This Data Transfer Agreement (“Agreement”) is made and entered into by and between
each end-user “Customer” who has purchased a subscription order for Crestron Cloudware, which for the purposes of this Agreement shall have the same meaning as defined in the Crestron Cloudware License Agreement,
on behalf of itself and its affiliates and subsidiaries, located outside of located outside of the European Economic Area (EEA) member states, the territory of Switzerland, and the territory of the United Kingdom (regardless of its membership status within the European Union), including such affiliates and entities that may be added during the term of this Agreement
Crestron Electronics, Inc
15 Volvo Drive
Rockleigh, NJ 07647 (US),
on behalf of itself and its affiliates and subsidiaries (collectively “Crestron”). Customer and Crestron shall individually be referred to as “Party” and collectively as “Parties”.
WHEREAS, the Parties agree that this Agreement shall apply to all Transfers of Personal Information from Customer to Crestron and to the Processing of Personal Information by Crestron as reflected in commercial agreements between the parties;
WHEREAS, the subject-matter, duration, nature, and purposes of the Processing, as well as the type of Personal Information and categories of Individuals whose data are Processed shall be set forth Appendix 1, hereto, as amended from time to time;
WHEREAS, the terms of this Agreement shall prevail in the event of any conflict with any terms in any other written agreements between the parties, to the extent the conflict relates to the transfer of Personal Information;
WHEREAS, if any Transfer is subject to any law or regulation of any country which requires a change in the terms of this Agreement or additional actions, the parties will use reasonable commercial efforts to promptly amend this Agreement or otherwise comply with any such laws;
NOW, THEREFORE, in consideration of the covenants, promises, obligations and conditions set forth below, the receipt, adequacy, and sufficiency of which are hereby acknowledged, the Parties to this Agreement, intending to be legally bound, agree as follows:
The following capitalized terms shall have the following meanings when used in this Agreement:
1.1 “Applicable Law” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any and all legislative and/or regulatory amendments or successors thereto), to which a party to this Agreement is subject and which is applicable to a party's information protection and privacy obligations.
1.2 “Approved Cloud Computing Provider” means an entity, approved by both Customer and Crestron that provides Internet accessible data centers and network infrastructure having the following characteristics: on-demand self-service; broad network access; resource pooling; rapid elasticity; and measured service in particular, Amazon Web Services™, IBM® Cloud™, Google Cloud™, and Microsoft Azure®.
1.3 “Cloud Infrastructure” means the hardware, software, virtualization technology, storage devices and array, servers, power, HVAC systems, networks, hosting, facilities, and other tangible elements that are provided by an Approved Cloud Computing Provider to Crestron and provide functionality to configure, operate, host, monitor and/or manage Cloudware and related services.
1.4 “Collect” (including the usage of “Collected” or “Collection”) means to conduct the initial gathering and recording of data regarding Individuals, whether or not the data constitutes Personal Information.
1.5 “Data Controller” means any entity that determines the purposes and means of Processing.
1.6 “Data Exporter” means any entity that discloses or transfers Personal Information to a Data Importer
1.7 “Data Importer” means any entity that receives or accesses Personal Information from a Data Exporter.
1.8 “Data Processor” means any entity (other than the Data Controller) that Processes Personal Information on the Data Controller's behalf.
1.9 “Data Subject” or “Individual” means a natural person to whom Personal Information relates and about whom Personal Information may be Processed under this Agreement.
1.10 “Personal Data”, “Personal Information”, “Personally Identifiable Information”, or “PII” means any information that identifies an Individual or relates to an identifiable individual. Examples of Personal Information include, but are not limited to, name, address, telephone number, and email address.
1.11 “Process” (including the usage of “Processes”, “Processed”, or “Processing”) means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, including, without limitation, any Collection, Transfer, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, blocking, erasure or destruction thereof.
1.12 “Sensitive Personal Information” means any of the following types of Personal Information: (i) social security number, taxpayer identification number, passport number, driver's license number or other government-issued identification number; or (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account; credit history, or (iii) Special Categories of Personal Data.
1.13 “Special Categories of Personal Data” means Personal Information revealing race, religion, ethnicity, sexual orientation, medical or health information, genetic or biometric information, political or philosophical beliefs, trade union membership, background check information, judicial data such as criminal records or information on other judicial or administrative proceedings.
1.14 “Transfer” (including the usage of “Transfers”, “Transferred”, “Transference”, or “Transferring”) means the access to or sharing of Personal Information by electronic or other means.
2. Processing of Personal Data
2.1 The transfer of Personal Data from Customer, the data controller, to Crestron and its Approved Cloud Computing Provider pursuant to this Agreement is solely intended to enable Crestron to provide the relevant subscription order for Crestron Cloudware as a data processor. Crestron is prohibited from using Personal Data for any purposes other than fulfilling its contractual obligations related to its obligations to provide the relevant subscription order for Crestron Cloudware. Crestron agrees to process Personal Data transferred to Crestron only on behalf of Customer and in accordance with this Agreement and Customer's instructions.
