This Data Transfer Agreement (“Agreement”) is made and entered into by and between

each end-user “Customer” who has purchased a subscription order for Crestron Cloudware, which for the purposes of this Agreement shall have the same meaning as defined in the Crestron Cloudware License Agreement,

    on behalf of itself and its affiliates and subsidiaries, located outside of located outside of the European Economic Area (EEA) member states, the territory of Switzerland, and the territory of the United Kingdom, including such affiliates and entities that may be added during the term of this Agreement

and

    Crestron Electronics, Inc
    15 Volvo Drive
    Rockleigh, NJ 07647 (US),

    on behalf of itself and its affiliates and subsidiaries (collectively “Crestron”).  Customer and Crestron shall individually be referred to as “Party” and collectively as “Parties”.

Recitals

WHEREAS, the Parties agree that this Agreement shall apply to all Transfers of Personal Information from Customer to Crestron and to the Processing of Personal Information by Crestron as reflected in commercial agreements between the parties;

WHEREAS, the subject-matter, duration, nature, and purposes of the Processing, as well as the type of Personal Information and categories of Individuals whose data are Processed shall be set forth Appendix 1, hereto, as amended from time to time;

WHEREAS, the terms of this Agreement shall prevail in the event of any conflict with any terms in any other written agreements between the parties, to the extent the conflict relates to the transfer of Personal Information;

WHEREAS, if any Transfer is subject to any law or regulation of any country which requires a change in the terms of this Agreement or additional actions, the parties will use reasonable commercial efforts to promptly amend this Agreement or otherwise comply with any such laws;

NOW, THEREFORE, in consideration of the covenants, promises, obligations and conditions set forth below, the receipt, adequacy, and sufficiency of which are hereby acknowledged, the Parties to this Agreement, intending to be legally bound, agree as follows:

1.    Definitions

The following capitalized terms shall have the following meanings when used in this Agreement:

1.1    “Applicable Law” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule, or other binding restriction (including any and all legislative and/or regulatory amendments or successors thereto), to which a party to this Agreement is subject and which is applicable to a party's information protection and privacy obligations.

1.2    “Approved Cloud Computing Provider” means an entity, approved by both Customer and Crestron that provides Internet accessible data centers and network infrastructure having the following characteristics: on-demand self-service; broad network access; resource pooling; rapid elasticity; and measured service in particular, Amazon Web Services™, IBM® Cloud™, Google Cloud™, and Microsoft Azure®.

1.3    “Cloud Infrastructure” means the hardware, software, virtualization technology, storage devices and array, servers, power, HVAC systems, networks, hosting, facilities, and other tangible elements that are provided by an Approved Cloud Computing Provider to Crestron and provide functionality to configure, operate, host, monitor and/or manage Cloudware and related services.

1.4    “Collect” (including the usage of “Collected” or “Collection”) means to conduct the initial gathering and recording of data regarding Individuals, whether or not the data constitutes Personal Information.

1.5    “Data Controller” means any entity that determines the purposes and means of Processing.

1.6    “Data Exporter” means any entity that discloses or transfers Personal Information to a Data Importer

1.7    “Data Importer” means any entity that receives or accesses Personal Information from a Data Exporter.

1.8    “Data Processor” means any entity (other than the Data Controller) that Processes Personal Information on the Data Controller's behalf.

1.9    “Data Subject” or “Individual” means a natural person to whom Personal Information relates and about whom Personal Information may be Processed under this Agreement.

1.10    “Personal Data”, “Personal Information”, “Personally Identifiable Information”, or “PII” means any information that identifies an Individual or relates to an identifiable individual.  Examples of Personal Information include, but are not limited to, name, address, telephone number, and email address.

1.11    “Process” (including the usage of “Processes”, “Processed”, or “Processing”) means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, including, without limitation, any Collection, Transfer, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, blocking, erasure or destruction thereof.

1.12    “Sensitive Personal Information” means any of the following types of Personal Information: (i) social security number, taxpayer identification number, passport number, driver's license number or other government-issued identification number; or (ii) credit or debit card details or financial account number, with or without any code or password that would permit access to the account; credit history, or (iii) Special Categories of Personal Data.

