Data Processing Agreement
This Data Processing Agreement (DPA) outlines the terms that apply when Immersive processes personal data on the Customer’s behalf in connection with the provision of the services described in the agreement between the parties (the Agreement). This DPA is automatically incorporated into and forms part of the Agreement unless the parties have executed a separate data processing agreement. In the event of a conflict between the terms of this DPA and the terms of the Agreement regarding the processing of personal data, the terms of this DPA shall prevail.
All capitalized terms used but undefined in this DPA have the meanings given to them in the Agreement.
1.
Definitions
The terms “controller”, “data subject”, “personal data”, “process”, “processing”, and “processor” will have the same meanings as defined by Data Protection Laws. Other relevant terms, such as “business”, “business purpose”, “consumer”, “personal information”, “sale” (including the terms “sell”, “selling”, “sold”, and other variations thereof), “service provider”, and “third party”, have the meanings given to those terms under the CCPA.
| Term | Meaning |
|---|---|
| Contractual Safeguards | means the appropriate transfer mechanism required to legitimize a Restricted Transfer under the applicable Data Protection Laws, which includes: (i) the Standard Contractual Clauses (SCCs) adopted by the European Commission (EU Implementing Decision 2021/914) (the EU SCCs); (ii) the standard data protection clauses applicable in the UK, including the International Data Transfer Addendum to the EU SCCs (the UK Addendum); (iii) the EU SCCs supplemented by the necessary amendments for Swiss law (the Swiss Addendum), or other standard clauses approved or recognised by the FDPIC; (iv) the Standard Contractual Clauses issued by the Saudi Data and Artificial Intelligence Authority (the SDAIA SCCs); and (v) where any other Data Protection Laws apply (e.g., US State or Canadian laws), the mandatory contractual terms required by such legislation to ensure the recipient maintains a comparable level of protection to the personal information. |
| Data Protection Laws | means applicable national, federal, state, provincial, and local laws and regulations governing the use and disclosure of personal information, including, but not limited to, the EU General Data Protection Regulation 2016/679 (GDPR), the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 c.16 (UK GDPR) and the Data Protection Act 2018 (DPA 2018), the Swiss Federal Act on Data Protection (Swiss FADP), the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act (CPRA), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Saudi Personal Data Protection Law (PDPL). |
| Personal Data Breach | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the Services and shall be interpreted consistent with the meaning of "personal data breach" or "security incident" under the applicable Data Protection Laws. |
| Platform | means the cybersecurity skills platforms known as “Immersive One” and any content, software, features, or functionality made available or displayed on it, as identified in an Order and the Documentation. |
| Restricted Transfer(s) | means the transfer or onward transfer of personal data from a protected zone (such as the EEA, the UK, Switzerland, or the Kingdom of Saudi Arabia) to a third country that is not subject to an official adequacy finding or decision by the relevant governmental or supervisory authority and therefore requires a Contractual Safeguard to legitimize the transfer. |
| Services | means all services provided by Immersive to the Customer to enable the successful operation, maintenance, configuration, and adoption of the Platform. These Services include, but are not limited to, technical assistance to resolve errors or defects, customer success management (including implementation support, training, and ongoing executive business reviews), and any purchased premium support services. |
| Sub-processor(s) | means any processor engaged by Immersive who agrees to receive personal data intended for processing on behalf of the Customer in connection with the provision of the Services. |
2.
Data Processing
2.1.
Roles: The parties acknowledge that to the extent Immersive (and its Affiliates) processes personal data on the Customer’s (and its Affiliates’) behalf when providing access to the Platform or performing the Services, the Customer (or the applicable Affiliate) is the “controller” or the “business”, and Immersive (or its applicable Affiliate) is the “processor” or the “service provider” for the purposes of the Data Protection Laws.
2.2.
Processing Details: A description of the processing that Immersive will perform on behalf of the Customer is set out in Annex A.
2.3.
