Data Processing Agreement

This Data Processing Agreement (“DPA”) shall apply if and to the extent Acast AB (“Acast”, “We” or “Us”) collects or otherwise processes Personal Data on Your behalf as a Processor in connection with the hosting, distribution and/or monetization of the Podcaster Content and/or Publication under the Agreement (the “Services”). The parties agree that this DPA shall be incorporated into and form part of the Agreement. 

1. DEFINITIONS

The terms used in this DPA shall have the meanings set forth below. Capitalized terms used but otherwise not defined herein shall have the meaning given to them in the Agreement or Data Protection Laws, as applicable.

"Authorized Personnel" means duly authorized employees, consultants, officers, agents, contractors and subcontractors who need access to Personal Data to meet Acast’s obligations under this DPA.

"Controller" is as defined in Data Protection Laws.

"Data Protection Laws" mean the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), the UK General Data Protection Regulation 2018/679 as implemented by the Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”) and any similar or equivalent laws, regulations or rules applicable to the Parties and relating to the processing of Personal Data as amended, replaced and/or supplemented from time to time, together with any enforceable guidance and codes of practice issued by any competent supervisory authority  responsible for administering such data protection legislation.

"Data Subject" is as defined in Data Protection Laws and as further specified in Schedule 1 of this DPA.

"Data Security Breach" means breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use of Personal Data.

"Personal Data" is as defined in Data Protection Laws and as further specified in Schedule 1 of this DPA. 

"Processing", "Process" or "Processed" is as defined in Data Protection Laws.

"Processor" is as defined in Data Protection Laws.

"Third Country" means a country that is deemed not to provide an adequate level of protection for Personal Data within the meaning of Data Protection Laws.

"Sub-Processor" means another Processor engaged by Acast to Process Personal Data in connection with the Services. 

2. GENERAL; ROLE OF THE PARTIES

2.1 For the purposes of the Processing of Your Personal Data under the Agreement, You shall be regarded as a Controller and Acast shall be regarded as a Processor. Additional details on the collection and Processing of Your Personal Data are described in Schedule 1 “Data Processing Instructions” attached to this DPA. 

2.2 This DPA supersedes and replaces all prior agreements and understandings between You and Acast, whether written or oral, relating to the subject-matter hereof. All such prior agreements and understandings are hereby deemed of no further force or effect.

3. ACAST UNDERTAKINGS

3.1 Acast undertakes to: 

(a) comply with all applicable requirements of Data Protection Laws; 

(b) only Process Your Personal Data in accordance with the Agreement, this DPA and the Data Processing Instructions described in Schedule 1 attached hereto. Acast may, however, without instructions process information as required by laws to which Acast is subject, but shall to the extent permitted by law, inform You of such requirement prior to Processing. If any instruction issued by You, in Acast’s reasonable opinion, infringes Data Protection Laws, Acast will as soon as reasonably practicable revert to You for the purpose of seeking clarification or further instructions; 

(c) grant access to the Personal Data undergoing Processing to Authorized Personnel only to the extent strictly necessary for the performance of the Services. Acast shall also ensure that Authorized Personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(d) taking into account the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of Processing and the risks involved in the Processing for the Data Subjects, implement all appropriate technical and organisational measures to protect the Personal Data against a Personal Data Breach. The measures implemented by Acast are described here: https://security.acast.com/; 

(e) reasonably assist You in responding to any valid request from a Data Subject and in ensuring compliance with Your obligations under Data Protection Laws, with respect to security, breach notifications, data protection assessments, and consultations with supervisory authorities;

(f) notify You without undue delay after becoming aware of a Data Security Breach affecting Your Personal Data, and take reasonable steps to mitigate the impact of any such Data Security Breach and reasonably cooperate with You to enable You to comply with Your obligations under Data Protection Laws; and

(g) notify You without undue delay if We receive an enquiry or a request for inspection or audit from a supervisory authority relating to the Processing of Your Personal Data under the Agreement, unless We are otherwise prohibited by law from making such disclosure.

