Data Processing Addendum

8th Wall Data Processing Addendum

Addendum Effective Date: 27 December 2022

This Data Processing Addendum (the “Addendum”) is made by and between 8th Wall, LLC (“8th Wall”) and Licensee (“Developer”). This Addendum will be effective and replace any terms previously applicable to the processing of Developer Personal Data from the Addendum Effective Date (as defined above).

This Addendum is incorporated into the Terms and Conditions, license agreement, and/or other commercial agreement between Developer and 8th Wall (“Agreement”) between 8th Wall and the Developer and applies to the extent 8th Wall Processes Developer Personal Data as a Processor on behalf of the Developer. The Addendum is intended to satisfy the requirements of Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679). This Addendum shall be effective for the term of the Agreement.

1. Definitions

1.1. For the purposes of the Addendum:

  • 1.1.1. “Data Protection Legislation” means all applicable legislation relating to data protection and privacy including without limitation the UK GDPR and the EU GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;

  • 1.1.2. "Developer Personal Data" means the Personal Data described under Section 2 of this Addendum, in respect of which the Developer is the Controller;

  • 1.1.3. “EU GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

  • 1.1.4 “GDPR” means, as applicable: (a) the EU GDPR; and/or (b) the UK GDPR.

  • 1.1.5. “Personal Data”, “Data Subject”, “Personal Data Breach”, “Process”, “Processor” and “Controller” will each have the meaning given to them in the GDPR; and

  • 1.1.6. “Restricted Transfer Country” means countries in the European Economic Area and/or the United Kingdom.

  • 1.1.7. “Standard Contractual Clauses” means the Standard Contractual Clauses (Module Two), excluding Clause 7 (Docking), Clause 9 (a)(Option 2), Clause 11 (Option), and Clause 17 (Option 1)) approved by the European Commission in decision 2021/914/EC;

  • 1.1.8. Third Country means:

  • (a) for data processed subject to the EU GDPR: the EEA, or a country or territory not recognized as providing adequate protection under the EU GDPR; and/or

  • (b) for data processed subject to the UK GDPR: the UK, or a country or territory not recognized as providing adequate protection under the UK GDPR and the Data Protection Act 2018;

  • 1.1.9. “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018; and

  • 1.1.10. “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office, in force 21/03/2022.

1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.

2. Details of The Processing

2.1. Categories of Data Subjects. This Addendum applies to the Processing of Developer Personal Data relating to end users of Developer’s products and services.

2.2. Types of Personal Data. Developer Personal Data includes Personal Data, the extent of which is determined and controlled by the Developer in its sole discretion, such as IP address, browser user agent, the make, model, and operating system of end user devices, information related to end users’ use of Developer products that incorporate the Service (i.e., the length of time the Service is running), a unique device/application identifier that cannot be used to track devices across applications or websites, and, with end user permission, camera data from the end user device. Developer Personal Data excludes Personal Data collected through Lightship (including, but not limited to VPS and Niantic Authentication) (“Lightship Personal Data”). If Developer elects to use Lightship features within an 8th Wall project, use of these features shall be subject to the terms set out in https://lightship.dev/legal/terms/ (including the Data Processing Agreement(s) incorporated therein).

2.3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Developer Personal Data by 8th Wall is the provision of the Services to the Developer that involves the Processing of Developer Personal Data. Developer Personal Data will be subject to those Processing activities which 8th Wall needs to perform in order to provide the Services pursuant to the Agreement.

2.4. Purpose of the Processing. Developer Personal Data will be Processed by 8th Wall for purposes of providing the Services set out into the Agreement.

2.5. Duration of the Processing. Developer Personal Data will be Processed for the duration of the Agreement, subject to Section 10 of this Addendum.

3. Processing of Developer Personal Data

3.1. The parties acknowledge and agree that Developer is the Controller of Developer Personal Data and 8th Wall is the Processor of that data. 8th Wall will only Process Developer Personal Data as a Processor on behalf of and in accordance with the Developer’s prior written instructions, including with respect to transfers of personal data. 8th Wall is hereby instructed to Process Developer Personal Data to the extent necessary to enable 8th Wall to provide the Services in accordance with the Agreement.

3.2. If 8th Wall cannot process Developer Personal Data in accordance with Developer’s instructions due to a legal requirement under any applicable European Union or Member State law, 8th Wall will (i) promptly notify the Developer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) cease all Processing of the affected Developer Personal Data (other than merely storing and maintaining the security of the affected Developer Personal Data) until such time as the Developer issues new instructions with which 8th Wall is able to comply. If this provision is invoked, 8th Wall will not be liable to the Developer under the Agreement for failure to perform the Services until such time as the Developer issues new instructions.

3.3. Each of the Developer and 8th Wall will comply with their respective obligations under the Data Protection Legislation. Developer shall ensure that Developer has obtained (or will obtain) all rights and consents (if required) which are necessary for 8th Wall to Process Developer Personal Data in accordance with this Addendum.

