Brightcove has developed a comprehensive compliance program for its EEA, Swiss and UK Customers and their Viewers. In addition to the disclosures in these Privacy Policies, we have provided links to key documentation that outlines our processing activities, data transfer practices and Brightcove’s stance on government requests, to make it easy for our Customers to comply with their own obligations as Controllers when using Brightcove Services in those regions.
We collect and process personal data where it is necessary to satisfy a contract with our Customers or Service Providers, to comply with our legal obligations, for our legitimate business purposes or with your consent. Where the term “personal information” is used in these Privacy Policies it covers the same type of information as “personal data,” as that term is defined in the General Data Protection Regulation (“GDPR”).
DATA PROCESSING AGREEMENTS
We only process Customer and Viewer personal data in accordance with the terms of a data protection agreement, entered into in each instance by Brightcove and the Customer, that limits the processing in accordance with your instructions and as necessary to provide the services, for our legitimate business interests and in the other ways permitted by law. You can review our standard data processing addendum. To learn more about how we treat and transfer personal data we receive from Customers.
We are also transparent about our use of subprocessors, which are also contractually obligated to protect your personal data under these standards. Those subprocessors are listed on the Services Subprocessors page, where you can also sign up to receive alerts whenever we add any additional service providers to the list.
Brightcove is certified under the EU-U.S. Data Privacy Framework and processes personal data in line with our obligations and Data Privacy Framework principles, including purpose limitations, data minimization and providing a direct means of dispute resolution. For further information, please see our Data Privacy Framework Notice below. For those transfers of personal data that are not covered by the Data Privacy Framework, Brightcove relies on the most recent versions of the European Commission Standard Contractual Clauses as a transfer compliance mechanism to transfer personal information collected in the EEA, Switzerland and UK.
We have also conducted a transfer impact assessment (“TIA”) for transfers to the United States, where our primary processing takes place for transfers out of the EEA/UK/Swiss region. This TIA takes into account the personal information involved and the laws of the importing country around government access to that information. We will continue to compile TIAs for any countries which do not have adequacy or qualified state status. We monitor any changes in the law that may impact this assessment and will update the TIAs accordingly. Our TIAs are available for Customers or Prospective Customers upon request.
Brightcove may be required to disclose personal data in response to lawful requests by public authorities, including disclosures necessary to meet national security or law enforcement requirements, or pursuant to judicial orders.
FISA Warrant Statement
Only “electronic communication service providers,” within the meaning of 50 U.S.C. § 1881(b)(4) are subject to an order for “Upstream” surveillance under Section 702 of the U.S. Foreign Intelligence Surveillance Act (“FISA”) – the type of order that was of principal concern to the Court of Justice of the European Union in the Schrems II decision. In practice, the U.S. government uses “Upstream” orders only to target traffic flowing through internet backbone providers that carry traffic for third parties (i.e., telecommunications carriers). For more information see Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014) pp. 35-40, available at https://fas.org/irp/offdocs/pclob-702.pdf. Brightcove does not provide such backbone services, as we only handle traffic involving our own Customers, so “Upstream” orders are inapplicable to Brightcove.
Brightcove also does not process personal data that is within scope of a FISA 702 order. The Department of Commerce was clear that companies that transfer personal data involving commercial information like employee, customer or sales records, could have no basis to believe intelligence agencies interpret the law to ever seek to collect that data. For more information see Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (Sept. 2020) pp. 2-3, 6, available at https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF
DATA RIGHTS REQUESTS
Customers may have certain rights to their personal data, namely:
- To object to processing for direct marketing purposes;
- To withdraw consent for data collected based on your consent and not for any other lawful basis;
- To restrict processing; and
- To portability in a commonly used and machine-readable form.
Where Brightcove receives a request from a Viewer, we will refer the request to the Customer and support the Customer in responding to the request.
Certain Brightcove Services offer Customers self-service options in the Administrator (or similar) mode of their accounts at no additional cost, including the ability to access, download and export your Viewer data, delete Viewer data and restrict the use of that data. Before you exercise your options, please be aware that deletion of Viewer data is irreversible. If you need further instructions on how to access and use those features, or if you use other Brightcove products and services that may not include these self-service options, please reach out to your customer success representative with your request.
Please keep in mind that when you ask us for your personal data or ask us to delete it, we may need to retain or withhold some of the information for security or legal reasons. For instance, we need Customer and Customer Usage data to maintain your account and requested services. That means if you ask us to delete that information, we may not be able to continue providing those services or products.
To exercise a data right, on your own behalf (as a Customer) or on behalf of a Viewer, please contact Support or firstname.lastname@example.org with the Subject Line: GDPR Data Rights Request. Within the request, please provide the following: your name, corporate email, company name and country and, if applicable, state of residence. We will process any requests within a reasonable period of time, and in any case in accordance with applicable law.
There is also the right to lodge a complaint with your local supervisory data protection authority (“DPA”) if you believe our processing is inconsistent with the applicable data protection laws. You need to lodge any such complaint directly with the relevant DPA.
If you utilize a Payment Service for payments related to Brightcove Services, please contact us at email@example.com, and note in your email that you would like Brightcove to facilitate the correction or deletion of your personal data with the Payment Service.
Accuracy of data is very important to us. Customers should ensure that any information provided to us is up-to-date and Customers may correct information by either logging into their Customer account or by contacting Brightcove’s customer support team. In certain situations, Customers may need assistance from customer support in making a change. We will respond to requests to make changes to Customer records as soon as reasonably practicable. We may require Customer representatives to verify their identity before granting access to, or agreeing to update, correct or delete personal data belonging to Customers.
EU-U.S. DATA PRIVACY FRAMEWORK NOTICE
We have certified our compliance with the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework”) with respect to the Personal Data of users of the Website who are residents of the European Union (“EU”), European Economic Area (“EEA”), the United Kingdom and Switzerland that we receive and process through the Website. We certify that we adhere to the Data Privacy Framework principles of notice, choice, onward transfer, security, data integrity, access and enforcement (the “Data Privacy Framework Principles”) for Personal Data of users of the Website in the countries participating in the Data Privacy Framework. We are responsible for the processing of personal data we receive under the Data Privacy Framework and subsequently transfer to a third party agent, and may be liable for onward transfers in violation of the Data Privacy Framework Principles. Our certification is available here. Brightcove’s commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
If you are a resident of a country participating in the Data Privacy Framework, you may direct any questions or complaints concerning our Data Privacy Framework compliance to our Data Privacy Framework and Data Protection Contact listed below. We will work with you to resolve your issue.
Your Data Privacy Framework and Data Protection Contact for the personal data that we process in connection with the Website is:
Attn: Chief Privacy Officer
281 Summer Street
Boston, MA 02210
Phone: +1 617 500 4947
If you have not received a timely or satisfactory response to your concern relating to data processed under the Data Privacy Framework, you may contact our U.S.-based dispute resolution provider, at no cost to you, at https://feedback-form.truste.com/watchdog/request. If neither Brightcove nor our independent dispute resolution provider resolves your complaint, you may have the right to invoke binding arbitration through the Data Privacy Framework panel. However, prior to initiating such arbitration, a resident of a country participating in the Data Privacy Framework must first: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from our designated independent dispute resolution provider; and (3) contact the U.S. Department of Commerce (either directly or through a European DPA) and afford the Department of Commerce time to attempt to resolve the issue. If a resident invokes binding arbitration, each party shall be responsible for its own attorney’s fees. Pursuant to the Data Privacy Framework, the arbitrator(s) may impose only individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Data Privacy Framework Principles with respect to the resident.