Vimeo Enterprise Data Processing Addendum

Last Updated: February 24, 2025

This Data Processing Addendum (“DPA”) is a part of the Vimeo Enterprise Terms and sets forth the parties’ rights and obligations in respect of the processing of Company User Data in relation to the Enterprise Services, to the extent that the same is subject to Applicable Privacy and Data Protection Laws.

Where the Standard Contractual Clauses apply, if there is any conflict between the Standard Contractual Clauses and the terms of this DPA, the Standard Contractual Clauses shall prevail.

1. Definitions

  • “Agreement” means the Order Form, together with Vimeo’s Enterprise Terms, available at https://vimeo.com/enterpriseterms, unless there is a separately negotiated agreement for Enterprise Services between you and Vimeo, then “Agreement” means that agreement.

  • “Applicable Privacy and Data Protection Laws” means collectively all national, federal, state, provincial, and local privacy and data protection laws, rules, and regulations that apply to the parties with regard to the processing of Personal Data in connection with the Agreement, including, only to the extent applicable and when legally effective (including those that come into effect after the “Last Updated” date above): Brazil’s Lei Geral de Proteção de Dados (“LGPD”); the California Consumer Privacy Act (including as amended by the California Privacy Rights Act of 2020) (“CCPA”), the Colorado Privacy Act (“CPA”), the Virginia Consumer Data Protection Act (“CDPA”), the Utah Consumer Privacy Act (“UCPA”), and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“CTPA”) and the regulations promulgated under any of the foregoing; Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); the European Union’s General Data Protection Regulation (“GDPR”); Japan’s Act on the Protection of Personal Information (“APPI”); Switzerland’s Federal Act on Data Protection (“FADP”); and the United Kingdom’s General Data Protection Regulation (“UK GDPR”).

  • “Business Purpose” means the enumerated Business Purposes set forth in Cal. Civ. Code section 1798.140(d)(1)-(7) and, on or after January 1, 2023, Cal. Civ. Code section 1798.140(e)(1)-(8) that are applicable to the Enterprise Services.

  • “Company,” “you,” and “your” mean the Vimeo customer that has entered into the Agreement for Vimeo Enterprise Services.

  • “Company User” means a Data Subject for whom Company initiates and administers a Vimeo account (i.e. via single sign-on), a Data Subject who submits Personal Data to Vimeo in connection with an Event hosted by Company, and/or Data Subjects acting on behalf of Company to administer the Enterprise Service. A Company User may also include a Data Subject appearing in Company-submitted content.

  • “Company User Data” means the Personal Data of Company Users that is submitted to Vimeo in connection with the Enterprise Services. Company User Data does not include Personal Data collected by Vimeo outside of and independent from the Enterprise Services. Company User Data does not include Vimeo Account Data.

  • “Controller” means the party that controls the purposes and means of processing, and shall include ‘controller’, ‘business’, and other similar terms under Applicable Privacy and Data Protection Laws.

  • “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.

  • “Data Subject” means ‘data subject’, ‘consumer’, or similar terms under Applicable Privacy and Data Protection Laws.

  • “Enterprise Services” means the Vimeo Enterprise-branded services provided by Vimeo pursuant to an individually negotiated order form executed by Vimeo and Company (each, an “Order Form”) that involves the transfer of Company User Data to Vimeo.

  • “Event” means a live streamed or recorded webinar or other streamed event powered by the Enterprise Services.

  • “Personal Data” means all ‘personal data’, ‘personal information’, or similar terms under Applicable Privacy and Data Protection Laws.

  • “Processor” means a party that processes Personal Data on behalf of another party, and shall include ‘processor’, ‘service provider’, and other similar terms under Applicable Privacy and Data Protection Laws.

  • “Restricted Transfer” means: (a) where the GDPR or FADP applies, a transfer of Personal Data from the European Economic Area or Switzerland (as applicable) to a country outside of the European Economic Area or Switzerland (as applicable) which is not subject to an adequacy determination by the European Commission or Swiss Federal Data Protection and Information Commissioner (as applicable); and (b) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018. A transfer of Personal Data to the United States pursuant to the Data Privacy Framework shall not be a Restricted Transfer.

  • “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company User Data.

  • “Sensitive Data” means ‘sensitive personal information’, ‘sensitive data’, ‘special categories of personal data’, and Personal Data similarly classified under Applicable Privacy and Data Protection Laws.

