This Data Processing Addendum (the “Addendum”), including its Exhibits, forms a part of the Order Form and Terms of Service, Enterprise SaaS Agreement or other written agreement entered into by the Parties (the “Agreement”) between HeyGen Technology Inc. (“Company”) and Customer (Customer together with Company, the “Parties”).
a) Subject Matter. This Addendum reflects the Parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Company’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this Addendum; and (3) the Agreement. For purposes of Data Protection Laws, Company is the “data processor” and Customer is the “data controller” with respect to Customer Personal Data.
b) Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement. Company will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Company’s obligations and Customer’s rights under this Addendum will continue in effect so long as Company Processes Customer Personal Data.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) “Authorized Persons” means (i) personnel of Company and (ii) third parties engaged by Company in accordance with Sections 3(b)-(d) of this Addendum.
b) “Customer” means the entity that entered into the Agreement.
c) “Customer Personal Data” means Personal Data Processed by Company on behalf of Customer. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit A attached hereto.
d) “Data Protection Laws” means any applicable laws and regulations in any relevant jurisdiction relating to the use or Processing of Personal Data including: (i) California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) as amended by the California Privacy Rights Act (“CPRA”); (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) (together, collectively, the “GDPR”); (iii) the Swiss Federal Act on Data Protection; (iv) the UK Data Protection Act 2018; (v) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (vi) the Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575 et seq.) (“VCDPA”); in each case, as updated, amended or replaced from time to time.
e) “EU SCCs” means the standard contractual clauses which have been approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Customer Personal Data to countries not otherwise recognized as offering an adequate level of protection for Customer Personal Data by the European Commission (as amended and updated from time to time), as modified by Section 4(c) of this Addendum.
f) “ex-EEA Transfer” means the transfer of Customer Personal Data, which is Processed in accordance with the GDPR, from Customer to Company (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
g) “ex-UK Transfer” means the transfer of Customer Personal Data covered by Chapter V of the UK GDPR, which is Processed in accordance with the UK GDPR and the Data Protection Act 2018, from Customer to Company (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
h) “Personal Data” means any information relating to: (i) an identified or identifiable natural person (e.g., a data subject or consumer); (ii) a household under CPRA; and/or (iii) any elements that constitute personal information or a similar construct under applicable law, in each case, where such information is maintained on behalf of the Customer by the Company within its Services environment and is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws.
i) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
j) “Security Incident(s)” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
k) “Services” means any and all products and services that Company provides and/or performs under the Agreement.
l) “Standard Contractual Clauses” means the EU SCCs and the UK SCCs.
m) “Subprocessor(s)” means Company’s authorized contractors, agents, vendors and third-party service providers (i.e., sub-processors) that Process Customer Personal Data.
n) “UK Addendum” means the addendum attached hereto as Exhibit D.
o) “UK SCCs” means the EU SCCs, as amended by the UK Addendum.
a) Documented Instructions. Company and its Subprocessors shall Process Customer Personal Data solely for the purpose of providing the Services to Customer, and solely to the extent necessary to provide the Services to Customer, in each case, in accordance with the Agreement, this Addendum and Data Protection Laws. Company will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law.
b) Authorization to Use Subprocessor. To the extent necessary to fulfill Company’s contractual obligations under the Agreement or any Order Form, Customer hereby authorizes Company to engage Subprocessors. Any Subprocessor Processing of Customer Personal Data shall be consistent with Customer’s documented instructions and comply with Data Protection Laws. Prior to engaging any Subprocessors, Company shall carry out appropriate due diligence on the Subprocessor and enter into a written agreement with each Subprocessor which provides for sufficient guarantees from the Subprocessor to implement appropriate technical and organizational measures containing substantially the same level of data protection obligations with respect to the protection of Customer Personal Data such that the processing will meet the requirements of applicable Data Protection Laws.
c) Company and Subprocessor Compliance. Company shall (i) enter into a written agreement with Subprocessors regarding such Subprocessor’s Processing of Customer Personal Data that imposes on such Subprocessors (and their sub-processors) confidentiality obligations and data protection and security requirements for Customer Personal Data that are at least as restrictive as the obligations in this Addendum; and (ii) remain responsible to Customer for Company’s Subprocessors’ (and their sub-processors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data. Customer approves the Subprocessors referenced in Exhibit B of this Addendum.
d) Right to Object to Subprocessor. A list of approved Subprocessors is set forth on Exhibit A. Prior to engaging any new Subprocessors that Process Customer Personal Data, Company will notify Customer via email and allow Customer 10 days to object. If Customer has, in good faith, reasonable objections to the appointment of any new Subprocessor, the Parties will work together in good faith to resolve the grounds for the objection for no less than 10 days, and failing any such resolution, Customer may terminate the part of the Services performed under the Agreement that cannot be performed by Company without use of the objectionable Subprocessor. Company shall refund any pre-paid fees to Customer in respect of the terminated part of the Services.
e) Personal Data Inquiries and Requests. Company agrees to provide reasonable assistance and comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
f) CPRA.