Documented Instructions: Immersive shall process Customer personal data only to provide the Platform and Services in accordance with the Agreement, this DPA, any applicable ordering document between the parties, and any instructions agreed upon by the parties. Immersive may refuse to comply with any instructions that, in its reasonable opinion, fall outside the scope of the Platform or Services or would violate Data Protection Laws.
2.4.
Lawful Basis: The Customer is responsible for establishing a legal ground or valid basis (including, where required, a lawful basis as defined by the GDPR) for the processing of personal data under the Agreement, and warrants that it has lawfully collected, and will lawfully provide, personal data to Immersive for the purposes contemplated by the Agreement, including ensuring that all necessary notices have been provided to, and consents have been obtained from, data subjects.
2.5.
Compliance with Law: Each party warrants that, in its capacity as either a controller or a processor (as applicable), it shall comply with all applicable Data Protection Laws with regard to activities under the Agreement and this DPA.
2.6.
Confidentiality: Immersive shall ensure that any Immersive personnel entrusted with the processing of personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality no less restrictive than those confidentiality obligations included in the Agreement.
2.7.
Inquiries and Requests: Immersive shall provide reasonable assistance to the Customer to assist with the Customer’s compliance with its obligations under applicable Data Protection Laws, including but not limited to requests from individuals exercising their rights under Data Protection Laws.
2.8.
DPIA and Prior Consultation: Where required by Data Protection Laws, Immersive agrees to provide reasonable assistance to the Customer in completing a data protection impact assessment and/or prior consultation with the relevant data protection authorities. For clarity, such assistance will include the provision of additional information reasonably requested by the Customer (which may include copies of Immersive’s then-current SOC 2 type II report and ISO 27001 certification) to the extent reasonably necessary for the Customer to complete its own data protection impact assessment and/or consult with the relevant data protection authorities.
2.9.
CCPA: If and to the extent that Immersive processes any personal information relating to an Authorized User of the Customer or an Affiliate within the scope of the CCPA, Immersive acts as a Service Provider as defined in the CCPA. The Customer or Affiliate, respectively, discloses personal information to Immersive, if any, solely for: (i) a valid business purpose; and (ii) to permit Immersive to provide the Platform and Services under the Agreement. Immersive will not (i) sell the personal information, (ii) retain, use, or disclose the personal information for a commercial purpose other than providing the Platform and Services; or (iii) retain, use, or disclose the personal information outside of the provision of the Platform and Services to the Customer or Affiliate, respectively, pursuant to the Agreement.
3.
Sub-Processors
3.1.
Sub-Processor List: Subject to Immersive’s compliance with this DPA, the Customer provides Immersive with general written authorization to engage the Sub-processors listed at immersivelabs.com/legal (Sub-processor List).
3.2.
Notification of Changes: Immersive shall notify the Customer whenever it adds a Sub-processor or changes the hosting location of an existing Sub-processor by updating the Sub-processor List and providing notice to the Customer’s point of contact via email thirty (30) days before such change takes effect.
3.3.
Right to Object: The Customer may object to a Sub-processor change on reasonable grounds within ten (10) business days following Immersive’s notice. If the Customer objects, the parties will work together to find a solution that remedies the objection. If the parties are unable to agree on a resolution within thirty (30) days, the Customer shall have the right to terminate the affected part of the Platform or Services and receive a prorated refund of fees paid relating to the applicable Order.
3.4.
Sub-Processor Compliance: Immersive agrees to: (i) enter into a written agreement with Sub-processors that imposes data protection requirements that are consistent with this DPA; and (ii) remain fully responsible for its Sub-processors’ acts, omissions, and defaults.
4.
Information Security Program
Immersive shall implement and maintain appropriate technical and organizational security measures to adequately protect the personal data processed on behalf of the Customer against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as required under Data Protection Laws and in accordance with the Security Standards attached at Annex B.
5.
Personal Data Breaches
5.1.
