Data Processing Addendum

Last Updated: September 01, 2020

VisionX, Inc. (“VisionX”) and the counterparty agreeing to these terms (“CUSTOMER”) have entered into a written agreement (the “AGREEMENT”) for subscription software and services provided by VisionX (collectively, the “SERVICE”). This Data Processing Addendum, including, the appendices (the “DPA”), forms part of the Agreement. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.

By entering into the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of the Customer Group, if and to the extent VisionX processes Personal Data for which such members of Customer Group qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, “Customer” includes the Customer Group.

This DPA replaces any previously applicable terms relating to their subject matter (including any data processing amendment, agreement or addendum relating to the Service).

DATA PROCESSING TERMS

In connection with the Service, the parties anticipate that VisionX may process outside of the European Economic Area (“EEA”) and United Kingdom, certain Personal Data (as hereinafter defined) in respect of which the Customer or its affiliates may be a data controller or data processor, as applicable, under applicable EU Data Protection Laws.

The parties have agreed to the terms of this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by EU Data Protection Laws. Accordingly, VisionX agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to VisionX or collected and processed by or for Customer using the Service.

1. Definitions

  • 1.1 The following definitions are used in this DPA:

    • a) “ADEQUATE COUNTRY” means a country or territory that is recognized under EU Data Protection Laws as providing adequate protection for Personal Data.
    • b) “AFFILIATE” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists).
    • c) “VISIONX GROUP” means VisionX and any of its Affiliates.
    • d) “CUSTOMER GROUP” means Customer and any of its Affiliates which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement but has not signed its own Order with VisionX and is not a "Customer" as defined under the Agreement.
    • e) “EU DATA PROTECTION LAWS” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR.
    • f) “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
    • g) “PERSONAL DATA” means all data which is defined as ‘personal data’ under EU Data Protection Laws and to which EU Data Protection Laws apply and which is provided by the Customer to VisionX, and accessed, stored or otherwise processed by VisionX as a data processor as part of its provision of the Service to Customer.
    • h) “processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” shall have the meanings ascribed to them in EU Data Protection Laws.
  • 1.2 An entity “CONTROLS” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “COMMON CONTROL” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.

2. Status of the parties

  • 2.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1.
  • 2.2 Each party warrants in relation to Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with EU Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
  • 2.3 In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that the Customer is the data controller or processor, and VisionX is a data processor or sub-processor, as applicable, and accordingly VisionX agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.
  • 2.4 If Customer is a data processor, Customer warrants to VisionX that Customer’s instructions and actions with respect to the Personal Data, including its appointment of VisionX as another processor and concluding the standard contractual clauses (Annex 2), have been authorized by the relevant controller. Where and to the extent that VisionX processes data which is defined as ‘personal data’ under EU Data Protection Laws as a data controller as set out in the VisionX Privacy Policy, viewable at https://visionx.io/privacy-policy
  • 2.5 VisionX will comply with applicable EU Data Protection Laws in respect of that processing.
  • 2.6 Each party shall appoint an individual within its organization authorized to respond from time to time to enquiries regarding the Personal Data and each party shall deal with such enquiries promptly.

3. VisionX obligations

  • 3.1 With respect to all Personal Data, VisionX warrants that it shall:

    • (a) only process Personal Data in order to provide the Service, and shall act only in accordance with: (i) this DPA, (ii) the Customer’s written instructions as represented by the Agreement and this DPA, and (iii) as required by applicable laws;
    • (b) upon becoming aware, inform the Customer if, in VisionX’s opinion, any instructions provided by the Customer under Section 3.1(a) infringe the GDPR;
    • (c) implement technical and organizational measures specified in Annex 3 (the “VISIONX SECURITY STANDARDS”). The VisionX Security Standards are designed to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
    • (d) take reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality;
    • (e) without undue delay after becoming aware, notify the Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by VisionX, its sub-processors, or any other identified or unidentified third party (a “SECURITY BREACH”);
    • (f) promptly provide the Customer with reasonable cooperation and assistance in respect of a Security Breach and all reasonable information in VisionX’s possession concerning such Security Breach insofar as it affects the Customer, including the following to the extent then known:
    • (i) the possible cause and consequences for the Data Subjects of the Security Breach;
    • (ii) the categories of Personal Data involved;
    • (iii) a summary of the possible consequences for the relevant data subjects;
    • (iv) a summary of the unauthorized recipients of the Personal Data; and
    • (v) the measures taken by VisionX to mitigate any damage;
    • (g) not make any public announcement about a Security Breach (a “BREACH NOTICE”) without the prior written consent of the Customer, unless required by applicable law;
    • (h) promptly notify the Customer if it receives a request from a data subject to access, rectify or erase that individual’s Personal Data, or if a data subject objects to the processing of, or makes a data portability request in respect of, such Personal Data (each a “DATA SUBJECT REQUEST”). VisionX shall not respond to a Data Subject Request without the Customer’s prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees. To the extent that the Customer does not have the ability to address a Data Subject Request, then upon Customer’s request VisionX shall provide reasonable assistance to the Customer to facilitate such Data Subject Request to the extent able and in line with applicable law. Customer shall cover all costs incurred by VisionX in connection with its provision of such assistance;
    • (i) other than to the extent required to comply with applicable law, following termination or expiry of the Agreement or completion of the Service, VisionX will delete all Personal Data (including copies thereof) processed pursuant to this DPA;
    • (j) taking into account the nature of processing and the information available to VisionX, provide such assistance to the Customer as the Customer reasonably requests in relation to VisionX’s obligations under EU Data Protection Laws with respect to:
    • (i) data protection impact assessments (as such term is defined in the GDPR);
    • (ii) notifications to the supervisory authority under EU Data Protection Laws and/or communications to data subjects by the Customer in response to any Security Breach; and
    • (iii) the Customer’s compliance with its obligations under the GDPR with respect to the security of processing;

