Data Processing Agreement
Last updated: 2 October 2025
1. Background
1.1 This data processing agreement ("Data Processing Agreement") forms an integral part of the Agreement between SEEN and the Client and shall apply to processing of Personal Data carried out by SEEN (the "Processor") on behalf of the Client (the "Controller") in providing the services set out in the Agreement, unless otherwise agreed. Interpretations and defined terms set forth in the Terms apply to the interpretation of this Data Processing Agreement.
1.2 This Data Processing Agreement does not regulate SEEN’s processing of personal data when SEEN is acting as a data controller. This applies, for example, to subscriber information, service history, payment information, communication content, and data shared by the Client and processed by SEEN as part of its provision of access to and use of the Platform. In these circumstances, SEEN’s processing is governed by its Privacy Policy.
1.3 This Data Processing Agreement governs the parties’ rights and obligations and shall ensure that personal data are not used improperly or disclosed without prior authorisation or otherwise in contravention of the applicable data protection legislation in the European Union and the United Kingdom, including (i) Regulation (EU) 2016/679 (the "EU GDPR"), and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time) (the "UK GDPR") (together, collectively, the "GDPR"); (ii) the UK Data Protection Act 2018; and (iii) all other applicable laws and regulations relating to the processing of personal data (the "Data Protection Laws").
1.4 The terms “Personal Data”, “Processing”, “Data Subject”, “Supervisory Authority”, “Personal Data Breach”, “Sub-processor”, and “Third Country” shall have the meanings given in the GDPR.
1.5 By entering into this Data Processing Agreement, the Controller authorises the Processor to process personal data on its behalf in accordance with the protocol in Appendix 1.
2. The Controller’s Obligations
2.1 The Controller shall comply with the obligations that are stipulated in Data Protection Laws, as well as this Data Processing Agreement.
2.2 The Controller shall be responsible, among other things, for ensuring that the processing of personal data, which the Processor is instructed to perform, has a legal basis.
2.3 It is the Controller who determines the purpose of the processing of personal data and the means to be used during such processing, cf. the GDPR article 4 no. 7 and the data protection legislation.
2.4 The Processor has no control over whether personal data is uploaded by the Users or the purpose of Processing such Personal Data. The Processor does not process any personal data unless the Controller’s Users decide to upload or share it and have determined the purpose of the processing.
2.5 The Processor does not require, and the Controller shall ensure that it does not provide, any special categories of data or other unnecessary identifiers, unless expressly agreed in writing.
3. The Processor’s Obligations
3.1 The Processor shall comply with the obligations that are stipulated in Data Protection Laws, as well as this Data Processing Agreement.
3.2 The Processor shall process personal data in accordance with the Controller’s documented routines and instructions and not process personal data provided under the Data Processing Agreement in any other way or for any purpose, unless processing is required by Data Protection Laws, in which case the Processor shall, to the extent permitted by applicable laws, inform the Controller of that legal requirement before the relevant processing of that personal data. The Controller's instructions to the Processor are set out in the Agreement and this Data Processing Agreement.
3.3 The Processor shall only process personal data as necessary for the purposes and nature of processing described in Appendix 1.
3.4 The Processor is obliged to notify the Controller without undue delay if the Processor considers that the Controller’s instructions are in violation of the Data Protection Laws.
3.5 The Controller has, unless otherwise agreed or stipulated by law, the right to access and review the personal data being processed by the Processor.
3.6 If an approved code of conduct exists according to Article 40 of the GDPR or other approved certification scheme according to Article 42 of the GDPR, which the Processor has undertaken to comply with or be certified under, the Processor is required to comply with such code of conduct or certification requirements in the processing of personal data on behalf of the Controller.
4. Data Subjects
4.1 The Controller shall be the point of contact for the data subjects and provide necessary information about the processing. The Controller is solely responsible for handling the data subjects' requests for access, rectification, erasure, restriction, data portability, etc., and ensuring such requests are met.
4.2 The Processor shall, taking into account the nature of the Processing and to the extent possible using appropriate technical and organisational measures, assist the Controller in safeguarding the rights of the data subjects in accordance with Chapter III of the GDPR. This applies to, but is not limited to, providing information on how the personal data is processed, handling inquiries concerning access to personal data and fulfilling the data subjects’ rights to demand correction or deletion of the personal data.
4.3 If the Processor receives a request from a data subject for access to their personal data or to exercise any of their other rights under the Data Protection Laws, the Processor shall notify the Controller without undue delay. The Processor shall not respond to such requests unless instructed to do so by the Controller.
