Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into by Wistia, Inc. ("Wistia") and the Customer identified in the Order Form. This DPA governs Wistia’s Processing of Personal Information. Capitalized terms used but not defined in this DPA have the meanings set forth in the Agreement.

1. Definitions

a. Agreement

“Agreement” means the Master Subscription Agreement governing Customer’s use of the Services.

b. Breach

“Breach” means the following: (i) any Processing of Personal Information that (a) is not authorized by Customer under the Agreement or DPA, (b) is not otherwise authorized by Customer expressly and in writing, (c) exceeds the scope of either such authorization, (d) compromises the confidentiality, integrity or availability of Personal Information, (e) is a breach of the DPA, or (f) violates Data Protection Law; (ii) any access to, use of, or activity on or in any Wistia network, system, equipment, device, cloud, or online or offline account that is unauthorized or exceeds the scope of authority and involves Personal Information; provided that (iii) this term does not include (a) a Breach of encrypted Personal Information, as long as the decryption key also has not been compromised, or (b) the unintended or good faith Processing of Personal Information by an employee of Wistia, or the disclosure of Personal Information by an employee of Wistia to another employee of Wistia, as long as the Personal Information is not otherwise further Processed without authorization, beyond the scope of authorization, or in a manner or to an extent that compromises the confidentiality, integrity or availability of the Personal Information or violates Data Protection Law.

c. Confidential Information

“Confidential Information” means all documents, data, information and other materials that a Party receives, acquires or learns or are provided to that Party ("Receiving Party") by, for, or on behalf of the other Party ("Disclosing Party") that are not generally known by persons who are not employees, representatives, or agents of Disclosing Party. This term: (i) includes documents, data, information and other materials (a) related to customers, potential customers, goods and services, Services, developments, personnel, operations, manufacturing, production, maintenance, distribution, sales, marketing, customer service, agreements, costs, prices, business plans, purchase orders, invoices, account information, and billing records, (b) marked or designated with a word or symbol indicating that it should be considered confidential, such as “Confidential,” “Personal” or “Privileged,” (c) that Disclosing Party informs Receiving Party are confidential, and (d) that Receiving Party knows or should know are confidential or proprietary information or trade secrets of Disclosing Party or a third-party; but (ii) does not include documents, data, information and other materials that are (a) available from a publicly accessible source, (b) known to Receiving Party at the time of disclosure, (c) obtained by Receiving Party on a non-confidential basis from a third-party without violation of any contractual, statutory, common law, or other duty or obligation, and (d) independently developed by Receiving Party.

d. Data Protection Laws

“Data Protection Laws” means the following: (i) all domestic and foreign laws, rules, regulations, and judicial, administrative, and other precedents interpreting such laws, rules and regulations that govern (a) Processing or Breach of Personal Information, or (b) technological, physical, or administrative safeguards for protecting the confidentiality, integrity, or availability of Personal Information; provided that (ii) this term only includes Data Protection Law applicable to (a) Customer or Wistia, and (b) Processing of Personal Information.

e. Data Privacy Framework or DPF

“Data Privacy Framework or DPF” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced.

f. Liability

“Liability” means costs, expenses, losses, obligations, damages, actions, suits, demands, settlements, judgments, awards, fines, penalties, fees (including attorney’s fees), and any other form of liability whatsoever.

g. Process

“Process” means any operation performed on or with Personal Information, including, but not limited to, the following: creation; collection; receipt; recording; storage; organization; management; adaptation; alteration; access; retrieval; consultation; use; analysis; disclosure; transmission; transportation; making available; making accessible; aggregation; combination; de-identification; re-identification; restriction; deletion; destruction; and erasure.

h. Personal Information

“Personal Information” means information that identifies or is identifiable to a natural person, and that Wistia receives from Customer or Processes for or on behalf of Customer.

i. Sub-Processor

“Sub-Processor” means any third-party that Processes Personal Information by, for, or on behalf of Wistia arising out of or related to Wistia’s performance of its obligations under the Agreement.

j. Standard Contractual Clauses or SCCs

“Standard Contractual Clauses or SCCs” mean the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded, or replaced.

k. UK Addendum

“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2. Roles

Customer is the data controller of Personal Information under Data Protection Laws. Wistia is a data processor of Personal Information under Data Protection Laws.

