This Data Processing Addendum (“DPA”) forms part of the agreement between Vizbl Systems, Inc., a Delaware corporation (“Vizbl”), and the customer identified in the applicable agreement or order form (“Customer”) to the extent Vizbl processes Customer Personal Data on behalf of Customer in connection with the Services.
Capitalized terms not defined in this DPA have the meanings given to them in the applicable agreement between Vizbl and Customer.
“Customer Personal Data” means personal data, personal information, or similar regulated data processed by Vizbl on behalf of Customer in connection with the Services.
“Data Protection Laws” means all applicable laws and regulations relating to privacy, data protection, data security, breach notification, or the processing of personal data, including, where applicable, the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and similar U.S. state privacy laws.
“Controller,” “Processor,” “Business,” “Service Provider,” “Personal Data,” “Personal Information,” and “Processing” have the meanings given to them under applicable Data Protection Laws.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Vizbl on behalf of Customer.
For Customer Personal Data, Customer is the controller or business, and Vizbl is the processor or service provider, unless otherwise stated in the applicable agreement or required by Data Protection Laws.
Customer is responsible for determining the purposes and means of processing Customer Personal Data and for ensuring that Customer has all notices, consents, authorizations, legal bases, and rights required to provide Customer Personal Data to Vizbl for processing under the Services.
Vizbl will process Customer Personal Data only:
(a) to provide, secure, support, maintain, improve, and operate the Services;
(b) in accordance with Customer’s documented instructions, including the applicable agreement, order form, statement of work, configuration choices, and use of the Services;
(c) as necessary to comply with applicable law; and
(d) as otherwise permitted by this DPA and Data Protection Laws.
Customer’s instructions must comply with Data Protection Laws. Vizbl may notify Customer if Vizbl believes an instruction violates Data Protection Laws, but Vizbl has no obligation to provide legal advice to Customer.
Customer Personal Data may include account information, user identifiers, contact information, login data, device data, usage data, uploaded content, images, product-related content, catalog data, support communications, and other personal data submitted to or processed through the Services by or on behalf of Customer.
Data subjects may include Customer’s employees, contractors, authorized users, end users, shoppers, website visitors, business contacts, and other individuals whose personal data is submitted to or processed through the Services.
The nature and purpose of processing is to provide the Services, including hosting, storage, transmission, rendering, visualization, 3D and AR content processing, catalog processing, support, security, troubleshooting, analytics, product improvement, and related activities described in the applicable agreement and order form.
Vizbl will implement and maintain commercially reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, or disclosure.
Such measures may include, as appropriate, access controls, authentication, encryption in transit, logging, monitoring, backup procedures, vulnerability management, and internal policies designed to protect Customer Personal Data.
Vizbl will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
Customer authorizes Vizbl to engage affiliates and third-party subprocessors to provide the Services. Vizbl will remain responsible for the performance of its subprocessors to the same extent Vizbl is responsible for its own processing under this DPA.
Vizbl may update its subprocessors from time to time. Where required by Data Protection Laws, Vizbl will provide notice of material changes to subprocessors and a reasonable opportunity for Customer to object on reasonable data protection grounds.
Customer acknowledges that Customer Personal Data may be processed in the United States and other jurisdictions where Vizbl, its affiliates, or subprocessors operate.
Where required by Data Protection Laws, the Parties will use appropriate transfer mechanisms, including standard contractual clauses, adequacy decisions, or other legally recognized safeguards.
Taking into account the nature of the processing and the information available to Vizbl, Vizbl will provide reasonable assistance to Customer in responding to data subject requests to access, delete, correct, restrict, export, or object to processing of Customer Personal Data, to the extent required by Data Protection Laws.
Customer is responsible for responding to data subject requests unless otherwise required by Data Protection Laws.
Vizbl will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Data.
The notice will describe, to the extent then known, the nature of the Security Incident, the categories of affected data, and the measures Vizbl is taking to contain, investigate, and remediate the Security Incident.
Vizbl’s notification of or response to a Security Incident will not be construed as an admission of fault or liability.
Upon expiration or termination of the applicable Services, Vizbl will delete or return Customer Personal Data in accordance with the applicable agreement, unless retention is required by law or permitted for backup, audit, compliance, security, fraud prevention, or dispute-resolution purposes.
Backup copies may be retained for a limited period in accordance with Vizbl’s standard backup and retention practices, provided that such copies remain protected under this DPA.
Upon Customer’s reasonable written request, Vizbl will provide information reasonably necessary to demonstrate compliance with this DPA.
Any audit must be subject to reasonable confidentiality, security, scope, timing, and frequency limitations and may not unreasonably interfere with Vizbl’s operations or compromise the security of Vizbl’s systems, other customers, or third parties.
To the extent Customer Personal Data includes Personal Information subject to the CCPA/CPRA, Vizbl will process such Personal Information as a Service Provider or Contractor and will not sell or share such Personal Information except as permitted by the CCPA/CPRA.
Vizbl will not retain, use, or disclose such Personal Information outside the direct business relationship between Vizbl and Customer except as permitted by the CCPA/CPRA.
To the extent Customer Personal Data is subject to the GDPR or UK GDPR, Vizbl will process Customer Personal Data as a processor on behalf of Customer and will comply with the processor obligations applicable to Vizbl under such laws.
Where standard contractual clauses are required for international transfers, the Parties agree to enter into or be bound by the applicable standard contractual clauses or another legally recognized transfer mechanism.
Customer is responsible for:
(a) complying with Data Protection Laws applicable to Customer;
(b) providing all legally required notices and obtaining all required consents or legal bases;
(c) ensuring that Customer Personal Data is accurate, lawful, and appropriate for processing through the Services;
(d) configuring and using the Services in a manner consistent with Customer’s legal obligations; and
(e) ensuring that Customer’s instructions to Vizbl comply with Data Protection Laws.
Each Party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the applicable agreement, unless prohibited by Data Protection Laws.
If this DPA conflicts with the applicable agreement, this DPA will control solely with respect to the processing of Customer Personal Data. The applicable agreement will control in all other respects.
Vizbl may update this DPA from time to time. Updates will not materially reduce the protections applicable to Customer Personal Data during the then-current subscription term unless required for legal, regulatory, security, operational, or third-party reasons.