プライバシーポリシー

最終改訂日:2023年12月19日
A signed copy of this DPA can be downloaded here.

This Data Processing Addendum (“Addendum”) supplements the Terms of Service, or other written or electronic agreement between Imgix, Inc and Client for the purchase of Services from Imgix (the “Agreement”), to reflect the parties’ agreement with regard to the processing of Personal Information.  By accepting the Agreement, Client enters into and accepts this Addendum on behalf of itself and any applicable affiliates. All capitalized terms not otherwise defined in this Addendum will have the meaning given to them in the Agreement.  In the event of any inconsistency or conflict between this Addendum and the Agreement, this Addendum will govern.  This Addendum will survive termination of the Agreement.  Client and Imgix agree as follows:

1. Personal Information.  In connection with performing its obligations under the Agreement, Imgix will Process Personal Information on behalf of Client.  “Personal Information” means information that relates, directly or indirectly, to an identified or identifiable person (a “Data Subject”), including without limitation, names, email addresses, postal addresses, identification numbers, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the Data Subject.  Specific categories of Personal Information that Imgix will Process in connection with the Agreement are set forth in Schedule 1 (Scope of Processing).  As between Client and Imgix, all Personal Information is the sole and exclusive property of Client.

2. Imgix and Client Responsibilities. The parties acknowledge and agree that: (a) Imgix is a processor of Personal Information under Applicable Law (defined below); (b) Client is a controller of Personal Information under Applicable Law; and (c) each party will comply with the obligations applicable to it under Applicable Law with respect to the Processing of Personal Information.

3. Client Responsibilities. If Client is a processor, Client warrants to Imgix that Client’s instructions and actions with respect to Client Personal Data, including its appointment of Imgix as another processor, have been authorized by the relevant controller. Client will ensure that its instructions for the Processing of Personal Data shall comply with Applicable Law. Client shall have sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which Client obtained the Personal Data.

4. Imgix Responsibilities.  As part of providing Services under the Agreement, Imgix will use commercially reasonable efforts to Process Personal Information.  “Process” or “Processing” means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as the access, collection, use, storage, disclosure, dissemination, combination, recording, organization, structuring, adaption, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure and/or destruction of Personal Information. Imgix will use commercially reasonable efforts to:

(a) Process Personal Information solely in accordance with Client’s documented instructions, including those set forth in this Addendum and the Agreement;

(b) Process Personal Information in accordance with laws, rules, and regulations that apply to Imgix’s provision, and Client’s use, of Services provided under the Agreement, including the General Data Protection Regulation (EU) 2016/679 and the California Consumer Protection Act of 2018 (collectively, “Applicable Law”);

(c) not disclose or otherwise make available in any form any Personal Information to any third party without first, except to the extent prohibited by Applicable Law, (i) notifying Client of the anticipated disclosure (so as to provide Client the opportunity to oppose the disclosure and obtain a protective order or seek other relief); (ii) obtaining Client’s prior written consent to the disclosure; and (iii) imposing contractual obligations on the third party recipient that are at least equivalent to those obligations imposed on Imgix under this Addendum Without limiting the foregoing, Imgix will not retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing the Services and complying with Licensee’s instructions, including collecting, selling, retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services and complying with Client’s instructions;

(d) amend, correct or erase Personal Information at Client’s written request and provide a means for Client to update and make accurate Personal Information Processed by Imgix;

(e) notify Client of any third party request to (i) restrict the Processing of Personal Information, (ii) port Personal Information to a third party, or (iii) access, rectify or erase Personal Information. Imgix will use commercially reasonable efforts to assist Client, at Client’s reasonable written request, in complying with Client’s obligations to respond to requests and complaints directed to Client with respect to Personal Information Processed by Imgix;

(f) at the reasonable written request of Client, cooperate and assist Client in conducting a data protection impact assessment and related consultations with any supervisory authority, if Client is required to do so under Applicable Law;

(g) ensure that Imgix personnel who Process Personal Information are subject to obligations of confidentiality; and

(h) keep all Personal Information compartmentalized or otherwise logically distinct from other information of Imgix or its personnel, suppliers, customers or other third parties.

