Data Processing Agreement

The Parties agree that, for the Processing of Personal Data by Shapr3D on behalf of the Client, the Client acts as the Controller and Shapr3D acts as the Processor. Shapr3D shall engage Sub-processors only as further detailed in Section 12 (“Sub-processing”).

The Parties acknowledge that the roles described herein apply solely to the Personal Data and Processing activities governed by this DPA and do not extend to any Processing carried out by either Party outside the scope of this DPA.

The detailed scope of the DPA — including the nature and purpose of the Processing, the categories of Personal Data, the categories of Data Subjects, and the duration of the Processing — is set out in Section 16 to this DPA.

The Client shall remain responsible for the acts and omissions of its Authorized Affiliates. For the avoidance of doubt, the Client entity that is the contracting party to the Agreement shall, on behalf of itself and its Authorized Affiliates:

• remain responsible for coordinating, making, and receiving all communication with Shapr3D under this DPA;
• and exercise any rights herein in a combined manner with Shapr3D under this DPA.

Shapr3D warrants and undertakes to treat as confidential all Client Personal Data which may be derived from or obtained during the contract, or which may come into the possession of Shapr3D or any Personnel because of or in connection with the Services.

Shapr3D shall ensure that its personnel engaged in the Processing of Personal Data are

• informed of the confidential nature of the Personal Data and have executed written confidentiality agreements;
• have received appropriate training on their responsibilities, specifically pertaining to security and privacy measures; and
• only have access to Personal Data to the extent reasonably determined to be necessary in order to perform any obligations, responsibilities, or duties as further specified in this DPA and the Agreement.

Further, to the extent permitted by applicable law, Shapr3D shall ensure that the confidentiality obligations shall survive the termination of the personnel engagement.

Shapr3D warrants and undertakes to allow access to any Client Personal Data provided by the Client only to persons who are involved in the provision of Services.

Each Party shall comply with its respective obligations under the Data Protection Laws in relation to the Processing of Personal Data under this DPA.

The Client represents and warrants that it has, and will maintain throughout the term of the DPA, a valid legal basis under Article 6 GDPR (and any other applicable provisions of Data Protection Laws) for the Processing of Client Personal Data in accordance with this DPA and the Client’s documented instructions.

Considering the nature of the Processing, Shapr3D shall assist the Client by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of the Client’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

Considering the nature of the Processing and the information available to Shapr3D, Shapr3D shall assist the Client in ensuring compliance with its obligations under Articles 32–36 GDPR, including by providing reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities, insofar as such assistance relates to the Processing of Client Personal Data carried out by Shapr3D.

Shapr3D shall process Client Personal Data only on documented instructions from the Client, including as necessary for the performance of the Services, unless required to do so by applicable law.

Shapr3D warrants and undertakes to process Client Personal Data only to the extent, and in such manner, as is necessary for the purpose of the Services, or as is required by law or any supervisory body and shall process such personal data in compliance with the Data Protection Laws as defined in this DPA.

Shapr3D is not required to comply with any Client instruction that would require material changes to the Services, impose disproportionate burden or costs, be technically unfeasible, or conflict with applicable law. Where an instruction exceeds the scope of this DPA or the Terms of Use, Shapr3D shall inform the Client, and the Parties may agree on additional services or charges, if applicable.

Shapr3D shall, without undue delay, inform the Client of any complaints, requests, or communications received directly from a Data Subject relating to Client Personal Data,

Shapr3D shall notify the Client without undue delay of any inquiry, investigation, or request from a Supervisory Authority or other competent authority relating to the Processing of Client Personal Data, unless prohibited by law.

Subject to Paragraph 7.2. upon the date of cessation of any Services involving the Processing of Client Personal Data, Shapr3D shall immediately cease all Processing of the Client Personal Data for any purpose other than for storage.

To the fullest extent technically possible in the circumstances, within forty-five (45) Business Days after the Cessation Date, Shapr3D shall either (at its option):

• Delete all Client Personal Data that is within Shapr3D’s possession (including existing copies) or
• Return such Personal Data that is within Shapr3D’s possession

The Client agrees that for the purposes of Article 28 of the GDPR is hereby deemed to have irrevocably selected Deletion, in preference of return, of the Client Personal Data at the Cessation Date, unless otherwise agreed in writing.