5. Sub-processors
5.1 The Processor is entitled to use sub-processors to process personal data on behalf of the Controller, provided that the Processor remains fully liable to the Controller for the sub-processor’s performance of its obligations under this Data Processing Agreement. A list of SEEN’s current sub-processors is included at: https://trust.seen.io/subprocessors
5.2 The Processor shall ensure that all sub-processors are informed of and bound by similar requirements for information security, confidentiality, use and other requirements set forth in this Data Processing Agreement and applicable Data Protection Laws.
5.3 If the Processor wishes to engage a new sub-processor, the Processor must notify the Controller of this at least one (1) month before the sub-processor begins processing the personal data. The Controller may deny the use of such a sub-processor only if the Controller has well-grounded doubts about the ability of the sub-processor to comply with the applicable Data Protection Laws. If the Controller has not opposed the intended sub-processor within 14 days of the Processor's notice, the sub-processor shall be deemed approved by the Controller. If the Controller opposes the use of the sub-processor, the Parties shall negotiate in good faith on how to resolve this issue. If the Platform cannot be provided without the use of the relevant sub-processor, the Processor's responsibility to provide the Platform is suspended.
5.5 The Controller shall be entitled to receive a copy of any sub-processing agreement between the Processor and a sub-processor. The Processor is entitled to redact such parts of relevant contract documents that are irrelevant for the control purposes of this Data Processing Agreement (e.g. financial conditions).
5.6 At the conclusion of this Data Processing Agreement, the Controller has approved the sub-processors listed in Appendix 1 of this Data Processing Agreement.
6. Confidentiality
6.1 The Processor is subject to a duty of confidentiality regarding the personal data that the Processor has access to under this Data Processing Agreement. The duty of confidentiality also applies after the termination of the DPA.
6.2 The Processor shall only grant access to the personal data to persons under the Processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The Processor shall at the request of the Controller demonstrate that the concerned persons under the Processor’s authority are subject to the above-mentioned confidentiality.
6.3 The Processor shall not disclose personal data or information that it processes on behalf of the Controller to third parties or data subjects without explicit instruction or permission from the Controller, unless otherwise provided by law. Third-party inquiries to the Processor must be forwarded to the Controller as soon as possible.
7. Security
7.1 The Processor shall comply with the requirements for security measures imposed by the at all times applicable Data Protection Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. To that end, the Processor shall implement the appropriate organisational and technical measures described in Appendix 2 to this Data Processing Agreement. The Processor’s ISO/IEC 27001, ISO/IEC 27701 certificates, and/or other relevant certificates and security and privacy attestations, are available at trust.seen.io.
7.2 The technical and organisational measures of the Processor are subject to technical development, and the Processor may implement adequate alternative measures in the course of the Data Processing Agreement. Such measures shall comply with the legal provisions set out in Article 32 of the GDPR and must not fall short of the level of security previously held. No special agreement is required if these changes lead to an improvement to the level of security that was previously part of this Data Processing Agreement in the context of commissioned processing.
8. Non-conformity
8.1 The Processor shall notify the Controller without undue delay if the Processor discovers that personal data is or has been exposed to unauthorised access, dissemination, alteration, damage, destruction or inaccessibility or another form of security breach or otherwise used in an unauthorised manner or handled in violation of the Data Protection Laws and/or the terms of this Data Processing Agreement.
8.2 The breach notification shall document the breach and contain, as a minimum:
a) A description of the nature of the breach, including where possible the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
b) The name and contact details of the data protection officer or other contact point with the Processor.
c) A description of the likely or realised consequences of the breach.
d) A description of the measures that have been taken or are proposed to be taken to address the breach, including where relevant, measures to mitigate its possible adverse effects.
8.4 If the Processor is unable to provide all of the above-mentioned information at the same time, the information can be provided in phases without further undue delay.
8.5 In the event of a breach, the Processor is obliged to ensure the security of the personal data by implementing appropriate measures and co-operate with the Controller in the investigation and mitigation of each such breach. Such assistance shall be provided to the Controller at no extra cost.
8.6 The Processor agrees and understands that, except when the Processor is required to do so by applicable law, the Controller has the sole right and responsibility to determine:
a) whether to provide notice of the breach to any data subjects or to the data protection authority, as required by law or regulation or at the Controller’s discretion, including the contents and delivery method of the notice; and
b) whether to offer any type of remedy to affected data subjects, including the nature and extent of such remedy.