Notice: Immersive shall notify the Customer of any confirmed Personal Data Breach affecting the Customer's personal data without undue delay and, in any event, no later than forty-eight (48) hours after becoming aware of the breach. This notification shall be delivered to the Customer's point of contact via email.
5.2.
Content and Assistance: Where possible and required by applicable Data Protection Laws, Immersive's notification will include, or Immersive will promptly provide through supplementary communication, reasonable details to assist the Customer in fulfilling its own breach reporting obligations. This assistance will include: (i) describing the nature of the breach; (ii) stating the categories and approximate number of data subjects and personal data records concerned; (iii) detailing the likely consequences of the breach; and (iv) describing the measures taken or proposed to be taken to address the breach.
5.3.
Remediation: Immersive shall take reasonable steps to investigate, contain, and mitigate the effects of the Personal Data Breach and to prevent its recurrence.
5.4.
Non-Admission of Fault: Immersive’s notification of or response to a Personal Data Breach will not be construed as an admission or acknowledgment by Immersive of any fault or liability with respect to the Personal Data Breach, except as otherwise stipulated by law or the Agreement.
6.
Cross-Border Transfers
6.1.
Authorization: The Customer authorizes Immersive and its Sub-processors to transfer personal data across international borders. Immersive shall ensure that any international transfer of personal data complies with applicable Data Protection Laws.
6.2.
Restricted Transfers and Transfer Mechanisms:
6.2.1.
Safeguards: The parties agree that a Restricted Transfer from the Customer (as the "Data Exporter") to Immersive (as the "Data Importer") shall be made in accordance with the DPF or the Contractual Safeguards.
6.2.2.
Contractual Safeguards: The following Contractual Safeguards shall apply where required by applicable Data Protection Laws and where the DPF is not available for the Restricted Transfer:
a) EU Transfers: Module 2 (Controller to Processor) of the EU SCCs shall apply to all Restricted Transfers subject to the GDPR. The selected optional clauses of the EU SCCs are specified in Appendix III to this DPA;
b) UK Transfers: The UK Addendum shall apply to all Restricted Transfers subject to the UK GDPR;
c) Swiss Transfers: The Swiss Addendum shall apply to all Restricted Transfers subject to the Swiss FADP; and
d) Saudi Transfers: The SDAIA SCCs shall apply to all Restricted Transfers subject to the PDPL.
6.2.3.
Annex Details and Supplementary Measures: The data transfer details required by the Contractual Safeguards are set out in Appendix I. The obligations set forth in Annex C regarding supplemental measures for the transfer of Customer Personal Data originating in the European Economic Area, Switzerland, the United Kingdom, and/or the Kingdom of Saudi Arabia to a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws shall apply.
6.3.
Data Protection Framework: Immersive has certified to the U.S. Department of Commerce that it adheres to: (i) the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal information received from the European Union in reliance on the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF (collectively, the DPF Principles). In the event the DPF Principles are deemed to be invalid, Section 6.2 shall continue to apply in place of this Section 6.3 for so long as the DPF Principles are held to be invalid.
7.
Cross-Border Transfers
7.1.
Customer Audits: The Customer (or its appointed representative) may carry out an audit of Immersive’s facilities, policies, procedures and records relevant to the processing of Customer personal data.
7.2.
Audit Process: Any audit must be: (i) conducted during Immersive’s regular business hours; (ii) scheduled with 45 days’ advance notice; (iii) carried out in a manner that prevents unnecessary disruption to Immersive’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction. When deciding on a review or audit, the Customer will take into account that Immersive holds SOC 2 type II, ISO 27001, Cyber Essentials and Cyber Essentials Plus Certifications, and can provide the Customer with the relevant reports upon request.
8.
Termination and Deletion of Personal Data
This DPA will terminate automatically upon the later of (i) termination or expiry of the Agreement; or (ii) termination of processing of the personal data by Immersive. Upon termination of this DPA, Immersive shall delete, within a reasonable timeframe (not to exceed 90 days), all personal data processed on behalf of the Customer, unless the Customer requests the return of the personal data or to the extent that applicable Data Protection Laws require storage of such personal data.