3.4. Developer acknowledges that 8th Wall does not maintain Developer Personal Data in a manner that allows 8th Wall to associate the Developer Personal Data with any particular Data Subject. Accordingly, Developer agrees that 8th Wall is not required to provide the assistance offered in Sections 7, 8, and 9 of this Addendum unless (a) the purposes for which Developer processes the Developer Personal Data require Developer to identify the Data Subject and (b) Developer provides 8th Wall with information sufficient to allow 8th Wall to associate the Developer Personal Data with a Data Subject.

3.5. Subject to Clause 3.6 below, to the extent that the Agreement requires the transfer of Developer Personal Data originating from a Restricted Transfer Country to a Third Country, the parties will ensure the transfer is in compliance with Applicable Law. To that end:

  • 3.5.1. the Standard Contractual Clauses are hereby incorporated by reference and shall apply to all such transfers, provided that Annexes 1, 2 and 3 of the Standard Contractual Clauses shall be deemed completed as set forth in Schedule 1 to this Addendum. The parties agree that the notice period in Clause 9(a) of the Standard Contractual Clauses shall be 30 days, and that the law of Belgium shall be the governing law for the purposes of Clause 17 of the EU Standard Contractual Clauses, and the Belgian courts shall have jurisdiction for the purposes of Clause 18(b) of the Standard Contractual Clauses; and

  • 3.5.2. with respect to transfers subject to the UK GDPR, the UK IDTA as set out in Schedule 2 to this Addendum, is hereby incorporated by reference and shall apply in addition to the Standard Contractual Clauses. In the event of a conflict or inconsistency between the Standard Contractual Clauses and the UK IDTA, the provisions which provide the most protection to data subjects shall prevail.

3.6. The Standard Contractual Clauses and/or the UK IDTA will not apply to transfers of data from a Restricted Transfer Country to a Third Country if 8th Wall has adopted Binding Corporate Rules for Processors or an alternative recognized compliance standard for lawful data transfers.

4. Confidentiality

4.1. 8th Wall will ensure that any person whom 8th Wall authorizes to Process Developer Personal Data on its behalf is subject to confidentiality obligations in respect of that Developer Personal Data.

5. Security Measures

5.1. 8th Wall will implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Developer Personal Data (described in Schedule 1, Section D to this Addendum).

5.2. 8th Wall will, at the Developer’s request and subject to the Developer paying all of 8th Wall’s fees at prevailing rates, and all expenses, provide the Developer with reasonable assistance as necessary for the fulfilment of the Developer’s obligation to keep Developer Personal Data secure.

6. Sub-Processing

6.1. Developer authorizes 8th Wall to appoint sub-Processors to perform specific services on 8th Wall’s behalf which may require such sub-Processors to Process Developer Personal Data.. 8th Wall will inform Developer of any intended changes concerning the addition or replacement of any sub-Processors and Developer will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.

6.2. 8th Wall will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to 8th Wall under this Addendum. Where any of its sub-Processors fails to fulfil its data protection obligations, 8th Wall will be liable to the Developer for the performance of its sub-Processors’ obligations.

7. Data Subject Rights

7.1. Subject to Section 3.4, 8th Wall will provide the Developer with assistance necessary for the fulfilment of the Developer’s obligation to respond to requests for the exercise of Data Subjects’ rights. Developer shall be solely responsible for responding to such requests. 8th Wall shall not respond to such requests without Developer’s prior written consent and written instructions.

8. Personal Data Breaches

8.1. 8th Wall will notify the Developer without undue delay after it becomes aware of any Personal Data Breach affecting any Developer Personal Data. At the Developer’s request and subject to Section 3.4, 8th Wall will promptly provide the Developer with all reasonable assistance necessary to enable the Developer to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if Developer is required to do so under applicable Data Protection Legislation. Developer is solely responsible for complying with data incident notification requirements applicable to Developer and fulfilling any third-party notification obligations related to any data incidents.

9. Data Protection Impact Assessment; Prior Consultation

9.1. Subject to Section 3.4, 8th Wall will, at the Developer’s request, provide the Developer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if the Developer is required to engage in such activities under the GDPR, and solely to the extent that such assistance is necessary and relates to the Processing by 8th Wall of the Developer Personal Data, taking into account the nature of the Processing and the information available to 8th Wall.

10. Return or Deletion of Developer Personal Data

10.1. 8th Wall will return or delete, at Developer’s choice, Developer Personal Data to the Developer after the end of the provision of Services relating to the Processing, and delete existing copies unless the applicable European Union or member state law requires storage of the data. Without prejudice to the foregoing, 8th Wall may retain anonymized data pursuant to the Agreement.

