Podbean Podcaster Data Processing Addendum – Controller to Controller
Last Updated: March 9, 2023
This Podcaster Data Processing Addendum ("DPA") forms part of the agreement(s) (collectively, the "Agreement") between Podbean Inc, with its principal place of business at 5940 S Rainbow Blvd Ste 400 #56077, Las Vegas, NV 89118-2507 ("Podbean") and the podcaster(s) entering into the Agreement with Podbean (“Podcaster,” collectively with Podbean the “Parties” and each a “Party”), and reflects the Parties' agreement with regard to the Processing of Personal Data.
BACKGROUND
Podbean provides podcast hosting services to its podcasters, including monetization and advertising services and integrations with third-party platforms, and Processes certain Personal Data in connection with the provision of such services and its own business and operations. This DPA sets forth the data protection terms and obligations that apply when Podbean Processes Personal Data (defined below) received from or on behalf of the Podcaster. The Parties have agreed to enter into this DPA to address the rights and obligations that apply to the Parties under the Applicable Data Protection Laws (as defined below) concerning each Party’s Processing (as defined below) of Personal Data.
DEFINITIONS
Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
"Applicable Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data under the Agreement, including without limitation, the laws and regulations of the United States and its states, the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”) together with any national implementing laws in any Member State of the European Union or, to the extent applicable, laws and regulations in any other country, as any such law or regulation may be amended, repealed, consolidated or replaced from time to time;
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and includes the term “business” as may be defined by certain Applicable Data Protection Laws;
"Data Subject(s)" means the individual(s) to whom Personal Data relates;
"EEA" means the European Economic Area;
"End Users" means Podcaster’s listeners;
"Services" are the services provided by or on behalf of Podbean to Podcaster pursuant to the Agreement;
"Personal Data" means any information relating to an identified or identifiable Data Subject or that describes, is reasonably capable of being associated with, or is reasonably linkable, directly or indirectly, to a particular individual or household, and includes without limitation any information that constitutes "personal information" and/or “personal data” as defined under Applicable Data Protection Law;
"Processing" means any operation or set of operations which is performed upon data or information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. The terms "Process", "Processes" and "Processed" will be construed accordingly; and
"Security Breach" means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
PROCESSING OF PERSONAL DATA
- Scope and Role.
Podcaster and Podbean are each Controllers with respect to the Processing of Personal Data hereunder. Information about the Processing of Personal Data by Podbean is set forth in Appendix A to this DPA, including without limitation the nature and purpose of the Processing and the types of Personal Data Processed.
- Data Processing.
Podbean will Process Personal Data for the limited and specified purposes set forth in the Agreement and this DPA or as otherwise permitted or required by Applicable Data Protection Law.
- Compliance.
Podbean and Podcaster will comply with Applicable Data Protection Laws and will take steps to protect Personal Data as required by Applicable Data Protection Laws. Without limiting the foregoing, Podcaster represents, warrants, and covenants that it has all rights and has complied with all obligations necessary for the Processing of Personal Data by Podbean and, if applicable, advertisers and other monetization partners, which may include without limitation complying with any applicable requirement for Podcaster to provide notice to, provide opt-out or opt-in rights regarding, and/or obtain appropriate consent from Data Subjects to the Processing by Podbean and, if applicable, advertisers and other monetization partners. Podcaster shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Podcaster acquired Personal Data. Podcaster specifically acknowledges that the Processing of Personal Data by Podbean and, if applicable, advertisers and other monetization partners, in compliance with the Agreement and this DPA will not violate Applicable Data Protection Laws.
- Requests Regarding Personal Data.
If a Party receives a request from one or more Data Subjects to exercise their rights with respect to the Personal Data under Applicable Data Protection Laws (including, but not limited to, the right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or the right not to be subject to an automated individual decision making), or a Data Subject complaint or request from a competent authority in relation to the Personal Data, the Party will independently respond to the request based on the Personal Data within its possession or control and the Processing carried out by such Party. To the extent that Podcaster requires assistance from Podbean to comply with the requirements of Applicable Data Protection Laws or other legal obligations applicable to Podcaster, Podcaster will reimburse Podbean for Podbean’s reasonable time and expenses.
- Security Breach.
