FAQ – Kaltura’s Compliance with European Union Data Protection Laws
Q: What is the GDPR?
A: The General Data Protection Regulation (GDPR) is an act of EU legislation intended to harmonize and strengthen privacy law across EU countries. The European Parliament approved the GDPR on April 14, 2016, and its requirements became mandatory on May 25, 2018. Kaltura is committed to complying fully with the GDPR and supporting our customers in their own GDPR compliance process.
Q: What categories of personal data does Kaltura process in connection with providing its products and services to customers?
A: The categories of personal data collected and/or processed by Kaltura will depend on the specific configuration and use case of the customer’s account. Kaltura is a data processor to our customers with respect to their users’ personal information. Kaltura’s collection and processing of personal data is solely for the purpose of providing its services to the customer. Kaltura does not collect or process personal data from end users except as necessary for the performance of its services.
Kaltura typically processes the following categories of personal data from a customer’s end-users:
- Technical identifiers, including user IDs, user agents, and IP addresses;
- End user names and email addresses in cases where the customer’s user authentication configuration requires this information (the authentication flow can be configured to avoid collection of names and email addresses); and
- Account activity (including media files uploaded, recorded live sessions, viewing history, likes and comments, chat history in live meeting solutions, account analytics, and any quizzes taken).
A customer’s media content and metadata hosted on Kaltura’s SaaS platform may also contain personal data. However, please note that Kaltura is a platform. It does not screen or monitor customer content or metadata uploaded to the platform to determine whether it contains personal or sensitive data.
Q: What kind of cookies are used by the Kaltura platform and player?
Kaltura also uses a cookie to collect analytics where non-authenticated users interact with MediaSpace. Customers with a use case involving non-authenticated users may wish to enable Kaltura’s Privacy Banner module, which requests user consent before placing the analytics cookie. If the cookie is declined, the user may still interact with MediaSpace, but individualized analytics for that user will not be collected.
Some Kaltura customers leverage third-party analytics cookies (such as Google Analytics, Omniture, or ComScore) and/or third-party advertising or marketing automation cookies (such as Marketo or Eloqua), and these third-party cookies have been enabled to interoperate with the Kaltura platform. If a customer is using third-party analytics or advertising tools in connection with the Kaltura platform, the customer should consider whether it needs to provide notice to users about those cookies.
Q: What tools does Kaltura offer to facilitate GDPR compliance?
A: Kaltura’s SaaS platform includes various configuration options and tools, such as anonymization, to address privacy concerns and support customers’ compliance with data protection regulations. For example, we offer a First Login Disclaimer module that can be customized to display privacy notices and/or document consent when the end user accesses the Kaltura platform for the first time. To learn more about the tools and configuration options available, please contact your Kaltura representative.
As a data processor to our customers, Kaltura offers a Data Processing Agreement that contains relevant GDPR terms. Customers may access the Kaltura Data Processing Agreement at https://corp.kaltura.com/Kaltura-data-processing-agreement.
Q: Where does Kaltura process customer data?
A: Kaltura’s SaaS platform and associated customer data are currently hosted in the US. Regional cloud environments hosted in the EU, Singapore, Australia and Canada are also available for customers who have special requirements with respect to the hosting location. In appropriate circumstances, customized regional hosting options can be configured for components of the Kaltura solution (such as single-tenant hosting on a public cloud provider’s data center). However, such deployment options require careful technical planning and may require significant additional costs for the customer. To learn more about Kaltura’s regional cloud environments and/or customized hosting options, please contact your Kaltura representative.
Additional processing of customer data (e.g. transmission over a content delivery network or temporary caching on local proxy servers) may take place in jurisdictions where the customer’s end users upload media content or call content for playback.
Members of Kaltura’s R&D, customer support, and business operations teams located in the EU, the United Kingdom, Israel, and the US may access customer data solely for troubleshooting, maintaining the services, and providing customer support and account management. Kaltura also engages personnel in other locations to provide support, development, and testing services.
Q: How does Kaltura address the issue of transferring personal data outside of the European Union?
A: For transfers of data to the US data centers hosting Kaltura’s SaaS platform, as well as remote access to customer data by Kaltura’s technical and customer support personnel, Kaltura relies on the European Commission’s set of Standard Contractual Clauses, which remain a valid approach to transfers of personal data across borders. Once signed, an agreement incorporating the Standard Contractual Clauses commits cloud service providers to complying with the EU’s data protection principles. Customers can access the Kaltura Data Processing Agreement incorporating the Standard Contractual Clauses at https://corp.kaltura.com/Kaltura-data-processing-agreement. For transfers of data to Kaltura’s R&D and customer support teams in Israel, Kaltura relies on the European Commission’s adequacy decision of January 31, 2011 (2011/61/EU).
