Last Updated: May 22, 2024

ArborXR Data Processing Agreement

The ArborXR Data Processing Agreement (“DPA”) is a part of and incorporated into the ArborXR Terms of Service (“Terms”) between you, the individual or entity accepting the Terms (“Customer”, “you”, “your”) and ABXR Labs, Inc. d/b/a ArborXR (“ArborXR” or “we” or “us”), (each a “Party” and collectively the “Parties”) and is made effective on the date on which you accepted the Terms. Capitalized terms used but not otherwise defined in the DPA will have the meanings set forth in the Terms.

The mutual agreement by ArborXR and you to the terms of this Data Processing Agreement is evidenced (a) by your online electronic or written acceptance of the Terms by you or your authorized representative, and/or (b) by your use of ArborXR’s Services and Materials after an update to the Terms incorporating this DPA. A Customer enters into this DPA on behalf of itself, and, if required by applicable data protection laws and regulations, on behalf of its Authorized Affiliates to the extent that ArborXR processes Personal Data for which such Authorized Affiliate acts as the data controller. For the purposes of this DPA, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates.

BY ACCEPTING THE DPA OR USING THE SERVICES, YOU AGREE TO THE DPA, INCLUDING THAT ARBORXR MAY PROCESS PERSONAL DATA ON YOUR BEHALF AS SET FORTH HEREIN.

You may be required to take additional steps for compliance including but not limited to notifying the data protection authority of transfers of data or notifying said authority of the existence of this DPA. Should you require a separately signed copy of the Data Processing Agreement, you must submit an email request to privacy@arborxr.com.

Data, including Personal Data, may be transferred to, processed, maintained or stored on servers or databases by ArborXR or third-party service providers outside of the European Union (“EU”) or European Economic Area (“EEA”). You are responsible for compliance with the particular national requirements of your European Union member state, as applicable.

ArborXR agrees and you agree to the terms of the Data Processing Agreement as follows:

1. Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the EU, the EEA and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Terms with ArborXR, but has not signed its own Terms and does not own a Subscription with ArborXR.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended, and its implementing regulations.

“Controller” means the entity or individual, if applicable, which determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the EU, the EEA and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement (e.g., the CCPA, GDPR, the Swiss Federal Data Protection Act (“Swiss FADP”), and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”)).

“Data Subject” means the identified or identifiable person to whom Personal Data relates including Users.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means any information relating to an identified or identifiable natural person or as such are defined under applicable Data Protection Laws and Regulations.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

“Standard Contractual Clauses” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described herein.

“Sub-processor” means any Processor engaged by ArborXR.

“Supervisory Authority” means an independent public authority which is established by a pursuant to applicable Data Protection Laws and Regulations.

“UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of 12 April 2023 at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as described herein.

2. Processing of Personal Data

2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data submitted to the Services by you or your Users, you are the Controller, ArborXR is the Processor and that ArborXR will engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.

2.2. Processing of Personal Data by You. You shall, in your use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of your use of ArborXR as a Processor. For the avoidance of doubt, your instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which you acquired Personal Data. You specifically acknowledge that your use of the Services will not violate the rights of any Data Subject.

2.3 Processing of Personal Data by ArborXR. ArborXR shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with your documented instructions for the following purposes: (a) processing in accordance with the Terms (which includes our Privacy Policy, Cookie Policy, and any consents provided by your agreement and/or interactive opt-in through our Website) and applicable Supplemental Terms; (b) processing initiated by Users in their use of the Services; and (c) processing to comply with other documented reasonable instructions provided by you (e.g., via email) where such instructions are consistent with the Terms.

2.4 Details of the Processing. The subject-matter of Processing of Personal Data by ArborXR is the performance of the Services pursuant to the Terms. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 to this DPA.

3. Rights of Data Subjects

3.1 Personal Data Subject Request. ArborXR shall, to the extent legally permitted, promptly notify you if we receive a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making related to Data Subject’s Personal Data (“Data Subject Request” or “DSR”). Taking into account the nature of the Processing, we will provide commercially reasonable efforts to assist you in responding to such DSR, to the extent we are legally permitted to do so and the response to such DSR is required under Data Protection Laws and Regulations. To the extent legally permitted, you shall be responsible for any costs arising from ArborXR’s provision of such assistance.