  • “Standard Contractual Clauses” means the standard contractual clauses approved pursuant to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, populated in accordance with Section 8 of this DPA. For transfers of Personal Data subject to the UK GDPR, the Standard Contractual Clauses also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”), populated in accordance with Section 8 of this DPA.

  • “Vimeo” means, for the purpose of this DPA, Vimeo.com, Inc.

  • “Vimeo Account Data” means information relating to Company’s relationship with Vimeo, including: (a) Vimeo’s internal account identifiers; (b) billing and contact information of individual(s) associated with Company’s Vimeo Enterprise account (e.g. billing address, email address, name); (c) Company Users’ device and connection information (e.g. IP address); and (d) content of technical support requests and product feedback.

  • “Vimeo Policies” means Vimeo’s internal information security policies, including applicable retention schedules.

  • The terms “commercial purpose”, “process”, “sell”, “share”, and their cognates shall have the same meaning as under Applicable Privacy and Data Protection Laws.

2. Roles

2.1. To the extent Company User Data is subject to Applicable Privacy and Data Protection Laws, the parties agree that with respect to processing Company User Data in the provision of the Enterprise Services, Company is the Controller, and Vimeo is a Processor.

2.2. Vimeo will process Vimeo Account Data as a Controller for the following purposes: (a) to manage the relationship with Company (communicating with Company and Company Users in accordance with their account preferences, providing technical support, etc.); (b) to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; (c) to inform Vimeo’s business strategy; and (d) to carry out core business functions such as accounting, billing, and filing taxes.

2.3. The parties agree and acknowledge that the subject matter and details of processing are set out in Annex I.

3. Terms of Processing by Vimeo

3.1. Vimeo agrees that it will:

3.1.1. Process Company User Data in accordance with the documented lawful instructions of Company as stated in the Agreement (including this DPA) and respective Order Forms, as necessary to (a) provide the Enterprise Services to Company and enable Company’s use of various features and functionalities; (b) investigate Security Incidents and enforce the Acceptable Use Policy; and (c) comply with its legal obligations (collectively, the “Agreed Purposes”);

3.1.2. Ensure that anyone acting on its behalf will process Company User Data according to the provisions of this DPA and Applicable Privacy and Data Protection Laws, and is bound by an appropriate obligation of confidentiality;

3.1.3. Notify Company if Vimeo becomes aware of any circumstance which would prevent it from fulfilling Company’s instructions under this DPA;

3.1.4. Notify Company if Vimeo becomes aware that any applicable law or regulation prevents it from fulfilling the instructions received from Company and its obligations under this DPA;

3.1.5. Notify Company within the time period required by Applicable Privacy and Data Protection Laws if it determines it can no longer meet its obligations under Applicable Privacy and Data Protection Laws and allow Company to take reasonable and appropriate steps to stop and remediate unauthorized processing of Company User Data;

3.1.6. Upon Company’s request, provide information to reasonably enable Company to conduct and document data protection assessments; and

3.1.7. To the extent required under Applicable Privacy and Data Protection Laws, not more than once annually, allow and cooperate with reasonable assessments by Company or its designated assessor (or if mutually agreed and at Vimeo’s expense, Vimeo’s qualified assessor), to conduct an assessment of Vimeo’s policies and technical and organizational measures in support of the obligations under Applicable Privacy and Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments, and subject to reasonable access and confidentiality restrictions. If Vimeo engages its own assessor, it shall provide a summary report to Company upon request, which shall satisfy Vimeo’s obligations under this Section 3.1.7.

3.2. Subject to Section 3.1.1., Vimeo will not:

3.2.1. Sell or share the Company User Data;

3.2.2. Retain, use or disclose the Company User Data for any purpose other than the Agreed Purposes;

3.2.3. Retain, use or disclose the Company User Data outside of the direct business relationship between Company and Vimeo; or

3.2.4. Combine Company User Data with Personal Data Vimeo receives from other customers.

4. Terms of Processing by Company

4.1. Company agrees that it will:

4.1.1. Collect, use and process Company User Data in accordance with Applicable Privacy and Data Protection Laws, including obtaining any necessary consents, licenses, and approvals;

4.1.2. Have sole responsibility for the accuracy, quality, and legality of Company User Data and the means by which it was obtained; and

4.1.3. Not submit to Vimeo or otherwise cause Vimeo to process any Sensitive Data unless it has satisfied all applicable requirements under Applicable Privacy and Data Protection Laws, including, as may be applicable, providing notice to and obtaining consent from the Data Subject to whom the Sensitive Data relates. Company acknowledges that Vimeo will not assess the contents of Company User Data to identify information subject to any specific legal requirements.