3. Term

In the event of termination of the Agreement, the Parties' obligations under this DPA will continue until Wistia has either returned or (if authorized by Customer) permanently destroyed all Confidential Information and Personal Information. Once Wistia has done so, the Parties' obligations under this DPA terminate.

4. Details of Processing

Wistia may Process Personal Information for the purpose of performing its obligations under the Agreement, and for the duration of the Agreement. Such Processing shall include collecting, accessing, storing, altering, using, transferring and disclosing to a Sub-Processor, and deletion of Personal Information.

5. Confidentiality

Wistia shall maintain Confidential Information and Personal Information as strictly confidential. Wistia shall not disclose or provide access to any third party to any Confidential Information or Personal Information except as otherwise provided in the Agreement or this DPA, and except transfers and disclosures of Personal Information to a Sub-Processor permitted by this DPA.

6. Security Measures

Wistia shall implement and maintain reasonable physical, technological, and administrative controls designed to safeguard the confidentiality, integrity, and availability of Personal Information. In addition to the foregoing, Wistia has conducted an audit of its information security policies, practices and controls based on the criteria set forth in DC 200, 2018 Description Criteria for a Description of a Service Organization’s System in a SOC2® Report ("SOC 2 Type 2"). For more information about Wistia’s certifications and security practices, and to obtain copies of SOC 2 Type 2 audit reports, please visit Wistia’s Trust Center at https://security.wistia.com/. Wistia retains the right to update and change its security practices, which shall be reflected at Wistia’s Trust Center. Notwithstanding the previous sentence, Wistia acknowledges that throughout the duration of the Term, Wistia will not materially reduce the security of the Services.

7. Customer Responsibilities

Customer shall comply with all Data Protection Laws governing Processing of Personal Information by Wistia, including, but not limited to: (i) ensuring all instructions given by it to Wistia in respect of the Processing of Personal Information comply with Data Protection Laws; (ii) providing all notices and obtaining all consents required by Data Protection Laws for Wistia’s Processing of Personal Information under the Agreement and this DPA; and (iii) addressing all requests made by individuals to assert any right afforded under Data Protection Laws. Customer is liable to Wistia for Liability incurred by Wistia arising out of or related to any breach by Customer of this section.

8. Wistia Responsibilities

a. Processing of Personal Information

Wistia shall comply with all applicable Data Protection Laws. Wistia shall Process Personal Information pursuant to Customer’s instructions. Customer instructs Wistia to Process Personal Information for the following purposes: (i) Processing in accordance with the Agreement to provide, operate, maintain, secure, support, develop, and improve the Services; (ii) Processing for Wistia’s legitimate business purposes related to the Services, including billing, account management, internal reporting, fraud detection, information security, business continuity, research, analytics, and product development; (iii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the DPA; and (iv) Processing necessary to comply with Data Protection Laws, or any other applicable law. Wistia may also de-identify and/or aggregate Personal Information and use such data for any lawful purpose, including analytics, benchmarking, research, and improving or developing products and Services.

b. Sub-Processors

When Wistia engages a Sub-Processor, Wistia shall contractually obligate such Sub-Processor to comply with terms that are comparable to the terms in this DPA governing Wistia’s Processing of Personal Information. Wistia shall only retain Sub-Processors that are capable of appropriately protecting the privacy, confidentiality and security of Personal Information. Wistia shall remain fully liable to Customer for its obligations under this DPA with respect to any and all acts or omissions of any Sub-Processor. A current list of Wistia’s Sub-Processors is available at https://security.wistia.com/. Wistia may update this Sub-Processor list from time to time to reflect the addition or replacement of Sub-Processors. Customers can subscribe to receiving updates about the Sub-Processor list using the subscription functionality available at https://security.wistia.com. Customers who do not subscribe to such notifications are responsible for periodically reviewing the Sub-Processor list available at that link to stay informed of any updates.

c. Wistia Employees

Wistia will ensure that employees engaged in the Processing of Confidential Information and Personal Information are informed of the confidential nature of such information, have received appropriate training on their responsibilities concerning such information, and are contractually required to maintain the confidentiality of such information. Wistia shall ensure that such obligations survive the termination of employment. Wistia will ensure that Wistia’s access to Personal Information is limited to those personnel who require such access to perform the Services.