If Podbean becomes aware of a Security Breach, Podbean will comply with any Security Breach-related obligations directly applicable to it under the Applicable Data Protection Laws. Podcaster will reimburse Podbean for all reasonable expenses resulting from Podbean’s assistance related to any Security Breach caused by or on behalf of Podcaster and/or Podcaster’s End Users.
- Protected Health Information; Sensitive Data.
Podcaster agrees that it will not include within Personal Data made available to Podbean hereunder any data which is “protected health information” regulated under the United States Health Insurance Portability and Accountability Act or any data considered sensitive or special categories data under Applicable Data Protection Laws.
- Security Responsibilities.
Podbean will implement and maintain reasonable and appropriate technical and organizational measures designed to protect any Personal Data Processed hereunder against Security Breaches and against all other unlawful forms of Processing. These measures may depend on the Services and will include, at a minimum, the measures set out in Annex II of Appendix A to this Agreement.
- Demonstration of Compliance.
Where and to the extent required by Applicable Data Protection Laws, Podcaster may take reasonable and appropriate steps, upon notice to and in cooperation with Podbean, designed to ensure that Podbean Processes Personal Data in a manner consistent with Podcaster’s obligations under Applicable Data Protection Laws. If Podbean determines that it can no longer meet its own obligations under Applicable Data Protection Laws, Podbean will notify Podcaster of such determination. Upon such notice or in the event Podcaster otherwise becomes aware of unauthorized Processing of Personal Data by Podbean, Podcaster may take reasonable and appropriate steps to stop and remediate the unauthorized Processing. Podcaster and Podbean agree to negotiate in good faith to determine what steps are “reasonable and appropriate” under this Section in each instance.
INTERNATIONAL DATA TRANSFERS
- The Parties acknowledge and agree that Personal Data Processed by Podbean may be Processed in or originate from the UK, Switzerland, and/or the EEA and/or be Processed by Podbean outside the UK, Switzerland, and/or the EEA.
- This Section shall apply in the event of a Restricted Transfer (as defined below) of Personal Data. In the event that any provision of this DPA or the Agreement conflicts with the SCCs (as defined below), the SCCs shall prevail solely to the extent of any Restricted Transfer.
- “European Data Protection Laws” means, to the extent applicable to Podcaster, Podbean, or the Processing of Personal Data under the Agreement, the EU GDPR; the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); and the Swiss Federal Data Protection Act (“Swiss DPA”), in each case as may be updated, amended, or replaced from time to time.
- “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 as may be updated, amended, or replaced from time to time; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner as may be updated, amended, or replaced from time to time.
- “SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be updated, amended, or replaced from time to time.
- “UK Addendum” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018, as may be updated, amended or replaced from time to time.
- To the extent the transfer of Personal Data from Podcaster to Podbean is a Restricted Transfer and European Data Protection Laws require that appropriate safeguards be put in place with respect to such transfer, such transfer shall be subject to the SCCs, which shall be incorporated by reference into this DPA as follows:
- EU GDPR. For Personal Data that is protected by the EU GDPR, the SCCs will apply as follows: (1) Module One (controller to controller) will apply; (2) in Clause 7, the optional docking clause will apply; (3) in Clause 11, the optional language will not apply; (5) in Clause 17, Option 2 will apply, and the SCCs will be governed by the law of the EU Member State in which the data exporter is established or, where such law does not allow for third-party beneficiary rights, by the law of the Republic of Ireland; (6) in Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland; and (7) Annexes I and II of the SCCs will be deemed completed with the information in Annexes I and II of Appendix A to this Addendum, respectively.
- UK GDPR. For Personal Data that is protected by the UK GDPR, the SCCs: (1) shall apply as completed in accordance with paragraph (i) above; and (2) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the Parties and incorporated into and form an integral part of this Addendum. In addition, Tables 1 to 3 in Part 1 of the UK Addendum shall be completed respectively with the information set out in Annexes I and II of Appendix A of this DPA, and Table 4 in Part 1 shall be deemed completed by selecting “neither party.”
- Swiss DPA. For Personal Data that is protected by the Swiss DPA, the SCCs shall apply as completed in accordance with paragraph (i) above, with the following modifications: (1) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA and references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA; (2) references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland”, or “Swiss law”; (3) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (4) Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; (5) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; (6) in Clause 17, the SCCs shall be governed by the laws of Switzerland; and (7) with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
LIABILITY
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
- Podcaster acknowledges that Podbean (and if applicable, advertisers and other monetization partners) is reliant on Podcaster for obtaining all required consents, rights, and licenses and providing all notices as to the extent to which Podbean (and if applicable, advertisers and other monetization partners) is entitled to use and process Personal Data hereunder. Consequently, Podbean will not be liable under the Agreement for any claim brought by a Data Subject arising from or related to Podcaster’s failure to comply with its obligations under the Applicable Data Protection Law or this DPA.