3.2 Assistance with Personal Data Requests. With regard to the processing of User’s Personal Data, ArborXR shall, if not prohibited by applicable law, notify you without unreasonable delay after receipt, if ArborXR: (a) receives a request for information from the Supervisory Authority or any other competent authority regarding User’s Personal Data; (b) receives a complaint or request from a third party regarding obligations of yours or of ArborXR under applicable law; or (c) receives any other communication which directly pertains to the Processing or protection of User’s Personal Data. If ArborXR is the Processor, ArborXR shall not respond to such requests, complaints or communications, unless you have given ArborXR written instructions to that effect or if such is required under a statutory or regulatory provision. In the latter case, prior to responding to the request, ArborXR shall notify you of the relevant statutory or regulatory provision and ArborXR shall limit its response to what is necessary to comply with the request.

4. Confidentiality

ArborXR shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. ArborXR shall ensure that such confidentiality obligations survive the termination of the personnel engagement and that access to Personal Data is limited to those personnel performing Services in accordance with the Terms.

5. Sub-Processors

5.1 Appointment of Sub-processors. You acknowledge and agree that (a) ArborXR may be retained as Sub-processors; and (b) ArborXR may engage third-party Sub-processors in connection with the provision of the Services. ArborXR will ensure that we have entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.

5.2 List of Current Sub-processors and Notification of New Sub-processors. ArborXR shall make available to you the current list of Sub-processors for our Services upon request made by emailing privacy@arborxr.com or by posting a list on our Website.

5.3 Objection Right for New Sub-processors. You may object to ArborXR’s use of a new Sub-processor by notifying us in writing by emailing privacy@arborxr.com. In the event you object to a new Sub-processor, ArborXR will use commercially reasonable efforts to make available or recommend a commercially reasonable change to your configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor.

5.4 Liability. ArborXR shall be liable for the acts and omissions of our Sub-processors to the same extent we would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Terms.

6. Security

6.1 Controls for the Protection of Personal Data. ArborXR shall establish and maintain commercially reasonable administrative, physical, and technical safeguards for protection of Personal Data. These safeguards will include an industry standard information and security program and procedures to help ensure the protection of Personal Data.

6.2 Audits. Upon your written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Terms, ArborXR will make available to you a copy of our then-current third-party audit or certification (“Audit Report”), as applicable, unless you are a competitor of ArborXR. ArborXR shall cooperate for reasonable audits of its policies, procedures, and records with respect to the Processing of Personal Data.

6.2.1 To the extent that the Audit Report does not provide you with all information reasonably necessary to prove ArborXR’s compliance with the obligations set out in this DPA, you shall be entitled to audit whether ArborXR complies with its obligations arising from this DPA. ArborXR shall fully cooperate with such an audit which shall be conducted at your expense and during ArborXR’s regular business hours. You shall provide ArborXR with reasonable advance notice of your intention to perform such an audit and you and ArborXR shall mutually agree on a date on which such an audit will take place, the scope, duration, and evidence requirements of the audit. ArborXR shall make reasonable efforts to remedy the material failures identified by the audit at its own expense within a reasonable time.

6.2.2 Audits are limited to one (1) per year unless (a) ArborXR has experienced a Personal Data Incident (as defined in Section 7 below) within the prior twelve (12) months which has impacted User’s Personal Data or (b) a previous audit conducted at your request has revealed a material noncompliance.

7. Incident Management and Notification

ArborXR maintains security incident management policies and procedures and will notify you without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, Processed by ArborXR or our Sub-processors of which we become aware (a “Personal Data Incident”). ArborXR shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as we deem necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within our reasonable control. The obligations herein shall not apply to incidents that are caused by any User.