d. Privacy Rights

Wistia shall provide reasonable assistance to Customer with respect to Customer’s compliance with Data Protection Laws.

e. Data Protection Impact Assessment

Taking into account the nature, scope, context, and purposes of the Processing, if Customer reasonably requires assistance with a data protection impact assessment ("DPIA") or related consultations with a supervisory authority that is required by Data Protection Laws, Wistia shall provide Customer with reasonable cooperation and assistance to the extent necessary and proportionate to Wistia’s role in the Processing of Personal Information. Such assistance shall be limited to information in Wistia’s possession and control and relevant to the Services and shall not relieve Customer of its own obligations to conduct the DPIA or comply with Data Protection Laws. Wistia may charge Customers on a time and materials basis for any such assistance beyond Wistia’s standard obligations under this DPA.

9. Data Transfers

a. Data Privacy Framework

Customer understands and agrees that Wistia has self-certified to and complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and may transfer Personal Information from the EEA, Switzerland or the UK to the United States under such DPF. Wistia’s certification status is available through the U.S. Department of Commerce’s Data Privacy Framework site, which can be found here: https://www.dataprivacyframework.gov/.

b. EEA Customer Personal Information

In the event that Wistia is required to adopt, or chooses to adopt, an alternative transfer mechanism for Processing of Personal Information from the EEA in the U.S. other than the EU-U.S. DPF, then the Parties agree that the SCCs will apply to the Processing of such Personal Information. For the purposes of the SCCs:

  1. Module Two applies where Customer is a Controller and Wistia is a Processor, and Module Three applies where both Customer and Wistia are Processors;

  2. Clause 7 of the SCCs (Docking Clause) does not apply;

  3. Clause 9, Option 2, of the SCCs (General Written Authorization for Use of Sub-Processors) applies, and the period for prior notice of Sub-Processor changes is set forth in Section 8(b) of this DPA;

  4. In Clause 11 of the SCCs (Redress), the optional language does not apply;

  5. In Clause 17 of the SCCs (Governing Law), Option 1 applies with the governing law being that of the Netherlands;

  6. In Clause 18(b) (Choice of Forum and Jurisdiction) of the SCCs, disputes will be resolved before the courts in Amsterdam, Netherlands;

  7. Annex I(A), I(B), and I(C) shall be deemed to incorporate the information in Exhibit A of the DPA;

  8. Annex II of the SCCs shall be deemed to incorporate the information in Section 6 of this DPA;

  9. Annex III shall be deemed to incorporate the information in Section 8(b) of this DPA.

c. Personal Information from Switzerland

In the event that Wistia is required to adopt an alternative transfer mechanism for Processing of Personal Information from Switzerland in the U.S. other than the Swiss-U.S. DPF, then the Parties agree that the SCCs will apply to the Processing of such Personal Information in accordance with section 9(b) along with the following modifications:

  1. In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner;

  2. References to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland; and

  3. References to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).

d. Personal Information from the UK (and Gibraltar)

In the event that Wistia is required to adopt an alternative transfer mechanism for Processing of Personal Information from the UK (and Gibraltar) in the U.S. other than the UK Extension to the EU-U.S. DPF, then the Parties agree that the SCCs will apply to the Processing of such Personal Information in accordance with section 9(b) along with the following modifications:

  1. Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information provided in Exhibit A of this DPA;

  2. For the purposes of Table 4 in Part 1 (Tables) of the UK Addendum, the parties select the “neither party” option;

  3. References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;

  4. References to Regulation (EU) 2018/1725 are removed;

  5. References to the “Union,” “EU” and “EU Member State” are all replaced with the UK;

  6. The “competent supervisory authority” shall be the Information Commissioner;

  7. Clause 17 of the SCCs is replaced with the following: “These Clauses are governed by the laws of England and Wales.”

  8. Clause 18 of the SCCs is replaced with the following: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”

  9. Any footnotes to the SCCs are deleted in their entirety.

10. Notice of Process

If Wistia receives a subpoena or other request to disclose any Personal Information, Wistia will (to the extent permitted by law) do the following: (i) promptly notify Customer; (ii) provide Customer with a copy of the subpoena or request unless the law prohibits Wistia from doing so; (iii) where possible, and to the extent permitted by law, direct the requesting authorities to request the information directly from Customer; and (iv) not disclose any such Personal Information unless and until (a) Customer authorizes such disclosure in writing, or (b) a judicial, legislative, executive, or administrative body orders Wistia to disclose such Personal Information, the time for Customer to appeal or challenge the order has expired, and Customer has not appealed or challenged the order within that time.

