TokBox and GDPR

A secure, compliant platform for all our customers



www.tokbox.com 2

Contents

03  WHAT IS GDPR?
04  SHOULD I BE CONCERNED ABOUT GDPR?
05  THE 5 W’S OF GDPR FOR TOKBOX CUSTOMERS
06  PREPARING TOKBOX FOR GDPR
09  WHAT OUR CUSTOMERS NEED TO KNOW ABOUT GDPR COMPLIANCE
10    1. WHO IS RESPONSIBLE FOR THE RIGHTS OF DATA SUBJECTS?
12    2. IF A DATA SUBJECT ASKS TO BE FORGOTTEN, WHO FULFILLS THIS REQUEST?
13    3. HOW WILL THE NOTIFICATION PROCESS WORK IN THE EVENT OF A DATA BREACH?
14    4. HOW DOES TOKBOX MANAGE THE COMPANY CONTACT INFORMATION IT HOLDS?
15    5. HOW DO WE KNOW WHERE DATA IS BEING PROCESSED, STORED AND TRANSFERRED TO?
17  ABOUT TOKBOX



What is GDPR?

The new EU data protection regulation

By now, we’re sure that you’ve heard of the General Data Protection Regulation, more commonly known as GDPR. This regulation from the EU is overhauling the requirements for businesses who collect, process and transfer the personal data of EU citizens.

The regulation has already been approved by the EU and the deadline for companies to become compliant is May 25th 2018 - a date which is fast approaching at the time of publication.

A quick legal caveat

The GDPR is an extensive piece of legislation which has been several years in the making. In this guide, we’ve tried to provide information in a simple, straightforward way to make it easy for our customers to understand the key elements of the legislation and to continue working with us.

However, this guide should not be considered as legal advice. We recommend you seek out specialist legal counsel to discuss your company’s specific situation.

A list of additional resources which we think you’ll find useful is provided at the end of this guide.


Should I be concerned about GDPR?

My company isn’t based in the EU - I’m off the hook, right?

Although the GDPR has been agreed upon by the European Union, its impact is going to be felt worldwide. It is designed to protect EU citizens wherever they have transactions with a company. That means that:

• if you are a business which has customers in the EU, you need to care about GDPR

• if you are a business which might have EU citizens as customers, even if they access your services from somewhere else in the world, you need to care about GDPR


TokBox’s approach to the question

We’ll go into it in more detail in this guide, but we want to make it as easy as possible for our customers to focus on building great applications, and not on trawling through legal documents and regulatory questions. That’s why our GDPR-compliant data privacy policy will be applied across the board to all our customers’ data. TokBox enforces one privacy policy for all our customers.

That way, you can rest assured that with TokBox as your trusted live video supplier, you can get on with building a great business.


The 5 W’s of GDPR for TokBox customers

We know you’re busy, so here is GDPR at TokBox in brief.

Who: GDPR compliance is necessary for any company handling the personal data of individuals who are EU citizens, regardless of where the company is based or where the individual is when accessing services.

When: TokBox is committed to being compliant with GDPR by May 25th, 2018, when the regulation becomes enforceable.

What: The scope of GDPR compliance includes the OpenTok Cloud platform and the Customer Relationship Management system where Personal Data is processed and stored.

Where: Our customers in the European Union, United States, and all TokBox customers and website visitors around the world.

Why: GDPR is designed to strengthen data protection around personal information for EU citizens, to remove the barrier of mistrust which can hamper the development of innovative online services. TokBox is committed to being GDPR compliant to make it easy for our customers to access the European market.


Preparing TokBox for GDPR


Our journey towards compliance

Here at TokBox, we’ve been preparing for GDPR for a long time, in order to be able to work with customers and have everything in place for the May 25th 2018 deadline.

A cross-department effort led by our Information Security and Compliance team, our journey has involved almost all TokBox departments. Engineering, Product, Marketing, Customer Success, Legal and Finance have all been involved, making sure that no stone is left unturned on the road to compliance.

Following a thorough audit of our website and all documentation, a Data Impact Assessment was produced which allowed us to identify and address any areas which would be impacted by the GDPR rules.

