Data Processing Addendum
Last Updated: March 17, 2021
This Data Processing Addendum (this “DPA”) is an addendum to, and forms part of, a Customer Agreement that governs your access to and use of the ManageXR Platform and related Services made available by Mighty Immersion.
Capitalized terms used in this DPA have the meaning set forth herein or have the respective meanings provided in your Customer Agreement. In the event of any direct conflicts between the terms of your Customer Agreement and the terms of the DPA, the terms of this DPA shall control. This DPA shall be effective contemporaneously with your agreement to and acceptance of your Customer Agreement and shall terminate automatically upon the expiration or termination of your Customer Agreement.
While our Services are not designed to collect significant levels of Personal Information, Mighty Immersion does require certain Personal Information from Authorized Users (e.g. name, email address, etc.) in order to register those Authorized Users with the Services and to facilitate their ongoing use of the Services. This DPA applies to that Authorized User Personal Information that Mighty Immersion accesses or receives during the course of performing the Services. With the exception of Personal Information from Authorized Users, please note that Mighty Immersion does not collect any other Personal Information during the course of performing the Services and Customer is not authorized to use the Services to process or store any Personal Information under the Customer Agreement.
The Parties hereby agree as follows:
- Definitions. For purposes of this DPA, the following terms shall have the following meanings:
- “Mighty Immersion”, “Company”, “us”, “we” or similar terms means Mighty Immersion, Inc.
- “Customer Agreement” means the ManageXR Terms of Service or another written contract mutually agreed to between Mighty Immersion and Customer that incorporates this DPA by reference.
- “Data Protection Laws” means (a) the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any applicable laws and/or regulations that implement and/or exercise derogations under it and/or replace or supersede it (including as it forms part of retained EU law as defined in the European Union (Withdrawal) Act 2018) (“GDPR”); (b) all applicable data protection and privacy legislation in force from time to time in the UK including (without limitation) the Data Protection Act 2018; (c) any other European legislation relating to personal data and all other European legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data; (d) the California Consumer Privacy Act of 2018 (Cal. Civ. Code 1798.100 – 1798.199) (“CCPA”) and other data protection or privacy laws applicable to personal information or personal data in the United States; and (e) each of the aforementioned as amended or updated from time to time.
- “European Economic Area” or “EEA” means the Member States of the European Union together with Switzerland, Iceland, Norway, and Liechtenstein.
- “Personal Information” means (i) the Personal Information (as defined in your Customer Agreement) processed by Mighty Immersion on Customer’s behalf in the course of providing the Services to Customer, and (ii) any other data or information that is considered “personal data” as defined by GDPR, “personal information” as defined by CCPA, and other similar terms as defined by applicable Data Protection Laws to the extent that such information is processed by Mighty Immersion on Customer’s behalf in the course of providing the Services to Customer. Personal Information that is subject to GDPR includes the Personal Information described in Exhibit 1.
- The terms “controller”, “data protection impact assessment”, “data subject”, “personal data”, “personal data breach”, “processor”, “processing”, “service provider” and “supervisory authority” shall be as defined under relevant Data Protection Laws.
- Processing of Personal Information.
- General. Mighty Immersion shall comply with its obligations under applicable Data Protection Laws when processing Personal Information. The subject-matter of such processing is providing and making available our ManageXR Platform and related Services to Customer and such processing will continue until Customer’s Customer Agreement terminates or expires. Exhibit 1 attached hereto sets out the nature and purpose of the processing, the types of Personal Information we process and the data subjects whose Personal Information is processed.
- Roles of the Parties. Mighty Immersion and Customer acknowledge that the status of each Party is a question of fact determined under applicable Data Protection Laws. Without limiting the foregoing, Mighty Immersion and Customer agree that in relation to the Personal Information processed under this Agreement, for purposes of the CCPA, Mighty Immersion is a “service provider” and may collect, retain, access, maintain, use, disclose, process and transfer the Personal Information of its Customer and their Authorized Users solely for the purpose of performing the Services, and for no other commercial purpose. For purposes of the CCPA, Customer is a “business”. In such capacity, Customer is primarily responsible for determining the processes and means by which their Personal Information is processed, and for ensuring their processing of Personal Information is compliant with all relevant Data Protection Laws, including the CCPA. For purposes of GDPR, the Parties acknowledge and agree that Mighty Immersion acts as a “Processor” and the Customer act as a “Controller.”