9.
Affiliates
9.1.
Authorized Affiliates: The Customer enters into this DPA on behalf of itself and, where applicable, on behalf of any Affiliate of the Customer, thereby establishing a separate DPA between Immersive and each such Affiliate, subject to the provisions of the Agreement. Each Affiliate agrees to be bound by the obligations under this DPA and the relevant terms of the Agreement, and any violation thereof by an Affiliate shall be deemed a violation by the Customer.
9.2.
Exercise of Rights: Where an Affiliate becomes a party to this DPA: (i) only the Customer that is the contracting party to the Agreement shall be entitled to exercise any right or seek any remedy on behalf of the Affiliate, including the right to receive notices and communications, object to Sub-processors, or conduct audits; and (ii) the Customer shall exercise any such rights under this DPA in a combined manner for all of its Affiliates together, rather than separately for each individual Affiliate. Immersive may satisfy any of its obligations to the Affiliates by providing them to the Customer.
10.
Liability
The limits and exclusions on a party’s liability set out in the Agreement shall apply to that party’s liability under this DPA (and the Contractual Safeguards), provided that in all cases the foregoing shall not operate to limit or exclude a party’s liability to a data subject under the Contractual Safeguards.
11.
General
11.1.
Conflicts: In the case of conflict between the terms of the Agreement and the terms of this DPA, the terms of the DPA shall take precedence. In the event of any conflict or inconsistency between the clauses of this DPA and the Contractual Safeguards, the Contractual Safeguards shall prevail.
11.2.
Amendments: Amendments or additions to this DPA must be made in writing and agreed between the parties to be effective.
11.3.
Severance: Should any provision of this DPA be or become invalid, this shall not affect the validity of the remaining terms.
11.4.
Statutory Compliance: This DPA shall not limit or reduce the statutory obligations and liabilities of either Party under Applicable Data Protection Laws or any binding judicial or regulatory decision.
11.5.
Governing Law: This DPA shall be governed by the same law that is governing the Agreement between the parties, except for the Contractual Safeguards, which shall be governed by the law applicable pursuant to the applicable Contractual Safeguards.
Annex A
Data Processing Description
| Item | Description |
|---|---|
| Subject Matter of the Processing | The provision of the Immersive One Platform and related Services (including support, implementation, and maintenance) by Immersive to the Customer, as defined in the Agreement. |
| Duration of the Processing | For the term of the Agreement and a reasonable period thereafter for the deletion/return process, as defined in the DPA's termination clause. |
| Nature and Purpose of the Processing | Collection, recording, organization, storage, retrieval, consultation, use, disclosure, restriction, erasure, or destruction of personal data solely for the purpose of enabling the Customer and its Authorized Users to access, utilize, and receive support for the Platform and Services. |
| Categories of Data Subjects | Authorized Users (employees, contractors, and agents of the Customer). |
| Categories of Personal Data | Full name, business email address, job title, IP address, username, user ID (internal/SAML), and profile display photo (if uploaded by the user to their profile). |
| Sensitive Data (Special Categories) | None. |
Annex B
Technical and Organizational Security Measures
Immersive warrants that the measures detailed in this Annex B, taken together, provide a level of security appropriate to the risks associated with processing the Customer's personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.
Immersive maintains compliance with recognized security frameworks, including SOC 2 Type II, ISO 27001, Cyber Essentials, and Cyber Essentials Plus. You can download copies of our reports and certifications here.
1.
Policies and Codes of Conduct
Immersive maintains an Information Security Policy and reviews it annually or after any major changes in applicable law or regulatory guidance, or major changes made to the applications, databases, infrastructure, and platforms under Immersive’s control that are utilized to provide the Immersive One Platform (collectively referred to as “Systems”).
