In honor of the General Data Protection Regulation (GDPR) going into effect today, we are reposting an earlier post about how Kaltura is addressing the GDPR.

FAQ – Kaltura’s Compliance with European Union Data Protection Laws

Q: What is the GDPR?

• The General Data Protection Regulation (GDPR) is an act of EU legislation intended to harmonize and strengthen privacy law across EU countries. The European Parliament approved the GDPR on April 14, 2016, and its requirements became mandatory on May 25, 2018. Kaltura is committed to complying fully with the GDPR and supporting our customers in their own GDPR compliance process.

Q: What categories of personal data does Kaltura collect?

• The categories of personal data collected and processed by Kaltura will depend on the specific configuration and use case of the customer’s account. Kaltura’s collection and processing of personal data is solely for the purpose of providing its services to the customer. Kaltura does not collect personal data from end users except as necessary for the performance of its services.

Kaltura typically collects the following categories of personal data from a customer’s authorized end-users

• –  Technical identifiers, including user IDs and IP addresses;
• –  End user names and email addresses in cases where the customer’s user authentication configuration requires this information (the authentication flow can be configured to avoid collection of names and email addresses); and
• –  Account activity (including media files uploaded, viewing history, likes and comments, and any quizzes taken).

A customer’s media content and metadata hosted on Kaltura’s SaaS platform may contain also personal data. However, please note that Kaltura does not screen or monitor customer content for personal or sensitive data.

For media and telecom customers using Kaltura’s OTT platform, we may also process end-user account information, including telephone numbers, subscription details, account usage, payment history, transaction history, and user analytics.

Q: What kind of cookies are used by the Kaltura platform and player?

• Session cookies are used as part of the Kaltura platform and player for authentication and transmission security purposes. Cookies are also used within the Kaltura player for some of its basic functionality, such as storing player volume choice and other player preferences to give viewers a better user experience. Kaltura also uses session cookies to implement the “save the user’s chosen language feature” in MediaSpace or the Kaltura Application Framework (KAF).

Some Kaltura customers leverage third-party analytics cookies (such as Google Analytics, Omniture, or ComScore) and/or third-party advertising or marketing automation cookies (such as Marketo or Eloqua), and these third-party cookies have been enabled to interoperate with the Kaltura platform. If a customer is using third-party analytics or advertising tools in connection with the Kaltura platform, the customer should consider whether it needs to provide notice to EU users about those cookies.

Q: What tools does Kaltura offer to facilitate GDPR compliance?

• Kaltura’s SaaS platform includes various configuration options and tools, such as anonymization, to address privacy concerns and support customers’ compliance with data protection regulations. For example, we offer a “First Login Disclaimer” module that can be customized to display privacy notices and/or document consent when the end user accesses the Kaltura platform for the first time. In addition, where Kaltura’s analytics plugins are used, we offer a solution that allows the end user to directly opt out of tracking. To learn more about the tools and configuration options available, please contact your Kaltura representative.

Q: Where does Kaltura process customer data?

• Kaltura currently hosts its SaaS platform and associated customer data in its US data centers. In addition, Israel and EU-based members of Kaltura’s R&D and customer support teams may access the data solely for troubleshooting and otherwise maintaining the services. Kaltura also engages personnel in India and the Ukraine to provide support, development, and testing services. These individuals may remotely access our database solely to the extent necessary to provide technical support to our customers. In appropriate circumstances, customized hosting options in the EU can be configured for components of the Kaltura solution (such as single-tenant hosting on a public cloud provider’s data center). However, such deployment options require careful technical planning and may require significant additional costs for the customer. Customized hosting should only be considered after careful consultation with a Kaltura solution architect.

Q: How does Kaltura address the issue of transferring personal data outside of the European Union?

• For transfers of data to Kaltura’s US data centers, Kaltura relies on the EU-U.S. and Swiss-U.S. Privacy Shield Framework. Kaltura self-certifies under the Privacy Shield and was one of the first to do so when it opened for registration in August 2016. Kaltura’s certification can be viewed at privacyshield.gov. For transfers of data to Kaltura’s R&D and customer support teams in Israel, Kaltura relies on the European Commission’s adequacy decision of January 31, 2011 (2011/61/EU).