- Data Processing, Transfers and Sales. Each Customer hereby instructs Mighty Immersion to retain, use, disclose and otherwise process the Personal Information of its Authorized Users for the following purposes, and each Customer shall provide the Personal Information to Mighty Immersion only for the following purposes, and Mighty Immersion shall only retain, use, disclose or otherwise process the Personal Information of Authorized Users for the following purposes:
- to provide the Services to the Customer in accordance with the Customer Agreement;
- as otherwise set out in the Customer Agreement and this DPA; and/or
- as otherwise instructed in writing by the Customer to Mighty Immersion, which Mighty Immersion acknowledges to be instructions for the purposes of this DPA, unless a different manner of processing is required pursuant to any other applicable law to which Mighty Immersion is subject, in which case Mighty Immersion shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before processing that particular Personal Information.
- Final Agreement. The Customer Agreement and this DPA shall be and are the Customer’s complete and final instructions to Mighty Immersion in relation to the processing of the Personal Information. Processing outside the scope of this DPA and the Customer Agreement will require prior written agreement between Customer and Mighty Immersion on additional instructions for such processing. If we reasonably believe any instruction Customer has provided with respect to the processing of Personal Information violates applicable Data Protection Laws, we shall notify Customer.
- Limited Use. Mighty Immersion shall not retain, use, disclose or otherwise process Personal Information for any purpose other than for the specific purposes identified above, in the Customer Agreement or as otherwise permitted or required by applicable Data Protection Laws or otherwise pre-approved by Customer in writing. Mighty Immersion does not “sell” (as defined by applicable Data Protection Laws) Personal Information of Authorized Users, which means that Mighty Immersion does not and shall not rent, disclose, transfer, make available or otherwise communicate Personal Information of Customer to any third party for monetary or other valuable consideration. In other words, neither Mighty Immersion, nor any of its nor any of its employees, agents, consultants or assigns shall have any right to process any of Customer’s Personal Information for their own commercial benefit in any form.
- Aggregated or Anonymized Information. Mighty Immersion may collect, use, retain, access, share, transfer, sell, or disclose information that (i) has been deidentified, anonymized or aggregated consistent with the terms and conditions of applicable Data Protection Laws or (ii) any information that is not Personal Information consistent with the terms of the Customer Agreement. Among other things, this means that Mighty Immersion may share aggregated and/or anonymized information regarding the use or results of the Services with third parties to assist with developing and improving the Services or to third parties for commercial purposes. Without limiting the above, this DPA does not apply to any data related to a Customer’s and its Authorized User’s use of the Services unless it is Personal Information (e.g. this does not apply to Platform analytics, activity logs, use patterns, etc.).
- Certification. Mighty Immersion hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.
- Required Consents. As the data Controller or business under applicable Data Protection Laws, please note that Customer is responsible for obtaining all necessary consents, and giving all necessary notices, to its Authorized Users related to Mighty Immersion’s processing of Personal Information in connection with the Services, including any consents or notices required by this DPA or your applicable Customer Agreement. With this in mind, Customer hereby warrants and represents that: (a) it has provided all applicable notices to its Authorized Users required for the lawful processing of their Personal Information by Mighty Immersion in accordance with the Customer Agreement and this DPA; and (b) in respect of any Personal Information collected or processed by Mighty Immersion on behalf of the Customer, it has obtained all necessary consents and rights for the lawful processing of that Personal Information by Mighty Immersion in accordance with the Customer Agreement and this DPA.
- Assistance. Where applicable, taking into account the nature of the processing, and to the extent required under applicable Data Protection Laws, Mighty Immersion shall provide the Customer with any information or assistance reasonably requested or required by the Customer for the purpose of complying with any of the Customer’s obligations under applicable Data Protection Laws, including: (i) using reasonable efforts to assist the Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfillment of Customer’s obligation to respond to requests by Authorized Users to exercise rights laid provided by applicable Data Protection Laws, including providing reasonable documentation, product functionality and/or processes to assist Customer in retrieving, deleting or restricting Personal Information; and (ii) providing reasonable assistance to the Customer with any data protection impact assessments and responding to or assisting with any requests from or consultations to any governmental, regulatory or supervisory authorities relevant to Customer, in each case solely in relation to processing of the Personal Data and taking into account the information available to Mighty Immersion.
- Access Requests. If Mighty Immersion receives a request submitted by an Authorized User to exercise a right it has under any Data Protection Laws in relation to that Authorized User’s Personal Information, it will provide a copy of the request to the Customer. The Customer will be responsible for handling and communicating with the Authorized User in relation to such requests and, to the extent permitted by applicable law, Mighty Immersion shall not respond to the Authorized User.
