Data Processing Agreement
Last Modified: July 11, 2023
1. Introduction
- This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service (the “Terms”) between you and echo3D, Inc. (“echo3D”). You and echo3D are individually a “party” and, collectively, the “parties.”
- This DPA applies where and only to the extent that echo3D processes Personal Data on your behalf in the course of providing the Service and such Personal Data is subject to Data Protection Laws of the appropriate jurisdiction, including the State of California, the European Union (“EU”), the European Economic Area (“EEA”) or its member states, Switzerland or the United Kingdom (“UK”). The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
- The duration of the Processing covered by this DPA shall be in accordance with the duration of the Terms.
2. Definitions
- The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Terms.
- The following terms have the definitions given to them in the CCPA (as defined below): “Business,” “Sell,” “Service Provider,” and “Third Party.”
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data, as defined in Data Protection Laws. “Controller” includes equivalent terms in other Data Protection Laws, such as the CCPA-defined term “Business” or “Third Party,” as context requires.
- “Data Protection Laws” mean California, EU, EEA, Switzerland or UK data protection laws applicable to the processing of Personal Data under the Terms as it relates to you, including Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”), Regulation 2016/679 (General Data Protection Regulation) (“GDPR”), and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 in the UK and the Data Protection Act 2018 (“UK GDPR”).
- “Data Subject” means an identified or identifiable natural person.
- “De-identified Data” means a data set that does not contain any Personal Data. Aggregated data and anonymized data are De-identified Data.
- “EEA” means the European Economic Area.
- “Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data in countries not otherwise recognised as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time).
- “Personal Data” means personal information of California, EU, EEA, Switzerland and UK Data Subjects provided to echo3D by you or on your behalf when you are the Data Controller, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Personal Data” includes equivalent terms in Data Protection Laws, such as the CCPA-defined term “Personal Information,” as context requires.
- “Personal Data Breach” means a breach of security of the Service leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data on systems managed or controlled by echo3D.
- “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- “Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Service Provider,” as context requires.
- “Subprocessor” means a Processor engaged by a party who is acting as a Processor.
- “UK IDTA Addendum” means the Mandatory Clauses of Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
3. Processing of Personal Data
- Roles of Parties. echo3D processes Personal Data on your behalf and as instructed by you, in accordance with the Data Protection Laws, as applicable. echo3D also retains Personal Data it collects as a Controller.
- Appointment. You, as the Controller, appoint echo3D to process Personal Data on your behalf only as is necessary to provide the Service and as may subsequently be agreed to by the parties in writing.
- Legitimacy of Processing. You are responsible for ensuring a valid legal basis for processing the Personal Data. You represent and warrant that you have the consent or other lawful basis necessary to collect Personal Data in connection with the Service.
- Details of Processing. The purposes and details of Processing, including the types of Personal Data involved in the Processing and the parties’ statuses under relevant Data Protection Laws, are described in Schedule 1 of this DPA.
- Compliance with Law. Each party will comply with its respective obligations under the Data Protection Laws in relation to this DPA.
4. Parties’ Obligations
- Cooperation. The parties will provide each other with reasonable cooperation and assistance to enable each party to comply with their respective obligations under the Data Protection Laws.
- Data Subject Requests. echo3D will promptly inform you if echo3D receives a request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law. You will be responsible for responding to such requests. echo3D will not respond to such Data Subjects except to acknowledge their requests. echo3D will provide you with commercially reasonable assistance, upon request, to help you to respond to a Data Subject’s request.
- Supervisory Requests. echo3D will promptly inform you if echo3D receives a request, inquiry, or complaint from a governmental, investigatory, or regulatory authority relating to your Personal Data. echo3D will assist you, insofar as it is commercially reasonable, to fulfill your obligation to respond to requests from such supervisory authorities as required by Data Protection Law. You will promptly notify echo3D if you receive any similar request, inquiry, or complaint, indicating that echo3D may have or is violating Data Protection Laws.