1.13    “Special Categories of Personal Data” means Personal Information revealing race, religion, ethnicity, sexual orientation, medical or health information, genetic or biometric information, political or philosophical beliefs, trade union membership, background check information, judicial data such as criminal records or information on other judicial or administrative proceedings.

1.14    “Transfer” (including the usage of “Transfers”, “Transferred”, “Transference”, or “Transferring”) means the access to or sharing of Personal Information by electronic or other means.

2.    Processing of Personal Data

2.1    The transfer of Personal Data from Customer, the data controller, to Crestron and its Approved Cloud Computing Provider pursuant to this Agreement is solely intended to enable Crestron to provide the relevant subscription order for Crestron Cloudware as a data processor.  Crestron is prohibited from using Personal Data for any purposes other than fulfilling its contractual obligations related to its obligations to provide the relevant subscription order for Crestron Cloudware.  Crestron agrees to process Personal Data transferred to Crestron only on behalf of Customer and in accordance with this Agreement and Customer's instructions.

2.2    Crestron shall process the Personal Data identified in Appendix 1 to this Agreement solely to perform the processing operations set forth therein.

3.    Customer Obligations

3.1    Customer hereby acknowledges and authorizes Crestron’s use of: (a) an Approved Cloud Computing Provider as a processor of Personal Data; and (b) the associated Cloud Infrastructure.  Crestron shall inform Customer of any intended changes concerning the addition or replacement of other processors.

3.2    Customer shall collect, process, and provide Personal Data to Crestron including, as applicable, via transfer of Personal Data from its country of origin to Crestron and its Approved Cloud Computing Provider in the United States, for the purpose of Customer's access to and use of the subscription order for Crestron Cloudware.

3.3    Customer agrees not to provide Crestron with any access to Sensitive Personal Information and Crestron refuses to accept any Sensitive Personal Information.

3.4    Customer is solely responsible for the content and accuracy of the Personal Data, and represents and warrants to Crestron that it has (i) collected and processed Personal Data in compliance with all Applicable Laws, and (ii) obtained all rights and consents necessary under the Applicable Laws to provide and transfer the Personal Data from its country of origin to Crestron and its Approved Cloud Computing Provider in the United States, and to permit Crestron and its Approved Cloud Computing Provider to collect and process such Personal Data, all for the purpose of providing the subscription order for Crestron Cloudware.

4.    Crestron Obligations

4.1    Crestron shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.  Crestron shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2    Crestron shall take commercially reasonable steps to ensure the reliability of any Crestron personnel performing the subscription order for Crestron Cloudware.  Crestron shall ensure that Crestron's access to Personal Data is limited to those personnel performing duties relating to the subscription order for Crestron Cloudware.

5.    Technical and Organizational Measures

Crestron shall ensure that it has in place appropriate technical and organizational measures against unauthorized or unlawful processing of the Personal Data or its accidental loss, destruction, or damage, as specified in Appendix 2 to this Agreement.

6.    Incident Management Procedures

Crestron will maintain a data management security policy that provides for incident reporting, which is updated from time to time, and which is designed to address the security, availability, and integrity of the Crestron Cloudware and to protect Personal Data from unauthorized access, destruction, and/or disclosure and shall promptly notify Customer of any actual unauthorized access to or disclosure of Personal Data of which Crestron becomes aware.

7.    General

7.1    The Recitals and the Appendices are hereby incorporated into this Agreement.

7.2    In the event of any conflict or inconsistency between any provision of this Agreement, and any provisions of Appendix 1 and Appendix 2, the Appendices shall prevail.

7.3    This Agreement shall commence on the beginning date of the Subscription Term, and terminate (together with any further data transfers) when the Subscription Term is terminated or expires, provided, however, the provisions of this Agreement shall survive with respect to the Personal Data until such time as Crestron no longer has any Personal Data in its possession or under its control.

8.    Governing Law and Dispute Resolution

8.1    This Agreement shall be governed by, and construed in accordance with, the laws of the State of New York without regard to conflict of laws principles.