Parties agree that on the termination of the provision of data processing services related to paid license, Shapr3D offers its Clients the opportunity, to change their paid license to a free license, in which case existing Client Personal Data is migrated to said free license according to free license’s terms as they can be found on Shapr3D’s Application/user Account at Cessation Date. Such migration shall be deemed a documented instruction, unless otherwise agreed in writing.  Paragraphs 8.1. and 8.2. only apply to Client Personal Data not being migrated.

Shapr3D and any Sub-processor may retain Client Personal Data after Cessation Date where required by applicable law, for such period as may be required by such applicable law, provided that Shapr3D and any such Sub-processor shall ensure that such Client Personal Data is only processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

The Client acknowledges and agrees that Shapr3D shall be freely able to use and disclose anonymized data derived from Client Personal Data for Shapr3D’s own business purposes without restriction.

Taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of the Processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons, Shapr3D shall implement appropriate technical and organizational measures in relation to Client Personal Data to ensure a level of security appropriate to those risks. Such measures shall include, where applicable, the security measures set out in Article 32(1) of the GDPR.

In assessing the appropriate level of security, Shapr3D shall take account of the risks presented by the Processing, in particular from a Personal Data Breach standpoint.

Shapr3D maintains security incident management policies and procedures.

Shapr3D maintains an information security management system certified to ISO 27001 and SOC 2, and implements technical and organizational measures consistent with industry-standard security controls under that framework.

Shapr3D shall notify the Client without undue delay after becoming aware of the Data Breach affecting Client Personal Data. Shapr3D shall thereafter cooperate with the Client and provide further information about the Data Breach as it becomes available (see Paragraph 10.4).

This includes any breach of its security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data, transmitted, stored, or otherwise processed by Shapr3D or its Sub-processors of which Shapr3D becomes aware and which requires, registration in the Client’s inventory, or notification to be made to the Client, a Supervisory Authority and/or Data Subject under Data Protection Laws. This does not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

Notification provided under this Section shall not be interpreted or construed as an admission of fault or liability by Shapr3D. Shapr3D shall make reasonable efforts to identify the cause of such Data Breach and take those steps as Shapr3D deems necessary and reasonable to remediate the cause of such a Security Incident to the extent the remediation is within Shapr3D’s reasonable control.

Upon request, Shapr3D shall provide the Client with relevant information about the Data Breach, as reasonably required to assist the Client in ensuring the Client’s compliance with its own obligations under Data Protection Laws to notify any Supervisory Authority or Data Subject in the event of a Data Breach.

Shapr3D shall at the Client’s sole cost and expense co-operate with the Client and take such reasonable commercial steps as may be directed by the Client to assist in the investigation, mitigation, and remediation of each such Data Breach.

The obligations herein apply only to Data Breaches affecting Client Personal Data processed by Shapr3D under this DPA. They do not extend to incidents that do not involve such data, or that occur entirely within systems or environments outside of Shapr3D’s control.

Shapr3D shall provide on request all necessary support to the Client to verify Shapr3D’s compliance with its obligations under this DPA and the Data Protection Laws. The Client may request such information and/or assistance on material change, but maximum once a year.

Shapr3D shall make available to the Client, upon request, its current ISO 27001 and SOC2 certifications and any other information that Shapr3D (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.

Subject to Paragraphs 11.5 and 11.6, in the event that the Client (acting reasonably) is able to provide documentary evidence that the information made available by Shapr3D pursuant to Paragraph 11.2 is not sufficient in the circumstances to demonstrate Shapr3D’s compliance with this DPA, Shapr3D shall allow for and contribute to audits by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by Shapr3D.

The Client shall give Shapr3D reasonable notice of any audit or inspection to be conducted under Paragraph 11.3 (which shall in no event be less than fifteen (15) Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 11.5 (f) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any form of damage, and hereby indemnifies Shapr3D in respect of any damage, injury or disruption to Shapr3D’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Shapr3D’s other Clients or the availability of Shapr3D’s services to such other Clients) caused by its Personnel and/or its auditor’s Personnel (if applicable) in the course of any audit or inspection.

The Client shall bear any third-party costs in connection with such inspection or audit and reimburse Shapr3D for all costs incurred by Shapr3D and time spent by Shapr3D (at Shapr3D’s then-current professional services rates) in connection with any such inspection or audit.