9. Assistance
9.1 The Processor shall assist the Controller so that it can fulfil its own duties in regard to information security, personal data breaches and data protection impact assessments pursuant to Articles 32 to 36 of the GDPR and the at all times applicable Data Protection Laws. At the request of the Controller where required to handle the privacy risk as identified through impact assessments, the Processor is obliged to assist in assessing the privacy-related consequences and in prior consultations, as well as in the dialogue with, where the EU GDPR applies, the relevant European data protection authority, and where the UK GDPR applies, the UK Information Commissioner’s Office.
10. Audit
10.1 The Processor shall make available to the Controller all reasonably required information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
10.2 The Controller or a third party appointed by the Controller may request access to and verification of the Processor's processing of personal data, including access to and verification of documentation for fulfilment of the requirements for information security and this Data Processing Agreement. If the Controller uses a third party to carry out the audit, such third party cannot be a direct competitor to the Processor and must be bound by a duty of confidentiality before commencing with the audit.
10.3 The Controller has the right to carry out audits at its own cost, a maximum of once a year, with four weeks' prior written notice.
10.4 Audits shall not impair the confidentiality, integrity and access to personal data, nor shall they impair the confidentiality, integrity and access to the Processor’s internal reports, prices or other clients’ information.
10.5 The Processor is obliged to give the supervisory authorities or representatives acting on behalf of such authorities access to the Processor's physical facilities after presentation of appropriate identification and basis for the access.
10.6 If the audits reveal defects, the Processor shall promptly rectify such deficiencies at no cost to the Controller. Any material deficiencies that constitute an obvious threat to information security should be corrected immediately.
11. Third Country Transfer
11.1 Personal data processed by the Processor on behalf of the Controller may be transferred to, stored and processed in those countries listed in Appendix 1.
11.2 The Processor shall not transfer personal data to or allow persons outside of the countries listed in Appendix 1 to gain access to personal data, without the prior written consent of the Controller, unless the European Commission has determined that the country or international organisation ensures an adequate level of protection.
11.3 The Processor shall ensure that the transfer takes place in accordance with applicable EU or UK transfer mechanisms and data protection laws.
12. Term
12.1 This Data Processing Agreement shall apply for as long as the Processor processes personal data on behalf of the Controller.
12.2 In the event of a breach of this Data Processing Agreement or the data protection legislation, the Controller may instruct the Processor to discontinue further processing of the personal data with immediate effect.
13. Termination
13.1 Upon termination or expiry of this Data Processing Agreement, the Processor shall cease the processing of all personal data. The provisions regarding confidentiality of documentation and personal data that the Processor may access pursuant to this Data Processing Agreement shall survive this Data Processing Agreement.
13.2 Upon termination or expiry of this Data Processing Agreement, or upon the Controller’s written request, the Processor shall either, at the choice of the Controller, return and/or destroy personal data processed (including security copies).
13.3 If shared infrastructure is used where direct erasure is not directly possible, the Processor shall ensure that personal data is rendered unavailable until such data is overwritten by the system.
13.4 Unless otherwise required by law, the Processor may not retain any copies of personal data provided by the Controller under this Data Processing Agreement, in any format, and any physical and logical access to such personal data shall be erased.
Appendix 1 - Protocol
1. Notices
All notices under this Data Processing Agreement shall be sent in writing to the representatives listed in the Order Form.
2. The Purpose and Nature of Processing
The purpose is to assist the Client with its use of the Platform under the Agreement.
3. The Nature of Processing
The Processor processes personal data solely for the purpose of assisting the Client with personalised video creation and analysis on behalf of the Controller.
Input data: Personal data relating to the Controller’s end customers, members, or employees (such as name, age, birth date, language, location, purchase history, gender, and interests) is transmitted by or on behalf of the Controller to the Processor via secure API, as an encrypted data file, or uploaded directly by authorised users of the Controller.
The categories of personal data processed are determined solely by the Controller, who remains responsible for ensuring that only data which is adequate, relevant, and limited to what is necessary for the agreed purposes is provided to the Processor.
Processing activities: Through the self-service functionality of SEEN’s Platform, the Controller and its authorised users may use this data to generate and deliver personalised video experiences to identified recipients. Where SEEN undertakes such activities on behalf of the Controller, it does so strictly under the Controller’s documented instructions and in accordance with this Data Processing Agreement.
Analytics: In connection with the distribution and playback of such video content, the Processor collects event-level engagement data (e.g. video play, pause, completion, errors, clicks on embedded links or calls-to-action, device/browser information, IP address at time of access, and time spent engaging with the video). These analytics are made available to the Controller through SEEN’s reporting dashboard to enable assessment of campaign performance.
