This Data Processing Addendum (the "DPA") forms part of the agreement between Intravo Corp ("Intravo", "Processor"), and the customer identified in the applicable order, agreement, or terms of service ("Customer", "Controller") (each a "Party" and collectively the "Parties") for the provision of services by Intravo (the "Agreement").
This DPA reflects the Parties' agreement on the processing of Personal Data in connection with the European Union General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws (collectively, "Data Protection Laws").
By executing the Agreement or accepting Intravo's terms of service, Customer also accepts this DPA. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Agreement or applicable Data Protection Laws.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Intravo on behalf of Customer in connection with the Services.
- "Process" / "Processing" has the meaning given in the GDPR.
- "Subprocessor" means any third party engaged by Intravo to process Personal Data on Customer's behalf, as listed at intravo.com/subprocessors.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Roles & Scope
The Parties acknowledge that, with respect to the processing of Personal Data under this DPA, Customer is the Controller and Intravo is the Processor. Where Customer acts as a Processor on behalf of a third-party Controller, Intravo will act as Customer's Subprocessor.
Intravo will process Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by law. The Agreement, this DPA, and Customer's authorized configuration of the Services constitute Customer's documented instructions.
3. Details of Processing
The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex 1.
4. Customer Obligations
Customer represents and warrants that:
- It has provided all required notices and obtained all required consents and permissions for Intravo to process Personal Data as contemplated by the Agreement and this DPA.
- Its instructions to Intravo comply with applicable Data Protection Laws.
- It will not provide to Intravo any "special categories" of Personal Data (as defined in Article 9 of the GDPR) except where the Services are configured to handle such data and where Customer has a lawful basis to do so.
5. Confidentiality of Processing
Intravo will ensure that personnel authorized to process Personal Data are bound by written confidentiality obligations as a condition of access. All employees and contractors with access to Personal Data must complete information security training within a reasonable time after hire and on at least an annual basis thereafter, in accordance with Intravo's Information Security Policy. Acknowledgment of the Information Security Policy and Personal Data Protection Policy is retained for each workforce member. Where lawful, Intravo conducts background screening on personnel whose duties involve access to Confidential or Highly Confidential information (which includes Personal Data) under its Background Check Policy.
6. Security Measures
Intravo will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk to Data Subjects.
These measures are anchored in Intravo's documented internal policy framework, which includes (without limitation) its Information Security Policy, Personal Data Protection Policy, Cyber Incident Response Plan, Audit Trail Policy, Key Management Policy, Patch Management Policy, Vulnerability Assessment and Management Policy, Cybersecurity Supply Chain Risk Management Policy, BYOD Policy, Wireless Network Security Policy, Change Management and Control Policy, Business Impact Analysis Policy, and Document Retention Policy. Intravo's Information Security Coordinator is accountable for the program and reviews each policy at least annually.
A description of these measures is set forth in Annex 2 (Technical and Organizational Measures) and summarized in our public Security Overview.
7. Subprocessors
7.1 General Authorization
Customer provides general authorization for Intravo to engage Subprocessors to process Personal Data, subject to the requirements of this Section 7.
7.2 Current Subprocessors
The current list of Subprocessors is published at intravo.com/subprocessors. Customers may subscribe to change notifications by emailing [email protected].
7.3 New Subprocessors
Intravo will provide at least thirty (30) days' notice prior to engaging any new Subprocessor that processes Personal Data, by updating the public Subprocessors list and notifying subscribed Customers. Customer may object on reasonable grounds relating to data protection by notifying Intravo within thirty (30) days. The Parties will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected Services and receive a pro-rata refund of any prepaid fees for the unused portion of the term.