11. Information

11.1. 8th Wall will, at Developer’s request and subject to the Developer agreeing to non-disclosure obligations acceptable to 8th Wall and paying all of 8th Wall’s fees at prevailing rates, and all expenses, provide the Developer with all information necessary to enable the Developer to demonstrate compliance with its obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by the Developer or an auditor mandated by the Developer (provided such auditor agrees to confidentiality obligations reasonably acceptable to 8th Wall), to the extent that such information is within 8th Wall’s control and 8th Wall is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out on at least six weeks written notice during regular business hours at a mutually agreeable date and time not more often than once per year. To be clear, all information provided to or received by Developer pursuant to this Section 11.1 shall be considered 8th Wall’s confidential information. 8th Wall will immediately inform Developer if, in its opinion, an instruction from Developer infringes the Data Protection Legislation.

12. Liability

12.1. Each party’s liability towards the other party under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.

12.2. The Developer acknowledges that 8th Wall is reliant on the Developer for direction as to the extent to which 8th Wall is entitled to Process Developer Personal Data on behalf of Developer in performance of the Services. Consequently 8th Wall will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by 8th Wall that results from the Developer’s instructions or from Developer’s failure to comply with its obligations under the applicable data protection law.

13. General Provisions

13.1. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.

SCHEDULE 1

DESCRIPTION OF THE PROCESSING ACTIVITIES / TRANSFER AND DATA IMPORTER TECHNICAL AND ORGANISATIONAL SECURITY MEASURES/ LIST OF SUBPROCESSORS

A. List of Parties

Data Exporter Data Importer
Name: Developer Name: 8th Wall
Address: As notified to 8th Wall Address: As notified to Developer
Contact Person’s name, position and contact details: Developer shall make contact details available on request Contact Person’s name, position and contact details: 8th Wall shall make contact details available on request
Activities relevant to the transfer: See (B) below) Activities relevant to the transfer: See (B) below)
Role: Controller Role: Processor

B. Description of processing/ Transfer

Categories of Data Subjects: The personal data transferred concern the following categories of data subjects: Categories of data subjects include end users of Developer’s products and services, per clause 2.1 of the Addendum.
Purpose of the transfer: The transfer is made for the following purposes: Processing (a) to provide the Services in accordance with the Agreement; (b) to comply with other reasonable instructions provided by the Developer that are consistent with the terms of this Agreement; and (c) to comply with any legal obligations under applicable law.
Categories of Personal Data: The personal data transferred concern the following categories of data: As described in clause 2.2 of the Addendum
Frequency of the transfer: Continuous or one off Continuous
Sensitive Data: The personal data transferred concern the following categories of special / sensitive Personal Data: N/A
Duration of processing Until the termination of the Agreement in accordance with the terms set out therein.
Nature and Subject Matter of the Processing: Personal data transferred will be processed in accordance with the Agreement.
Retention period (or, if not possible to determine, the criteria used to determine that period): In accordance with the Agreement
Subject matter, nature and duration of the processing relevant to transfers to (sub-) processors 8th Wall uses processors as necessary to perform the Services pursuant to the Agreement on a continuous basis for the duration of the retention period.

C. Competent supervisory authority

The competent supervisory authority will be the Belgian Data Protection Authority.

D. Technical And Organisational Measures Including Technical And Organisational Measures To Ensure The Security Of The Data

The technical and organizational security measures implemented by the data importer are described at https://www.8thwall.com/toms.

E. List of Subprocessors (Annex III)

Available on request from 8th Wall.

Schedule 2

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0, in force 21 March 2022

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date Commencement date of the Agreement
The Parties Exporter (who sends the Restricted Transfer) Importer (who receives the Restricted Transfer)
Parties’ details Full legal name: Developer

Trading name (if different): N/A

Main address (if a company registered address): Per Schedule 1 to the Addendum

Official registration number (if any) (company number or similar identifier): Per Schedule 1 to the Addendum

Full legal name: 8th Wall

Trading name (if different): N/A

Main address (if a company registered address): Per Schedule 1 to the Addendum

Official registration number (if any) (company number or similar identifier): Per Schedule 1 to the Addendum

Key Contact Per Schedule 1 to the Addendum Per Schedule 1 to the Addendum
Signature (if required for the purposes of Section 2) This International Data Transfer Agreement Addendum shall be deemed to have been executed on the date that the Agreement was executed. This International Data Transfer Agreement Addendum shall be deemed to have been executed on the date that the Agreement was executed.

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information.

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: Per the Annex to Attachment 2 to this Agreement
Annex 1B: Description of Transfer: Per the Annex to Attachment 2 to this Agreement
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Per the Annex to Attachment 2 to this Agreement
Annex III: List of Sub processors (Modules 2 and 3 only): Per the Annex to Attachment 2 to this Agreement

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum as set out in Section 19:

Either Party

Part 2: Mandatory Clauses

Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 19 of those Mandatory Clauses.