Immersive maintains codes of conduct and other policies covering anti-bribery and corruption, whistle-blowing, and other ethics policies (such as anti-money laundering and anti-slavery), and communicates these policies to all employees. Immersive’s codes of conduct are available upon request.
2.
Information Security Program
Immersive implements technical and organizational measures designed to protect against unauthorized or unlawful processing of Customer personal data and against accidental loss or destruction of, or damage to, Customer personal data, including a written information security program, which includes policies, procedures, and technical and physical controls designed to ensure the security, availability, integrity, and confidentiality of Customer personal data.
3.
Background Checks and Confidentiality
Immersive conducts pre-employment background screening on employees and contractors who will access Customer personal data in the ordinary course of performing their job responsibilities, to the extent legally permissible and practicable in the applicable jurisdiction.
Immersive requires all employees, contractors, and sub-processors to execute a confidentiality agreement as a condition of employment or engagement, and to comply with policies on the protection of Customer personal data.
4.
Access Controls
All access to Systems must be authorized and authenticated. Access controls and permissions are based on job role and follow the principle of “need-to-know” and “least privilege”. Controls are designed to ensure that persons entitled to use a System have access only to the Customer personal data for which they have a business need.
Access to systems is strictly controlled, segregated, and provisioned on an individual user basis.
Non-privileged users are prohibited from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards.
Immersive maintains a Password Management Policy designed to ensure strong, consistent passwords consistent with industry-standard practices and requires the use of multi-factor authentication to access Systems. If Immersive becomes aware that account credentials have been compromised, passwords will be promptly changed.
5.
Logging, Audit and Accountability
Immersive creates, protects, and retains Systems audit records to maintain integrity and enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate Systems activity.
Immersive reviews and analyses System audit records on a regular basis to detect significant unauthorized activity related to Systems. Actions of Immersive users can be uniquely traced to those users, enabling them to be held accountable.
6.
System Change Control
Immersive establishes a configuration baseline for Systems using applicable information security standards, manufacturer recommendations, or industry standard practices. Monitoring is performed to validate that Systems are configured according to the established configuration baseline.
The introduction of new systems is controlled, documented, and enforced through formal change control procedures, including documentation, specifications, testing, quality control, recovery, and managed implementation.
Immersive employs controls designed to secure source code, including version control, source code repository segregation, and least-privilege access principles. Immersive maintains separate, isolated environments for development, testing, and production. Immersive Customer instances are logically separated.
Immersive follows a structured, secure development methodology, adheres to secure coding standards, and undergoes security assessments (e.g., dynamic and static scans) to identify and remediate security vulnerabilities before release to production.
Immersive employs reasonable controls designed to remove or disable unnecessary ports and services from Systems in accordance with the applicable vendor’s recommendations and settings.
7.
Vulnerability Management
Immersive maintains up-to-date anti-malware software, has implemented a vulnerability management program with regular scanning, subscribes to a vulnerability notification service, prioritizes vulnerability remediation based on risk, and establishes remediation timeframes based on risk ratings.
Once a patch is released and the associated security vulnerability has been reviewed and assessed for applicability and importance, the patch is tested, applied, and verified within a timeframe commensurate with the risk posed to the Systems.
Penetration testing is conducted on the Systems at least annually by a reputable, independent third-party testing company. Any remediation items identified as a result of the assessment will be resolved as soon as possible, on a timetable commensurate with the risk. Upon request, Immersive will provide summary details of the penetration tests performed, including findings and confirmation of whether the identified issues have been resolved.
Immersive uses commercially reasonable efforts to regularly identify software vulnerabilities and, for known vulnerabilities, to provide relevant updates, upgrades, and bug fixes.
8.
Endpoint Protection
Immersive deploys industry-standard anti-virus software on all Systems to detect, protect against, and respond to malicious software.
