
Data Processing Agreement

pursuant to Art. 28 GDPR (EU) 2016/679

Parties

This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between:

The Company (Data Controller):

The legal entity that accepted this Agreement electronically during registration at 3d-instaqoute.org.

The Data Processor:

Leon Jamie Kraim
Lüneburg, Germany

(together referred to as "the Parties")


Whereas

  1. The Company acts as a Data Controller.
  2. The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.
  3. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, "GDPR").
  4. The Parties wish to lay down their rights and obligations.

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

  1.1.1 "Agreement" means this Data Processing Agreement and all Schedules;
  1.1.2 "Company Personal Data" means any Personal Data processed by the Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;
  1.1.3 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
  1.1.4 "EEA" means the European Economic Area;
  1.1.5 "EU Data Protection Laws" means the GDPR and all national laws implementing or supplementing the GDPR, including the German Bundesdatenschutzgesetz (BDSG);
  1.1.6 "GDPR" means EU General Data Protection Regulation 2016/679;
  1.1.7 "Services" means the 3D printing quote generation and order processing services provided by the Processor through the platform at 3d-instaqoute.org;
  1.1.8 "Subprocessor" means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.

1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" shall have the same meaning as in the GDPR.

2. Processing of Company Personal Data

2.1 The Processor shall:

  2.1.1 comply with all applicable Data Protection Laws in the processing of Company Personal Data; and
  2.1.2 not process Company Personal Data other than on the Company's documented instructions, unless required to do so by applicable law.

2.2 The Company instructs the Processor to process Company Personal Data solely for the purpose of providing the Services described in the Principal Agreement.

2.3 The categories of personal data processed include: name, email address, postal address, telephone number, IP address, device data, and payment information of the Company's end users.

2.4 The data subjects are the end customers of the Company who submit 3D print orders through the widget provided by the Processor.

3. Processor Personnel

The Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Company Personal Data, ensuring that access is strictly limited to those individuals who need to know or access the relevant data as strictly necessary for the purposes of the Principal Agreement. All such individuals shall be subject to appropriate confidentiality obligations.

4. Security

4.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including as appropriate the measures referred to in Article 32(1) of the GDPR.

4.2 These measures include at minimum: SSL/TLS encryption in transit, access controls, and use of PCI-DSS compliant payment processing via Stripe Inc. and email delivery and receiving via Resend Inc.

5. Subprocessors

5.1 The Company hereby grants general authorization for the Processor to engage the following Subprocessors, who are pre-approved as of the date of this Agreement:

5.2 The Processor shall inform the Company of any intended changes concerning the addition or replacement of Subprocessors, giving the Company the opportunity to object to such changes within 14 days of notification.

5.3 The Processor shall ensure that any Subprocessor is bound by data protection obligations equivalent to those set out in this Agreement.

6. Data Subject Rights

6.1 Taking into account the nature of the processing, the Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company's obligations to respond to requests to exercise Data Subject rights under Data Protection Laws.

6.2 The Processor shall promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data, and shall not respond to that request except on the documented instructions of the Company or as required by applicable law.

7. Personal Data Breach

7.1 The Processor shall notify the Company without undue delay — and in any event within 48 hours — upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing the Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the breach under applicable Data Protection Laws.

7.2 The Processor shall cooperate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

The Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with Supervisory Authorities which the Company reasonably considers to be required by Article 35 or 36 of the GDPR, solely in relation to the processing of Company Personal Data by the Processor.

9. Deletion or Return of Company Personal Data

9.1 Upon cessation of the Services, the Processor shall within 10 business days delete all Company Personal Data unless applicable law requires continued storage.

9.2 Upon written request from the Company, the Processor shall confirm in writing that such deletion has been completed.

10. Audit Rights

10.1 The Processor shall make available to the Company all information reasonably necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company.

10.2 The Company shall give the Processor reasonable prior notice of any intended audit and shall ensure that audits are conducted in a manner that minimizes disruption to the Processor's business operations.

11. International Data Transfers

11.1 The Processor may not transfer or authorize the transfer of Company Personal Data to countries outside the EU/EEA without the prior written consent of the Company, except where such transfer is covered by an adequacy decision of the European Commission or appropriate safeguards such as Standard Contractual Clauses (SCCs) pursuant to Article 46 GDPR.

11.2 Transfers to Stripe Inc. and Resend Inc. are covered by Standard Contractual Clauses or equivalent safeguards as provided by those Subprocessors.

12. General Terms

12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party confidential and must not use or disclose that information without prior written consent, except as required by law or where the information is already in the public domain.

12.2 Notices. All notices and communications given under this Agreement must be in writing and delivered by post or by email to the addresses provided during registration or as otherwise notified by the Parties.

12.3 Severability. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

13. Governing Law and Jurisdiction

13.1 This Agreement is governed by the laws of the Federal Republic of Germany.

13.2 Any dispute arising in connection with this Agreement which the Parties cannot resolve amicably shall be submitted to the exclusive jurisdiction of the courts of Lüneburg, Germany, subject to possible appeal to the Higher Regional Court of Celle (Oberlandesgericht Celle).

14. Electronic Acceptance

14.1 This Agreement is accepted electronically by the Company upon checking the acceptance box during registration at 3d-instaqoute.org. No handwritten or electronic signature is required.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date of Account Creation to agree to this DPA.