11. Use of Artificial Intelligence

a. AI Features

Certain features or functionalities made available through the Services may incorporate artificial intelligence or algorithmic analysis tools (AI). Customers may elect to opt-in or opt-out of such AI features where applicable. Customer use of such AI is governed by Wistia’s Artificial Intelligence Policy for Customers, available at https://wistia.com/privacy-ai. This policy also includes a current list of the AI tools and functionalities incorporated into the Services. Wistia may update, modify, replace, or discontinue any AI tools or features at any time, in its sole discretion. Customers are encouraged to periodically review the Artificial Intelligence Policy for the most up-to-date information. Wistia reserves the right to suspend or cease providing any AI features without notice. Wistia will ensure that it enters into appropriate agreements with each third-party AI provider so that such third-party AI will be fair, reliable, and safe.

b. Customer Responsibilities

To the extent Customer elects to use AI incorporated within the Services, Customer shall: (i) ensure that its use of such AI complies with all applicable laws, regulations, and industry standards, including Data Protection Laws; (ii) obtain and maintain all necessary rights, notices, and consents required for Customer’s use of AI, including any submission of Personal Information or Confidential Information; (iii) be solely responsible for reviewing, validating, and determining the suitability of any AI outputs for Customer’s use and not rely on AI outputs as a substitute for professional judgment or human oversight; (iv) implement appropriate safeguards when using or sharing AI outputs to prevent harm, misuse, or violations of applicable laws; (v) not use AI in any manner that could give rise to unlawful bias, discrimination, misinformation, harassment, intimidation, defamation, infringement of third-party rights, or other harmful or abusive conduct; (vi) not use AI for purposes that involve high-risk or life-critical decisions (including medical, financial, legal, or employment-related determinations) unless such outputs are independently reviewed and validated by qualified professionals; (vii) not use AI in any manner intended to develop or distribute malware, compromise system security, or otherwise disrupt or damage networks or data; and (viii) promptly notify Wistia of any actual or suspected misuse, incident, or complaint relating to Customer’s use of AI. Customer is liable to Wistia for Liability incurred by Wistia arising out of or related to any breach by Customer of this section.

12. Breach Notification

Wistia will notify Customer of a Breach of Personal Information promptly after Wistia confirms that such Breach occurred. At the time of such initial notification and continuing thereafter, Wistia will disclose to Customer non-privileged information that Wistia has or receives concerning such Breach, including, but not limited to, the following: (i) names and other information available about individuals affected by the Breach; (ii) the nature and scope of information compromised or potentially compromised in the Breach or as a result of the Breach; (iii) timing, manner, and cause of the Breach; and (iv) acts taken in response to the Breach. Wistia will provide Customer with assistance and cooperation reasonably requested by Customer related to such Breach, and shall follow and comply with reasonable requests made by Customer related to such Breach. Unless otherwise required by applicable law, Wistia shall not disclose to any person, other than its attorneys and other agents, information related to such Breach without express written authorization from Customer; this includes not notifying any individual affected or potentially affected by the Breach, any local, state, or federal government authority or agency, any media outlet, or any other person or entity.

13. Limitation of Liability

Wistia’s Liability taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.

14. Audits

Customers may obtain copies of Wistia’s SOC 2 Type 2 audit reports by visiting Wistia’s Trust Center at https://security.wistia.com/. Customer may request (directly or through a third-party auditor subject to written confidentiality obligations) an audit or inspection of Wistia to verify Wistia’s compliance with this DPA if such audit is required by Data Protection Laws or if Wistia’s compliance cannot be demonstrated by less burdensome means (including by reviewing information and documentation available on the Trust Center). Any audit conducted under this Section shall meet the following requirements: (i) Customer must provide Wistia at least 30 days' prior written notice of a proposed audit, unless otherwise required by a competent supervisory authority or by Data Protection Laws; (ii) Customer may not perform more than one audit in any 12-month period, except where required by a competent supervisory authority; (iii) Customer and Wistia must mutually agree in advance on the time, scope, and duration of the audit; (iv) Customer shall reimburse Wistia for its time expended in connection with an audit at Wistia’s reasonable professional service rates, which will be made available to Customer upon request; (v) Customer shall ensure that its representatives performing the audit protect the confidentiality of all information obtained in accordance with the Agreement; (vi) Wistia shall not be required to disclose any of its Confidential or privileged Information, or any data or information relating to other customers; and (vii) Customer shall promptly provide Wistia with a copy of any written audit report and disclose any findings of noncompliance identified during the audit.