During this time we also worked closely with customers to understand what they would need to be confident working with us as a GDPR-compliant supplier. The information you can find in the rest of this guide is a direct result of the feedback we received from these customers: information which is clear, easy to understand and above all which will help our customers avoid duplication of efforts.


Authoritative sources

With many experts offering advice on implementing GDPR, we found it helpful to choose which authoritative sources we could rely on for guidance.

We chose The International Association of Privacy Professionals (IAPP) because they certify privacy professionals who advocate for Fair Information Privacy Principles originating from the Privacy Act of 1974 and enforced by the US Federal Trade Commission.

To implement these principles for GDPR, we chose ISACA, a professional association of certified IT auditors. ISACA has published “Implementing the General Data Protection Regulation”, and a Data Protection Impact Analysis worksheet.

A Shared Responsibility model

To make it as easy as possible for our customers to understand what they need to do with regards to GDPR, we developed a clear Shared Responsibility model for data management.

The concept of a “Shared Responsibility Model” is widely used by today’s cloud providers to delineate ownership of resources and responsibilities between provider and tenant. Tenant responsibilities differ depending on cloud service model and provider, so there is no standard shared responsibility model. However, you may be familiar with this type of model if your company uses any other cloud services.

To understand their cloud security responsibilities, tenants should reference the contractual agreements they have with their providers. Regarding GDPR, this division of responsibility is typically defined in a Data Processing Agreement (DPA).

TokBox is able to provide a Data Processing Agreement to customers who require it. Please get in touch with your Account manager or [email protected] in order to arrange this.


What our customers need to know about GDPR Compliance


Following extensive consultation with customers who are preparing for GDPR compliance, we have identified the principal areas where TokBox may have a role to play.

The following Shared Responsibility Model provides specific answers to the most common general questions on GDPR. Use it to help determine the audit scope of privacy practices between TokBox and your organization.


1. WHO IS RESPONSIBLE FOR THE RIGHTS OF DATA SUBJECTS?

If you ever choose to sit down and read the full text of the GDPR, you will see the term “Data Subjects” many times. “Data Subjects” are the natural persons whose privacy rights must be protected. Whoever the Data Subject entrusts with their personal information (the “Data Controller”) is ultimately responsible.

Customer: Customer acts as a Data Controller for End Users of the customers’ applications built on the OpenTok Platform, which includes their customers and employees as Data Subjects.

TokBox: TokBox acts as a Data Processor on behalf of the customer as Data Controller, with no knowledge of the customer’s End Users. TokBox is responsible for personal information stored in the Account Portal, which contains contact information for our direct customers as Data Subjects.

Customer: Customer will not use the TokBox Services in any manner that violates the privacy and legal rights of its End Users under all applicable laws and regulations. Customer will obtain and maintain any required consents from End Users to allow, as applicable, Customer’s access, monitoring, use, recording, storage and/or disclosure of End User Data.

TokBox: TokBox maintains records of consent, and records of all requests to be forgotten for audit purposes. Each record consists of an identifier, date, and request type.


Customer: If TokBox Services are used by our customers to collect, display or transmit any personal information about their users, those customers will prominently display a privacy policy that complies with all applicable laws and that makes it clear to users what data is collected and how it will be used, displayed or shared. Customers will collect and use user data only in accordance with their privacy policy and all applicable laws and regulations.

TokBox: TokBox routinely scrubs personally-identifiable information from all logs, including IP addresses. Our Privacy Policy is prominently displayed on our website, and contains all the required notice of what data we collect, how it is used, and what our retention schedules are for storing the information.


2. IF A DATA SUBJECT ASKS TO BE FORGOTTEN, WHO FULFILLS THIS REQUEST?

The GDPR includes an article which enshrines the right of an EU citizen to request that his or her personal data be deleted by a company or organization. The Data Controller must have a Data Protection Officer who is responsible for documenting and fulfilling requests from Data Subjects to have all their personal information removed from the Data Controller’s possession; Data Subjects may also request that the deleted information is returned to them in a secure, portable format.