GENERAL PROVISIONS
- Where applicable, Schedules, Annexes and Appendices to this DPA will be deemed to be an integral part of this DPA. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. In the event the Agreement ends or is terminated, the obligations under this DPA shall cease.
APPENDIX A: ANNEXES DESCRIBING PROCESSING
ANNEX I
- LIST OF PARTIES
Data exporter, when applicable:
Name: Podcaster (on behalf of itself and permitted Affiliates)
Address: Podcaster’s address, as set out in the Agreement
Contact person’s name, position and contact details: Podcaster’s contact details, as set out in the Agreement
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the Agreement.
Role (controller/processor): Controller
Data importer, when applicable:
Name: Podbean Inc. (on behalf of itself and permitted Affiliates)
Address: 5940 S Rainbow Blvd Ste 400 #56077, Las Vegas, NV, 89118-2507, or as set out in the Agreement and/or a SOW
Contact person’s name, position and contact details: Podbean’s contact details, as set out in the Agreement and/or SOW
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with the Agreement.
Role (controller/processor): Controller
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Podcaster’s business representatives and podcast listeners
Categories of personal data transferred:
- IP addresses
- Listening history, including podcast name, episode title, and play time
- Any personal data mentioned in podcast content (such as the host’s name, any guest names mentioned by the host, etc.)
- Email addresses and other contact information of each Party’s business representatives
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Continuous
Nature of the processing
Purpose of the data transfer and further processing
Business contact emails will be used to allow those individuals to login, and other personal data will be Processed to provide the Services under the Agreement including advertising Services requested by Podcaster, to administer the business relationship with Podcaster, and for Podbean’s business and operations. When Podcaster has requested advertising Services, personal data will be further transferred to third parties including advertisers and monetization partners to support the requested Services. Such third parties may use the data in any manner permitted by applicable law, their respective privacy policies, and their agreements with Podbean.
The period for which the personal data will be retained, or if that is not possible, the criteria used to determine that period
Personal data will be retained pursuant to Podbean’s data retention policies and practices, which are designed to ensure that personal data is not processed for longer than is necessary for the purposes for which it is obtained by Podbean, to allow Podbean to protect and defend legal claims, or as required by law.
For transfers to (sub-)processors, also specify subject matter, nature, and duration of the processing
Podbean may transfer Personal Data to processors or sub-processors for Processing in accordance with the subject matter, nature, and duration of processing noted above.
- COMPETENT SUPERVISORY AUTHORITY
For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either (i) where Podcaster is established in an EU Member State, the supervisory authority responsible for ensuring Podcaster’s compliance with the GDPR; (ii) where Podcaster is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Podcaster’s representative is established; or (iii) where Podcaster is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. Notwithstanding the foregoing, in relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons
Podbean has taken and will maintain the appropriate administrative, technical, physical and procedural security measures designed for protection of the security, confidentiality and integrity of the Personal Data.
- Access Control
- Preventing Unauthorized Service Access
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual agreements with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: We implement a uniform password policy for our Podcaster products. Podcasters who interact with the products via the user interface must authenticate before accessing non-public Podcaster data.
Authorization: Podcaster data is stored in multi-tenant storage systems accessible to Podcasters via only application user interfaces and application programming interfaces. Podcasters are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
- Preventing Unauthorized Service Use
We implement industry standard access controls and detection capabilities for the internal networks that support our services.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted Podcaster websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.
Penetration testing: We engage industry-recognized penetration testing service providers to perform annual penetration testing. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
- Limitations of Privilege & Authorization Requirements
Service access: A subset of our employees have access to the services and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All Podbean employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All Podbean employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
- Transmission Control
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of our login interfaces and for free on every customer podcast site hosted on Podbean. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
- Input Control
Detection: We designed our infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Podcaster damage or unauthorized disclosure. Notification to Podcaster will be in accordance with the terms of the Agreement.
- Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Podcaster data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.