7.4 Subprocessor Diligence and Agreements
Before engaging a Subprocessor that will process Personal Data, Intravo evaluates the prospective provider under its Cybersecurity Supply Chain Risk Management Policy. This evaluation includes, where applicable, review of the provider's information security program, data protection policies and procedures, financial standing, sanctions and embargo screening, and independent assurance documentation (such as SOC 1, SOC 2, ISO 27001, or PCI DSS Attestation of Compliance). Engagements are formalized in a written contract signed by an authorized signatory and specifying information security and personal-data protection requirements.
Intravo will impose data protection obligations on each Subprocessor that are no less protective than those set forth in this DPA, and reviews material Subprocessors on a periodic basis to confirm continued compliance. Intravo remains liable to Customer for the performance of each Subprocessor's obligations.
8. Assistance with Data Subject Rights
Taking into account the nature of the processing, Intravo will provide reasonable assistance to Customer through appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligations to respond to Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
If Intravo receives a request directly from a Data Subject relating to Customer's Personal Data, Intravo will promptly forward the request to Customer and will not respond except on Customer's instructions or as required by law.
9. Data Protection Impact Assessments
Intravo will provide Customer with reasonable assistance for any data protection impact assessments and prior consultations with supervisory authorities required of Customer, taking into account the nature of the processing and information available to Intravo.
10. Personal Data Breach Notification
Intravo maintains a documented Cyber Incident Response Plan ("IRP") under the accountability of its Information Security Coordinator. The IRP is exercised and reviewed at least annually, and defines the Incident Response Team, escalation paths, evidence preservation, containment, recovery, and notification procedures.
Intravo will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's Personal Data. Where information is not yet fully available, Intravo will provide an initial notification within the same time frame and supplement it in phases without undue further delay. The notification will include, to the extent then known:
- A description of the nature of the breach, including categories and approximate number of Data Subjects and Personal Data records concerned;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate its possible adverse effects;
- The contact point for further information.
Intravo will reasonably cooperate with Customer in investigating, containing, mitigating, and remediating the breach, including coordinating any necessary notifications to regulators, affected individuals, and Intravo's cyber insurance carrier as contemplated by the IRP. Information regarding the incident will be treated as Highly Confidential and shared with Customer through a designated, authorized channel.
11. Audits
Intravo will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws. Intravo does not currently hold its own SOC 2, ISO 27001, or PCI DSS certification, and is working toward a SOC 2 Type II examination; the public Security Overview reflects current status. Available diligence materials include: (a) Intravo's documented internal policy framework referenced in Section 6, made available under NDA; (b) summaries of annual internal and external penetration testing performed under Intravo's Vulnerability Assessment and Management Policy; (c) executive summaries of independent third-party assessments held by Intravo's Subprocessors (such as SOC 2 reports, ISO 27001 certifications, or PCI DSS Attestations of Compliance), where Intravo is permitted to share them; (d) completed security questionnaires (e.g., CAIQ, SIG Lite); and (e) the public Security Overview.
Where the foregoing is not sufficient to demonstrate compliance, Customer may, no more than once per calendar year and on reasonable prior written notice (and at Customer's expense), conduct an audit of Intravo's processing activities relevant to Customer. Audits must be conducted during business hours, with minimal disruption, under reasonable confidentiality obligations, and shall not require disclosure of information that would compromise the confidentiality, security, or integrity of Intravo's environment or other customers' data.
12. International Data Transfers
Where Customer Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland is transferred to a country not subject to an adequacy decision, the Parties agree that such transfers shall be subject to:
- The EU Standard Contractual Clauses (Module 2: Controller-to-Processor; or Module 3: Processor-to-Processor where applicable), incorporated by reference and completed by the information in Annex 1 and Annex 2;
- The UK International Data Transfer Addendum issued by the UK Information Commissioner's Office, where applicable;
- The Swiss FDPIC guidance on the application of the SCCs to Swiss data transfers, where applicable.
In the event of any conflict between the SCCs and this DPA, the SCCs prevail.