The Processor does not track recipients across websites, combine analytics with third-party datasets, or perform behavioural profiling outside the scope of the agreed campaign engagement.
Limitations: The Processor does not process personal data for its own purposes, combine it with third-party datasets, or perform profiling beyond the scope of campaign engagement reporting, except as otherwise permitted under the Agreement and applicable Data Protection Laws.
4. Categories of Data Subjects
The Processor may process personal data relating to the following categories of data subjects, as determined by the Controller:
- End customers and prospects of the Controller (e.g. individuals receiving marketing or service communications).
- Members or subscribers of the Controller’s services.
- Employees, contractors, or other personnel of the Controller, where the Controller elects to use the Platform for internal communications.
- Any other category of data subject that the Controller elects to include, provided such use is within the agreed purpose and compliant with applicable Data Protection Laws.
5. Categories of Personal Data
Personal data that may be processed under this Agreement, as determined by the Controller, typically includes attributes such as:
- Name
- Age
- Birth date
- Language
- Location
- Purchase history
- Gender
- Interests
This list is illustrative and not exhaustive. The Controller decides which categories of personal data are provided to the Processor and remains solely responsible for ensuring that only data which is adequate, relevant, and limited to what is necessary for the agreed purposes is shared.
The Processor does not require, and the Controller shall ensure that it does not provide, any special categories of personal data (as defined in Article 9 GDPR) or unnecessary identifiers (e.g. phone numbers, email addresses), unless expressly agreed in writing.
Appendix 2 - SEEN's Security Baseline
Introduction
1.1 The Processor is certified to ISO/IEC 27001 (Information Security Management) and ISO/IEC 27701 (Privacy Information Management). These certifications confirm that the Processor maintains and operates a formally audited management system for information security and privacy in line with internationally recognised best practice.
1.2 Current certificates and audit information are available at trust.seen.io
1.3 The Processor commits to maintaining these certifications during the term of the Agreement and to applying equivalent or higher standards should they be replaced or updated.
1.4 The purpose of this Appendix is to reassure the Controller that the Processor applies robust administrative, physical, organisational and technical safeguards designed to protect personal data against unauthorised or unlawful processing, accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access.
Governance & Risk Management
2.1 The Processor maintains an Information Security Management System (ISMS) and Privacy Information Management System (PIMS), with policies approved at senior management level and reviewed on a regular basis.
2.2 Risk assessments are carried out for new applications, changes and ongoing operations to ensure that risks to the confidentiality, integrity, and availability of personal data are identified and mitigated.
Access Control
3.1 Logical and physical access controls follow the principle of least privilege and role-based access.
3.2 Access rights are reviewed regularly, revoked promptly when no longer required, and monitored through audit logs.
3.3 Multi-factor authentication and strong password policies are applied in line with ISO requirements.
Cloud & Infrastructure Security
4.1 The Processor uses Google Cloud Platform for hosting and storage, with all data encrypted in transit and at rest using industry standard AES-256 and FIPS 140-2 validated modules.
4.2 Data centres are subject to Google Cloud’s own ISO/IEC 27001, 27017, 27018, and SOC certifications.
Encryption & Secure Communications
5.1 All data in transit is protected using secure protocols (e.g. HTTPS/TLS, SSH v2).
5.2 Encryption key management follows ISO-certified controls.
Monitoring, Logging & Testing
6.1 Systems that process personal data generate audit logs which are reviewed and protected against tampering.
6.2 Regular security testing, vulnerability scanning, and patch management are conducted as part of the ISMS.
Backups & Data Disposal
7.1 Personal data is backed up in accordance with SEEN’s business continuity policies and retained for no longer than ninety (90) days, after which backups are automatically overwritten. During the backup retention period, data remains securely stored, is not processed for any other purpose, and is only accessible for disaster recovery.
7.2 Upon deletion from active systems, personal data will be removed from backups within the above retention period. Data deletion and disposal are carried out securely in line with ISO/IEC 27001 and 27701 controls.
Incident Response
8.1 The Processor maintains an incident response plan covering detection, escalation, investigation, and reporting.
8.2 The Processor will notify the Controller without undue delay upon becoming aware of a personal data breach, in line with Article 33 GDPR.
Training & Awareness
9.1 All employees and contractors with access to personal data receive mandatory training on security, privacy, and confidentiality obligations.
9.2 Confidentiality commitments are included in contracts of employment and supplier agreements.