8.2    All disputes arising out of or in connection with this Agreement shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said Rules.  The arbitration proceeding shall be conducted in New York City, New York.  The language to be used in the arbitration proceeding shall be English.

8.3    Notwithstanding the foregoing requirement that disputes be subject to binding arbitration, the parties shall retain the right to seek injunctive relief from a court of competent jurisdiction.

 

* * * * *

Appendix 1 to the Data Transfer Agreement

Last updated: 13 April 2022

 

Data exporter
The data exporter is:  The company which has purchased a subscription order for Crestron cloudware from a Crestron authorized reseller.

(a)  Name, address, and contact details.  The legal company name, address, and contact information as listed by the account administrator who has registered a Crestron subscription cloudware product on behalf of the company which has purchased this subscription order.

(b)  Activities relevant to the data transferred under this Agreement.  The company which has purchased this subscription order will transfer certain personal data, as listed below, to the data importer for the purposes of using the cloudware products.

(c)  Signature and date.  Provided by the account administrator who has registered a Crestron subscription cloudware product.  More specifically, the account administrator has acknowledged, accepted, and agreed to be bound by this Agreement.

Data importer
The data importer is:  Crestron Electronics, Inc., 15 Volvo Drive, Rockleigh, NJ 07647 (US).

(a)  Contact person’s name, position, and contact details.  Sameh Sabet, Senior VP, Engineering - Product Development & Delivery; telephone +1 201.767.3400; e-mail:  support@crestron.com.

(b)  Activities relevant to the data transferred under this Agreement.  Data importer will process the personal data transferred by data exporter solely for the purpose of providing the cloudware products at the direction of the data exporter.

Data subjects
The personal data transferred concern the following categories of data subjects:

    Employees, contractors, representatives, and agents of the data exporter and/or its affiliates.

Categories of Data
The personal data transferred concern the following categories of data (please specify):

1.  Contact Information such as: (a) IP Address; (b) First Name; (c) Middle Name; (d) Last Name; (e) Business Phone Number; (f) Business Email Address; (g) Business Address; (h) Job Title; and; (i) Profession.

2.  Meeting Scheduling Information (only applicable to Crestron subscription cloudware products that provide hosted scheduling functionality):  (a) Meeting Data and Time; (b) Meeting Subject; (c) Meeting Location; (d) Meeting Call-in Information; (e) First Name (for each Invitee); (f) Middle Name (for each Invitee); (g) Last Name (for each Invitee); (h) Phone Number (for each Invitee); and (i) Email Address (for each Invitee).

3.    Sensitive Data Transferred: None.

Processing Operations

1.  The frequency of transfer.  Contact information is transferred on a one-off basis.  Meeting Scheduling Information (only applicable to Crestron subscription cloudware products that provide hosted scheduling functionality) is transferred on a continuous basis.

2.  Nature of the processing.  Data exporter hereby instructs the data importer to Process the personal data for the purposes of providing the cloudware subscription services and as otherwise necessary to perform its obligations, where applicable, with regard to transfers of personal data to a third country outside the European Union or the UK or to an international organisation.

3.  Purpose(s) of the data transfer and further processing.  In order to provide the cloudware subscription services as set forth in 2 above, data importer will use the personal data to: (i) monitor the operation of Crestron and certain third party devices; (ii) centralize device control settings at a remote location; (ii) report device status; (iv) manage software/firmware updates; (v) manage software licenses to certain product features; and (vi) transfer the Meeting Scheduling Information (only applicable to Crestron subscription cloudware products that provide hosted scheduling functionality) between scheduling software (e.g., Microsoft Outlook) and certain Crestron display devices (e.g., wall-mounted touchscreens).

(a)  For all Crestron subscription cloudware products, data processing operations include receiving operational data from control processors that function to control audio/video and other equipment (i.e., lighting, shades, HVAC, occupancy sensors, etc.), within a space such as a conference room, and report meeting room and equipment status, usage data and configuration settings.

(b)  For certain Crestron display devices such as touchscreens located outside a meeting room, data processing operations include interacting with a scheduling program, such as Microsoft Outlook®, to receive meeting specific information for display, such as meeting subject, meeting time, and meeting location within a building.

