Viber Business Accounts Terms and Conditions

Last Updated: April 17, 2023

These Viber Business Accounts Terms and Conditions (“Business Accounts Terms”) are legally binding agreement by and between Viber Media S.à r.l. (“Viber”, “we”, or “our”) and you, the company or business (“Business” or “you”) using the Viber services, app, account and features designed and developed for businesses as detailed below and may change from time to time (“Business Services”).

BY CREATING AND ENTERACTING WITH THE BUSINESS ACCOUNT AND THE BUSINESS SERVICES, YOU AGREE TO BE BOUND BY THESE BUSINESS ACCOUNTS TERMS AND ALL OTHER APPLICABLE TERMS AND POLICIES, AND ACKNOWLEGDE THAT YOU HAVE READ AND UNDERSTOOD THEM. PLEASE READ THESE TERMS CAREFULLY BEFORE ACCEPTING THEM. IF YOU DO NOT AGREE TO ALL OR PARTS OF THESE BUSINESS ACCOUNTS TERMS, YOU ARE NOT ALLOWED TO INTERACT WITH THE VIBER BUSINESS SERVICES IN ANY MANNER. 

FURTHER, BY INTERACTING WITH THE BUSINESS SERVICES YOU HEREBY AGREE THAT YOU WILL USE THE BUSINESS SERVICES SOLELY FOR BUSINESS, COMMERCIAL AND AUTHORIZED PURPOSES, AND NOT FOR PERSONAL USE.

1. ELIGIBILITY

1.1 You hereby represent and warrant that you: (a) have the authority to do so; (b) are at least 18 years old; (c) have not been previously suspended or removed from our Business Services, or engaged in any activity that could result in suspension or removal and (d) you will use our Business Services solely for business, commercial, and authorized purposes, and not for personal use.

1.2 For users in the European Economic Area (EEA) – the Business Services are solely offered to and should be used only by the companies, businesses or enterprises, which employ fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million, i.e. they qualify as micro or small enterprises under Recommendation 2003/361/EC. If your company, business or enterprise exceeds the above threshold and you are interested to explore our business solutions, you are welcome to contact us at https://b2b.viber.com/viber-for-business-form.

2. AMENDMENTS

2.1 Viber is always working on adding additional features to the services we provide and improving existing services. As such, and since there may be changes to applicable laws, we may update or change our Business Services, including their functionality from time to time, and revise and reissue these Business Accounts Terms occasionally to reflect the updates and practices correctly. We will only make changes if the provisions are no longer appropriate or incomplete. Changes to these Business Accounts Terms shall become effective upon prior notice. Once updated Business Accounts Terms come into effect, you will be bound by them if you continue to use the Business Services. If you do not agree with any changes to the Business Services or the Business Accounts Terms, you may notify us or terminate your relationship with us. Notwithstanding the above, changes to these Business Accounts Terms or the Business Services, will take effect immediately without prior notice where such changes are: (a) exclusively to the Business’ benefit; (b) where they are of a purely administrative nature and have no negative effect the Business; (c) where they are directly imposed by law; or (d) due to important security compliance or risk conditions.

3. ADDITIONAL TERMS FOR SPECIFIC SERVICES

3.1 Some features of our Business Services may be subject to additional terms and conditions, which you should read before making use of those features and such Business Services, and they add up to these Business Accounts Terms where applicable. The following additional terms are:

To the extent that any of the additional terms and policies conflict with these Business Accounts Terms, these Business Accounts Terms will govern.

4. BUSINESS ACCOUNT

4.1 In order to access and use the Business Services, you will need to register and create a business account (“Business Account”) and profile, including your business’ name, contact information, business’ location (through Google Places API), your website and profile picture (i.e., your business banner or logo), as applicable (“Business Profile”). You can update your Business Profile at any time through the “Manage Profile” screen.

4.2 By creating a Business Account and providing a Business Profile you acknowledge that Viber (directly or through our third-parties) will use your registration information in order to send you certain notices, including but not limited to, notices regarding abuse reports, information about our Business Services, promotions offered, surveys, and other notices about your Business Account. Please note that any information provided through the registration process to your Business Profile is governed by the Viber Privacy Policy.

4.3 You hereby represent and warrant that you will provide true, complete and updated information in your Business Profile, during the use of the Business Account, and any other information as may be required by Viber from time to time, including your valid legal business phone number, Business’ name, logo and website, and other information, and that such information will not: (i) be false, misleading, deceptive, or defamatory; (ii) parody a third party or include character symbols, excessive punctuation, or third-party trademark designations; and (iii) infringe any trademark, violate any right of publicity, or otherwise violate any third-party’s rights. We reserve the right to reclaim account names on behalf of any business or individual that holds legal claim in those names. If we, at Viber, believe the information presented on your Business Profile is not correct, update, or complete, you will be required to remedy such breach without undue delay, Viber further reserves the right to prevent you from accessing our Business Services, or any of its resources and to terminate, suspend or restrict your Business Account.

4.4 Business may only allow authorized individuals acting on behalf of Business to access and use its Business Account for purposes authorized under these Business Accounts Terms. Business is solely responsible for all activities occurring under its Business Account and therefore shall be bound to: (a) maintain the security of its credentials; (b) prevent unauthorized use of or access to our Business Services; and (c) immediately notify Viber of any unauthorized use of the Business Account or any breach of security with respect to your Business Account. Business will implement and follow generally recognized industry standards and best practices for data and information security to protect Business’ data, network, and systems from unauthorized access, use, or copying. Viber is entitled to monitor your Business Account, Business Profile, at our discretion.

5. SCOPE OF SERVICES; LICENSE GRANT

5.1 As part of the Business Services, Viber allows you to interact directly with your customers, who are Viber users, through one-on-one chat messages, and to promote and provide them with the Business’ goods and services, information, and host all business-related chats in a dedicated folder.

5.2 Subject to your compliance with these Business Accounts Terms, we grant you a limited, revocable, non-exclusive, non-sublicensable, and non-transferable license to use the Business Services. Viber grants you a limited, revocable, non-exclusive, non-sublicensable, and non-transferable license to use the Viber trademarks, solely for promoting your Business Profile and subject to the Viber Brand Guidelines available here.

5.3 Through the Business Services you will be able to create, post, store, send, and receive content, such as text, images, videos, and other materials, including your Business’ trademarks, logos, slogans, and other proprietary materials, and any other information presented on your Business Profile (collectively, “Business Content”). By using the Business Services, you grant Viber and its affiliates, a worldwide, non-exclusive, sub-licensable, and transferable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, and publicly perform or display your Business Content, solely for the purposes of providing, operating, developing, promoting, updating, and improving our Business Services, and researching and developing new services, features, or uses. Except for the Viber License granted to Viber, you retain all ownership and other rights in and to your Business Content.

5.4 Except as specifically granted herein, Viber reserves all rights, title, interest in and to Business Services and all content therein provided by Viber, including images, trademarks, tradenames, patent rights, copyrights, moral rights, rights of publicity, service mark rights, goodwill, trade secret rights, or other intellectual property rights that may exist now or come into existence in the future, whether registrable or not. You may not use Viber’s tradenames and logos or any other intellectual property rights, except if we authorized you, in writing, to do so.

Viber always appreciate feedback or other suggestions concerning our services. You agree that any questions, comments, suggestions, ideas, original or creative materials, or other information about Viber or our products or services that you post, submit, or otherwise communicate to us (collectively “Feedback”) is non-confidential by nature and that we will be entitled to the unrestricted use and dissemination of Feedback for any purpose, commercial or otherwise, without acknowledgment or compensation to you.

5.6 Our Business Services may allow you to access, use, or interact with other websites, apps, content, products and services that are not provided by Viber. For example, through the Business Services you can provide your customers with you Business’ location by using Google Places API. By using the Google Places API you are bound by Google Maps/Google Earth Additional Terms of Service and Google Terms of Service, and your use is subject to Google Privacy Policy. Please note that when you use these other services, their own terms and privacy policies will govern such use of those services. Viber will not be responsible or liable for your use of those services, the third-party’s terms, or any actions you take under the third-party’s terms.

6. RESTRICTIONS OF USE

6.1 Business is solely responsible for its conduct while using our Business Services and it is the Business sole responsibility to comply with all applicable laws and any regulatory requirement imposed while using the Business Services.

6.2 In addition to any other restriction imposed by these Business Accounts Terms, you hereby acknowledge and agree that your use of the Business Services will comply with Viber Acceptable Use Policy.

6.3 Furthermore, you hereby represent and warrant you will not: (a) use our Business Services for personal, family, or household purposes; (b) instigate, engage in, or encourage any harassing, threatening, intimidating, predatory, or stalking conduct, or any other conduct that would be illegal or otherwise inappropriate, such as promoting violent crimes, endangering or exploiting children or others, or coordinating harm; (c) use or attempt to use another user’s account without prior authorization from that user; (d) impersonate or register on behalf of any person or entity or otherwise misrepresent your affiliation with a person or entity, perpetrate fraud, or publish falsehoods or misleading statements; (e) collect information of or about other users in any impermissible or unauthorized manner; (f) use our Business Services other than for their intended purpose or interfere with, disrupt, negatively affect, or inhibit other users; (g) damage, disable, overburden, or impair our Business Services; (h) send, distribute, or post spam, unsolicited electronic communications, chain letters, pyramid schemes, or illegal or impermissible communications; (i) post, upload, or share any content which is unlawful, libelous, defamatory, obscene, pornographic, indecent, lewd, suggestive, harassing, hateful, ethnically or racially offensive, threatening, invasive of privacy or publicity rights, abusive, inflammatory, fraudulent, or is in our sole judgment objectionable; (j) encourage or provide instructions for a criminal offense; (k) distribute any viruses, corrupted data, or other harmful, disruptive, or destructive files or content; (l) bypass, ignore, or circumvent instructions in our robots.txt file or any measures we employ to prevent or limit access to any part of our Business Services, including content-filtering techniques; or (m) expose Viber or others to any type of harm or liability.

6.4 Furthermore, you shall not at any time, directly or indirectly, and shall not permit any third-party on your behalf to: (a) copy, modify, or create derivative works of our Business Services, in whole or in part; (b) rent, lease, lend, assign, sell, license, sublicense, assign, distribute, publish, transfer, or otherwise make available Viber Business Services to a third party without Viber prior written authorization; (c) reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to any software component of the Business Services, in whole or in part; (d) remove any proprietary notices contained in the Business Services; (e) access the Business Services or any content therein for benchmarking purposes; and (f) access the Business Services for any illegal, fraudulent, inappropriate manner, immoral, or unauthorized purpose (including that which would infringe upon the rights of a third party) or that is in breach of applicable law, legislation, rules and regulations, including anti-money laundering laws.

7. BUSINESS CONTENT AND PRODUCTS

7.1 You represent and warrant that you have all rights to your Business Content, and that the Business Content and Viber’s use of it will: (a) comply with the terms of Viber Acceptable Use Policy; and (b) not violate any third-party rights including intellectual property rights and privacy rights.

7.2 You may offer, promote and market your goods or services for sale (“Business Products”). The Business shall ensure that the Business Products comply with the Viber Acceptable Use Policy, applicable laws and these Business Accounts Terms. Viber does not exercise control over Business Products, purchases, returns, delivery of goods or services. The Business is solely responsible for displaying any and all disclosure required, such as but not limited to, age limitation, health disclosures, safety instructions, etc. all as required by law. Viber is not responsible for providing any goods or services and assumes no liability for the Business’ failure to provide the Business Products, or applicable disclaimers or otherwise for any dissatisfaction with the Business Products.

7.3 If you rank your Business Products, or determine an order in which you display the Business’ Products, you shall disclose to end users the factors taking into consideration. For avoidance of doubt, Viber will not rank, compare or rate any of the Business Profiles.

7.4 The Business Services do not offer any payment processing features, to conduct a sale the Business must redirect or instruct the end user how to conduct the payment. You hereby acknowledge and agree that all payment transactions are not operated or processed by Viber and Viber is not liable for payments, refunds, chargebacks, the provisioning (or addition) of cards, or other commercial activity relating to payments made using the Business Services.

7.5 The Business Content and Business’ Products shall: (a) not encourage violence, or any sale or purchase of any type of weapon ,with or without any substantial value, do not threaten to hurt a person or property, do not post any type of violent content, or encourage self-harm; (b) do not encourage or use any violent extremism, terrorism content or hate speech, and do not encourage or allow the exchange of hate or violent goods or services; (c) do not encourage, use or offer any pornographic or child sexual content, goods or services; (d) do not harass or bully anyone; (e) do not send, distribute, or post spam, unsolicited electronic communications, chain letters, pyramid schemes, or illegal.

7.6 Viber will, subject to applicable law, monitor and review all Business Content you share through the Business Account and Business Profile in order to verify your compliance with these Business Accounts Terms, applicable laws and our policies as indicated herein. If we believe, in our sole discretion, that the Business Content is in such breach, we have the right to remove the infringing Business Content, limit your interaction with the Business Account and the Business Services, or terminate your access to the Business Account indefinitely. In the event that we terminate your Business Account, you or anyone on your behalf, will not create another Business Account without our express written permission.

7.7 Viber is not liable for any acts or omissions by the Business. The Viber users may block the Business Profile, mark Business Content, Business Products, marketing materials or messages or report the content as spam, harmful, infringing applicable laws, harassing, violent, and more, or notify us that Business is violating our terms and policies. Viber will then take appropriate action, which could result in Viber’s suspending or terminating your use of our Business Services.

8. TERMINATION

8.1 Viber may modify, suspend, or terminate a Business’ access to or use of our Business Services and these Business Accounts Terms at any time and for any reason, including if we determine, in our sole discretion, that the Business had violated these Business Accounts Terms, receives excessive negative feedback, or creates harm, risk, or possible legal exposure for us, our other users, or others. To the extent permissible and practicable, subject to Viber’s sole discretion, we will endeavor to give you prior notice containing the relevant reasons for termination or suspension.

8.2 Upon termination or suspension: (a) all licenses granted to you herein shall terminate immediately. We will remove your Business Account from Viber, and your Business Content will not be presented any more to other users. However, we will retain certain data associated with your Business Account for a limited period of time, including data you have provided to us or which we have collected from your use of the Business Services as described herein; (b) you must promptly discontinue all use of the Business Services; (c) upon Viber’s written request, you shall delete or return to us, any Viber confidential information; (d) pay any outstanding fees to Viber if applicable; and (e) the provisions herein that by their nature are intended to continue indefinitely will continue to apply.

8.3 Termination for any reason of these Terms shall not derogate from your rights and obligations accrued prior to the effective date of termination and shall not limit Viber from pursuing other available remedies.

9. CONFIDENTIALITY

9.1 Viber communications with you pursuant with the Business Services may contain Viber confidential information. Viber confidential information includes any materials, communications, and information that would usually be considered confidential under the applicable circumstances. If you receive any such information, you will not disclose it to any third party without Viber’s prior written consent. Viber confidential information does not include information that you independently developed, that was rightfully given to you by a third party without confidentiality obligation, or that becomes public through no fault of your own. You may disclose Viber confidential information when compelled to do so by law, provided you provide us reasonable prior notice and cooperate with us in order to minimize any harm that might be caused to Viber.

10. DATA PROTECTION

10.1 We make no representations or warranties that our Business Services meet the needs of entities regulated by laws and regulations with heightened confidentiality or security requirements for Personal Data, Personal Information, Financial Information, information on children or Personal Health Information (as such terms are defined under applicable federal law, state law, union law, regulation or directive and shall be defined herein as “Personal Data” for the purpose of these Business Accounts Terms). The Business must provide all necessary data disclosures and notices, including by maintaining a privacy policy or labelling marketing messages. The Business must also secure all necessary rights, consents, and permissions to process, share and transfer end users’ information. Viber is not and will not be held liable for breach by Business of any applicable laws.

10.2 You understand and agree that Viber collects, stores, and uses: (a) information from your Business Account and registration; (b) usage, log, and functional information generated from your use of our Business Services; (c) performance, diagnostics, and analytics information; and (d) information related to your technical or other support requests, all subject to and in accordance with the Viber Privacy Policy.

10.3 The Business understands and agrees that the transfer and processing of information that Viber collects, stores, and uses under these Business Terms, are transferred to other countries globally where we have or use facilities, service providers, or partners, regardless of where you use our Business Services. You acknowledge that the laws, regulations, and standards of the country in which your information is stored or processed may be different from those of your own country. For more information, please see the Viber Privacy Policy under “International Data Transfers” Section.

10.4 As part of the Business Services, Viber and the Business will process certain Personal Data of Viber users (“Collected Data”). The Business and Viber are each an independent controller, business, or other equivalent term (as defined under data protection regulations) of the Collected Data. Except as otherwise stated herein the Business Accounts Terms, each party hereby undertakes to independently comply with any applicable data protections and security law, regulations, either state, federal, union, or directive, and industry best standards. Each party agrees that it shall process the Collected Data that it collects only for the purposes permitted by this Agreement and applicable data protection Law.

10.5 Where required by law, the transfer of the Collected Data will be governed by the EU Standard Contractual Clauses, UK Standard Contractual Clauses and Swiss Standard Contractual Clauses. As between Viber and the Business, the Module I of the EU Standard Contractual Clauses, as may be updated from time to time, shall apply, including the Standard Contractual Clauses Annexes as attached herein, including respective specification regarding the UK Standard Contractual Clauses and Swiss Standard Contractual Clauses.

11. AVAILABILITY, SUPPORT AND COMPLAINTS

11.1 Viber Business Services may be interrupted, including for maintenance, repairs, upgrades, or network or equipment failures. Events beyond our control may affect our Business Services, such as events in nature and other force majeure events. If you require support, please contact Viber Support through our Contact Us Form. Depending on your interaction with us, you may be assigned an account manager that can assist in need of technical support and customer service issues.

11.2 Further, you may contact us at: dsa@viber.com regarding any suspension and termination of your Account or the Business Services, or any alleged breach by Viber of the Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (“Digital Services Act”).

11.3 We will acknowledge all complaints and follow-up with you to address your complaint within a reasonable timeframe. We will communicate the outcome of our complaint investigation to you if you have provided us with your valid email address.

12. DISCLAIMER; LIMITATION OF LIABILITY

12.1 BUSINESS USES OUR BUSINESS SERVICES AT ITS OWN RISK AND SUBJECT TO THE FOLLOWING DISCLAIMERS. UNLESS PROHIBITED BY APPLICABLE LAW, VIBER PROVIDES THE BUSINESS SERVICES ON AN “AS IS” AND “AS-AVAILABLE” BASIS WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND FREEDOM FROM COMPUTER VIRUS OR OTHER HARMFUL CODE. WE DO NOT WARRANT THAT ANY INFORMATION PROVIDED BY US IS ACCURATE, COMPLETE, OR USEFUL; THAT THE BUSINESS SERVICES OR ANY OTHER SERVICES WILL BE OPERATIONAL, ERROR FREE, SECURE, SAFE OR WILL FUNCTION WITHOUT DISRUPTIONS, DELAYS, OR IMPERFECTIONS. WE ARE NOT RESPONSIBLE FOR THE ACTIONS OR INFORMATION (INCLUDING BUSINESS CONTENT) MADE BY THE BUSINESS OR BY OTHER THIRD PARTIES.

12.2 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, VIBER WILL NOT BE HELD LIABLE TO BUSINESS FOR ANY LOST OF PROFITS OR CONSEQUENTIAL, SPECIAL, PUNITIVE, INDIRECT, OR INCIDENTAL DAMAGES RELATING TO, ARISING OUT OF, OR IN ANY WAY IN CONNECTION WITH THESE BUSINESS ACCOUNTS TERMS, OUR ACTIONS OR INACTIONS, OR OUR BUSINESS SERVICES, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. OUR AGGREGATE LIABILITY RELATING TO, ARISING OUT OF, OR IN ANY WAY IN CONNECTION WITH THESE BUSINESS ACCOUNTS TERMS, OUR ACTIONS OR INACTIONS, OR OUR BUSINESS SERVICES WILL NOT EXCEED THE GREATER OF ONE HUNDRED DOLLARS ($100) OR THE AMOUNT BUSINESS HAS PAID US IN THE PAST TWELVE MONTHS TO USE OUR BUSINESS SERVICES.

13. INDEMNIFICATION

13.1 Business agrees to defend, indemnify, and hold harmless Viber and its directors, officers, employees, affiliates, and agents, from and against any and all liabilities, damages, losses, and expenses of any kind (including reasonable legal fees) relating to, arising out of, or in any way in connection with any of the following (“Claim”): (a) Business’s access to or use of our Business Services, including the Business’ provision the Business Products; (b) Business’ breach or alleged breach of these Business Accounts Terms or applicable law; (c) business breach of any third party’s rights, including intellectual property rights and privacy rights, while interacting with the Business Services including through the use of the Business Content; and (d) any misrepresentation made by the Business. Viber has the right to solely control in the defense or a settlement of such Claim, and the Business will fully cooperate with Viber in this regard.

14. MISCELLANEOUS

14.1 Viber Business Services are not intended for distribution to or use in any country where such distribution or use would violate local law. We reserve the right to limit our Business Services in any country and at any time, to the extent permissible by applicable law. Business shall comply with all applicable U.S. and non-U.S. export control and trade sanctions laws (“Export Laws”). Business will not, directly or indirectly, export, re-export, provide, or otherwise transfer our Business Services: (a) to any individual, entity, or country prohibited by Export Laws; (b) to any individual or entity, or anyone owned or controlled by any individual or entity, on U.S. or non-U.S. government restricted parties lists; or (c) for any purpose prohibited by Export Laws, including nuclear, chemical, or biological weapons, or missile technology applications, without the required government authorizations. Furthermore, Business shall not use our Business Services: (a) if it is located, or owned or controlled by anyone located in a restricted country, including in any territory which is the target for sanctions imposed by the US government, the European Union, Her Majesty’s Treasury of the United Kingdom, or other relevant sanctions authority, such as Cuba, Iran, North Korea, Sudan, and Syria; (b) if it is currently listed, or owned or controlled by anyone listed, on any U.S. or non-U.S. restricted parties list; (c) for the benefit or on behalf of a restricted country or anyone listed on any U.S. or non-U.S. restricted parties list; or (d) for any purpose prohibited by Export Laws. Business will not disguise its location through IP proxying or other methods.

14.2 The laws of England and Wales govern these Business Accounts Terms and any disputes that may arise, without regard to conflict of law provisions. Any dispute will be resolved exclusively by the courts of England and Wales.

14.3 You may not assign or transfer any of your rights or delegate your duties under the Business Accounts Terms, without the prior written authorization from Viber.

14.4 If any provision of these Business Accounts Terms is deemed unlawful, void, or for any reason unenforceable, then that provision shall be deemed severable from these Business Accounts Terms and shall not affect the validity and enforceability of the remaining provisions.

14.5 Failure to enforce any of Viber rights herein shall not be considered as a waiver of such right.

 

Annexes to the EU Standard Contractual Clauses referred in Section 10

Annex I

(Controller to Controller)

A. LIST OF PARTIES

Where Viber shares the categories of Collected Data listed below with the Business, Viber acts as the Data Exporter and Business acts as the Data Importer.

B. DESCRIPTION OF PROCESSING AND TRANSFER

Categories of data subjects whose personal data is processed or transferred:

Viber users interacting with the Business’ Profile.

Categories of personal data processed or transferred:

Viber will share certain data sets of the Collected Data with the Business, which include profile photo of the user (if it exists) and the user’s profile name.

Sensitive data processed or transferred:

N/A

The frequency of the processing or transfer (e.g., whether the data is transferred on a one-off or continuous basis):

Continuous basis

Nature of the processing or transfer:

Collection, storage, organization, communication, transfer, host and other uses in performance of the Business Services as set out in these Business Accounts Terms.

Purpose(s) of the data transfer and further processing:

Provide the Business Services.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

As long as required by applicable laws or to provide the Business Services.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

C. COMPETENT SUPERVISORY AUTHORITY

The National Commission for Data Protection of the Grand-Duchy of Luxembourg (“CNPD”).

Furthermore, Viber and Business agree that the following terms regarding the transfer of Collected Data shall apply:

  1. In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
  2. In Clause 18(b) the parties choose the courts of the Luxembourg, as their choice of forum and jurisdiction.

 

UK Standard Contractual Clauses specifications:

  1. The parties agree that the terms of the EU Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and detailed herein below, are hereby incorporated by reference and shall apply to the transfer of Collected Data from the UK as required by law.
  2. Terms used herein below that are defined herein, shall have the same meaning as in the EU Standard Contractual Clauses.
  3. the terms herein below shall (i) be read and interpreted in the light of the provisions of the applicable UK data protection laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in the applicable UK data protection laws.
  4. Amendments to the UK Standard Contractual Clauses:

a) Part 1: Tables

b) Table 1 Parties: shall be completed as set forth above.

c) Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth above.

d) Table 3 Appendix Information:

  • Annex 1A: List of Parties: shall be completed as set forth in this Annex I above.
  • Annex 1B: Description of Transfer: shall be completed as set forth in this Annex I above.
  • Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth under Annex II below.

e) Table 4 ending this Addendum when the Approved Addendum Changes: shall be completed as “Importer” & “Exporter”.

Swiss Standard Contractual Clauses specifications:

The parties agree that the terms of the Swiss Standard Contractual Clauses as detailed herein below, supplements the EU Standard Contractual Clauses’ and the UK Standard Contractual Clauses’ provisions, and applies for the transfer of Collected Data from Swiss as required by applicable Swiss data protection laws, and specifically the Swiss Federal Data Protection Act (‘FDPA’):

  1. The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
  2. The applicable clauses in these Business Accounts Terms including the Annexes, protect the Collected Data of legal entities until the entry into force of the Revised Swiss FDPA.
  3. Any obligation under the EU Standard Contractual Clauses shall refer to a respective obligation under the Swiss Standard Contractual Clauses and applicable Swiss data protection laws and regulations, as applicable.
  4. The competent supervisory authority is the Swiss Federal Data Protection Information Commissioner.

 

 

Annex II

Technical and Organizational Security Measures

This Annex II summarizes the technical, organizational, and physical security measures implemented by the parties:

The Business shall comply with the following:

Business undertakes to implement, maintain, and continuously control and update appropriate technical and organizational security measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. These include:

  1. Preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used (physical access control); in particular, by taking the following measures:
  • Controlled access for critical or sensitive areas
  • Video monitoring in critical areas
  • Incident logs
  • Implementation of single-entry access control systems,
  • Automated systems of access control,
  • Permanent door and windows locking mechanisms,
  • Key management
  • Permanently staffed reception
  • Code locks on doors
  • Monitoring facilities (e.g., alarm device, video surveillance)
  • Logging of visitors
  • Compulsory wearing of ID cards
  • Security awareness training.
  1. Preventing data processing systems from being used without authorization (logical access control); in particular, by taking the following measures:
  • Network devices such as intrusion detection systems, routers, and firewalls
  • Secure log-in with unique user-ID, password, and a second factor for authentication (OTP, MFA, 2FA).
  • Policy mandates locking of unattended workstations. Screensaver password is implemented such that if the user forgets to lock the workstation, automatic locking is ensured.
  • Logging and analysis of system usage
  • Role-based access for critical systems containing personal data
  • Process for routine system updates for known vulnerabilities
  • Encryption of laptop hard drives
  • Monitoring for security vulnerabilities on critical systems
  • Deployment and updating of antivirus software
  • individual allocation of user rights, authentication by password and username, use of smartcards for login, minimum requirements for passwords, password management, password request after inactivity, password protection for BIOS, blocking of external ports (such as USB ports), encryption of data, virus protection and use of firewalls, intrusion detection systems.
  1. Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorization (access control to data); in particular, by taking the following measures:
  • Network devices such as intrusion detection systems, routers, and firewalls
  • Secure log-in with unique user-ID, password, and a second factor for authentication (OTP, MFA, 2FA).
  • Logging and analysis of system usage
  • Role-based access for critical systems containing personal data
  • Encryption of laptop hard drives
  • Deployment and updating of antivirus software
  • Compliance with Payment Card Industry Data Security Standard
  • Definition and management of role-based authorization concept, access to personal data only on a need-to-know basis, general access rights only for a limited number of admins, access logging and controls, encryption of data, intrusion detection systems, secured storage of data carriers, secure data lines, distribution boxes, and sockets.
  1. Ensuring that personal data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport or storage and that it is possible to verify and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (data transfer control); in particular, by taking the following measures:
  • Encryption of communication, tunneling (VPN = Virtual Private Network), firewall, secure transport containers in case of physical transport, encryption of laptops.
  1. Ensuring that it is possible retrospectively to examine and establish whether and by whom personal data have been inserted into data processing systems, modified or removed (entry control); in particular, by taking the following measures:
  • Logging and analysis of system usage
  • Role-based access for critical systems containing personal data
  • Logging and reporting systems, individual allocation, of user rights to enter, modify or remove based on role-based authorization concept.
  1. Ensuring that personal data processed on the basis of a commissioned processing of personal data are processed solely in accordance with the directions of the data exporter (job control); in particular, by taking the following measures:
  • Mandatory security and privacy awareness training for all employees
  • Employee hiring procedures which require the completion of a detailed application form for key employees with access to significant personal data.
  • Periodic audits are conducted.
  • Implementation of processes that ensure that personal data is only processed as instructed by the data exporter, covering any sub-processors, including diligently selecting the appropriate personnel and service providers and monitoring of contract performance, entering into appropriate data processing agreements with sub-processors, which include appropriate technical and organizational security measures.
  1. Ensuring that personal data are protected against accidental destruction or loss (availability control); in particular, by taking the following measures:
  • Backup procedures and recovery systems, redundant servers in a separate location, mirroring of hard disks, uninterruptible power supply, and auxiliary power unit, remote storage, climate monitoring and control for servers, fire-resistant doors, fire, and smoke detection, fire extinguishing system, anti-virus/firewall systems, malware protection, disaster recovery, and emergency plan.
  1. Ensuring that data collected for different purposes or different principles can be processed separately (separation control); in particular, by taking the following measures:
  • Internal client concept and technical logical client data segregation, development of a role-based authorization concept, separation of test data and live data.