Shapr3D need not permit or support an audit or inspection:

1. to any individual unless they produce reasonable evidence of their identity and authority;
2. to any auditor whom Shapr3D has not given its prior written approval (not to be unreasonably withheld);
3. unless the auditor enters into a non-disclosure agreement with Shapr3D on terms acceptable to Shapr3D;
4. where, and to the extent that, Shapr3D considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Shapr3D’s other Clients or the availability of Shapr3D services to such other Clients;
5. outside normal business hours at those premises; or
6. on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which the Client is required to carry out by Data Protection Laws or a Supervisory Authority, where the Client has identified the relevant requirement in its notice to Shapr3D of the audit or inspection.

The Client accepts Shapr3D’s trusted Sub-processors, as disclosed on the Subprocessors and AI Service Providers page.

Clients may subscribe to receive a newsletter every time we update our Sub-processor list.

With respect to each Sub-processor, Shapr3D shall ensure that the arrangement between Shapr3D and the Sub-processor is governed by a written contract including terms that offer at least an equivalent level of protection for Client Personal Data as those set out in this DPA (including those set out in Paragraph 9 and 10).

Shapr3D shall promptly forward any received instructions or requests from the Client to the Sub-processor relating to the Processing.

Notwithstanding Paragraph 12.4 Shapr3D remains solely responsible for managing all instructions from the Client towards any Sub-processor. The Client shall not issue instructions directly to any Sub-processor.

Shapr3D shall ensure that any international transfers of Client Personal Data are carried out in accordance with the Client’s documented instructions and in compliance with Chapter V of the GDPR, including by relying on an adequacy decision, the EU–US Data Privacy Framework, Standard Contractual Clauses, or other lawful transfer mechanisms, together with any supplementary measures Shapr3D considers appropriate based on a reasonable assessment of the circumstances.

Shapr3D shall only engage a Sub-processor after assessing the Sub-Processor’s ability to observe Shapr3D’s obligations under the DPA and applicable Data Protection Laws.

Each party’s and all its Affiliates’ liability, in the aggregate, arising out of or in connection with this DPA shall be subject to the liability limitations and exclusions set forth in the Terms of Use. For clarity any reference to a Party’s liability under the Terms of Use includes the total aggregate liability of such Party and all its Affiliates under this DPA and any other DPAs in force between the Parties or their Affiliates. In case of any contradiction between the Terms of Use and present DPA, this DPA prevails solely with respect to data protection matters.

For end users and visitors interacting directly with Shapr3D (e.g., through its website, application, or support channels), Shapr3D acts as an independent Controller, as described in its Privacy Policy. This role is separate from Shapr3D’s role as Processor under this DPA.

For Client Personal Data processed under this DPA, Shapr3D shall inform the Client of any material changes to its Processing practices that would directly affect Shapr3D’s compliance with this DPA, to the extent such changes are not already publicly communicated through its Privacy Policy.

Subject matter of the Processing

The Processing of Client Personal Data as necessary for the provision, operation, maintenance, support, and improvement of the Shapr3D software services and related functionalities under the Agreement.

Nature of the Processing

Shapr3D will carry out the following Processing operations on behalf of the Client:

• collection (to the extent initiated by the Client or its Users),
• storage and hosting,
• transmission,
• structuring and organisation,
• access and retrieval,
• viewing,
• modification (when initiated by the Client),
• deletion,
• backup and recovery,
• logging and security monitoring.

No Processing for Shapr3D’s own purposes will take place.

Purpose of the Processing

The Processing is carried out solely for the purpose of providing the Shapr3D services to the Client, including:

• enabling the use of Shapr3D’s design and CAD functionalities,
• account management,
• service delivery and performance,
• security, stability and fraud-prevention measures,
• customer support,
• service improvements (only with aggregated or anonymized data) unless agreed otherwise.

Categories of Personal Data

Depending on Client configuration and use of the Services, the Processing may include:

• identification data (name, email address, username),
• usage and activity data within the Shapr3D application,
• device and technical data (IP address, logs, diagnostics, performance data),
• billing contact details (if applicable),
• any Client-uploaded content that may incidentally contain personal data.

No special categories of personal data (Art. 9 GDPR) are intended to be processed.

Categories of Data Subjects

• Users authorised by the Client (employees, contractors or other authorised individuals),
• Client’s administrative contacts,
• Client’s billing contacts (if applicable).

Duration of the Processing

For the duration of the Agreement and any retention period explicitly permitted under the Agreement or required by applicable law.

Upon cessation of the Services, Shapr3D shall delete or return Client Personal Data in accordance with Section 7 of this DPA.