- Government Requests. Mighty Immersion shall notify Customer of any request for the disclosure of Personal Information by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
- Audits. Provided that Customer has or does enter into a non-disclosure agreement acceptable to Mighty Immersion, Mighty Immersion shall (i) allow Customer and its authorized representatives who are reasonably acceptable to Mighty Immersion (who have also signed a non-disclosure agreement acceptable to Mighty Immersion) to access and review any Mighty Immersion documentation, certifications or other reports or files reasonably required to ensure compliance with the terms of this DPA; or (ii) where required by Data Protection Law or the Standard Contractual Clauses (and in accordance with this Section), allow Customer and its authorized representatives who are reasonably acceptable to Mighty Immersion (who have also signed a non-disclosure agreement acceptable to Mighty Immersion) to conduct reasonable audits (including inspections) during the term of the Customer Agreement to ensure compliance with the terms of this DPA.
Notwithstanding the foregoing, any audit must be conducted during our regular business hours, with reasonable advance notice to us (at least 20 business days) and subject to reasonable confidentiality procedures. The scope of any audit shall not require us to disclose to Customer or its authorized representatives, or to allow Customer or its authorized representatives to access: (1) any data or information of any other Mighty Immersion customer; (2) any Mighty Immersion internal accounting or financial information; (3) any Mighty Immersion trade secret; (4) any information that, in our reasonable opinion could: (a) compromise the security of our systems or premises; or (b) cause us to breach our obligations under Data Protection Law or our security, confidentiality and or privacy obligations to any other Mighty Immersion customer or any third party; or (5) any information that Customer or its authorized representatives seek to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Laws and our compliance with the terms of this DPA.
In addition, audits shall be limited to once per year, unless (x) we have experienced a security breach within the prior twelve (12) months which has impacted Customer Personal Information; or (y) an audit reveals a material noncompliance. If we decline or are unable to follow your instructions regarding audits permitted under this Section (or the Standard Contractual Clauses, where applicable), Customer may terminate this Addendum and the Customer Agreement for convenience.
- International Transfers. Mighty Immersion is located in the USA. Therefore, any Personal Information we collect will be collected and stored in the USA. For Authorized Users that are in the EU, EEA, Switzerland or UK, this means that their Personal Information will be stored in a jurisdiction that offers a level of protection that may, in certain instances, be less protective of their Personal Information than the jurisdiction the Authorized User is typically resident in. Notwithstanding the foregoing, please note that Mighty Immersion adheres to the Standard Contractual Clauses and other applicable requirements when handling Personal Information of a Customer. For this purpose, “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Information from controllers in the EU to data processors established outside the EU or EEA issued by the European Commission under decision 2010/87/EU attached hereto as Exhibit 2. It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, in the event of any conflict or inconsistency between the provisions of the Customer Agreement (including this DPA) and the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail to the extent of such conflict.
- Subprocessors. Mighty Immersion may from time to time use certain subcontractors (i.e., subprocessors) in connection with providing the Services (“Subprocessors”). See our Subprocessor List for more information regarding the specific Subprocessors we use. For the avoidance of doubt, Customer hereby approves all applicable Subprocessors identified on our Subprocessor List to the extent applicable to the Services received by Customer. We may update our Subprocessor List from time to time and we recommend for each Customer to periodically review the Subprocessor List. By continuing to use our Services after any changes or modifications are made to the Subprocessor List, Customer is deemed to have automatically accepted the updated Subprocessor List. If a Customer (acting reasonably) does not approve of any new Subprocessor added to such list, they should (i) contact us at firstname.lastname@example.org so we can discuss the basis for the Customer’s disapproval and possible alternative Subprocessors, or (ii) object within forty-five (45) days by terminating the Customer Agreement for convenience.
Our Subprocessors may have access to Personal Information of Authorized Users to the extent that Mighty Immersion actually receives or collects any such information. Please know that Mighty Immersion carefully selects its Subprocessors based on their security practices and availability levels and we perform due diligence on the technical and organizational security measures of all Subprocessors. We have entered into agreements with each Subprocessor which impose in all material respects the same obligations on the Subprocessor with regard to their processing of Personal Information as are imposed on Mighty Immersion under this DPA and any Customer Agreements and which, as applicable, otherwise comply with the requirements of the Data Protection Laws. Mighty Immersion is responsible for the acts and omissions of Subprocessors in relation to Mighty Immersion’s obligations under this DPA and any Customer Agreements
With respect to all Subprocessors having access to Personal Information of Authorized Users that are in the EU, EEA, Switzerland or UK: Customer acknowledges that in order for Mighty Immersion to provide the Services it may be necessary for certain Subprocessors to access or otherwise process the Personal Information outside the EEA, Switzerland or United Kingdom. In those circumstances, Customer will only use Subprocessors that have and maintain certification to the EU-U.S. Privacy Shield (or a successor thereto or comparable privacy shield under other Data Protection Laws) or that comply with the Standard Contractual Clauses or other applicable requirements of the Data Protection Laws.