13. CCPA / CPRA Service Provider Terms
To the extent Intravo processes Personal Information of California residents on Customer's behalf, the Parties agree that Intravo acts as a "Service Provider" as defined under the CCPA/CPRA. Intravo will:
- Process Personal Information solely for the business purposes specified in the Agreement and this DPA;
- Not "sell" or "share" Personal Information as those terms are defined under the CCPA/CPRA;
- Not retain, use, or disclose Personal Information for any purpose other than for the business purposes specified, or as otherwise permitted by the CCPA/CPRA;
- Not combine Personal Information received from Customer with Personal Information from other sources, except as permitted by the CCPA/CPRA;
- Promptly comply with any reasonable Customer request to enable Customer to respond to verifiable consumer requests.
14. Return & Deletion of Personal Data
Upon termination or expiration of the Agreement, Intravo will, at Customer's choice, delete or return Customer Personal Data within a reasonable period (and in any event within ninety (90) days), except to the extent required to be retained by applicable law, regulatory obligations, or a documented litigation hold under Intravo's Document Retention Policy. Customer may export Customer Data through the Services prior to termination. Backup copies containing Customer Personal Data will be retained and rotated out in the ordinary course in accordance with Intravo's documented retention schedules, and remain subject to the security measures described in Annex 2 until deletion.
15. Liability
Each Party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement.
16. General
- Term. This DPA is effective on the date the Agreement is executed and continues for the duration of Intravo's processing of Personal Data on Customer's behalf.
- Order of Precedence. In the event of any conflict, this DPA prevails over the Agreement with respect to the processing of Personal Data, except that the SCCs prevail over both.
- Governing Law. This DPA is governed by the law of the Agreement, except that mandatory provisions of Data Protection Laws apply.
- Updates. Intravo may update this DPA from time to time to reflect changes in law or operations, provided that no update will materially diminish the protections it provides.
Annex 1 — Details of Processing
A. Subject Matter
The provision of the Services described in the Agreement.
B. Duration
For the duration of the Agreement, plus the period necessary to fulfill legal retention obligations.
C. Nature and Purpose of Processing
Intravo processes Personal Data to deliver the Services, including hosting customer events, distributing meeting and webcast content, providing live interpretation, processing registrations, sending communications, generating analytics, and providing customer support.
D. Categories of Data Subjects
- Customer's employees, contractors, and authorized administrators
- Customer's end users, attendees, registrants, and meeting participants
- Other individuals whose data Customer chooses to submit to the Services
E. Categories of Personal Data
- Identification and contact data (name, email address, phone number, mailing address)
- Account credentials
- Professional data (job title, employer, professional affiliation)
- Audio, video, and chat content during meetings, webcasts, and interpretation sessions
- Survey, poll, and Q&A responses
- Device and connection data (IP address, browser, device type, geolocation)
- Usage data (pages viewed, sessions attended, content interacted with)
- Other data Customer chooses to submit to the Services
F. Special Categories of Data
None, unless Customer specifically configures the Services to receive such data and has a lawful basis to do so.
G. Frequency of Transfer
Continuous, for the duration of the Agreement.
H. Retention
Personal Data is retained for the duration of the Agreement and deleted in accordance with Section 14, unless retention is required by law.
Annex 2 — Technical & Organizational Measures
The measures below summarize the controls Intravo applies to Personal Data. They are derived from Intravo's documented internal policies, are implemented under the accountability of the Information Security Coordinator, and are reviewed at least annually. A high-level public version is available in the Security Overview.
A. Governance & Program Management
- Designated accountability. An Information Security Coordinator owns the information security program, approves policies, and reviews them on at least an annual basis.
- Policy framework. Written policies covering information security, personal data protection, incident response, audit logging, key management, patch management, vulnerability management, supply chain risk management, change management, business impact analysis, document retention, BYOD, wireless network security, and acceptable use of AI tools.
- Risk assessment. Periodic risk assessments to identify reasonably foreseeable internal and external risks to confidentiality, integrity, and availability of Personal Data, with documented remediation and mitigation plans.
