This Data Processing Addendum is entered into between COGNITIVEVR INC. dba Cognitive3D (“Processor”) and any party using Processor to perform services on data they collect (“Controller”).

1. Scope of Data Processing

In the course of Processor providing services to Controller pursuant to a subscription/service agreement between the parties or, if no agreement is in place, the Processor’s Terms of Service (in either case, the “Main Agreement”), it is necessary for Processor to access personal data, with respect to which Controller is the ‘data controller’ for the purposes of applicable data protection laws (“Controller Data”). This addendum substantiates the rights and obligations of the parties in accordance with applicable data protection laws for the processing of Controller Data by the Processor and fulfils all requirements of a commissioned data processing agreement pursuant to the European Economic Area’s General Data Protection Regulation (“GDPR”). Processor shall also comply with applicable privacy laws in the UK, Switzerland, Brazil, Canada and the US.

2. Subject Matter and Scope

Processor collects, processes and uses Controller Data exclusively on behalf of and on instruction of Controller pursuant to pursuant to Art 28 et seq. of the GDPR and only in accordance with Controller’s written instructions from time to time and within the type, scope and purpose described in Schedule-A. Instructions deviating from Controller’s written instructions and outside the scope of Schedule-A require Processor’s consent and Controller shall pay any additional costs incurred by Processor in order to facilitate privacy compliance outside the scope of the instructions in Schedule-A. Processor shall inform Controller if it believes Controller’s instructions breach applicable data protection laws and may suspend execution of Controller instructions until having received confirmation from Controller that such instructions are legally compliant.

Processor shall not combine Controller Data with data collected and used for other purposes under the Main Agreement unless explicitly permitted by law and/or by Controller, as applicable. Controller owns and/or holds all rights to Controller Data.

Processor may process Controller Data outside the European Union or the European Economic Area (EEA) or have it processed by third parties in accordance with section 8 (if the requirements of Art 44 to 48 of the GDPR are fulfilled) or if an exception in accordance with Art 49 of the GDPR exists. Processor is subject to the Canadian Personal Information Protection and Electronic Documents Act, which provides adequate protection of Personal Data according to the European Commission’s adequacy decision C(2001) 4539 decided on December 20, 2001.

3. Obligations of Controller

Controller shall:

• ensure that the collection, processing and use of Controller Data is admissible under applicable data protection laws;
• safeguard data subject rights;
• indemnify Processor from third party claims based on the collection, processing or use of Controller Data by Controller;
• timely provide Processor with Controller Data and ensure Controller Data quality;
• inform Processor upon encountering any errors or irregularities concerning statutory provisions on the processing of Personal Data or detected during an evaluation of processing results;
• provide Processor with a record of processing activities as per Art 30 Para 2 of the GDPR; and
• if Processor is obligated to provide processing information to authorities or a person or to otherwise cooperate with them, support Processor in providing such information and cooperate as necessary (in particular, such support shall be rendered by immediately providing all information and documents regarding the organisational and technical measures taken as per Art 32 of the GDPR).

4. Obligations of Processor

Processor shall:

• ensure and check that processing and usage of data conforms with the scope of services rendered under the Main Agreement and provisions of this addendum;
• not copy or duplicate Controller Data without Controller’s permission, except as set forth in the Main Agreement, this addendum and/or the Processor’s Privacy Policy (including data backups) and as necessary to fulfil legal retention obligations;
• reasonably support Controller if Controller is audited by the supervising authority concerning Processor’s data processing;
• inform Processor of any biometric personal data included as part of the Controller Data prior to sharing such data with Processor;
• upon request, provide Controller with an overview of information defined in Art 30 Para 1 of the GDPR and on the persons with access rights;
• ensure that every person in his employment processes Controller Data according to this addendum and Controller instructions, according to Art 29 of the GDPR; and

support Controller, within the bounds of what is reasonable and necessary, in return for reimbursement of expenses and costs incurred in a possible data protection impact assessment and subsequent consultation by the supervisory authority according to Art 35 and 36 of the GDPR.

5. Technical and organisational measures

Processor has put in place and maintains appropriate technical and organisational measures to protect Controller Data from the risks posed by the data processing, as described on Schedule-B.

