Brightcove has developed a comprehensive compliance program for its EEA, Swiss and UK Customers and their Viewers. In addition to the disclosures in these Privacy Policies, we have provided links to key documentation that outlines our processing activities, data transfer practices and Brightcove’s stance on government requests, to make it easy for our Customers to comply with their own obligations as Controllers when using Brightcove Services in those regions.
We collect and process personal data where it is necessary to satisfy a contract with our Customers or Service Providers, to comply with our legal obligations, for our legitimate business purposes or with your consent. Where the term “personal information" is used in these Privacy Policies it covers the same type of information as “personal data,” as that term is defined in the General Data Protection Regulation (“GDPR”).
DATA PROCESSING AGREEMENTS
We only process Customer and Viewer personal data in accordance with the terms of a data protection agreement, entered into in each instance by Brightcove and the Customer, that limits the processing in accordance with your instructions and as necessary to provide the services, for our legitimate business interests and in the other ways permitted by law. You can review our standard data processing addendum. To learn more about how we treat and transfer personal data we receive from Customers.
We are also transparent about our use of subprocessors, which are also contractually obligated to protect your personal data under these standards. Those subprocessors are listed on the Services Subprocessors page, where you can also sign up to receive alerts whenever we add any additional service providers to the list.
Brightcove is certified under the EU-U.S. Data Privacy Framework and the UK Extension to the Data Privacy Framework and processes personal data in line with our obligations and Data Privacy Framework principles, including purpose limitations, data minimization and providing a direct means of dispute resolution. For further information, please see our Data Privacy Framework Notice below. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
For those transfers of personal data that are not covered by the Data Privacy Framework, Brightcove relies on the most recent versions of the European Commission Standard Contractual Clauses as a transfer compliance mechanism to transfer personal information collected in the EEA, Switzerland and UK.
We have also conducted a transfer impact assessment (“TIA”) for transfers to the United States, where our primary processing takes place for transfers out of the EEA/UK/Swiss region. This TIA takes into account the personal information involved and the laws of the importing country around government access to that information. We will continue to compile TIAs for any countries which do not have adequacy or qualified state status. We monitor any changes in the law that may impact this assessment and will update the TIAs accordingly. Our TIAs are available for Customers or Prospective Customers upon request.
Brightcove may be required to disclose personal data in response to lawful requests by public authorities, including disclosures necessary to meet national security or law enforcement requirements, or pursuant to judicial orders.
FISA Warrant Statement
Only “electronic communication service providers,” within the meaning of 50 U.S.C § 1881(b)(4) are subject to an order for “Upstream” surveillance under Section 702 of the U.S. Foreign Intelligence Surveillance Act (“FISA”) – the type of order that was of principal concern to the Court of Justice of the European Union in the Schrems II decision. In practice, the U.S. government uses “Upstream” orders only to target traffic flowing through internet backbone providers that carry traffic for third parties (i.e., telecommunications carriers). For more information see Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014) pp. 35-40, available at https://fas.org/irp/offdocs/pclob-702.pdf. Brightcove does not provide such backbone services, as we only handle traffic involving our own Customers, so “Upstream” orders are inapplicable to Brightcove.
Brightcove also does not process personal data that is within scope of a FISA 702 order. The Department of Commerce was clear that companies that transfer personal data involving commercial information like employee, customer or sales records, could have no basis to believe intelligence agencies interpret the law to ever seek to collect that data. For more information see Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II(Sept. 2020) pp.2-3, 6, available at https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF
DATA RIGHTS REQUESTS
Customers may have certain rights to their personal data, namely:
- To object to processing for direct marketing purposes;
- To withdraw consent for data collected based on your consent and not for any other lawful basis;
- To restrict processing; and
- To portability in a commonly used and machine-readable form.
Where Brightcove receives a request from a Viewer, we will refer the request to the Customer and support the Customer in responding to the request.
Certain Brightcove Services offer Customers self-service options in the Administrator (or similar) mode of their accounts at no additional cost, including the ability to access, download and export your Viewer data, delete Viewer data and restrict the use of that data. Before you exercise your options, please be aware that deletion of Viewer data is irreversible. If you need further instructions on how to access and use those features, or if you use other Brightcove products and services that may not include these self-service options, please reach out to your customer success representative with your request.
Please keep in mind that when you ask us for your personal data or ask us to delete it, we may need to retain or withhold some of the information for security or legal reasons. For instance, we need Customer and Customer Usage data to maintain your account and requested services. That means if you ask us to delete that information, we may not be able to continue providing those services or products.
To exercise a data right, on your own behalf (as a Customer) or on behalf of a Viewer, please contact Support or email@example.com with the Subject Line: GDPR Data Rights Request. Within the request, please provide the following: your name, corporate email, company name and country and, if applicable, state of residence. We will process any requests within a reasonable period of time, and in any case in accordance with applicable law.