5. Security & Compliance

5.1. Vimeo shall implement reasonable technical, organizational and security measures to protect the privacy and security of the Company User Data.

5.2. Vimeo shall assist Company, within reasonable timetables, by the appropriate measures and as reasonably possible (considering the nature of the processing and the information available to Vimeo), in complying with its obligations under Articles 32 to 36 of the GDPR.

5.3. Any storage and/or transfer of Company User Data by Company to any third party or platform other than Vimeo shall be at the sole risk and responsibility of Company.

5.4. If Vimeo becomes aware of any Security Incident, Vimeo will, without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware, provide notification to Company in accordance with applicable regulations. Vimeo’s notification of a Security Incident will not be deemed as an acknowledgement by Vimeo of any fault or liability with respect to such incident. In the event of a Security Incident, Company shall be obligated to take the measures required under applicable laws in connection with its Company User Data. Where requested, Vimeo will assist Company in communicating with regulators regarding the Security Incident.

5.5. Upon reasonable written request, Vimeo will make available to Company information necessary to demonstrate compliance with its obligations under this DPA and Applicable Privacy and Data Protection Laws.

6. Sub-processors

6.1. Vimeo is hereby generally authorized by Company to engage any sub-processor, provided that Vimeo shall (i) ensure in each case that the sub-processor is bound by data protection obligations that are substantially the same as, and in any event no less onerous than, those contained in this DPA; and (ii) subject to the terms of the Agreement (including but not limited to any limitations on liability agreed therein), remain fully liable to Company for the performance of that sub-processor’s obligations. For a list of current sub-processors, see https://vimeo.com/enterpriseterms/dpa/subprocessors.

6.2. Vimeo shall notify Company of any intended changes concerning the addition or replacement of sub-processors, thereby giving Company the opportunity to object to such changes. Notice will be provided by email to the email address(es) submitted by Company using this form. If Company objects to any sub-processing by Vimeo, Company should immediately discontinue its use of the Enterprise Services.

7. Individual Rights Requests

7.1. To the extent required under Applicable Privacy and Data Protection Laws, Vimeo will take appropriate measures to assist Company in complying with its obligations under Applicable Privacy and Data Protection Laws in responding to Data Subject rights requests.

7.2. Vimeo will notify Company when it receives a Data Subject rights request for erasure or access to information directed towards Company User Data. Company shall provide direction to Vimeo regarding whether to fulfill such request.

8. International Transfers

8.1. Restricted Transfers. Company understands and agrees that Vimeo operates the Enterprise Service primarily from the United States and, as such, Company User Data will be transferred from Company’s location and/or the applicable Data Subject’s location to Vimeo in the United States. Where Company User Data is the subject of a Restricted Transfer, Vimeo will ensure such transfers are made in compliance with Applicable Privacy and Data Protection Laws by relying on the Standard Contractual Clauses, which are hereby incorporated into this DPA, and which are deemed to be completed, populated and incorporated as outlined in this Section 8.1.

8.1.1. For Restricted Transfers protected by the GDPR or UK GDPR, the Standard Contractual Clauses will apply completed as follows:

  • Where Company is a controller, Module Two will apply. Where Company is a processor, Module Three will apply. Where Vimeo and Company are each a controller (i.e. for Vimeo Account Data), Module One will apply;

  • Clause 7: the optional clause is included;

  • Clause 11(a): the optional clause is disregarded;

  • Clause 13(a): the competent supervisory authority shall be selected according to Section C of Annex I;

  • Clause 17: the parties select the laws of Ireland to govern disputes arising from these Standard Contractual Clauses;

  • Clause 18: any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Ireland; and

  • Any conflict between the terms of the Standard Contractual Clauses and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

8.1.2. For Restricted Transfers protected by the FADP, the Standard Contractual Clauses, completed as set out above in Section 8.1.1 shall apply, except that:

  • The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner;

  • Clause 17: the governing law shall be the laws of Switzerland;

  • References to “Member State(s)” shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the Standard Contractual Clauses in Switzerland; and

  • References to the “General Data Protection Regulation” in the Standard Contractual Clauses shall be understood to be references to the Swiss FADP.