This software is: (i) kept up to date with the latest threat definitions and software patches; (ii) centrally managed to ensure prompt alerting; (iii) configured to perform automated, regular, and mandatory full system scans; and (iv) designed to prevent, detect, and automatically quarantine or remove known and suspected malware, viruses, and other malicious code.
9.
Capacity Planning
Immersive maintains a capacity management program that continuously and iteratively monitors, analyses, and evaluates the performance and capacity of the Systems.
10.
Physical and Environmental Security
Immersive implements physical access control measures at Immersive facilities where personal data is accessed or managed. For data centres hosting the production environment, Immersive relies on the physical security controls provided by its Cloud Service Provider (AWS), which are detailed in Immersive's SOC 2 report.
11.
Security Incidents
Immersive maintains an Information Security Incident Management Program that manages security incidents (including Personal Data Breaches).
Immersive maintains an Incident Response Plan that specifies actions to be taken in the event of a security incident. Immersive will notify the Customer of a Personal Data Breach without undue delay, and in any case, no later than 48 hours after becoming aware of it.
Lessons learned are captured, reviewed, and incorporated into future iterations of the Incident Response Plan where applicable.
12.
Sub-processor Due Diligence
Immersive implements a risk-based vendor management program to assess the security and privacy practices of all sub-processors that process Customer personal data. This review ensures that Sub-processors implement appropriate technical and organizational measures, including regular monitoring and reassessment.
Immersive's risk-based vendor management program assesses and confirms that all sub-processors provide sufficient guarantees to implement technical and organizational security measures that meet or exceed the requirements of applicable data protection law and are commensurate with the risk associated with the personal data they process on Immersive's behalf.
13.
Data Encryption
Immersive encrypts Customer personal data so that it cannot be read, copied, altered, or deleted by unauthorized personnel during transit and storage, including when saved on removable media. All Customer data is encrypted using industry-standard encryption algorithms.
Keys are protected from unauthorized use, disclosure, alteration, and destruction, and have a backup and recovery process.
If a private key is compromised, all associated certificates will be revoked.
14.
Data Retention and Secure Disposal
Immersive implements controls designed to ensure the secure disposal of Customer personal data in accordance with applicable law and the deletion/return process set out in Section 8 (Termination and Deletion) of the DPA. Unless the Customer requests the return or earlier deletion of the data, Immersive will delete the Customer's personal data within ninety (90) days following the termination or expiry of the Agreement.
Immersive ensures secure erasure electronically before disposal by overwriting or degaussing, or by physically destroying the media prior to disposal or reassignment to another system.
15.
Risk Assessments
Immersive maintains a Risk Assessment Program that includes regular risk assessments and controls for risk identification, analysis, monitoring, reporting, and corrective action.
16.
Asset Management
Immersive has implemented an Asset Management Program that classifies and controls hardware and software assets throughout their life cycle.
17.
Business Continuity and Disaster Recovery
Immersive will use industry-standard practices for redundancy, resilience and scalability designed to maintain the Platform's availability.
Immersive implements and maintains contingency plans to address emergencies or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that could damage or destroy Systems or Customer personal data, including a data backup plan and a disaster recovery plan with at least annual testing of such plans.
Backups are taken, and recovery is tested on a regular basis.
18.
Security and Privacy Training
Immersive conducts mandatory training for Immersive employees and relevant contingent workers, at least annually, on business ethics, privacy, and information security awareness. These trainings are reviewed and updated annually.
19.
Security Control Testing
At least annually, Immersive will engage a qualified, independent external auditor to conduct periodic reviews of Immersive’s security practices against recognized audit standards, such as SOC 2 Type II and ISO 27001 certification audits (including surveillance and recertifications), as applicable.
Annex C
Supplemental Measures
Immersive is committed to providing users with control over their own data, to securing customer data against unauthorized access, and to protecting users' privacy. In accordance with this commitment, Immersive complies with the following principles in responding to third-party requests, including requests by governmental entities, for Customer Personal Data:
1.