- Data Retention and Deletion. If a Customer wishes to delete any Personal Information processed by the Service, the Customer should send a deletion request to email@example.com. Mighty Immersion will strive to respond to all such requests as soon as reasonably practical. If a Customer ceases to subscribe to and use the Services, or Mighty Immersion permanently discontinues or terminates a Customer’s access to the Services, Mighty Immersion will handle all of that Customer’s Personal Information as follows:
- Subject to subsections (b) and (c) below, Mighty Immersion shall, to the greatest extent reasonably possible, within ninety (90) days of the date of termination of the Customer Agreement: (1) upon the written request of Customer, return a complete copy of all Personal Information by secure file transfer in such reasonable format as notified by Customer to Mighty Immersion; and (2) delete and use reasonable efforts to procure the deletion of all other copies of Personal Information processed by Mighty Immersion or any Subprocessors.
- Subject to subsection (c) below, Customer may in its absolute discretion notify Mighty Immersion in writing within thirty (30) days of the date of termination of the Customer Agreement to require Mighty Immersion to delete and procure the deletion of all copies of the Personal Information processed by Mighty Immersion. In such case, Mighty Immersion shall, to the greatest extent reasonably possible, within ninety (90) days of the date of termination of the Customer Agreement: (1) comply with any such written request; and (2) use reasonable efforts to procure that its Subprocessors delete all Personal Information processed by such Subprocessors.
- Notwithstanding the foregoing, Customer acknowledges that it may be impossible to completely delete certain residual Personal Information. Additionally, Mighty Immersion and its Subprocessors may retain Personal Information to the extent required by and only to the extent and for such period as required by applicable laws and always provided that Mighty Immersion shall ensure the confidentiality of all such Personal Information and shall ensure that such Personal Information is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose. To the extent permitted by applicable Data Protection Laws, Mighty Immersion may deidentify/anonymize or aggregate the Personal Information and may continue to collect, use, retain, access, share, transfer, sell or disclose such deidentified/anonymized or aggregated information following the termination of the Customer Agreement consistent with the terms and conditions of applicable Data Protection Laws.
- Data Security Measures. Mighty Immersion shall utilize industry standard practices on information security management to safeguard sensitive information (such as Personal Information), including the measures set out in Exhibit 3. Our information security systems apply to people, processes and information technology systems on a risk management basis. Without limiting the foregoing, Mighty Immersion shall treat Personal Information as the Confidential Information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of such data and information. Upon request by the Customer, but no more frequently than once per calendar year (or more frequently if circumstances reasonably require) and only upon ten business days prior written notice, Mighty Immersion shall make available information reasonably necessary to demonstrate compliance with this DPA. Customer has assessed the security measures offered by Mighty Immersion to meet the standards required by applicable Data Protection Laws as at the effective date hereof.
If Mighty Immersion becomes aware of a security incident involving a Customer’s Personal Information, Mighty Immersion will (a) notify the Customer of the security incident within 72 hours, (b) investigate the security incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the security incident, and (c) take steps to remedy any non-compliance with this DPA. Notwithstanding the foregoing, because no method of transmission over the Internet, or method of electronic storage, is 100% secure, Mighty Immersion cannot guarantee that unauthorized parties will not gain access to Personal Information processed by the Services. To the extent permitted by applicable law, Mighty Immersion expressly excludes any liability arising from any unauthorized access to Personal Information.
- Affiliates. Depending on the terms of your Customer Agreement, we may in certain circumstances collect, receive or otherwise process Personal Information in connection with use of the Services by a Customer’s affiliates. In such cases, the Customer will act as a single point of contact for its affiliates with respect to compliance with applicable Data Protection Laws, such that if Mighty Immersion gives notice to the Customer, such information or notice will be deemed received by the Customer’s affiliates. Customer shall be responsible for such affiliates’ compliance with this DPA and all acts and/or omissions by a Customer affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer. The Parties acknowledge and agree that any claims in connection with this DPA (or applicable Data Protection Laws) will be brought by the Customer, whether acting for itself or on behalf of an affiliate.