2.2 Crestron shall process the Personal Data identified in Appendix 1 to this Agreement solely to perform the processing operations set forth therein.
3. Customer Obligations
3.1 Customer hereby acknowledges and authorizes Crestron’s use of: (a) an Approved Cloud Computing Provider as a processor of Personal Data; and (b) the associated Cloud Infrastructure. Crestron shall inform Customer of any intended changes concerning the addition or replacement of other processors.
3.2 Customer shall collect, process, and provide Personal Data to Crestron including, as applicable, via transfer of Personal Data from its country of origin to Crestron and its Approved Cloud Computing Provider in the United States, for the purpose of Customer's access to and use of the subscription order for Crestron Cloudware.
3.3 Customer agrees not to provide Crestron with any access to Sensitive Personal Information and Crestron refuses to accept any Sensitive Personal Information.
3.4 Customer is solely responsible for the content and accuracy of the Personal Data, and represents and warrants to Crestron that it has (i) collected and processed Personal Data in compliance with all Applicable Laws, and (ii) obtained all rights and consents necessary under the Applicable Laws to provide and transfer the Personal Data from its country of origin to Crestron and its Approved Cloud Computing Provider in the United States, and to permit Crestron and its Approved Cloud Computing Provider to collect and process such Personal Data, all for the purpose of providing the subscription order for Crestron Cloudware.
4. Crestron Obligations
4.1 Crestron shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Crestron shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2 Crestron shall take commercially reasonable steps to ensure the reliability of any Crestron personnel performing the subscription order for Crestron Cloudware. Crestron shall ensure that Crestron's access to Personal Data is limited to those personnel performing duties relating to the subscription order for Crestron Cloudware.
5. Technical and Organizational Measures
Crestron shall ensure that it has in place appropriate technical and organizational measures against unauthorized or unlawful processing of the Personal Data or its accidental loss, destruction or damage, as specified in Appendix 2 to this Agreement.
6. Incident Management Procedures
Crestron will maintain a data management security policy that provides for incident reporting, which is updated from time to time, and which is designed to address the security, availability, and integrity of the Crestron Cloudware and to protect Personal Data from unauthorized access, destruction, and/or disclosure and shall promptly notify Customer of any actual unauthorized access to or disclosure of Personal Data of which Crestron becomes aware.
7.1 The Recitals and the Appendices are hereby incorporated into this Agreement. This Agreement may be executed by facsimile and/or by secure digital means, and in counterpart copies.
7.2 In the event of any conflict or inconsistency between any provision of this Agreement, and any provisions of Appendix 1 and Appendix 2, the Appendices shall prevail.
7.3 This Agreement shall commence on the beginning date of the Subscription Term, and terminate (together with any further data transfers) when the Subscription Term is terminated or expires, provided, however, the provisions of this Agreement shall survive with respect to the Personal Data until such time as Crestron no longer has any Personal Data in its possession or under its control.
8. Governing Law and Dispute Resolution
8.1 This Agreement shall be governed by, and construed in accordance with, the laws of the State of New York without regard to conflict of laws principles.
8.2 All disputes arising out of or in connection with this Agreement shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said Rules. The arbitration proceeding shall be conducted in New York City, New York. The language to be used in the arbitration proceeding shall be English.
8.3 Notwithstanding the foregoing requirement that disputes be subject to binding arbitration, the parties shall retain the right to seek injunctive relief from a court of competent jurisdiction.
* * * * *
Appendix 1 to the Data Transfer Agreement
The data exporter is:
Customer, a purchaser of subscription cloudware products from the data importer. The data exporter will transfer certain personal data to the data importer for the purpose of using the cloudware products.
The data importer is:
Crestron, a provider of subscription cloudware products. Data importer will process the personal data transferred by data exporter solely for the purpose of providing the subscription cloudware products at the direction of the data exporter.
The personal data transferred concern the following categories of data subjects:
Data exporter’s (including its affiliates’) employees, contractors, representatives and agents;
Invitees and participants in live or teleconferenced meetings conducted by data exporter or its affiliates using the subscription services.
Categories of data
The personal data transferred concern the following categories of data (please specify):
1. Contact Information for Data exporter’s (including its affiliates’) employees, contractors, representatives and agents – applicable to all Crestron Cloudware subscription services:
(a) IP Address;
(b) First Name;
(c) Middle Name;
(d) Last Name;
(e) Business Phone Number;
(f) Business Email Address;
(g) Business Address;
(h) Job Title; and
2. Meeting Scheduling Information - only applicable to Crestron Cloudware products that provide hosted scheduling functionality:
(a) Meeting Data and Time;
(b) Meeting Subject;
(c) Meeting Location;
(d) Meeting Call-in Information;
(e) First Name (for each Invitee);
(f) Middle Name (for each Invitee);
(g) Last Name (for each Invitee);
(h) Phone Number (for each Invitee); and
(i) Email Address (for each Invitee).