Organizational and Legal Measures
1.1.
Legal Consultation: Immersive will consult with external expert legal counsel regarding the validity and scope of all third-party requests for access to Customer personal data.
1.2.
Customer Referral: Immersive will refer each government request promptly to the relevant Customer so that the Customer or user can respond directly.
1.3.
Notice to Customer: If the government declines to redirect its request to the relevant Customer, Immersive will provide the Customer with prompt notice of the request unless it is legally prohibited from doing so.
1.4.
Delayed Notice: If Immersive is prohibited from providing prompt notice of a request to a Customer, Immersive will provide such notice as soon as the prohibition expires or is no longer in effect.
1.5.
Contesting Requests: Immersive will decline to comply with and undertake reasonable efforts to legally contest any request it determines is not valid, binding, and absolutely required by applicable local and U.S. law, including any non-valid request under FISA 702 or U.S. Executive Order 12333.
1.6.
Request History: Immersive has not received any government request for Customer Personal Data to date.
2.
Technical Measures
Immersive maintains strong encryption for Personal Data at rest and in transit using industry-standard protocols, as further detailed in Annex B (TOMs). This technical protection renders the data unintelligible or unusable to unauthorized third parties and government agencies without the necessary encryption keys, which Immersive controls.
Appendix I
Transfer Details
This Appendix I corresponds to Appendix I of the EU Standard Contractual Clauses (SCCs) (Module 2) and sets out the details of the data processing and transfer necessary for the provision of the Services.
A.
List of Parties
| Role | Name and Contact Details | Activities Relevant to the Data Transfer | Signature |
|---|---|---|---|
| Controller / Data Exporter | Name, Address, and Contact Details: As set out in the Agreement or an Order. | The Data Exporter collects personal data from Customers and transfers it to the Data Importer for the purpose of accessing and utilizing the Platform and related Services. | See the applicable Order. |
| Processor / Data Importer | Name: Immersive Address: the address set out in the Agreement or an Order Contact Details: legal@immersivelabs.com | The Data Importer processes Personal Data solely to provide the Platform and Services to the Data Exporter, as defined in the DPA. | See the applicable Order. |
B.
Description of Transfer Processing
| Role | Name and Contact Details |
|---|---|
| Subject Matter, Duration, Nature, Purpose, Data Subjects, and Data Categories | As set out in Annex A (Data Processing Description) of this DPA. |
| Sensitive Data | None. |
| Frequency of Transfer | Continuous, as required for the provision of the Services. |
| Period for Which Data will be Retained | As set out in Section 8 (Termination and Deletion) of the DPA. |
C.
Technical and Organizational Measures
The Technical and Organizational Measures are as set out in Annex B (TOMs) of this DPA.
D.
Competent Supervisory Authority
The Technical and Organizational Measures are as set out in Annex B (TOMs) of this DPA.
Appendix II
EU SCCs - SELECTED OPTIONAL CLAUSES (Module Two: Controller to Processor)
The following optional clauses of the EU SCCs (Module 2) are selected or unselected as indicated below:
1.
Clause 7 (Docking Clause): This optional clause is SELECTED.
2.
Clause 9 (Use of Sub-processors): The optional language is SELECTED for Option 1: General written authorization.
3.
Clause 11 (Redress): The optional language is SELECTED.
4.
Clause 17 (Governing Law): The governing law for the EU SCCs will be the law of an EU Member State. The law of Ireland shall govern the SCCs.
5.
Clause 18 (Choice of Forum and Jurisdiction): Any dispute arising from the SCCs shall be resolved by the courts of Ireland.
Appendix III
UK Addendum - International Data Transfer Addendum
This Addendum is entered into by the Parties and forms part of the DPA. The Parties hereby agree to the terms of the UK Addendum.
1.