If the technical and organisational measures, prove to be insufficient or if technological advances or legislative changes require the same, per Art 32 of the GDPR, Processor shall introduce additional effective technical and organisational measures. Each party shall notify the other if these measures are insufficient or if technological or legislative changes require changes. Processor shall document changes to technical and organisational measures.

6. Reporting of breaches by Processor

Processor shall notify Controller upon its breach of data protection laws or this addendum and shall support Controller, upon request, if Controller is subject to legal reporting and notification obligations arising from such breach (in particular pursuant to Art 33 and 34 of the GDPR), within reasonable and necessary bounds. Controller shall reimburse Processor’s expenses and costs in relation to any breach related legal requirements.

7. Controller’s supervision rights

Controller may supervise Processor’s compliance with this addendum and relevant data protection laws by, at processor’s discretion, being provided suitable current certificates, reports or statements of evidence from independent bodies of compliance with the technical and organisational measures described on Schedule-B.

Processor may withhold confidential or trade secret information or if granting access would breach Processor’s statutory or contractual obligations, as determined in Processors discretion. Controller shall not access data or information not directly relevant to the inspection. Controller may engage a subcontractor to perform the inspection, who shall not be a competitor of Processor and shall be bound by a confidentiality agreement acceptable to Processor.

8. Processor’s Subcontractors

Processor may engage third parties in connection with processing or usage of Controller Data and are listed on Schedule-C. Processor’s agreements with these third parties provide a level of security corresponding with this addendum, bind these third parties to the obligations defined in Art 28 Para 3 of the GDPR and, if possible, afford Controller with similar supervision rights to section 7. Processor may engage or change subcontractors in its sole discretion but shall notify Controller of intended changes to these third parties. In individual cases, Controller may object to the commissioning of a potential sub-processor. Controller waives any objection if it does not provide a response within 7 days after receipt of the notification.

This section 8 also applies if a subcontractor is engaged in a third country. Controller hereby authorizes Processor to conclude a contract including the EU standard contractual clauses for the transfer of Personal Data to processors in third countries who process or uses Controller Data outside the EEA, on behalf Controller. Controller agrees to assist in fulfilling the requirements of Art 49 of the GDPR.

9. Data Subject Rights

The rights of data subjects shall be asserted against Controller. Processor shall timely forward any requests to exercise a data subject’s data right in accordance with Art 12 et seq. of the GDPR (“Data Subject Rights”). If a data subject exercises Data Subject Rights and information rights on stored Controller Data, the storage’s purpose and the persons and locations Controller Data is regularly transferred to vis-à-vis Controller, Processor shall support Controller in fulfilling such requirements within reasonable means if Controller is unable to meet the requests without Processor’s support.

Processor shall enable Controller to correct, delete or block Controller Data or, if and to the extent that this is impossible for Controller, to carry out the correction, blocking or deletion at Controller’s request. Insofar as the data subject has a right to data portability vis-à-vis Processor with regard to Controller data pursuant to Art 20 of the GDPR, Processor shall support Controller within reasonable means in return for reimbursement of expenses and costs incurred by Processor as a result.

10. Return and deletion of Controller Data and data storage mediums

The duration and termination of this addendum shall be tied to the duration and termination of the Main Agreement. Processor shall delete or return to Controller all data storage mediums received from Controller, which contain Controller Data, following termination of the Main Agreement and, upon Controller’s request, provide a written report thereof. Processor should store documentation proving the orderly processing of Controller Data pursuant to the respective retention period beyond the date of the termination of this addendum.

11. Indemnity

To the maximum extent permitted by applicable law, and except with respect to a party’s defense and indemnification obligations expressly set out in this addendum, neither party shall be liable to the other for any claim, loss or damage of any kind arising out of or relating to this addendum or the subject matter of this addendum, including without limitation consequential, incidental or special damages, loss of data, loss of profits, loss of goodwill and any and all other tangible and intangible damages or losses, even if C3D has been advised of the possibility of such damage or loss.

Under no circumstances shall the total aggregate liability of either party to the other party or any other person arising out of or relating to this addendum or the subject matter of this addendum ever exceed the total amount paid by Controller to Processor in the 12 months immediately preceding the date of act leading to the harm in question. Processor shall not be responsible or liable for any wrongful act or omission by or on behalf of any subcontractor listed under Schedule-C.

12. Governing Law

This addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the applicable laws of Canada and the Province of British Columbia.