8.1.3. Company and Vimeo agree that signature of an Order Form will constitute and have effect as signature of Annex I.A and Annex II of the Standard Contractual Clauses in relation to any Restricted Transfers that are required in relation to the Enterprise Services to which that Order Form relates, and which are set out in a relevant, fully and appropriately populated version of Annex I, Annex II and Annex III (below) to the Standard Contractual Clauses, together (where applicable) with the UK Addendum.

8.2. Data Privacy Framework. Company acknowledges that Vimeo complies with the Data Privacy Framework and that transfers of Company User Data to Vimeo made under the Data Privacy Framework shall not be a Restricted Transfer. If Vimeo’s Data Privacy Framework certification lapses, or the Data Privacy Framework is invalidated, transfers of Company User Data shall immediately be considered a Restricted Transfer, and the provisions of Section 8.1 will apply.

8.3. Supplementary Measures. If Vimeo receives an order from any third party for compelled disclosure of Company User Data that has been the subject of a Restricted Transfer, Vimeo will:

8.3.1. Use every reasonable effort to redirect the third party to request the data directly from Company;

8.3.2. Promptly notify Company, unless prohibited by law;

8.3.3. Request a reasonable extension of time from the third party to allow Company to evaluate the request; and

8.3.4. Use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies or conflicts with the laws of the EU, Switzerland, UK or applicable EU member state law.

If, after exhausting these steps, Vimeo remains compelled to disclose Company User Data to a third party, Vimeo will disclose only the minimum necessary to satisfy the request.

9. Term and Termination

9.1. This DPA shall be in effect for as long as Company uses any of the Enterprise Services, provided however, that where Vimeo is obligated, according to the terms of this DPA or any Vimeo Policies, to retain Company User Data following the termination or expiration of the Enterprise Services, this DPA shall continue to be in effect for as long as Vimeo holds such data.

9.2. Vimeo shall enable Company, through its admin account, to delete its Vimeo account, which will initiate deletion of Company User Data. If Company does not take any action to delete its Vimeo account, Vimeo will delete it when retention is no longer necessary for the purposes for which it was collected or required to be retained under applicable law.

9.3. Vimeo shall have the right to amend and/or adjust any of the terms of this DPA as may be required from time-to-time, in order to comply with any applicable laws or regulations.

9.4. Any questions regarding this DPA or requests from Company to support the fulfillment of Data Subject rights requests should be addressed to [email protected]. Vimeo will attempt to resolve any complaints regarding the use of Company User Data in accordance with this DPA and Vimeo Policies.

9.5. In the event of inconsistency with the terms of this DPA and any other agreement between the parties, the terms of this DPA shall prevail.


Annex I: Details of the Processing

A. List of Parties

Data exporter(s):

Data Exporter is the company identified in the associated Enterprise Terms and Order Form.

Role (controller/processor):

Controller

Data importer(s):

Vimeo.com, Inc.

Address:

330 West 34th Street, 10th Floor, New York, New York 10001

Contact person’s name, position and contact details:

Aleah Vickers, Data Protection Officer, [email protected]

Activities relevant to the data transferred under these Clauses:

In accordance with the Enterprise Terms and associated Order Form agreed upon between Data Exporter and Data Importer.

Signature and date:

The parties agree that signature of the Order Form constitutes signature of this Annex I. The date is according to the Order Form.

Role (controller/processor):

Processor

B. Description of Transfer

Subject matter:

The subject matter of the data processing under this DPA is Company User Data.

Data subjects:

The data subjects are Company Users.

Data types:

The data processed includes online identifiers (IP address, email, location information), viewing data, and employment information.

Nature of the processing:

Vimeo processes Company User Data to provide the Enterprise Services, including such features and functionalities initiated by Company. This includes:

  • Company uploading, hosting, managing, and streaming video content to Company Users;

  • Delivering content to Company Users;

  • Providing customer support to Company Users; and

  • Providing all other features and functionality offered by the Enterprise Service that Company chooses to use.

Duration:

The duration of the processing is equal to the duration of Company’s use of Vimeo's services.

Purpose:

The purpose of the processing is the provision of the services initiated by Company.

C. Competent Supervisory Authority

Where Company is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Company is established.

Where Company is not established in an EU Member State, Article 3(2) of the GDPR applies and Company has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Company’s EU representative is based.