5. Subcontractors.  Client hereby provides its general written authorization for Imgix’s use of subprocessors to Process Personal Information in connection with fulfilling Imgix’s obligations under the Agreement or this Addendum and Imgix is authorized to engage additional subprocessors to process Personal Information. Imgix will provide Client with notice of any such additional subprocessors at least ten (10) days prior to their processing of Personal Information.  Upon receipt of such notice, Client shall have ten (10) days to object to an additional subprocessor and may terminate its subscription for the Services without penalty by providing, before the end of the ten (10) day notice period, written notice of termination that includes an explanation of the grounds for the objection. Imgix will impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Imgix under this Addendum.  Imgix will be responsible to Client for any material failure of such subprocessor to fulfill Imgix’s data protection obligations under this Addendum.

6. Data Transfers.  Imgix will use commercially reasonable efforts not to transfer, or cause to be transferred, any Personal Information from one jurisdiction to another without Client’s prior written consent.  Where Client consents to such transfer, the transfer will be in accordance with Applicable Law. Imgix has certified its compliance to the EU-U.S. Data Privacy Frameworks Principles (collectively, the “Principles”) with the U.S. Department of Commerce (the “Department”). Imgix will provide commercially reasonable assistance to Client in responding to requests from the Department or other applicable data protection regulators in the U.S. and European Union related to compliance with the Principles. Upon request of the Department, Imgix may disclose the terms of this Addendum to the Department.

7. Security Safeguards.  Imgix will use commercially reasonable efforts to implement and maintain appropriate technical and organizational measures consistent with industry standards to protect and ensure the confidentiality and integrity of Personal Information.

8. Records and Audits.  Imgix will keep at its normal place of business records of its Processing of Client Personal Information. At Client’s reasonable request and with advance written notice, Imgix will use commercially reasonable efforts to make available to Client such records and information as is necessary to demonstrate its compliance with Applicable Law with respect to Personal Information and allow Client or an independent third party to conduct an audit to verify such compliance. Any such audit will be conducted (a) on reasonable advance written notice to Imgix; (b) no more than once per year; (c) during Imgix’s standard business hours; and (d) in such a manner to minimize disruption to Imgix’s operations. Any information provided by Imgix in connection with such audit must be protected as Imgix’s confidential information subject to a separate non-disclosure agreement entered into between Imgix and the recipient of such information before such audit. To request an audit, Client must submit a detailed audit plan at least 30 days in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Any request for Imgix to provide assistance with an audit is considered a separate service and Client will bear all costs of such audit.

9. Security Breach.  If Imgix has actual or constructive notice of any actual or potential Security Breach (defined below), Imgix will take commercially reasonable efforts to, without undue delay: (a) notify Client of the Security Breach and any third-party legal processes relating to the Security Breach; (b) help Client investigate, remediate, and take any necessary action regarding the Security Breach and any dispute, inquiry, investigation, or claim concerning the Security Breach; and (c) provide Client with assurance that such Security Breach will not recur.  “Security Breach” means any unauthorized access to Imgix owned or controlled networks or systems where Personal Information resides or any misuse or unlawful or accidental loss, destruction, alteration, or unauthorized Processing of Personal Information under Imgix’s possession or control. This obligations in this Section do not apply to incidents that are caused by Client or Client’s personnel or users.

10. Return or Destruction of Personal Information.  Upon written request by Client or when Imgix no longer is required to Process Personal Information to fulfill its obligations under the Agreement, Imgix will use commercially reasonable efforts to (a) cease all use of Personal Information; and (b) return all Personal Information to Client or, at Client’s option, destroy all Personal Information and all copies thereof, except to the extent that Imgix is required under Applicable Law to keep a copy of Personal Information for a specified period of time.

11. DISCLAIMER. COMPANY MAKES NO REPRESENTATION OR WARRANTY THAT THIS ADDENDUM IS LEGALLY SUFFICIENT TO MEET CLIENT’S NEEDS UNDER APPLICABLE LAW. COMPANY EXPRESSLY DISCLAIMS ALL REPRESENTATIONS OR WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, THROUGH A COURSE OF DEALING, OR OTHERWISE THAT THIS ADDENDUM WILL COMPLY WITH OR SATISFY ANY OF CLIENT’S OBLIGATIONS UNDER APPLICABLE LAW. CLIENT FULLY UNDERSTANDS THAT IT IS SOLELY RESPONSIBLE FOR COMPLYING WITH ALL OF ITS OBLIGATIONS IMPOSED BY APPLICABLE LAW. THE PARTIES AGREE THAT THERE WILL BE NO PRESUMPTION THAT ANY AMBIGUITIES IN THIS ADDENDUM WILL BE CONSTRUED OR INTERPRETED AGAINST THE DRAFTER.

12. Limitation of Liability.  Imgix’s liability for breach of its obligations in this Addendum are subject to the limitation of liability provision in the Agreement.