- Exceptions. Any deviation from policy requires written approval by the Information Security Coordinator, is documented, and is periodically reviewed.
B. Data Classification & Handling
- Three-tier classification. Information is classified as Public, Confidential, or Highly Confidential, with handling, transmission, and storage requirements scaled to classification.
- Personal Data. Personal Data and other personal information are treated as Highly Confidential and segmented from the rest of the network where technically feasible.
- Need-to-know. Access to Personal Data is restricted to personnel whose duties require it.
- Secure disposal. Media containing Confidential or Highly Confidential information is wiped using generally accepted standards or physically destroyed prior to disposal; paper records containing such information are shredded.
C. Access Control & Authentication
- Unique identities. Each user is assigned a unique account; sharing of credentials is prohibited.
- Least privilege & RBAC. Access is granted based on documented business need, applying the principle of least privilege and role-based access controls. Administrative privileges are restricted and reviewed.
- Strong authentication. Strong password requirements, account lockout after five failed login attempts, screen-lock after a maximum of fifteen (15) minutes of inactivity, and two-factor authentication for remote access.
- Joiner / mover / leaver. Access changes are routed through documented approvals; accounts are deactivated promptly upon termination of an individual's relationship with the company.
- Periodic review. System and application administrators periodically review user accounts and access levels to confirm continuing business need.
D. Encryption & Key Management
- Data in transit. Personal Data is encrypted in transit using TLS 1.2 or higher (TLS 1.3 for sites accepting payment card data or transmitting protected health information). Approved transport protocols include TLS 1.2/1.3, SSH, SFTP, and VPN.
- Data at rest. Industry-standard encryption is applied to Personal Data at rest; portable assets such as laptops use full-disk encryption.
- Key management. Cryptographic keys are generated, stored, rotated, and retired under a written Key Management Policy. Key-encrypting keys are at least as strong as the data-encrypting keys they protect and are stored separately from them. Access to keys is restricted and logged, and no single individual is ever the sole holder of access to a key.
- Passwords. Passwords are stored only as the output of a one-way cryptographic function.
E. Network & Infrastructure Security
- Perimeter controls. Firewalls separate trusted networks from untrusted networks; additional controls (intrusion detection/prevention, monitoring) are layered based on risk.
- Segmentation. Networks containing Highly Confidential information, including Personal Data, are segmented from the rest of the environment to the extent technically feasible.
- Wireless. Wireless networks are configured under the Wireless Network Security Policy with industry-standard encryption (WPA2 / WPA3), unique SSIDs, hardened access points, segmented guest access, and quarterly rogue-AP scanning.
- Endpoint protection. Servers, workstations, and laptops run anti-malware/endpoint protection with alerting on unusual behavior.
- BYOD. Personal devices used for work are subject to the BYOD Policy, including password protection, automatic lock, current operating system and security patches, and the ability for Intravo to remotely wipe company content.
F. Vulnerability & Patch Management
- Penetration testing. Internal and external penetration testing is performed at least annually and following significant infrastructure or application changes; results are retained for at least twelve (12) months.
- Vulnerability scanning. Vulnerability scanning uses industry-standard tooling aligned with CVE naming and CVSS scoring, with coverage of the OWASP Top 10 and SANS CWE Top 25 at the application layer.
- Remediation timelines. Findings are remediated based on risk: Critical within 72 hours to 2 weeks; Severe within 2 weeks to 1 month; Moderate within 1 month to 3 months. Re-testing confirms successful remediation.
- Patch management. Security patches are evaluated, prioritized (High / Medium / Low), and deployed through change management. Critical/urgent vendor patches are installed within a reasonable time of release.
G. Logging & Monitoring
- Audit logging. Security-relevant events on servers, firewalls, routers, and workstations are logged, including authentication events, account management changes, privilege use, and system events. Sensitive identifiers (e.g., government IDs, payment card numbers, passwords) are not logged or are masked.