13. Disputes

If there are any provisions which conflict between this addendum and the Main Agreement, the Main Agreement shall supersede this addendum, except in cases where such interpretation would violate applicable privacy laws, and in that case, the conflicting provision in this addendum shall prevail.

14. Severability

If any provision of this addendum is found by a court of competent jurisdiction to be unenforceable or invalid, that provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will remain in full force and effect.

15. General

Any amendments, supplements or the cancellation of this addendum must be in writing (email sufficient). Should parts of this addendum be or become invalid or contain a gap, the remaining provisions remain unaffected and the parties shall replace the invalid provision with a legally permissible provision that comes closest to the economic purpose of the invalid provision or fills such gap. The sole place of jurisdiction for all disputes arising from or in connection with this addendum is British Columbia, Canada.

SCHEDULE-A

PURPOSE, TYPE AND SCOPE OF DATA PROCESSING, TYPE OF DATA AND CATEGORIES OF DATA SUBJECTS

SCHEDULE-B

TECHNICAL AND ORGANIZATIONAL MEASURES

Organisational Control

• Internal data processing regulations and processes, guidelines, work instructions, descriptions of procedures and regulations regarding the programming, checking and publication of data.
• Existence of a data security concept.
• Inspection of systems and programs according to industrial standards.
• Existence of an emergency plan (backup contingency plan).
• Employees agree to abide by confidentiality obligations in writing.
• Regular training for employees regarding data protection aspects.
• Commissioned data protection officer.

Entrance Control

Processor shall take the following measures to prevent unauthorised persons from gaining access to data processing systems for processing or using personal data:

• Security areas identified (visitors area, server rooms etc.).
• Regulation about entry permission for employees, visitors, externals.
• Access control system with logging mechanism, administration of access authorisations.
• Isolating devices.
• Card readers, magnetic cards, chip cards.
• Keys/key management.
• Door-locking devices (electric door openers, etc.).
• Plant security, door man (24/7).
• Supervision facilities.
• Alarm system.
• Video control.
• Safety equipment and devices for the building (fence, window grills etc.)

Server Access Control

Processor shall take the following measures to prevent data processing systems from being used without authorisation:

• Password policy (special characters, minimum length, password change etc.)
• Automatic blocking (for timeout, failed password entry attempts.
• Creation of one master record per user.
• Encryption of data storage media.

Data Access Control

An authorisation concept (user and administrative rights) ensures that access to data of the system is possible only as far as it is necessary for the task execution in accordance with internal distribution of tasks and functional separation of the user. Rules and procedures for creating, modifying and deleting authorisation profiles and user roles in accordance with data protection are:

• Requirement-driven definition of the access scheme and access rights.
• Differentiated access rights (profiles, roles, transactions).
• Encryption of data storage devices.
• Password protection of files.

Transfer Control

Processor shall take the following measures to ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transfer or transport or while being recorded onto data storage media:

• Encryption/tunnelling (VPN = Virtual Private Network).
• Required multi-factor authentication for access to systems.
• Standard logging of electronic transfer, data transport, transmission control.
• Documentation of interfaces for data transfer and documentation of personal data transferred).

Data Entry Control

Processor shall take the following measures to ensure that it is possible to check and ascertain whether data have been accessed, altered or removed from data processing systems and if so, by whom:

• Concept that defines the user permissions for input (profiles) and ensures that data access by users is restricted to the necessary scope.
• Detailed logging systems for entry, processing or deletion of personal data.
• Documentation of authorised persons.
• Storage and deletion of log files

Data Processing Control

Processor shall take the following measures to ensure that personal data processed on behalf of others is processed strictly in compliance with the instructions of Controller:

• Assignment of contact persons by both contract parties.
• Unambiguous wording of contracts.
• Formal commissioning (project organisation, request forms).
• Monitoring of contract performance.

Loss Control

Processor shall take the following measures to protect personal data against accidental destruction or loss:

• Backup procedures and secure storage of backups.
• Separate storage.
• Antivirus protection/Firewall.
• Emergency concept.
• Backup and recovery concept.

Separation Control

Processor shall take the following measures suitable for enabling the separate processing of data collected:

• Separate virtual systems.
• Separate applications on the same server (e.g. different database systems).
• Separate databases with restricted rights for each user.

SCHEDULE-C

SUBCONTRACTORS