In honor of the General Data Protection Regulation (GDPR) going into effect today, we are reposting an earlier post about how Kaltura is addressing the GDPR.
Q: What is the GDPR?
A: The General Data Protection Regulation (GDPR) is an act of EU legislation intended to give individuals greater control over their personal data while harmonizing and strengthening privacy law across EU countries. The European Parliament approved the GDPR on April 14, 2016, and its requirements will become mandatory across the 28 EU Member States on May 25, 2018. The GDPR will apply to Kaltura and many of our customers. We are committed to complying fully with the GDPR and supporting our customers in their own GDPR compliance process.
Q: What categories of personal data does Kaltura collect?
A: The categories of personal data we collect and process depend on the specific configuration and use case of the customer’s account. Our collection and processing of personal data is solely for the purpose of providing our services to the customer. Kaltura does not collect personal data from end users except as necessary for the performance of its services.
We typically collect the following categories of personal data from a customer’s authorized end-users:
- Technical identifiers, including user IDs and IP addresses;
- End user names and email addresses in cases where the customer’s user authentication configuration requires this information (the authentication flow can be configured to avoid collection of names and email addresses); and
- Video content and metadata, to the extent they contain personal data.
Kaltura’s SaaS platform includes various configuration options and tools, such as anonymization, to address privacy concerns and support customers’ compliance with data protection regulations. To learn more about the tools and configuration options available, please contact your Kaltura representative.
Q: Where does Kaltura process customer data?
A: Kaltura currently hosts our SaaS platform and associated customer data in our US data centers. In addition, Israel and EU-based members of our R&D and customer support teams may access the data solely for troubleshooting and otherwise maintaining the services. In appropriate circumstances, customized hosting options in the EU can be configured for components of the Kaltura solution (such as single-tenant hosting on a public cloud provider’s data center). However, such deployment options require careful technical planning and may require significant additional costs. Customized hosting should only be considered after careful consultation with a Kaltura solution architect.
Q: How does Kaltura address the issue of transferring personal data outside of the European Union?
A: For transfers of data to Kaltura’s US data centers, we rely on the EU-U.S. and Swiss-U.S. Privacy Shield Framework. We self-certify under the Privacy Shield and our certification can be viewed at www.privacyshield.gov. For transfers of data to our R&D and customer support teams in Israel, we rely on the European Commission’s adequacy decision of January 31, 2011 (2011/61/EU).
In addition, the European Commission has recognized that reliance on the European Commission’s set of model contractual “Standard Clauses” remains a valid approach to transfers of personal data across borders. Once signed, an agreement incorporating the Standard Clauses contractually commits cloud service providers to comply with the EU’s data protection principles. For customers who wish to sign data processing agreements incorporating the Standard Clauses, we have a template agreement ready for execution. Please request a copy by contacting [email protected].
Q: What technical and organizational security measures does Kaltura have in place?
A: We implement appropriate technical and organizational security measures to safeguard the confidentiality and integrity of customer data. These measures include user authentication, session verification, access control settings, transport layer encryption and security, and more. Some technical security measures are non-default and can be implemented by the customer through the Kaltura platform’s administrator settings. Kaltura’s data centers hold SSAE16 SOC-1 Type II and SOC-2 Type II certifications. In addition, we hold ISO27001 and ISO27799 certifications. More information regarding Kaltura’s security measures, including Kaltura’s disaster recovery and business continuity plans, is found in Kaltura’s Security Policies. Please contact your Kaltura representative to request a copy.
Q: How will Kaltura address data subject requests?
A: Currently, data subject requests will be handled on a case-by-case basis. We are implementing a procedure for handling data subject requests so that customers will be able to seek assistance directly through Kaltura’s online customer care portal. Upon a customer’s request, we are able to generate a copy of personal data in a commonly used and machine-readable format. We are also able to selectively delete personal data stored/processed.
Q: Does Kaltura engage any sub-processors?
A: We currently engage sub-processors to carry out data delivery to end users over a content delivery network (CDN) and content transcription and captioning services. The exact sub-processors used in any given case may depend on the specific deployment and combination of products and services purchased. Customers may request details about the particular sub-processors used in their deployment and can request that they be notified of changes to those sub-processors and given a chance to object to any changes in the applicable sub-processors.
A: We have privacy policies regarding how Kaltura collects, uses, processes, protects, and discloses data through the Kaltura websites and the Kaltura SaaS platform. Our privacy policies can be accessed at https://corp.kaltura.com/privacy-policy.
Q: Does Kaltura have an EU data protection representative?
A: We have designated our wholly-owned UK subsidiary, Kaltura Europe, Ltd., as our EU data protection representative. The contact information for our EU data protection representative is as follows:
Kaltura Europe, Ltd.
4th Floor, Northumberland House
303-306 High Holborn
London, WC1V 7JZ UK
Phone: +44 (0) 203 116 7700
Email: [email protected]
Q: How can I learn more about Kaltura’s privacy program?
A: For more information about our privacy program, please contact Kaltura’s Data Protection Officer (email: [email protected]). Legal inquiries can be directed to Emily Dong, Legal Counsel, CIPP/E (email: [email protected]).