Where Company is not established in an EU Member State, Article 3(2) of the GDPR applies, but Company has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which the majority of the data subjects whose personal data is transferred under these Clauses are located.

Annex II: Technical and Organizational Measures to Ensure the Security of the Data

Vimeo maintains internal Information Security and Privacy Policies, which are approved annually and must be reviewed and accepted by all Vimeo employees. These policies include standards for information security management as required by the EU’s General Data Protection Regulation (GDPR), the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the SOC 2 Type 2 Trust Services Criteria, and other privacy or data security laws, regulations, or standards. The following spotlight controls illustrate Vimeo’s information security framework:

Governance

Vimeo’s security program is based on the concept of defense in depth: securing the organization and user data at every stage. The security program is aligned with ISO (International Organization for Standardization) 27001 and NIST (National Institute of Standards and Technology) standards and is continually updated with new guidance and industry best practices. Vimeo maintains a dedicated security team led by Vimeo’s Chief Information Security Officer, who is responsible for the implementation and management of the security program.

Vimeo maintains and implements a written information security program, including appropriate policies, procedures, and risk assessments that are reviewed at least annually. The program applies to Vimeo’s employees, contractors, and suppliers. Vimeo maintains a process to monitor and enforce program compliance and log program violations.

Security Awareness Training

Vimeo provides annual security training to its personnel on relevant threats and business requirements such as social-engineering attacks, sensitive data handling, causes of unintentional data exposure, and security incident identification and reporting.

Incident Response

Vimeo has established incident response plans and procedures that set forth guidelines for effectively detecting, responding to, mitigating, and recovering from security incidents within its organization, ensuring minimal impact on operations and safeguarding sensitive data. They include processes for incident preparation, detection/analysis, containment, eradication, recovery, remediation and communications to customers where necessary.

Vulnerability Management

Vimeo maintains a process to identify and remediate system, device, and application vulnerabilities in a timely manner through patches, updates, bug fixes, or other modifications to maintain the security of customer data. Vimeo aims to mitigate critical vulnerabilities within 7 days of discovery. High-risk vulnerabilities are mitigated within 30 days of discovery.

Audit Logs

Vimeo Enterprise provides customers access to a protected audit trail of user activities, as an encrypted continuous export stream or a downloadable file in a SIEM-compatible format, that clearly records the user performing the action, the action taken, success or failure, and the date and time.

Malware Defenses

Vimeo deploys endpoint detection and response and anti-malware software on workstations and servers to control, detect and remediate the installation, spread, and execution of malicious code.

Data Retention

Vimeo users are given tools within their account settings to delete user-submitted account data (including videos, comments, group participation and channel participation). Vimeo hard deletes user-submitted account data within a reasonable time following a deletion request or account closure.

Encryption

Vimeo encrypts customer data at rest and in transit across open networks in accordance with industry best practices. For encryption at rest, AES-128 or stronger is used. For encryption in transit, TLS 1.2 or higher is used.

Firewalls

Vimeo maintains and configures firewalls to protect systems containing customer data from unauthorized access. Vimeo reviews firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.

Access Control

Vimeo adheres to the principles of least privilege and role-based permissions when provisioning system access. Employees are only permitted to access data that they reasonably must handle in order to fulfill their job roles and responsibilities. User access certifications are performed on critical systems on a quarterly basis.

Single Sign-on and Authentication

Where possible, Vimeo employs single sign-on (SSO) and/or multi-factor authentication (MFA) for all access to systems holding sensitive data.

For Enterprise customers, Vimeo supports integration with a SAML and/or OAuth single sign-on identity provider such as Okta or Azure Active Directory. Vimeo also supports SCIM for automated user lifecycle management, covering user provisioning and deprovisioning as well as querying, assigning and removing roles and entitlements within the software.

Security Testing

Vimeo conducts penetration testing of its systems to identify vulnerabilities and attack vectors that could be used to exploit those systems. Identified vulnerabilities are addressed as part of Vimeo’s vulnerability management program. Vimeo also leverages the security community through a HackerOne bug bounty program.

Vendor Management

Vimeo conducts an information security review of all vendors that will access personal data, and imposes heightened data security requirements for vendors which have access to Vimeo’s critical systems. This review includes both initial onboarding and annual recertification.

Annex III: Sub-Processors

The controller has provided a general authorization for use of sub-processors per Section 6.1 of the DPA. For a list of current sub-processors, see https://vimeo.com/enterpriseterms/dpa/subprocessors.