- Customer Agreements. Customer agrees that it: (i) will comply with its obligations under all applicable Data Protection Laws and related laws with respect to its processing and handling of Personal Information; (ii) will make appropriate use of the Services to ensure a level of security appropriate to the particular content of the Customer Personal Information, such as pseudonymizing or backing-up Customer personal information; (iii) has obtained all consents, permissions and rights necessary applicable Data Protection Laws and related laws for Mighty Immersion to lawfully process Customer’s Personal Information for the purposes, including, without limitation, Customer’s sharing and/or receiving of Customer Personal Information with third-parties via the Services; and (iv) unless the Parties have agreed otherwise in an Order, Customer shall only provide, deliver or otherwise make available to Mighty Immersion Personal Information to the extent required for the Customer’s Authorized Users to access and receive the Services and shall not provide, deliver or otherwise make available to Mighty Immersion any other Personal Information for any other purpose.
- Limitation of Liability. Mighty Immersion’s aggregate liability to a Customer arising from or related to this DPA is subject to the applicable terms and conditions of the Customer’s respective Customer Agreement.
- Indemnity. Customer agrees to indemnify Mighty Immersion and its officers, directors, employees, agents, affiliates, successors and permitted assigns (each an “Indemnified Party”, and collectively the “Indemnified Parties”) against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including legal fees and court fees, that are incurred by the Indemnified Parties (collectively, “Losses”) arising out of any third party claim brought against Mighty Immersion relating to or arising out (i) any instructions given by the Customer to Mighty Immersion with respect to processing of Personal Information, (ii) any failure to obtain the consents or provide the notices required under Section 3, or (iii) any other breach or violation by the Customer of any of its obligations under this DPA or any breach or violation of any Data Protection Laws.
- Enforceability of this Addendum. Any provision of this DPA that is prohibited or unenforceable shall be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof. The Parties will attempt to agree upon a valid and enforceable provision that is a reasonable substitute and shall then incorporate such substitute provision into the Customer Agreement.
EXHIBIT 1: DETAILS OF THE PROCESSING OF GDPR PERSONAL INFORMATION
This EXHIBIT 1 includes certain details of the processing of Personal Information that is subject to GDPR (“GDPR Personal Data”) as required by Article 28(3) of the GDPR.
Subject matter and duration of the processing of GDPR Personal Data
The subject matter of the processing of GDPR Personal Data is the use of and access to the Service by the Customer in accordance with Customer’s Customer Agreement.
The duration of the processing of GDPR Personal Data is the term specified in the Customer Agreement, subject to Section 10 of this DPA.
The nature and purpose of the processing of GDPR Personal Data
The nature and purpose of the Processing of GDPR Personal Data is to provide the Services in accordance with the terms of the Customer Agreement, including to: enable Authorized Users to access and receive the Services, to communicate with Customer and Authorized Users regarding the Services, to evaluate and improve the Services, to identify usage trends and for data analysis regarding the Services, to comply with our legal obligations, to resolve disputes, and enforce our agreements.
The types of GDPR Personal Data to be processed
The following types of GDPR Personal Data may be processed:
- Direct identifying information (e.g., name, email address, telephone number)
- Indirect identifying information (e.g., job title)
- Payment information
- Device identification data and traffic data (e.g., IP addresses, device IDs)
- Any personal data supplied by users of the Services
The categories of data subjects to whom the GDPR Personal Data relates
Authorized Users (as defined in Customer Agreement) as well as individuals whose personal data is supplied by Authorized Users of the Services.
The obligations and rights of the Customer
The obligations and rights of the Customer are as set out in this DPA and the Customer Agreement.
EXHIBIT 2: STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, CUSTOMER (the “data exporter”), and MIGHTY IMMERSION, INC. (the “data importer”) (each a ‘party’; together ‘the parties’) HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1 – Definitions
For the purposes of the Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2 – Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 – Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4 – Obligations of the data exporter
The data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
- that it will ensure compliance with Clause 4(a) to (i).
Clause 5 – Obligations of the data importer
The data importer agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
- that it will promptly notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- any accidental or unauthorised access; and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
- to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
- that the processing services by the sub-processor will be carried out in accordance with Clause 11;
- to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6 – Liability
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7 – Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 – Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9 – Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely that Member State in which the data exporter’s address, as maintained in its user profile on data importer’s Services, is located.