- Data Protection Impact Assessment. Upon request, the parties will provide commercially reasonable information to each other, taking into account the nature of the Processing and the information available to echo3D, to fulfill their respective obligations, if any, to conduct data protection impact assessments, as required by Data Protection Law.
- Confidentiality. The parties will ensure that their employees, independent contractors, agents, and representatives are bound by obligations to keep Personal Data confidential, and will take all reasonable steps to ensure the confidentiality of the Personal Data.
- De-identified Data. The parties may create De-identified Data from Personal Data and Process the De-identified Data for any purpose.
- Data Security. In accordance with Data Protection Laws, as applicable, each party will maintain appropriate technical, administrative, and organizational measures required to: (i) ensure a level of confidentiality and security appropriate to the risks represented by the Processing and the nature of Personal Data; and (ii) prevent unauthorized or unlawful processing of Personal Data, accidental loss, disclosure or destruction of, or damage to, Personal Data. echo3D’s security controls are described in Schedule 2.
5. echo3D’s Obligations as a Processor
- Applicability. echo3D will bear the obligations set forth in this Section 7 only if it Processes Personal Data in its capacity as your Processor. For clarity, these obligations do not apply to echo3D in its capacity as a Controller.
- Scope of Processing. echo3D will only process Personal Data in accordance with the Terms and DPA, and will not use or process Personal Data for any purpose other than in its capacity as Processor appointed by the Controller.
- Return or Deletion of Personal Data. Upon completion of echo3D’s obligations in relation to Processing of Personal Data under this DPA, deactivation of the Services, or upon the Controller’s request, echo3D will either: (i) return all or subsets of the Personal Data in echo3D’s possession to the Controller; (ii) render all or part of Personal Data anonymous in such a manner that the data no longer constitutes personal data; or (iii) permanently delete or render all or parts of the Personal Data unreadable. This obligation shall not apply to the extent echo3D is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data shall be isolated and protected from any further processing, except to the extent required by applicable law.
- Hashed Personal Data. If echo3D receives Personal Data in hashed or otherwise obfuscated format, echo3D will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless the Controller instructs echo3D to do so; and (ii) only share the Personal Data in the format in which echo3D received it from the Controller.
- Providing Evidence. echo3D shall maintain records of its security standards. Upon Controller’s written request, echo3D shall provide, on a confidential basis, copies of relevant external ISMS certifications, audit report summaries, or other documentation reasonably required by Controller to verify echo3D’s compliance with this DPA. echo3D shall further provide written responses, on a confidential basis, to all reasonable requests for information made by Controller, including responses to information security and audit questionnaires, that Controller, acting reasonably, considers necessary to confirm echo3D’s compliance with this DPA, provided that Controller shall not exercise this right more than once per year. echo3D will allow for and contribute to such audits conducted by the Controller or its representatives who are bound by appropriate obligations of confidentiality, if: (i) the Controller provides no fewer than ten business days’ prior written notice to echo3D; (ii) such audit is conducted during echo3D’s normal business hours and in a manner that does not unreasonably interfere with echo3D’s normal business operations; (iii) such audit lasts no longer than three total business days; (iv) in no event is the Controller (or, for avoidance of doubt, any authorized third-party auditor) entitled to access or receive echo3D’s proprietary or confidential information, except to the extent strictly necessary to demonstrate compliance with this DPA; and (v) the Controller is obligated to reimburse echo3D for echo3D’s documented reasonable costs if that audit determines that echo3D is in compliance with this DPA.
- Personal Data Breach. In accordance with Data Protection Laws, as applicable, echo3D will notify you without undue delay of a Personal Data Breach affecting Personal Data echo3D Processes in connection with the Service. Upon request, echo3D will provide information to you about the Personal Data Breach to the extent necessary for you to fulfill any obligations you have to investigate or notify authorities, except that echo3D reserves the right to redact information that is confidential or competitively sensitive. Notifications will be delivered to the email address you provide in your account. You agree that email notification of a Personal Data Breach is sufficient. You agree that echo3D may not notify you of security-related events that do not result in a Personal Data Breach.