(c)  For human controller interaction with Crestron cloudware including control dashboards and report generation, data processing operations are accomplished with standard web browsers, such as Microsoft Internet Explorer® or Google Chrome™.

4.  The period for which the personal data will be retained.  The collected information is retained until Crestron deletes or edits it in response to your request or for as long as you remain a customer of the associated Crestron products and services.  Because of the way Crestron maintains its server data, after your information is deleted, back-up copies may linger for some time before they are deleted.  Meeting Scheduling Information (only applicable to Crestron subscription cloudware products that provide hosted scheduling functionality) is retained for a maximum of 30 days after the relevant meeting date/time has expired.

5.  Transfers to sub-processors.  All data is transferred from a data exporter location to Microsoft Azure® cloud services at an IP address provided by Crestron to the data exporter.

 

* * * * *

Appendix 2 to the Data Transfer Agreement

Last updated: 13 April 2022

 

1.  Measures for the protection of data during transmission.  The cloud-based production data centers are provided as part of the Microsoft Azure® service environment and are connected to both the data exporter and data importer using HTTPS encryption (also referred to as SSL or TLS connection) via Internet standard protocols.

2.  Measures for the protection of data during storage.  Data at rest in the production data centers is stored in encrypted format, for example by using functions provided by Microsoft Datalake.

3.  Measures for ensuring physical security of locations at which personal data are processed.  The data importer relies on physically secure data centers provided by Microsoft Azure.

4.  Measures for user identification and authorization.  Crestron maintains a password configuration system that conforms to ‘now-current’ industry standards (password length, reset interval, and requirements for non-alphabetic and non-numeric characters)

5.  Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.  The data importer uses a sub-processor which  maintains geographically distributed and physically secure data centers that are interconnected via high-speed private public links (e.g., Microsoft Azure regions US-East and US-West).

6.  Measures for certification/assurance of processes and products.  Data importer receives an annual  SOC 2 Type II Report from Microsoft Azure®.

7.  Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing.  Crestron regularly performs penetration testing of its cloudware.

9.  Measures for ensuring events logging.  Crestron cloudware creates a permanent log of all user and administrator interactions.

10.  Measures for ensuring data minimization.  Crestron has a Design for Privacy Policy which requires a demonstrated need for any item of personal data that is processed or stored.

11.  Measures for internal IT and IT security governance and management.  Crestron policies that address this subject: (a) Acceptable Use Policy; (b) Asset Management Policy; (c) Configuration Management Policy; (d) Crestron Information Security Program; (e) Cryptographic Protections Policy; (f) Data Classification Policy; (g) Endpoint Security Policy; (h) Human Resources Security Policy; (i) Identification & Authentication Policy; (j) Information Security Exception Policy; (k) Information Security Governance Policy; (l) Remote Work Policy & Agreement; (m) Risk Management Policy; (n) Secure Engineering & Architecture Policy; (o) Security Awareness & Training Policy; (p) Security Incident Response Plan; (q) Security Incident Response Policy; (r) Technology Development & Acquisition Policy; (s) Third-Party Management Policy; (t) Threat Management Policy; and (u) Vulnerability & Patch Management Policy.

 

* * * * *

Signing the International Data Transfer Agreement, Appendix 1, and Appendix 2 on behalf of the data importer:

By signing, we agree to be bound by this Agreement.

 

Contact Crestron

If you have any questions , please contact Crestron at any of the following.

Via e-mail: satisfaction@crestron.com, or support@crestron.com

Via post:

The Americas:
Crestron Electronics, Inc.
15 Volvo Dr.
Rockleigh, NJ 07647 USA

Australia and New Zealand:
Crestron ANZ Pty. Ltd.
Level 5, 15 Help Street,
Chatswood NSW 2067, Australia

Asia:
Crestron Singapore Pte. Ltd.
30 Cecil Street
#21-05, Prudential Tower
Singapore 049712

Via phone:

Please visit www.crestron.com to find the phone number for Crestron support in your region.

* * * * *