4. YOUR UNDERTAKINGS

4.1 You undertake to: 

(a) comply with all applicable requirements of Data Protection Laws;

(b) ensure that You have a lawful basis for the Processing of Personal Data under the Agreement and this DPA;   

(c) ensure that You have all necessary rights and permissions to provide the Personal Data to Acast for Acast and its Sub-Processors to carry out the Processing under the Agreement and this DPA, including without limitation, obtaining and maintaining any and all required consents and opt-in and/or opt-out consents or permissions; 

(d) promptly inform Acast of any Data Subject request made pursuant to Data Protection Laws that You must comply with and provide Acast with the information necessary for You to comply with such request; and 

(e) inform Data Subjects of the Processing of Personal Data under the Agreement and this DPA, including by providing all required privacy notices and privacy policies to Data Subjects which are (i) easily accessible to the Data Subjects, and (ii) compliant with applicable Data Protection Laws.

5. USE OF SUB-PROCESSORS

5.1 You hereby authorise Acast to use Sub-Processors to Process Personal Data under the Agreement and this DPA. Sub-Processors engaged by Acast can only process Personal Data according to instructions which are reasonably equivalent to Your Data Processing Instructions set forth in Schedule 1. Acast’s current Sub-Processors are listed in Schedule 2 of this DPA. Acast reserves the right to update the list of Sub-Processors at any time. Upon request, Acast shall provide You with an updated list of Sub-Processors. 

5.2 Acast remains liable to You for the Sub-Processor’s performance of its agreement obligations.

6. AUDIT

6.1 Subject to at least sixty (60) days’ prior written notice by You, Acast shall grant You access to relevant information required in order to verify that the obligations set out in the DPA are complied with. Acast shall, at Your expense, facilitate and participate in audits, including inspections, carried out by You or by a mutually agreed third party auditor provided that such audits are carried out during regular business hours and no more than once per calendar year. If You use a third party to carry out the audit, that third party shall not be a competitor of Acast and shall undertake confidentiality in relation to Acast’s business information. Any information or documentation provided by Acast to You under this Section shall be considered Acast’s Confidential Information and subject to the confidentiality provisions set out in the Agreement.

6.2 We accept and agree that supervisory authorities may request information from Us, and carry out investigations in the form of data protection audits, in accordance with Data Protection Laws.

7. TRANSFERS

7.1 Acast will not Process or transfer Your Personal Data in a Third Country without Your prior written consent, which consent shall not be unreasonably withheld, conditioned or delayed. 

7.2 You hereby consent to transfers of Personal Data to Acast’s Sub-Processor (including Acast affiliates) established in a Third Country, provided that Acast has entered into appropriate safeguards with such Sub-Processor, such as (i) an adequacy decision pursuant to Article 45 GDPR/UK GDPR (e.g. the EU-US Data Privacy Framework or UK-US Data Bridge) or (ii) the latest standard contractual clauses as approved by the European Commission.

8. INDEMNIFICATION

8.1 Each Party (the “Indemnifying Party”) shall defend, indemnify and hold harmless the other and their respective officers, directors, employees and agents (each, an “Indemnified Party”) from all third-party claims or liabilities (including, without limitation, reasonable attorneys’ fees and costs) arising out of or related to the Indemnifying Party’s breach of this DPA. 

8.2 Nothing in the Agreement shall limit or restrict either Party’s liability for indemnification under this Section. 

9. TERM AND DELETION

9.1  The DPA is effective as from the date You enter into an Agreement with Us and shall continue for the duration of the Agreement. 

9.2  Each Party shall have the right to terminate this DPA immediately upon notice in writing to the other if:

  • the other Party commits a material breach of this DPA which is not capable of being remedied or, if capable of being remedied, is not remedied within fourteen (14) days of a request to do so; or
  • the other Party is prevented from performing any of its material obligations pursuant to this DPA as a consequence of circumstances beyond its reasonable control for more than fourteen (14) days.

9.3  Upon termination or expiration of this DPA and upon Your written request, Acast shall, based on Your instructions, delete all Personal Data Processed, or return to You, in a manner acceptable to You, all Personal Data Processed and delete existing copies unless storage of Personal Data is required pursuant to applicable laws to which Acast is subject. 

9.4 If You request deletion of Your account, Acast will delete all Personal Data Processed in connection with such account.

10. GOVERNING LAW AND DISPUTES

10.1  This DPA shall be governed by and construed in accordance with laws of the Agreement. 

10.2  Disputes regarding interpretation and application of the DPA shall be settled in accordance with the provisions in the Agreement regarding dispute resolution.