Tables
| Section | Detail |
|---|---|
| Table 1: Parties | The Parties and contact details are as set out in Appendix I, Section A of this DPA. |
| Table 2: Selected SCCs, Modules, and Selected Clauses | The applicable EU SCCs are the Module Two (Controller to Processor) clauses. |
| Table 3: Appendix Information | The information required for the SCCs Appendices is contained in Annex A (Description of Processing) and Annex B (TOMs) of this DPA. |
| Table 4: Ending this Addendum when Approved Addendum Changes | Termination right: The option in paragraph 19 is NOT SELECTED. |
| Table 4: Governing Law and Jurisdiction | The laws of England and Wales. |
| Table 4: Competent Courts | The courts of England and Wales. |
2.
Mandatory Clauses
The Mandatory Clauses of the UK Addendum, which replace the corresponding clauses of the EU SCCs for UK transfers, are incorporated herein by reference, and the Parties agree to be bound by them as if they were set out in full.
Appendix IV
List of Sub-processors
Listed at www.immersivelabs.com/legal.
Appendix V
Swiss Addendum
This Appendix supplements the EU Standard Contractual Clauses (Module Two) entered into between the Customer (Data Exporter) and Immersive (Data Importer) where the processing of Personal Data is subject to the Swiss Federal Act on Data Protection (FADP).
The following modifications shall be deemed incorporated into the EU SCCs for the purpose of Swiss data transfers:
1.
References and Terminology
| SCCs Terminology | FADP Modification |
|---|---|
| Applicable Data Protection Laws | Shall be deemed to include the Swiss Federal Act on Data Protection (FADP), as amended, including any ordinances, regulations, and guidance. |
| Member State | Shall not be interpreted in such a way as to exclude the right of Swiss data subjects to rely on the EU SCCs for the protection of their Personal Data. |
| Supervisory Authority | Shall mean the Swiss Federal Data Protection and Information Commissioner (FDPIC) in Switzerland. |
| Data Subject | Shall mean affected persons as defined in the FADP. |
2.
Specific Requirements for Switzerland
| SCCs Clause | FADP Modification |
|---|---|
| Clause 13 (Supervision) | The supervisory authority is the FDPIC, insofar as the data transfer is governed by the FADP. |
| Clause 17 (Governing Law) | Where the transfer is governed solely by the FADP (i.e., not by the GDPR), the laws of Switzerland shall govern the EU SCCs. |
| Clause 18 (Choice of Forum and Jurisdiction) | Where the transfer is governed solely by the FADP, the parties agree to submit to the jurisdiction of the competent courts of Switzerland. |
| General Principle | Where the FADP requires the written consent of the data subject for the disclosure of Personal Data to the Data Importer, the Data Exporter shall ensure that such consent is obtained prior to the transfer. |
Appendix VI
SDAIA Standard Contractual Clauses
This Appendix supplements the DPA where the processing of Personal Data is subject to the PDPL and the Personal Data Transfer Regulations (PDTR) and requires the use of the SDAIA SCCs to legitimize a transfer of personal data from the Kingdom of Saudi Arabia to a country not deemed adequate by SDAIA.
1.
Incorporation: The Controller (Customer) and the Processor (Immersive) agree to be bound by the mandatory, non-amendable provisions of the SDAIA SCCs (Controller-to-Processor version), as issued by the SDAIA, and as applicable to the processing activities described in this DPA.
2.
Prevailing Terms: In the event of a conflict between the terms of this DPA and the SDAIA SCCs regarding the transfer of personal data subject to the PDPL, the terms of the SDAIA SCCs shall prevail.
3.
Transfer Details: The details required by the SDAIA SCCs concerning the processing activities, data categories, and data subjects shall be those set out in Annex A (Data Processing Description) of this DPA.
4.
Security Measures: The technical and organizational measures required by the SDAIA SCCs shall be those set out in Annex B (Technical and Organizational Security Measures) of this DPA.
5.
Data Exporter / Controller: The Customer is the Data Exporter/Controller.
6.
Data Importer / Processor: Immersive is the Data Importer/Processor.