provided that the Customer shall cover all costs incurred by VisionX in connection with its provision of such assistance.

4. Sub-processing

  • 4.1 The Customer grants a general authorization: (a) to VisionX to appoint other members of the VisionX Group as sub-processors, and (b) to VisionX to appoint third party data center operators, and outsourced marketing, business, engineering and customer support providers as sub-processors to support the performance of the Service.
  • 4.2 VisionX will maintain a list of sub-processors on its website and will add the names of new and replacement sub-processors to the list prior to them starting sub-processing of Personal Data. If the Customer has a reasonable objection to any new or replacement sub-processor, it shall notify VisionX of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If VisionX is reasonably able to provide the Service to the Customer in accordance with the Agreement without using the sub-processor and decides in its discretion to do so, then the Customer will have no further rights under this Section 4.2 in respect of the proposed use of the sub-processor. If VisionX requires use of the sub-processor in its discretion and is unable to satisfy the Customer as to the suitability of the sub-processor or the documentation and protections in place between VisionX and the sub-processor within ninety (90) days from the Customer’s notification of objections, the Customer may within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the applicable Order Form and/or Insertion Orders with at least thirty (30) days written notice, solely with respect to the service(s) to which the proposed new sub-processor’s processing of Personal Data relates. If the Customer does not provide a timely objection to any new or replacement sub-processor in accordance with this Section 4.2, the Customer will be deemed to have consented to the sub-processor and waived its right to object. VisionX may use a new or replacement sub-processor whilst the objection procedure in this Section 4.2 is in process.
  • 4.3 VisionX will ensure that any sub-processor it engages to provide an aspect of the Service on its behalf in connection with this DPA is subject to a written contract which imposes on such sub-processor terms substantially no less protective of Personal Data than those imposed on VisionX in this DPA (the “RELEVANT TERMS”). VisionX shall procure the performance by such sub-processor of the Relevant Terms and shall be liable to the Customer for any breach by such person of any of the Relevant Terms.

5. Audit and records

  • 5.1 If to and to the extent required under EU Data Protection Laws, VisionX shall make available to the Customer such information in VisionX’s possession or control as the Customer may reasonably request with a view to demonstrating VisionX’s compliance with the obligations of data processors under EU Data Protection Law in relation to its processing of Personal Data.
  • 5.2 VisionX may satisfy Customer’s right of audit under EU Data Protection Laws in relation to Personal Data, by providing an audit report not older than eighteen (18) months, prepared by an independent external auditor demonstrating that VisionX’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard.
  • 5.3 VisionX reserves the right to refuse audit requests from an entity who is a competitor of VisionX.

6. Data transfers

  • 6.1 To the extent any processing of Personal Data by VisionX takes place in any country outside the EEA (except if in an Adequate Country), the parties agree that the standard contractual clauses approved by the EU authorities under EU Data Protection Laws and set out in Annex 2 will apply in respect of that processing, and VisionX will comply with the obligations of the ‘data importer’ in the standard contractual clauses and the Customer will comply with the obligations of the ‘data exporter’.
  • 6.2 The Customer acknowledges and accepts that the provision of the Service under the Agreement may require the processing of Personal Data by sub-processors in countries outside the EEA.
  • 6.3 If, in the performance of this DPA, VisionX transfers any Personal Data to a sub-processor located outside of the EEA (without prejudice to Section 4), VisionX shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as:

    • (a) the requirement for VisionX to execute or procure that the sub-processor execute to the benefit of the Customer standard contractual clauses approved by the EU authorities under EU Data Protection Laws and set out in Annex 2;
    • (b) the requirement for the sub-processor to be certified under the EU-U.S. Privacy Shield Framework; or
    • (c) the existence of any other specifically approved safeguard for data transfers (as recognized under EU Data Protection Laws) and/or a European Commission finding of adequacy.
  • 6.4 The following terms shall apply to the standard contractual clauses set out in Annex 2:

    • (a) The Customer may exercise its right of audit under clause 5.1(f) of the standard contractual clauses as set out in, and subject to the requirements of, Section 5.2 of this DPA; and
    • (b) VisionX may appoint sub-processors as set out, and subject to the requirements of, Sections 4 and 6.3 of this DPA.