11. CHANGES TO THIS DPA

Acast may revise this DPA from time to time at our sole discretion. When there is a new version of the DPA, You will receive notice via email. If you continue to use the Services after receipt of the notice of the new version of the DPA, you will be deemed to have accepted the new version of the DPA. If You do not agree to the new version of the DPA, You may not continue to use the Services.

 


SCHEDULE 1

DATA PROCESSING INSTRUCTIONS

In accordance with the Agreement by and between You and Acast, Acast Processes Your Personal Data for the purposes of hosting, distributing and/or monetizing Podcaster Content and/or Publication and complying with other reasonable written instructions provided by You from time to time, provided that such instructions are consistent with the terms of the Agreement.

These Data Processing Instructions describe Your instructions relating to Processing activities to be carried out by Acast under the Agreement. Any capitalized terms used herein shall have the meaning set out in the Agreement and/or in the DPA, as applicable.

1. SUBJECT MATTER OF THE PROCESSING

The subject matter of the data processing includes the hosting, distribution and/or monetization of the Podcaster Content and/or Publication as described in the Agreement. 

2. THE PURPOSES OF THE PROCESSING

You instruct and authorize Acast to Process Your Personal Data for the purposes of hosting, distributing and/or monetizing Podcaster Content and/or Publication pursuant to the Agreement. 

3. CATEGORIES OF DATA SUBJECTS

Talent, guest(s) and any other identified or identifiable individual included in the Podcaster Content and/or Publication. 

4. CATEGORIES OF PERSONAL DATA

Data Subject’s voice, name, images and any other Personal Data included in the Podcaster Content and/or Publication. 

5. DURATION OF THE PROCESSING

Acast shall Process Your Personal Data for the duration of the Agreement. 

6. LOCATION OF THE PROCESSING

Sweden.


SCHEDULE 2

LIST OF SUB-PROCESSORS

| Sub-Processor Name | Sub-Processor Address | Sub-Processor Activity |
| --- | --- | --- |
| Amazon Web Services | 2121 7th Ave Seattle, WA 98121, US | Hosting cloud infrastructure |
| Barometer | 300 W 57th St, Floor 33, New York, NY 10019 | Brand safety & suitability solution |
| Comscore Inc | 11950 Democracy Drive, Suite 600, Reston, VA 20190, US | Brand safety solution |
| IBM Watson | 1 New Orchard Road Armonk, New York 10504-1722 US | IAB category targeting |
| SpareMin Inc | C/O Neil Mody, 85 Broad Street, 18th Floor, New York, NY, 10004, US | Editing tool to create promotional videos based on the Podcaster Content and/or Publication |
| Podchaser, Inc | 2326 SW 122nd St Oklahoma City, OK 73170 United States | IAB category targeting and keyword targeting |
| Acast Stories Inc | 408 Broadway, Second Floor, New York, NY 10013, US | Assist Acast AB in performing its Agreement obligations |
| Acast Stories Canada Inc | c/o Business Sweden 2 Floor St. W., Suite 2120 Toronto, ON M4W 3E2 Canada | Assist Acast AB in performing its Agreement obligations |
| Acast Stories Ltd | 2nd floor 168 Shoreditch High Street London, E1 6RA United Kingdom | Assist Acast AB in performing its Agreement obligations |
| Acast Stories Ireland Ltd | The Greenway, 112-114 St Stephen's Green, Dublin D02 TD28 | Assist Acast AB in performing its Agreement obligations |
| Acast Stories GMBH | C/O Mindspace Friedrichstrasse 68 10117 Berlin Germany | Assist Acast AB in performing its Agreement obligations |
| Acast Stories SAS | 64 avenue Parmentier 75011 Paris France | Assist Acast AB in performing its Agreement obligations |
| Acast Stories AS | Elisabeth Von Hubsch gate 6 1534 Moss Norway | Assist Acast AB in performing its Agreement obligations |
| Acast Stories Pty Ltd | Level 2, 17 Randle Street, Surry Hills, NSW 2010 Australia | Assist Acast AB in performing its Agreement obligations |
| Acast Stories Mexico, S. de R.L. de C.V. | Blvd. Miguel de Cervantes Saavedra 193, int. 802 Granada, Miguel Hidalgo CP. 11520 Mexico City, Mexico | Assist Acast AB in performing its Agreement obligations |