- Retention. Audit logs on firewalls, routers, and servers are retained for a minimum of one (1) year (longer where law requires); workstation logs target six (6) months of retention where feasible.
- Integrity. Logs are write-protected against tampering, with access restricted to authorized administrators, security investigators, and auditors.
- Review. Logs are reviewed regularly — and no less frequently than monthly — with automated alerting on anomalous activity routed to the Information Security Coordinator.
H. Change Management & Secure Development
- Formal change control. All changes to production systems follow a documented change-management process with risk and impact assessment, peer or change-board review, authorization, testing in lower environments, version control, communication, rollback procedures, and post-change review. Emergency changes follow defined parameters and are documented as soon as reasonably possible after resolution.
- Secure development. Development is segregated from production. Secure-by-design principles, defensive coding, code review, and application-level scanning are applied to identify and remediate issues before release.
- Asset management. Hardware, software, and operating-system inventories are tracked to support patching and vulnerability management.
I. Personnel Security
- Background screening. Where lawful, applicants and employees whose duties involve access to Confidential or Highly Confidential information undergo background screening under the Background Check Policy.
- Confidentiality. All employees and contractors are bound by written confidentiality obligations and acknowledge the Information Security Policy and Personal Data Protection Policy.
- Training. Information security and data-protection training is delivered within a reasonable time after hire and on at least an annual basis. Cyber Incident Response Plan training and tabletop exercises are conducted at least annually.
- Sanctions. Violations of policy may result in disciplinary action up to and including termination.
J. Subprocessor / Supply Chain Security
- Pre-engagement diligence. Prospective vendors with access to Personal Data are evaluated under the Cybersecurity Supply Chain Risk Management Policy, including review of information security programs, financial standing, sanctions/embargo status, and third-party assurance reports (e.g., SOC 1/2, ISO 27001, PCI DSS AoC) where applicable.
- Contractual obligations. Subprocessors must be engaged under written contracts that impose data-protection obligations no less protective than those in this DPA.
- Ongoing oversight. Material Subprocessors are reviewed periodically to confirm continued compliance and fitness for purpose.
K. Incident Detection & Response
- Documented IRP. A written Cyber Incident Response Plan defines preparation, detection, escalation, investigation, containment, recovery, evidence preservation, communications, post-incident review, and notifications.
- Incident Response Team. A predefined IRT, led by the Information Security Coordinator, is activated based on initial risk assessment and may include external counsel, forensic, and insurance resources.
- Regulator and customer notifications. Notifications to authorities, affected individuals, customers, and Intravo's cyber insurance carrier are coordinated through the IRP. EEA/UK affected-individual notifications are issued within 72 hours of the qualifying determination.
- Testing. The IRP is exercised at least annually, with documented results and lessons learned feeding back into plan reviews.
L. Business Continuity & Disaster Recovery
- Business Impact Analysis. A documented BIA identifies Mission Essential Functions and Primary Business Functions, the resources required to restore them, and Recovery Time and Recovery Point Objectives for IT systems supporting them. The BIA is reviewed annually and updated no less than every two years.
- Backups. Regular, documented backups are taken for systems supporting essential operations; backups are protected in line with the data classification of the source data; restoration procedures are documented and periodically tested.
M. Physical Security
- Production infrastructure. Production systems are hosted in cloud data centers operated by enterprise providers that maintain physical security controls (perimeter security, access controls, environmental protections) and provide independent assurance reports.
- Office and media. Workforce areas containing Confidential or Highly Confidential information are physically secured; portable media is stored securely when not in use; equipment screens are positioned to avoid casual observation.
Contact
For DPA-related questions or to request a counter-signed copy of this DPA:
Privacy Team — Intravo
Intravo Corp
1756 Topaz Dr
Loveland, CO 80537
Email: [email protected]