7. General

  • 7.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
  • 7.2 VisionX’s liability under or in connection with this DPA (including under the standard contractual clauses set out in Annex 2), whether in contract, tort or under any other theory of liability, is subject to the limitations on liability contained in the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, VisionX and its Affiliates’ total liability for all claims from the Customer and all of its Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Affiliate that is a contractual party to any such DPA.
  • 7.3 This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
  • 7.4 This DPA and any action related thereto shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts of the Commonwealth of Virginia.
  • 7.5 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless in writing and signed by an authorized signatory of each party. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. Each person signing below represents and warrants that he or she is duly authorized and has legal capacity to execute and deliver this DPA. Each party represents and warrants to the other that the execution and delivery of this DPA, and the performance of such party’s obligations hereunder, have been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.

The parties’ authorized signatories have duly executed this DPA:

CUSTOMER: Signature: Customer Legal Name: Print Name: Title: Date:

VISIONX, INC: Signature: Print Name: Title: Date:

Appendix 1

to the Standard Contractual Clauses

This Appendix forms part of the Sections and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The counterparty agreeing to these terms and all affiliates of such entity established within the EEA, which have purchased services from VisionX or its Affiliates.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

VisionX, Inc. (“VisionX”), which processes Personal Data upon the instruction of the data exporter in accordance with the terms of the agreement between the data exporter and VisionX.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

The data exporter may submit Personal Data to VisionX and its Affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospective customers, customers, resellers, referrers, business partners, and vendors of the data exporter (who are natural persons);
  • Employees or contact persons of the data exporter’s prospective customers, customers, resellers, referrers, subcontractors, business partners, and vendors (who are natural persons);
  • Employees, agents, advisors, and freelancers of the data exporter (who are natural persons); and/or
  • Natural persons authorized by the data exporter to use the services provided by VisionX to the data exporter.

Categories of data

The personal data transferred concern the following categories of data (please specify):

The data exporter may submit Personal Data to VisionX and its Affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  • Names, titles, position, employer, contact information (email, phone, fax, physical address etc.), identification data, professional life data, personal life data, connection data, or localization data (including IP addresses).

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

The data exporter may submit special categories of data to VisionX and its Affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion. Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The objective of the processing of Personal Data by VisionX is to provide the Service, pursuant to the Agreement.

Appendix 2

to the Standard Contractual Sections

This Appendix forms part of the Sections and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Sections 4(d) and 5(c) (or document/legislation attached):

See the VisionX Security Standards.

Annex 3

VisionX Security Standards

Our infrastructure

Data encryption

We encrypt all data sent from our server to your device (and vice-versa). We protect all access to the VisionX Servers with TLS v1.2 and above encryption over HTTPS. All data housed on VisionX servers is not shared with any 3rd party or used by VisionX in any manner, except by the user in the operation of the system. All data imported into or generated by VisionX remains the property of the user. We do not expose any insecure endpoints; all API calls are made over SSL or TLS, which effectively eliminates the possibility of eavesdroppers reading your data as it is sent over the network. We encrypt all data at rest on all our servers. We maintain all access logs and every action by every VisionX user. Secure deletion will occur upon written notification from the user.

Data storage

When your Mobile app is connected to a network, package records are stored in VisionX’s database. Backups are taken every day and stored off-site on our cloud service provider. Cloud Service Provider oversees the physical security of these facilities and tightly controls who has access. VisionX never stores customer data on local devices or any other internal network.

Data retention

VisionX stores your video feed for 24 hours in order to cater for any latency related delays and validation required while you are a customer unless defined separately in a contract. VisionX may retain customer data for up to 30 days after termination of the contract.

Device Security

The VisionX app balances security and usability to provide a fluid customer experience while protecting valuable information. VisionX does not store any PII (Personally Identifiable Information) on the mobile devices. VisionX is a native iOS and Android App, as a result all updates are approved by Apple and Google for security and compliance.

Reliability

Up time

We understand the importance of reliability and aspire to a 99.9% uptime. VisionX proactively protects against denial-of-service (DoS) attacks using WAF advanced distributed DoS protection. We continually monitor uptime of our application using Cloud Service Provider Tools and Services.