(i) Definitions
(ii) Obligations
(iii) Consumer Rights
(iv) Audit Rights
g) VCDPA
(i) Definitions
(ii) Obligations
(iii) Audit Rights
a) If Company transfers Customer Personal Data protected under this Addendum outside the EEA to a jurisdiction for which the European Commission has not issued an adequacy decision (each, a “Restricted Transfer”), Company represents, warrants, and covenants that (i) Restricted Transfers by Company may only be made to Authorized Persons; (ii) any Restricted Transfer conducted by Company or any Authorized Person shall be undertaken in accordance with the appropriate Standard Contractual Clauses entered into in accordance with applicable Data Protection Laws; and (iii) that each Restricted Transfer will be made after appropriate safeguards have been implemented for the Restricted Transfer of Customer Personal Data in accordance with applicable Data Protection Laws.
b) Ex-EEA Transfers. The Parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, which are deemed entered into (and incorporated into this Addendum by this reference) and completed: (i) under Module Two (Controller to Processor) of the EU SCCs to the extent Company is acting as Customer’s data processor; and (ii) under Module Three (Processor to Processor) of the EU SCCs to the extent Company is acting as Customer’s subprocessor.
c) For each module, where applicable the following applies:
d) Ex-UK Transfers. The Parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this Addendum by reference, and amended and completed in accordance with the UK Addendum, which is incorporated herein as Exhibit D of this Addendum.
e) Transfers from Switzerland. The Parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
f) Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Customer Personal Data. Exhibit C sets forth additional information about Company’s technical and organizational security measures.
a) Security Incident Procedure. Company will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
b) Notice. Company agrees to provide prompt written notice without undue delay (and in any event within 48 hours) to Customer’s Designated POC if it verifies that a Security Incident has taken place. Such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
a) Company shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s rights of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Company receives a Data Subject Request in relation to Customer Personal Data, Company will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Company, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
b) Company shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Company’s assistance and (ii) Company is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.
a) Right to Audit; Permitted Audits. In addition to any other audit rights described in the Agreement, Customer and its regulators shall have the right, upon at least 30 days’ prior written notice, to an on-site audit (at a date and time mutually agreed upon) of Company’s architecture, systems, policies and procedures relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator: (i) following any notice from Company to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data; (ii) as required by governmental regulators; and (iii) for compliance purposes, once annually.
b) Audit Terms. Any audits described in this Section shall be: (i) conducted by Customer or its regulator, or through a third-party independent contractor selected by one of these parties and paid for by Customer; (ii) conducted during reasonable times; (iii) to the extent possible, conducted upon reasonable advance notice (but no less than 30 days’ prior notice) to Company; and (iv) of reasonable duration and shall not unreasonably interfere with Company’s day-to-day operations.
c) Third-Party Auditor. In the event that Customer conducts an audit through a third-party independent auditor, or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Company’s and Company’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.
d) Audit Results. Upon Company’s request, after conducting an audit, Customer shall notify Company of the manner in which Company does not comply with any of the applicable security, confidentiality or privacy obligations or Data Protection Laws herein. Upon such notice, Company shall make any reasonably necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six (6) months of Company’s notice of completion of any necessary changes. To the extent that a Company audit and/or Customer audit identifies any material security vulnerabilities, Company shall remediate those vulnerabilities within a commercially reasonable amount of time of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time.
a) Data Storage. Company will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement.
b) Data Deletion. Company will abide by the following with respect to deletion of Customer Personal Data:
Each Party’s liability, including the liability of all of its affiliates, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference to the liability of a Party means the total liability of that Party and all of its affiliates under the Agreement and this Addendum together.
a) The Customer Designated POC shall be the contact specified for the Data Exporter in Exhibit B.
The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.
1. The Parties
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: ... As designated by Customer in the Order Form to the Agreement
Address: ... As designated by Customer in the Order Form to the Agreement
Contact person’s name, position and contact details: As designated by Customer in the Order Form to the Agreement
Activities relevant to the data transferred under these Clauses: The provision of the Services under the Agreement.
Signature and date: By entering into this Addendum, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, as of the Effective Date of the Agreement.
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
Name: HeyGen Technology Inc.
Trading Name (if different): N/A
Address: 12130 Millennium Drive, STE 300, Los Angeles, CA 90094
Official Registration Number (if any) (company number or similar identifier): N/A
Contact person’s name, position and contact details: Rui Zhang, rui@heygen.com
Activities relevant to the data transferred under these Clauses: The provision of the Services under the Agreement.
Signature and date: ... By entering into this Addendum, Data Importer is deemed to have signed these Standard Contractual Clauses incorporated herein, as of the Effective Date of the Agreement.
Role (controller/processor): Processor
2. Description of the Transfer
3. Competent Supervisory Authority
The supervisory authority shall be the supervisory authority of the Customer, as determined in accordance with Clause 13 of the EU SCCs. The supervisory authority for the purposes of the UK Addendum shall be the UK Information Commissioner’s Office.
4. List of Authorized Subprocessors
See https://security.heygen.com/#subprocessors
Description of the Technical and Organisational Security Measures implemented by the Data Importer
The following includes the information required by Annex I and Annex III of the EU SCCs, and Table 1, Annex 1A, and Annex 1B of the UK Addendum.
1. Adopting and implementing reasonable policies and standards related to security;
2. Assigning responsibility for information security management;
3. Devoting adequate personnel resources to information security;
4. Conducting appropriate background checks and requiring employees, vendors and others with access to the Personal Data to enter into written confidentiality agreements;
5. Conducting training to make employees and others with access to Personal Data aware of information security risks and to enhance compliance with its policies related to data protection;
6. Preventing unauthorized access to Personal Data through the use, as appropriate, of physical and logical entry controls, secure areas for data processing, procedures for monitoring the use of data processing, audit trails, use of secure passwords, network intrusion detection technology, authentication technology, secure log-on procedures, and virus protection, on-going monitoring of compliance with its policies related to data protection, including:
UK Addendum
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
Part 1: Tables
Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this UK Addendum is set out in:
Table 4: Ending this UK Addendum when the Approved UK Addendum Changes
Entering into this UK Addendum:
Interpretation of this UK Addendum
Hierarchy
Incorporation and Changes to the EU SCCs:
Amendments to the UK Addendum
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that party may end this UK Addendum at the end of a reasonable notice period, by providing written notice for that period to the other party before the start date of the revised Approved UK Addendum.