7. Subprocessors
- Authorized Subprocessors. You specifically authorize the engagement of echo3D’s affiliates to process Personal Data and you generally authorize the engagement of any other third parties as Subprocessors to process Personal Data.
- Obligations of Subprocessor. In accordance with the Data Protection Laws, as applicable, echo3D will impose legally binding contract terms on each Subprocessor that are as restrictive as those contained in this DPA.
- Restricted Access. echo3D will ensure each Subprocessor only accesses and uses Personal Data to the extent required to perform the obligations subcontracted to it and in accordance with this DPA.
- Updates of Subprocessors. In accordance with Data Protection Laws, as applicable, Schedule 1 contains a list of: (i) all Subprocessors involved in processing Personal Data; (ii) the purposes for which the Subprocessors process Personal Data; and (iii) the location of each Subprocessor. echo3D will notify the Controller via email or other contact methods at least 30 days before adding a new Subprocessor.
- Right to Object. Controller has the right to object to the addition of a new Subprocessor, as described in this Section. If the Controller reasonably objects to the processing of Personal Data by any newly appointed Subprocessor, it will immediately inform echo3D, after which echo3D will instruct the Subprocessor to cease any further processing of Personal Data in connection with echo3D’s provision of Service to Controller under the Terms, and the parties will enter into good faith negotiations to resolve the matter. If the parties are unable to resolve the matter within 15 days of Controller’s reasonable objection (which deadline the parties may extend by written agreement), Controller may terminate the Terms or any statement of work, purchase order, or other written agreements. The parties agree that echo3D has sole discretion to determine whether Controller’s objection is reasonable; however, the parties agree that Controller’s objection is presumptively reasonable if the Subprocessor is a competitor of Controller and Controller has a reason to believe that such competitor could obtain a competitive advantage from the Personal Data echo3D discloses to it, or you anticipate that echo3D’s use of the Subprocessor would be contrary to law applicable to Controller.
- Subprocessor Liability. echo3D acknowledges and agrees that it will remain liable to the Controller for a breach of the terms of this DPA by a Subprocessor and any other subsequent third-party processors appointed by it.
8. International Data Transfer
- If the Controller is established in the EEA, Switzerland or the UK and transfers Personal Data to echo3D, then the Standard Contractual Clauses or the UK IDTA Addendum, as applicable, shall: (i) apply to such transfers; (ii) take precedence over all other terms, including the terms of this DPA, in respect of such transfers; (iii) form a legally binding contract between you as the data exporter and echo3D as or on behalf of the data importer; and (iv) be hereby incorporated into the Terms.
- With respect to Personal Data of EEA, Switzerland and UK data subjects, the Controller and echo3D agree that echo3D may process Personal Data outside the EEA, Switzerland, and the UK where the Data Protection Law requirements (including, where applicable, Articles 44 through 47 GDPR) are fulfilled, or an exception (including, where applicable, those listed in Article 49 GDPR) applies.
- The parties agree that, with respect to the elements of the Standard Contractual Clauses that require the parties’ input, Schedule 1 contains all the relevant information.
Schedule 1
Details of Processing and Subprocessors
1. echo3D as a Controller
When you engage in any of the following Processing activities, you and echo3D are each deemed a Controller (for clarity, echo3D is not a Processor of such Personal Data as it collects your information directly from you):
- You disclose Personal Data to echo3D to provide, operate, and maintain the Service;
- You disclose Personal Data to improve, analyze, and personalize the Service; or
- You contact echo3D for support.
Categories of Personal Data collected by echo3D as a Controller include account registration info, user content, communications, cookies and other tracking technologies, usage of the Service, and third-party accounts. Transfer of such Personal Data is done on a continuous basis.
