data by the Processor within its own or to third-party establishments.

3. Obligations of the Controller

The Controller shall:

  • Confirm lawful grounds for processing Personal Data and maintain records of any required consents.
  • Ensure proper privacy notices are given to Data Subjects.
  • Communicate any revocation of consent from Data Subjects and notify Visionify of regulatory inquiries, complaints, or requests for data access, correction, or deletion.

4. Obligations of the Processor

Visionify shall:

  • Process Personal Data only on documented instructions from the Controller, including as detailed in the CLA and related documentation.
  • Assist the Controller with data access requests, rectification, or deletion requests from Data Subjects, and regulatory requirements.
  • Maintain appropriate technical and organizational measures to secure Personal Data per Annex II of this DPA.

5. Personal Data Breach Notification

Visionify will notify the Controller without undue delay upon becoming aware of any Personal Data Breach. Visionify will provide reasonable support to address and mitigate the impact of the breach.

6. Data Transfer Mechanism

Any Data Transfer outside the European Economic Area (EEA) shall be in compliance with the GDPR. Standard Contractual Clauses, as specified in Schedule 1, apply where required.

7. Audit Rights

Upon reasonable notice, Visionify will provide information or allow audits to verify its compliance with GDPR obligations. The Controller shall bear the costs of any such audit.

8. Sub-processors

Visionify is authorized to engage Sub-processors listed in Annex III. Visionify remains liable for any Sub-processor’s failure to meet obligations as set forth in this DPA.

9. Return or Deletion of Personal Data

Upon termination or expiration of the CLA, Visionify shall, at the Controller’s choice, either return or delete all Personal Data within 30 days, unless retention is required by law.

10. Annexes and Technical Measures

The following annexes are incorporated by reference and specify the data protection requirements:

  • Annex I: Categories of Data Subjects and Personal Data (types, duration, and purposes)
  • Annex II: Technical and Organizational Security Measures
  • Annex III: Authorized Sub-processors

Annex I: Categories of Data Subjects and Personal Data

  1. Data Subjects
    The categories of Data Subjects whose Personal Data is processed by Visionify may include, but are not limited to:

    • Customer’s authorized users of the VisionAI Services
    • Customer’s employees, contractors, and personnel monitored by the VisionAI Services
  2. Categories of Personal Data
    The following categories of Personal Data may be processed:

    • Basic Identifiers: Name, User ID, Username
    • Contact Information: Email address, phone number
    • Images and Video: Video footage and images processed by Visionify's workplace safety solutions for safety and compliance monitoring
  3. Purpose and Duration of Processing

    • Purpose: To provide the VisionAI Services as outlined in the Customer License Agreement, including safety compliance, monitoring, and reporting.
    • Duration: Personal Data is processed for the duration of the Customer License Agreement or as otherwise specified by the Customer, subject to deletion requests and legal obligations.

Annex II: Technical and Organizational Security Measures

Visionify is committed to safeguarding Personal Data through the following technical and organizational measures:

  1. Access Controls

    • Multi-factor authentication and Single Sign-On (SSO) for system access.
    • Role-based access to restrict data access based on user responsibilities.
    • Periodic access reviews to ensure access only for authorized personnel.
  2. Data Encryption

    • Data in transit is encrypted using HTTPS (TLS/SSL).
    • Data at rest is encrypted within storage environments to prevent unauthorized access.
  3. Physical Security

    • Secure data centers with restricted access and 24/7 monitoring.
    • Servers located in facilities compliant with recognized security standards (e.g., ISO 27001, SOC 2).
  4. Incident Management

    • Documented incident response policies and escalation procedures.
    • Continuous monitoring for unusual activities, with procedures to contain and mitigate security incidents.
  5. Personnel Security and Training

    • Security and privacy training provided to employees with access to Personal Data.
    • Confidentiality agreements signed by all personnel handling customer data.
  6. Data Backup and Recovery

    • Regular data backups and testing of recovery protocols to ensure data integrity and availability.
  7. Audit Logs and Monitoring

    • Logging and monitoring access to systems and data for audit and investigation purposes.
  8. Vulnerability Management

    • Regular vulnerability scans and timely patch management to address security risks.

Annex III: Authorized Sub-processors

The following Sub-processors are authorized by the Controller to process Personal Data on behalf of Visionify:

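| Sub-processor   | Description of Processing                      | Location |
|-----------------|------------------------------------------------|----------|
| Microsoft Azure | Cloud services for data processing and storage | Global   |
| Cloudinary      | CDN (Content Delivery Network)                 | Global   |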

Visionify will inform the Customer of any new Sub-processors before engaging them, allowing the Customer to raise objections if any Sub-processor fails to meet security requirements.