8. Return and Deletion of Your Data

ArborXR will return your Personal Data to you if requested by you and, to the extent allowed by applicable law, delete Personal Data in accordance with the procedures and timeframes specified in our Privacy Policy.

9. Authorized Affiliates

9.1 Contractual Relationship. If you are a Customer accepting the Terms, you enter into the DPA on behalf of yourself and, as applicable, in the name and on behalf of your Authorized Affiliates, thereby establishing a separate DPA between ArborXR and each such Authorized Affiliate subject to the provisions of the Terms and this Section 9 and Section 10. Each of your Authorized Affiliates agrees to be bound by the obligations under this DPA and to the Terms. For the avoidance of doubt, an Authorized Affiliate is a party to the DPA and must comply with the terms of the Terms and any violation of the Terms by an Authorized Affiliate shall be deemed a violation by the Customer.

9.2 Communication. Customer shall remain responsible for coordinating all communication with ArborXR related to this DPA and shall make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates, except as otherwise required by applicable Data Protection Laws and Regulations.

9.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to this DPA, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following: (a) Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against ArborXR directly by itself, the Parties agree that (i) the Customer that is the contracting party to the Terms shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Terms shall exercise any such rights under this DPA not separately for each of its Authorized Affiliates or individually but in a combined manner for itself and all of its Authorized Affiliates together; and (b) the Parties agree that the Customer that is the contracting party to the Terms shall, when carrying out an audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on ArborXR and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in a single audit.

10. Limitation of Liability

Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and ArborXR, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the ArborXR Terms, and any reference in such section to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under the Terms and all DPAs together. For the avoidance of doubt, ArborXR’s total liability for all claims from you, and if you are a Customer, all of your Authorized Affiliates, arising out of or related to the Terms and all DPAs shall apply in the aggregate for all claims under both the Terms and all DPAs established under this DPA, including by you, Customer, and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

11. Additional Provisions

11.1 GDPR. ArborXR will Process Personal Data in accordance with the GDPR requirements directly applicable to our provision of Services.

11.2 Data Protection Impact Assessment. Upon your request, ArborXR shall provide you with commercially reasonable cooperation and assistance needed to fulfill any obligation you may have under applicable Data Protection Laws and Regulations to carry out a data protection impact assessment related to your use of the Services, to the extent you do not otherwise have access to the relevant information, and to the extent such information is available to us.

11.3 Transfer Mechanisms for Data Transfers.

11.3.1 Customer authorizes ArborXR to make international transfers of the Personal Data only if (i) Data Protection Law for such transfers is respected and (ii) the transfer is otherwise permitted by this DPA.

11.3.2 To the extent legally required, the Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and, except as set forth in subsections 11.3.3 and 11.3.4 below, they will be deemed completed as follows:

  • Customer, the exporter, acts as a controller and ArborXR, the importer, acts as Customer’s processor with respect to the Personal Data subject to the Standard Contractual Clauses, and its Module 2 applies. Their contact information is set forth in the Terms and/or order form.
  • Clause 7 (the optional docking clause) is included.
  • Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of Subprocessors is set forth as described in the manner stated in Section 5.2 and ArborXR shall update that list at least 30 days in advance of any intended additions or replacements of Subprocessors.
  • Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
  • Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland.
  • Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
  • Annexes I and II of the Standard Contractual Clauses are set forth in Schedule 1 of the DPA.
  • Annex III of the Standard Contractual Clauses (List of Subprocessors) is inapplicable.

11.3.3 With respect to Personal Data for which UK Privacy Act governs the transfer, to the extent legally required, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK SCC Addendum):

  • Table 1 of the UK SCC Addendum: The Parties, their details, and their contacts are those set forth in the Terms and/or the order form.
  • Table 2 of the UK SCC Addendum: the “Approved EU Standard Contractual Clauses” shall be the Standard Contractual Clauses as set forth in subsection (11.3.2) above.
  • Table 3 of the UK SCC Addendum: Annexes I(A), I(B), and II are in Schedule 1 of the DPA, and Annex III is as described in Section 13.
  • Table 4 of the UK SCC Addendum: neither party may exercise the right set forth in Section 19 of the UK SCC Addendum.