Infrastructure Security

Our primary infrastructure uses a Cloudmine backend which runs on Amazon's AWS platform, which has passed numerous third-party security audits and certifications including ISO, SOC2, HIPPA & FEDRAMP.

Security Implication for Onboarding

While onboarding camera and sending the video feed, VisionX follows a secure onboarding and camera configuration process.

VisionX is using Kinesis video for live streaming process, Kinesis Video streaming is highly securable solution for video feed managed and owned by AWS. It durably stores, encrypts, and indexes video data in streams, and allows to access data through easy-to-use APIs. Kinesis Video Streams provides a number of security features which includes restricted policies as well.

To onboard video stream into Kinesis, we use an automated script using AWS’s recommended GStreamer Plugin. It has all dependencies to install before onboarding of camera. All scripts are based on containerized concept, which adds an extra layer of security to secure information of camera. All base images are pushing to Elastic container registry. VisionX has no local data anywhere throughout the process.

There are two ways to onboard Camera:

  1. Cameras are running on local network: If cameras are not remotely accessible, a local server is hosted (and managed) by the client, with VisionX’s onboarding and feed-transfer container running. This can be done using the camera IP along with the username and password for users with access to the stream.
  2. Cameras are already remotely accessible: If the feed is already configured for remote viewing, VisionX hosts and manages the feed transfer container themselves, with the user able to onboard camera directly from the secure dashboard by providing camera IP along with the username and password.

Additional Verifications

OWASP ASVS Compliance

We have ensured the OWASP Application Security Verification Standards compliance while developing the VisionX applications. The application complies against relevant controls defined by OWASP ASVS. This advocates the security conscious development approach by VisionX.

Vulnerability Testing

We seek out and proactively address vulnerabilities and exposures in VisionX’s code and dependencies through automated as well as manual vulnerability assessment tools, peer-review, and penetration tests. All public access to our applications is proxied through a Web Application Firewall, which detects and automatically blocks unexpected traffic.

Access Management

VisionX makes it easy to centrally manage data and permissions for multiple facilities, no matter where you’re located. Role-based administration allows customers to provide the right VisionX access to specified team members on global- or location-specific levels.

PII Handling Process

PII data consists on following main properties:

  • Identify the PII
  • Classify PII in terms of sensitivity
  • Delete old PII if no longer need
  • Encrypt PII

Identify the PII

VisionX are well aware of product data which is consider in to PII classifications.

Classify PII in terms of sensitivity

VisionX have data classification policy to sort your PII data based on sensitivity. This is a vital part of PII protection. As prioritize our PII, there are three major factor that we are considering in our product side.

  • Identifiable: If we have any single record can identify an individual by itself it is a sign that the data is highly sensitive
  • Combined data: if we have two or more pieces of data that, when combined, can identify a unique individual
  • Storage: In addition to those steps, we are assessing how many people access the PII data that is store and how frequently it is transmitted over networks. Taking into higher priority we want to make sure to secure data at the top level

Delete old PII no longer need

VisionX is making sure to not save any data which are not required to store, we have lifecycle management policies where we are controlling retention period according to the requirement of product.

Encrypt PII

Encrypting PII at rest and in transit is a non-negotiable component of PII protection. VisionX use strong encryption and key management system and always make sure that PII is encrypted before it is shared over an untrusted network or uploaded to the cloud.

PII Data Dashboard Alerts

All data Dashboards alerts screenshots are for some retention period, it depends on customer requirement, for how long they want to keep alert live. Retention can set up to N number of Hours/days. By default, alerts and associated screenshots will expire after 1 week.

The follow are alerts come with associated screenshots shown on dashboard:

  • No mask detected: Screenshot is attached and shown in alert panel.
  • Occupancy count exceeded: Screenshot is attached and shown in alert panel.
  • Heatmaps: Screenshot overlaid with heatmap.

GDPR and CCPA Compliance Information:

VisionX processes personal information solely on behalf of its customers. Personal data is not used cross-customer and VisionX does not use personal information for its own purposes, outside of limited training of its AI. Accordingly, we think it was appropriate to consider VisionX to be a “service provider” under the CCPA and a “data processor” under the GDPR. These are defined as follows:

  • Service Provider is defined in the CCPA as a for profit entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title….” Cal. Civ. Code 1798.140(v).
  • Processor is defined in the GDPR as “a natural or legal person … which processes personal data on behalf of a controller.” GDPR, Art. 4(8).

Under both regimes, VisionX as service provider/processor is required to have a contract in place that meets these obligations. Such a contract is only necessary if VisionX’s customer is subject to the CCPA and/or GDPR.