In addition, the European Commission has recognized that reliance on the European Commission’s set of model contractual “Standard Clauses” remains a valid approach to transfers of personal data across borders. Once signed, an agreement incorporating the Standard Clauses contractually commits cloud service providers to comply with the EU’s data protection principles. For customers who wish to sign data processing agreements incorporating the Standard Clauses, Kaltura has a template agreement ready for execution. Customers may request a copy by contacting legal@kaltura.com.

Q: What technical and organizational security measures does Kaltura have in place?

• Kaltura implements appropriate technical and organizational security measures to safeguard the confidentiality and integrity of customer data. These measures include user authentication, session verification, access control settings, transportation layer encryption and security, and more. Some technical security measures are non-default and can be implemented by the customer through the Kaltura platform’s administrator settings. Kaltura’s data centers hold SSAE16 SOC-1 Type II and SOC-2 Type II certifications. In addition, Kaltura holds ISO27001 and ISO27799 certifications. More information regarding Kaltura’s security measures, including Kaltura’s disaster recovery and business continuity plans, are found in Kaltura’s Security Policies, a copy of which is available upon request.

Q: Does Kaltura have an incident response plan?

• Kaltura has detailed policies and procedures in place to evaluate, respond to, report, and document all incidents involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. More information about our incident response procedures can be found in Kaltura’s Security & Privacy Incident Response Plan, a copy of which is available upon request.

Q: What is Kaltura’s data retention policy?

• In general, customer content and user data are retained indefinitely during the contract term. However, if the customer’s admin users mark specific content for deletion, that content will be deleted from our database. Customers may also set custom deletion rules and schedules for their content. In addition, if a customer instructs Kaltura to delete user data relating to a specific user, we will promptly comply with the request.

If a customer terminates their contract with Kaltura, customer content and user data will be deleted at the end of the subscription term. In the event of termination, the customer can always migrate their data to another storage location or medium for retention purposes. Migration can be performed directly by the customer through Kaltura APIs or with the assistance of our Professional Services team.

Q: How will Kaltura address data subject requests?

• Data subject requests are handled on a case-by-case basis. Customers are able to seek assistance for data subject requests through Kaltura’s online customer care portal. For customers using Kaltura’s OTT platform, APIs are available that enable end-users to directly manage how their personal data is collected and shared. Upon request by the customer, Kaltura is able to generate a copy of personal data in a commonly used and machine-readable format. Kaltura is also able to selectively delete personal data stored/processed. For more information, please refer to the Kaltura Data Subject Access Request Policy and Procedures, a copy of which is available upon request.

Q: Does Kaltura engage any sub-processors?

• Kaltura currently engages sub-processors to carry out data delivery to end users over a content delivery network (CDN) and to provide video enrichment functions (such as content transcription and captioning services). For media and telecom customers utilizing Kaltura’s OTT platform, Kaltura may engage additional sub-processors such as providers of recommendation engines, live encoding, cloud DVR, analytics, and DRM management services. The exact sub-processors used in any given case depends on the specific deployment and combination of products and services purchased. Customers may request details about the particular sub-processors used in their deployment. Customers can also request that they be notified of changes to those sub-processors and given a chance to object to any changes in the applicable sub-processors.

Q: Does Kaltura maintain a record of data processing activities?

• Kaltura maintains a central record of data processing activities in connection with the products and services we provide to our customers. The record of processing activities is reviewed and updated on an ongoing basis (such as when new functionalities are introduced or when new partners are brought on as sub-processors). The record of processing activities applicable to any particular customer can be provided upon request.

Q: Does Kaltura have a privacy policy?

• Kaltura has privacy policies regarding how Kaltura collects, uses, process, protects, and discloses data through the Kaltura websites and the Kaltura SaaS platform. Kaltura’s privacy policies can be accessed at https://corp.kaltura.com/privacy-policy.

Q: Does Kaltura have an EU data protection representative?

• Kaltura has appointed its wholly-owned UK subsidiary, Kaltura Europe, Ltd., as its EU data protection representative. The contact information for Kaltura’s EU data protection representative is as follows:

Kaltura Europe, Ltd.

4th Floor, Northumberland House

303-306 High Holborn

London, WC1V 7JZ UK

Phone: +44 (0) 203 116 7700

Email: DPO@kaltura.com

Q: How can I learn more about Kaltura’s privacy program?

• To get additional information about Kaltura’s privacy program, please contact Kaltura’s Data Protection Officer, Yossi Binyamin (email: DPO@kaltura.com). Legal inquiries can be directed to Emily Dong, Legal Counsel, CIPP/E (email: dong@kaltura.com).