Q: What technical and organizational security measures does Kaltura have in place?
A: Kaltura implements appropriate technical and organizational security measures to safeguard the confidentiality and integrity of customer data. These measures include user authentication, session verification, access control settings, transport layer encryption and security, and more. Some technical security measures are non-default and can be implemented by the customer through the Kaltura platform’s administrator settings. The US and regional cloud data centers hosting Kaltura’s SaaS platform conduct SSAE16 SOC-1 Type II and SOC-2 Type II assessments and reporting. In addition, Kaltura holds ISO27001 and ISO27799 certifications. For more information regarding Kaltura’s security measures, including Kaltura’s disaster recovery and business continuity plans, please contact your Kaltura representative.
Q: Does Kaltura have an incident response plan?
A: Kaltura has detailed policies and procedures in place to evaluate, respond to, report, and document all incidents involving the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. For more information about our incident response procedures, please contact your Kaltura representative.
Q: What is Kaltura’s data retention policy?
A: In general, customer content and user data are retained throughout the entire contract term. However, if the customer’s administrative users mark specific content for deletion, that content will be deleted from our database. Customers may also set custom deletion rules and schedules for their content. In addition, if a customer instructs Kaltura to delete user data relating to a specific user, we will promptly comply with the request.
If a customer terminates their contract with Kaltura, customer content and user data will be deleted at the end of the subscription term. In the event of termination, the customer can always migrate their data to another storage location or medium for retention purposes. Migration can be performed directly by the customer through Kaltura APIs or with the assistance of our Professional Services team. Upon termination, data recorded in Kaltura’s production logs and information relating to Kaltura’s business transactions with the customer are retained in accordance with Kaltura’s data retention policies.
Q: How will Kaltura address data subject requests?
A: Data subject requests are handled on a case-by-case basis. Customers are able to seek assistance for data subject requests through Kaltura’s online customer care portal. Upon request by the customer, Kaltura is able to generate a copy of personal data in a commonly used and machine-readable format. Kaltura is also able to selectively delete personal data stored/processed. Unless otherwise required by applicable law, any requests regarding personal information that Kaltura receives directly from the end user will be promptly forwarded to the relevant customer, and Kaltura will proceed only as instructed by the customer. For more information, please refer to the Kaltura Data Subject Access Request Policy and Procedures, a copy of which is available upon request.
Q: Does Kaltura engage any sub-processors?
A: Kaltura currently engages sub-processors to provide cloud infrastructure and hosting services, to carry out data delivery to end users over a content delivery network (CDN), to provide video enrichment functions (such as content transcription, captioning, and translation services), and to provide various customer support, CRM, accounting, payment, and similar services to our customers. For media and telecom customers utilizing Kaltura’s Cloud TV platform, Kaltura may engage additional sub-processors depending on the scope of the deployment.
The exact sub-processors used in any given case depend on the specific deployment and combination of products and services purchased. Customers may request details about the particular sub-processors used in their deployment. Customers can also request that they be notified of changes to those sub-processors and given a chance to object to any changes in the applicable sub-processors. Please submit these requests to your Kaltura representative or to Kaltura’s DPO (email: [email protected]).
Q: Does Kaltura maintain a record of data processing activities?
A: Kaltura maintains a central record of data processing activities in connection with the products and services we provide to our customers. The record of processing activities is reviewed and updated on an ongoing basis (such as when new functionalities are introduced or when new partners are brought on as sub-processors). The record of processing activities applicable to any particular customer can be provided upon request.
A: Kaltura has privacy policies regarding how Kaltura collects, uses, processes, protects, and discloses data through the Kaltura websites and the Kaltura SaaS platform. Kaltura’s privacy policies can be accessed at https://corp.kaltura.com/privacy-policy.
Q: Does Kaltura have an EU data protection representative?
A: Kaltura has appointed its wholly-owned German subsidiary, Kaltura Germany GmbH, as its EU data protection representative. The contact information for Kaltura’s EU data protection representative is as follows:
Kaltura Germany GmbH
c/o Mazars Tax GmbH
Phone: +1 800 871 5224
Email: [email protected]
Q: How can I learn more about Kaltura’s privacy program?
A: To get additional information about Kaltura’s privacy program, please contact Kaltura’s Data Protection Officer (email: [email protected]). Legal inquiries can be directed to Emily Dong, Legal Counsel, CIPP/E (email: [email protected]).