Clause 10 – Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 – Sub-processing
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses (3). Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
- The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely that Member State in which the data exporter’s address, as maintained in its user profile on data importer’s Services, is located.
- The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12 – Obligation after the termination of personal data-processing services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 – to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
Data exporter. Data exporter (Customer) is seeking to supply certain data for use with the products and/or services of the data importer, as agreed in the Customer Agreement.
Data importer. Data importer (Mighty Immersion) is a technology and services provider that provides a proprietary platform known as “ManageXR” that is made available on a platform-as-a-service basis as well as related Services.
Subject Matter and Duration of Processing of Personal Data. The subject-matter and duration of processing of Personal Data by data importer and data exporter are set out in the Customer Agreement and this Data Processing Addendum.
Data subjects. Authorized Users (i.e., employees and agents) of Customer in addition to individuals whose personal data is supplied by Authorized Users of the Services.
*All of the above categories include current, past or prospective data subjects.
Categories of data. Set forth in the Customer Agreement but generally personal data as required to facilitate use of (or as permitted by the use of) the ManageXR Platform and related Services by the Customer and its Authorized Users.
Special categories of data (if appropriate). Mighty Immersion does not knowingly collect (and Customer or Authorized Users shall not submit or upload) any special categories of data (as defined under the Data Protection Legislation).
Processing operations. The Customer Personal Data transferred will be subject to the following basic Processing activities, as further described in the Customer Agreement and the Data Processing Addendum:
The Clauses reflect the parties’ agreement with respect to the processing and transfer of personal data specified in this Appendix pursuant to the provision of the “Services” as defined under the data exporter’s Customer Agreement.
The nature and purpose of the Processing of GDPR Personal Data is to provide the Services in accordance with the terms of the Customer Agreement, including to: enable Authorized Users to access and receive the Services, to communicate with Customer and Authorized Users regarding the Services, to evaluate and improve the Services, to identify usage trends and for data analysis regarding the Services, to comply with our legal obligations, to resolve disputes, and enforce our agreements.
The Data Exporter instructs the Data Importer to process personal data in countries in which the Data Importer or its Sub-processors maintain facilities as necessary for it to provide the Service.
The Data Importer may engage Sub-processors to provide parts of the Service. The Data Importer will ensure Sub-processors only access and use the Data Exporter’s personal data to provide the Service and not for any other purpose.
Processing locations. The personal data transferred will be processed in the following countries/locations:
- United States
We will revise this in the future if additional countries are applicable.
Sub-processors in use:
See our Sub-Processer list here.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and accepted by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer maintains administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer’s GDPR Personal Data provided to data importer by data exporter (if any), as specified in the Customer Agreement. In particular, Data importer will implement measures designed to:
- deny unauthorized persons access to data-processing equipment used for processing GDPR Personal Data (equipment access control);
- prevent the unauthorized reading, copying, modification or removal of data media (data media control);
- prevent the unauthorized input of GDPR Personal Data and the unauthorized inspection, modification or deletion of stored GDPR Personal Data (storage control);
- prevent the use of automated data-processing systems by unauthorized persons using data communication equipment (user control);
- ensure that persons authorized to use an automated data-processing system only have access to the GDPR Personal Data covered by their access authorization (data access control);
- ensure that it is reasonably possible to verify and establish to which individuals GDPR Personal Data have been or may be transmitted or made available using data communication equipment (communication control);
- ensure that it is subsequently possible to verify and establish which GDPR Personal Data have been put into automated data-processing systems and when and by whom the input was made (input control);
- prevent the unauthorized reading, copying, modification or deletion of GDPR Personal Data during transfers of those data or during transportation of data media (transport control);
- ensure that installed systems may, in case of interruption, be restored (recovery);
- ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored GDPR Personal Data cannot be corrupted by means of a malfunctioning of the system (integrity).
The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a material degradation in the security of the service during the term of the Agreement.
EXHIBIT 3: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
- Mighty Immersion maintains internal policies and procedures, and requires that its Subprocessors do the same, which are designed to:
- secure any personal data processed by Mighty Immersion against accidental or unlawful loss, access or disclosure;
- identify reasonably foreseeable and internal risks to security and unauthorized access to the personal data processed by Mighty Immersion;
- minimize security risks, including through risk assessment and regular testing.
- Mighty Immersion will, and will use reasonable efforts to require its Subprocessors to, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.
- Mighty Immersion will, and will use reasonable efforts to require its Subprocessors to, periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
- Mighty Immersion has implemented the security measures set forth in Appendix 2 to Exhibit 2 (Standard Contractual Clauses).