Customer: Customers are responsible for handling any claims related to their End Users, including any content, services or advertising. Customers are responsible for properly handling and processing notices sent to them (or any of their agents or affiliates) by any person claiming that the customer has violated such person’s rights, including notices pursuant to the Digital Millennium Copyright Act, or “requests to be forgotten” according to GDPR.

TokBox: In the event that TokBox is contacted by a customer’s End User with a request to be forgotten, the request will be entered into our records. If no matching identifier is found in our database of customers and website visitors, TokBox will take no action.


3. HOW WILL THE NOTIFICATION PROCESS WORK IN THE EVENT OF A DATA BREACH?

A data breach is when information, including personal information of Data Subjects, is made available to unauthorised parties. For example, this could be as a result of a third party hacking into a company’s systems, or due to carelessness by employees. Several high profile data breaches have appeared in the media in the last few years, often a long time after the data itself was lost or stolen. GDPR mandates that all data breaches must be reported within 72 hours.

Customer: You agree to comply, and require that your users comply, with all applicable laws, whether federal, state, local or international, relating to the privacy of communication for all parties to a conversation, including, when required, advising all participants in a recorded video chat that the video chat is being recorded.

TokBox: TokBox is responsible for notifying customers of any issues that may impact service, security, or regulatory compliance.


4. HOW DOES TOKBOX MANAGE THE COMPANY CONTACT INFORMATION IT HOLDS?

Company contact information may include personally-identifiable data such as contact name, job title, email, phone, etc. Customers who voluntarily provide this information understand why we need it and what it is used for, because they have agreed to our Privacy Policy and Terms of Service.

Customer: As Data Subjects, Customers are responsible for providing consent for any data they voluntarily submit to TokBox. This includes personal contact details used for business purposes, provided with explicit consent upon agreeing to our Terms of Service.

TokBox: TokBox strongly encourages our customers to refrain from transmitting any sensitive or personally-identifiable information in emails, support tickets, or during media sessions with our staff.


5. HOW DO WE KNOW WHERE DATA IS BEING PROCESSED, STORED AND TRANSFERRED TO?

TokBox has a robust Data Governance Program, which includes controls for data quality and data access.

Customer: Customers are responsible for Personal Data, Sensitive Data, Protected Health Information, and PCI Cardholder Data.

Customer: Customers retain control of where their data is stored and how it is encrypted.

TokBox: By default, the TokBox data retention policy on confidential customer data is to keep it for the minimum time possible to securely and reliably process it, whether in-flight or at-rest.

TokBox: TokBox and its affiliates are not responsible or liable for the deletion of or failure to store any customer data and other communications maintained or transmitted through use of the TokBox services. Customer is solely responsible for securing and backing up its customer application and customer data.


Customer: Customers retain control of classifying their data and governing how it is accessed.

TokBox: All Customer Data on the OpenTok platform is classified as “Confidential”. By default, TokBox staff have no access to customer content. Customers retain control of their data, and are responsible to their End Users for securing content and credentials which may contain personally-identifiable or sensitive information.


Need more information?

TokBox & GDPR webinar
https://www.crowdcast.io/e/tokbox-gdpr

Help center information (updated as required)
https://support.tokbox.com/hc/en-us/articles/360000108304-EU-General-Data-Protection-Regulation-GDPR-

TokBox Privacy Policy (updated as required)
https://tokbox.com/support/privacy-policy

Contact Us

Headquarters
501 2nd Street, Suite 310
San Francisco, CA 94107

Offices in San Francisco, Sydney, New York, Barcelona and London

[email protected]
facebook.com/tokbox
twitter.com/tokbox
linkedin.com/company/tokbox

About TokBox

TokBox develops and operates OpenTok, a global cloud platform for embedding live video into website and mobile applications. The scalable, customizable platform gives developers the creative freedom to build any communication experience from one-to-one chats to multi-party calls or large scale broadcasts. The first platform to incorporate support for WebRTC, OpenTok caters to enterprises, entrepreneurs and developers with powerful APIs and a cloud infrastructure. OpenTok is trusted by leading organizations including Esurance, Royal Bank of Scotland and InTouch Health.

For more information, visit tokbox.com