11.3.4 With respect to Personal Data for which the Swiss FADP governs the transfer, the Standard Contractual Clauses shall be deemed to have the following differences to the extent required by the Swiss FADP:

  • References to the GDPR in the Standard Contractual Clauses are to be understood as references to the Swiss FADP insofar as the data transfers are subject exclusively to the Swiss FADP and not to the GDPR.
  • The term “member state” in Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
  • References to personal data in the Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the Swiss FADP that eliminate this broader scope.
  • Under Annex I(C) of the Standard Contractual Clauses (Competent supervisory authority):
      • Where the transfer is subject exclusively to the Swiss FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
      • Where the transfer is subject to both the Swiss FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority is as set forth in the Standard Contractual Clauses insofar as the transfer is governed by the GDPR.

11.3.5 Additional Safeguards for the Transfer and Processing of Personal Data from the EEA, Switzerland, and the United Kingdom. To the extent that ArborXR Processes Personal Data of data subjects located in or subject to the applicable Data Protection Laws and Regulations of the EEA, Switzerland, or the United Kingdom, ArborXR agrees to the following safeguards to protect such data to an equivalent level as applicable Data Protection Laws and Regulations:

  • ArborXR and Customer shall encrypt all transfers of the Personal Data between them, and ArborXR shall encrypt any onward transfers it makes of such personal data, to prevent the acquisition of such data by third parties.
  • ArborXR will notify Customer if it receives a request, order, demand, or similar communication from any governmental authority or law enforcement body, including any intelligence agency, relating to Personal Data (“Government Request”), to the extent that ArborXR is legally permitted to do so. ArborXR will inform Customer of all facts concerning a Government Request that ArborXR is legally permitted to disclose, including the Personal Data affected by the Government Request and whether the Government Request is related to intelligence activities or national security.

12. Regulatory Assistance

Taking into account the nature of the Processing and the information available to ArborXR, ArborXR will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required (a) data protection impact assessment of the Processing or proposed Processing of the Personal Data involving ArborXR and (b) related consultation with supervisory authorities. Each party will negotiate promptly and in good faith to enter into any amendment to this DPA or additional contract required by applicable Data Protection Laws and Regulations.

13. Term

The provisions of this DPA survive the termination or expiration of the Terms for as long as ArborXR or its Subprocessors Process Personal Data.


SCHEDULE 1

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

Data exporter
The data exporter is the entity identified as “you” or “Customer” in the DPA.

Data importer
The data importer is the entity identified as “ArborXR” in the DPA.

Data subjects
The personal data transferred concern the following categories of data subjects:
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: (i) prospects, customers, business partners and vendors of data exporter (who are natural persons), (ii) employees or contact persons of data exporter’s prospects, customers, business partners and vendors, (iii) employees, agents, advisors, freelancers of data exporter (who are natural persons), and (iv) data exporter’s Users authorized by data exporter to use the Services.

Categories of data
The personal data transferred concern the following categories of data (please specify):
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • e-mail address; name;
  • mailing address; telephone number; business name;
  • IP address;
  • passwords;
  • other information Users may provide to our website, customer support, or via third-party platforms;
  • generic or precise geographic location data from users’ mobile devices when the app is running and when it is not running.

Special categories of data (if appropriate)
Personal data transferred does not include any sensitive data.

Processing operations
The personal data transferred will be subject to the following basic processing activities:
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to the Terms or applicable Supplemental Terms.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis for as long as Customer is engaging ArborXR to provide the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Transfers to subprocessors are for the same purposes as transfers to the processor.

Competent Supervisory Authority: Ireland Data Protection Commissioner.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer will maintain administrative, physical, and technical safeguards for protection of Personal Data uploaded to the Services, as described in the Privacy Policy and Documentation applicable to the specific Services used by data exporter, as made reasonably available by data importer. These safeguards will include an industry standard information and security program and procedures to help ensure the protection of Personal Data. Data Importer will not materially decrease the overall security of the Services during the Subscription Term.