There is also the right to lodge a complaint with your local supervisory data protection authority (“DPA”) if you believe our processing is inconsistent with the applicable data protection laws. You need to lodge any such complaint directly with the relevant DPA.
If you utilize a Payment Service for payments related to Brightcove Services, please contact us at firstname.lastname@example.org, and note in your email that you would like Brightcove to facilitate the correction or deletion of your personal data with the Payment Service.
Accuracy of data is very important to us. Customers should ensure that any information provided to us is up-to-date and Customers may correct information by either logging into their Customer account or by contacting Brightcove’s customer support team. In certain situations, Customers may need assistance from customer support in making a change. We will respond to requests to make changes to Customer records as soon as reasonably practicable. We may require Customer representatives to verify their identity before granting access to, or agreeing to update, correct or delete personal data belonging to Customers.
EU-U.S. DATA PRIVACY FRAMEWORK NOTICE
We have certified our compliance with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the Data Privacy Framework (collectively, the “Data Privacy Framework”) with respect to the Personal Data of users of the Website who are residents of the European Union (“EU”), European Economic Area (“EEA”), the United Kingdom and Switzerland that we receive and process through the Website. We certify that we adhere to the Data Privacy Framework principles of notice, choice, onward transfer, security, data integrity, access and enforcement (the “Data Privacy Framework Principles”) for Personal Data of users of the Website in the countries participating in the Data Privacy Framework. We are responsible for the processing of personal data we receive under the Data Privacy Framework and subsequently transfer to a third party agent, and may be liable for onward transfers in violation of the Data Privacy Framework Principles. Our certification is available here. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. Brightcove’s commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
If you are a resident of a country participating in the Data Privacy Framework, you may direct any questions or complaints concerning our Data Privacy Framework compliance to our Data Privacy Framework and Data Protection Contact listed below. We will work with you to resolve your issue.
Your Data Privacy Framework and Data Protection Contact for the personal data that we process in connection with the Website is:
Attn: Chief Privacy Officer
281 Summer Street
Boston, MA 02210
Phone: +1 617 500 4947
If you have not received a timely or satisfactory response to your concern relating to data processed under the Data Privacy Framework, you may contact our U.S.-based dispute resolution provider, at no cost to you, at https://feedback-form.truste.com/watchdog/request. If neither Brightcove nor our independent dispute resolution provider resolves your complaint, you may have the right to invoke binding arbitration through the Data Privacy Frameworkield panel. However, prior to initiating such arbitration, a resident of a country participating in the Data Privacy Framework must first: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from our designated independent dispute resolution provider; and (3) contact the U.S. Department of Commerce (either directly or through a European DPA) and afford the Department of Commerce time to attempt to resolve the issue. If a resident invokes binding arbitration, each party shall be responsible for its own attorney’s fees. Pursuant to the Data Privacy Framework, the arbitrator(s) may impose only individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Data Privacy Framework Principles with respect to the resident.
DIGITAL SERVICES ACT DISCLOSURES
Your use of Brightcove Services to disseminate content and videos is subject to the General Terms and Conditions found here (the “Terms”). The Terms outline restrictions on use, what content is prohibited and how you can report illegal content.
We will review each properly submitted report in a timely manner, and typically within 24-48 hours. Brightcove will review your report for procedural propriety, such as DMCA notice requirements (as outlined in the Terms), and if those legal requirements are met, the video will be deactivated and the title deleted, with a copy created until review is complete. Brightcove will then provide the report to the offender with instructions on applying for restored access. The reporter will also be notified that the video is being reviewed. Any appeals of the decision are referred to the Brightcove legal team.
If, after following the proper reporting procedures, you have not received a timely or satisfactory response to your concern relating to content removal or suspension or termination of your account due to your violation of the Terms, you may (but do not have to) contact our U.S.-based dispute resolution provider, as provided in the EU-US Data Privacy Framework Notice above, at no cost to you, at https://feedback-form.truste.com/watchdog/request. If neither Brightcove nor our independent dispute resolution provider resolves your complaint, you may have the right to file in a court of competent jurisdiction. Any disputes relating to this section shall be referred to and conducted in accordance with the procedures provided in the EU-U.S. Data Privacy Framework Notice Section.
In the past calendar year, for all regions, not just the EEA, of the eleven (11) reports Brightcove received alleging illegal content, Brightcove:
- Denied 9 reports;
- Removed 2 reported videos;
- Responded to properly submitted reports within 24 hours;
- Reported video content fell into two categories: copyright infringement claims and alleged terrorist materials;
- Received zero (0) appeals of any content removal decisions.
We only remove content when we have actual knowledge of a violation of our Terms.
Single Point of Contact:
Attn: Chief Privacy Officer
281 Summer Street
Boston, MA 02210
Phone: +1 617 500 4947
If you would prefer, you can contact the below EEA-based representative for DSA-specific inquiries and disputes, with the Subject Line: DSA Inquiry, and it will be routed to the appropriate department.
Phone: +44 207 148 6450