15. Returning Information

Upon written request from Customer or upon termination of the Agreement, Wistia shall delete or return all or any portion of Confidential Information and Personal Information to Customer and shall delete existing copies of Personal Information, unless otherwise required by law; provided that Wistia may temporarily retain Personal Information on backup media as long as such media is periodically erased or overwritten, and such temporarily retained Personal Information shall remain subject to this DPA for as long as Wistia retains it.

16. Entire Agreement

This DPA and the Agreement contain all of the promises and representations and the entire agreement and arrangement between Wistia and Customer with respect to the subject matter thereof. All prior promises, representations, agreements and arrangements with respect to such subject matter are superseded by this DPA.

17. Conflict

In the event of any conflict or inconsistency between the terms of this DPA and the Agreement, any statement of work between the Parties, or any other agreement between the Parties, the terms of this DPA shall control.

18. Modification

Wistia may modify or update this DPA from time to time to reflect changes in legal requirements, industry standards, or Wistia’s business practices. The current version of this DPA will be made available at https://security.wistia.com/documents, and material changes will be communicated to Customer by reasonable means (which may include email or in-product notification). Customer’s continued use of the Services after the effective date of any modified DPA constitutes acceptance of the updated DPA.


Exhibit A

Details of Data Processing

List of Parties

Data exporter:

Name: Customer

Address: The address for Customer associated with its Wistia account or as otherwise stated in the Agreement.

Contact person’s name, position and contact details: The contact details for Customer associated with its Wistia account or as otherwise stated in the Agreement.

Activities relevant to the data transferred under these Clauses: Processing Personal Information for the purpose of providing, supporting, and improving the Services as provided in the Agreement and the DPA.

Signature and date: The parties agree that execution of the Agreement constitutes execution of this Exhibit B by both Parties.

Role (controller/processor): Processor or Controller.

Data importer(s):

Name: Wistia, Inc.

Address: 120 Brookline St, Cambridge, Massachusetts, United States 02139

Contact person’s name, position and contact details:

Activities relevant to the data transferred under these Clauses:

Signature and date: The parties agree that execution of the Agreement constitutes execution of this Exhibit B by both Parties.

Role (controller/processor): Processor

Description of Transfer

(a) Categories of data subjects whose personal data is transferred

The data subjects may include Customer’s employees, customers, vendors, and end users.

(b) Categories of personal data transferred

Any or all of the following: identification and contact information, such as name, phone number, username, email address, and password or security question; payment and billing information; user-generated content and media, such as videos, audio recordings, images, and other uploaded content, and any related or connected data; information generated through or provided to its AI tools and platforms, including transcripts, summaries, translations, scripts, captions, and other AI-generated or enhanced content derived from user media or input; and technical and usage information, such as IP address, browser and device data, cookie information, interaction and viewing data, pages visited, and analytics and performance information.

(c) Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Please see response to 2(b) above.

(d) The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal Information is transferred on a continuous basis.

(e) Nature of the processing

Analysis, storage, collection, alteration, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction as further described in the Agreement and the DPA.

(f) Purpose(s) of the data transfer and further processing

For Wistia to provide, support, and improve the Services as provided in the Agreement and the DPA.

(g) The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained for the life of the Agreement, although that time period may be longer or shorter depending on (a) the nature of Wistia’s relationship with Customer, (b) the existence of other ongoing or expected projects with Customer, (c) the nature of the Personal Data in question, (d) relevant Data Protection Laws, and (e) privacy rights requests from end users.

(h) For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter of Personal Data transferred to Sub-Processors is Customer Personal Information, which is transferred to Sub-Processors to provide, support, and improve the Services, as outlined in the Agreement and the DPA.

Competent Supervisory Authority

(a) Identify the competent supervisory authority/ies in accordance with Clause 13 of SCCs

The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, shall act as competent supervisory authority.

Effective Date: