This Data Processing Agreement (DPA) forms part of the Gloam Terms of Service and applies where a customer acts as a controller (or, in rare cases, a processor) of personal data processed through Gloam in the course of their business, and where the GDPR requires a written data processing agreement between the parties.
Personal customers using Gloam for household viewing do not need a signed DPA. The agreement below is offered to business customers and is available on request as a signed counterpart.
This DPA is an annex to the main Terms of Service. It supplements but does not replace them. Where this DPA and the Terms conflict on data protection matters, this DPA prevails.
Subject matter: the provision of the Gloam live television streaming service to the customer.
Duration: for the term of the customer’s subscription, ending when the underlying Terms of Service terminate.
Nature and purpose: the processing of personal data necessary to deliver the service, including authentication, viewing session logging, billing, and support.
Type of personal data: account identifiers (email, hashed password, name), viewing session logs, device type, and payment tokens held by our payment processor on our behalf.
Categories of data subjects: the customer’s end users (household members named on the account), and the customer’s own staff where contact details are supplied for billing or support.
The customer is the data controller. Gloam Limited is the data processor. We process personal data on the customer’s documented instructions only, which are given by the customer’s use of the service and any configuration made in the dashboard.
Gloam processes personal data only on the customer’s documented instructions, including with regard to transfers of personal data to a third country, unless required to disclose by a law to which we are subject. In that case we inform the customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
We ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
We take all measures required under Article 32 of the GDPR (security of processing). The technical and organisational measures in force are described in the security documentation, available on request.
We respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor. The current list of sub-processors is published at /legal/sub-processors and is updated with at least thirty days’ notice before a new sub-processor is engaged.
We assist the controller, insofar as this is possible, in fulfilling the controller’s obligations to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR.
We assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessment, and prior consultation), taking into account the nature of processing and the information available to us.
At the controller’s choice, we delete or return all the personal data after the end of the provision of services relating to processing, and delete existing copies, unless law requires storage of the personal data.
We make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
The customer grants general written authorisation for Gloam to engage the sub-processors listed at /legal/sub-processors. Gloam will notify the customer of any intended changes concerning the addition or replacement of sub-processors, giving the customer the opportunity to object to such changes before they take effect.
Notice of a change will be sent by email to the address on the account at least thirty days before the new sub-processor begins processing. The notice will include the identity of the sub-processor, the location of processing, the processing activities, and the security guarantees in place.
If the customer objects to a planned sub-processor within the notice period, Gloam will make reasonable efforts to accommodate the objection, for example by routing the customer’s data away from the new sub-processor or offering an alternative configuration.
If no workaround is feasible, the customer may terminate the affected services without penalty. Gloam will provide a pro-rata refund for the unused portion of the subscription. The customer’s termination right under this paragraph is in addition to, and does not affect, any other rights the customer may have under the Terms of Service or applicable law.
Where a sub-processor fails to fulfil its data protection obligations, Gloam remains fully liable to the controller for the performance of that sub-processor’s obligations (Article 28(4)).
Personal data may be transferred outside the European Economic Area only on the basis of an adequacy decision under Article 45 of the GDPR (including the EU-U.S. Data Privacy Framework for certified providers), or appropriate safeguards under Article 46, including Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914).
The current list of transfer mechanisms for each sub-processor is available on request from privacy@gloam.tv.
The controller may audit Gloam’s compliance with this DPA once per calendar year, on at least thirty days’ written notice, during business hours, and in a manner that does not interfere with Gloam’s operations or breach the confidentiality of other customers’ data.
Gloam maintains records of processing activities carried out on the controller’s behalf and makes them available on reasonable request.
Where an audit reveals a deficiency, Gloam will remedy it within a reasonable timeframe agreed with the controller, taking into account the severity of the deficiency.
Gloam will notify the controller without undue delay after becoming aware of a personal data breach affecting the controller’s data. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
This notification supports the controller’s obligation under Article 33 to notify the supervisory authority within 72 hours of becoming aware of a breach.
This DPA terminates automatically when the underlying Terms of Service between the parties terminate, at which point the deletion and return obligations in the processor obligations section take effect.
Any breach of this DPA by either party shall be treated as a material breach of the Terms of Service.