3. Other Personal Data. Data that Customer or its third party integrator has programmed the Crestron Cloudware to collect and transfer to data importer, such as employee badge numbers or similar company identification.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
None – Crestron refuses to accept and Customer agrees not to provide Crestron with access to any Special categories of data.
The personal data transferred will be subject to the following basic processing activities (please specify):
1. For all Crestron Cloudware products, data processing operations include:
Control processors for the purpose of controlling audio/video and other equipment (i.e. lighting, shades, HVAC, occupancy sensors, etc.), within a space such as a conference room, that communicate with Internet web-servers to report meeting room and equipment status, usage data and configuration settings.
2. For those Crestron Cloudware products that provide hosted scheduling functionality, data processing operations include the following additional operations:
(a) Touchpanels and other display devices that interact with a scheduling program, such as Microsoft Exchange®, to receive meeting specific information for display, such as on touchpanel devices located outside a meeting room and which display meeting subjects, meeting times, meeting locations, and room locations within a building;
(b) Mobile device applications that interact with control processors and scheduling programs, such as Microsoft Exchange®, to report and modify meeting subjects, meeting times, meeting locations, and room location within a building and optionally report individual location within a region or building; and
(c) Human controller interaction with cloud based servers including report generation, which is accomplished with standard web browsers, such as Microsoft Internet Explorer® or Google Chrome™.
3. During the applicable Cloudware subscription term, upon written request of the data exporter, the data importer will delete data exporter’s personal data from the Cloudware products.
4. After termination or expiration of the subscription for a Cloudware product, the data importer will delete the data exporter’s personal data in accordance with the data importer’s Data Management Security Policy.
5. During the subscription term for a Cloudware product, the data importer will respond to written requests from the data exporter regarding access to, and the ability to correct, block, delete, and export the data exporter’s personal data from the Cloudware product.
Data importer also engages subprocessors to provide certain services including:
The data importer may engage subprocessors to provide parts of the subscription services.
As of the effective date of these Clauses, the data importer has engaged Microsoft Corporation for hosting its Cloudware products on its Microsoft Azure® Cloud Computing Platform product.
* * * * *
Appendix 2 to the Data Transfer Agreement
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Production Data Centers
1. The data importer uses a well-known subprocessor provided cloud based service environment known as Microsoft Azure®. Microsoft’s compliance with EU Data Protection Directives is shown at: https://www.microsoft.com/en-us/TrustCenter/Compliance/EU-Model-Clauses.
2. This cloud based service is contractually required to maintain geographically distributed and physically secure data centers that are typically interconnected via high-speed private links. The data importer stores all production data in these data centers.
Data Storage and Isolation
1. The data importer stores data in a multi-tenant environment at the subprocessor provided production data centers by logically isolating the data exporter’s data from other client data .
2. Data that is transferred from the production data centers to the data importer premises is handled in accordance with Crestron’s Data Management Security Policy (see, “Data Management” below), which defines data importer’s employee access to the data for specific purposes, such as trouble shooting and report generation. This policy is available for review upon request to: Crestron Electronics Inc., 15 Volvo Drive, Rockleigh NJ 07647 (USA).
The cloud based production data centers are provided as part of the Microsoft Azure® service environment and are connected to both the data exporter and data importer using HTTPS encryption (also referred to as SSL or TLS connection) via Internet standard protocols. Data at rest in the production data centers is stored in encrypted format.
Data importer premises
Technical and organizational security measures addressing physical access to the data importer’s buildings and facilities are covered under the company’s “Physical Access Security Policy”.” Physical access security measures include restricted building access (employee specific key cards) and a written log for any visitors. Physical access, by data importer’s employees, to personal data is further covered under the company’s Data Management Security Policy.
Data importer premises
Technical and organizational security measures addressing availability, separation, and access control to company computing assets including employee workstations, are covered in the company’s “Data Management Security Policy”. Data management security measures include password procedures, permission policies, termination of access rules, security exception procedures, and access auditing.
[Signature of Crestron Electronics, Inc. appears on the following page.]
Signing the International Data Transfer Agreement, Appendix 1, and Appendix 2 on behalf of the data importer:
Executive VP, Product and Technology
Crestron Electronics, Inc.
15 Volvo Drive
Rockleigh NJ, USA 07647
If you have any questions , please contact Crestron at any of the following.
Via e-mail: firstname.lastname@example.org, or email@example.com
Crestron Electronics, Inc.
15 Volvo Dr.
Rockleigh, NJ 07647 USA
Crestron Europe BV
Oude Keerbergsebaan 2,
2820 Rijmenam, Belgium
VAT No. BE0699.717.121
Crestron ANZ PTY LIMITED
Level 5, 15 Help Street,
Chatswood NSW 2067, Australia
Crestron Singapore Pte. Ltd.
31 Kaki Bukit Road 3
#01-04 & #01-05
Please visit www.crestron.com to find the phone number for Crestron support in your region.