2. echo3D as a Processor
When you store end-user data or content generated by your users on the Service, you act either as a Controller or as a Processor to a Controller, while echo3D is deemed a Processor (as we process Personal Data you collect from others). The categories of Personal Data collected by echo3D as a Processor will be determined by you. Personal Data relating to individuals provided to echo3D via the Service, by you or at your direction, may include: email address, telephone number, IP address, cookie ID, browser user agent, and actions and events taken on websites and apps, including pages viewed, purchases, searches, check-out events, wish lists, installs, and user registration methods. The frequency of transfer of Personal Data will also be determined by you, and may be continuous.
3. Additional Information for International Data Transfers
- Data Exporter. The data exporter is you, with your contact details being the email address(es) you designated in your echo3D account. The activities relevant to the data transferred include the provision of the Service in accordance with the Terms. The data exporter shall be in the Controller role.
- Data importer. The data importer is echo3D, with our contact details being privacy@echo3D.com. The activities relevant to the data transferred include the provision of the Service in accordance with the Terms. The data importer shall be in the Processor role.
- Subject matter. echo3D’s provision of the Service to you.
- Duration of the processing and retention. For the term of the Terms, plus the period from expiry of the Terms, until the anonymization, return, or deletion of data in accordance with this DPA.
- Nature and purpose. echo3D will process Personal Data for the purposes of providing the Service to you in accordance with and as described in the Terms and this DPA.
- Sensitive data transferred. Not applicable.
- Data subjects. Data subjects include individuals in the EEA, Switzerland or the UK about whom personal data is provided to echo3D via the Service by you or at your direction as a Controller.
- Competent Supervisory Authority. The competent supervisory authority will be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).
- Dispute Resolution. The parties do not select the independent dispute resolution option.
- Jurisdiction. The parties select Netherlands as the Member State and agree that the competent courts will be the courts of Netherlands.
- Schedules. The parties agree that Schedule 1 describes the transfer and that Schedule 2 describes the technical and organizational measures applicable to the transfer.
4. echo3D’s Subprocessors
Below are the Subprocessors we use when providing you with the Service. We will update the list below whenever we add a new affiliate or third-party Subprocessor.
echo3D affiliates:
N/A
Third-party Subprocessors:
- Amazon Web Services
  - Processing activities: Hosting and storage
  - Location: Global
- Google Cloud Platform
  - Processing activities: Hosting and storage
  - Location: Global
- Microsoft Azure
  - Processing activities: Hosting and storage
  - Location: Global
- Digital Ocean
  - Processing activities: Hosting and storage
  - Location: Global
- HubSpot
  - Processing activities: CRM data
  - Location: United States
- Sendgrid
  - Processing activities: Communication
  - Location: United States
Schedule 2
Technical and Organizational Security Measures
- Adopting and implementing a written information security policy consistent with industry standards, which includes administrative, technical, and physical safeguards appropriate to the nature of the Personal Data and which is designed to protect such information from: unauthorized access, destruction, use, modification, or disclosure; unauthorized access to or use that could result in substantial harm or inconvenience to the Controller, the Controller's customers, or the Controller's employees; and any anticipated threats or hazards to the security or integrity of such information;
- Assigning responsibility for information security management;
- Devoting adequate personnel resources to information security;
- Requiring employees, vendors, and others with access to the Personal Data to enter into written confidentiality agreements;
- Requirements-driven authorization scheme and access rights, which includes limiting access authorization for the Personal Data to those employees, vendors, and others who have a “need-to-know,” and conducting periodic access reviews to update or remove access rights;
- Implementing data anonymization measures such that certain user data is kept separate from hosted content;
- Conducting training to make employees aware of information security risks and to enhance compliance with echo3D policies and standards related to data protection;
- Preventing unauthorized access to the Personal Data through the use, as appropriate, of physical (access ID cards) and logical (passwords) entry controls, encryption and authentication technology, log-on procedures, and other standards related to data protection on an ongoing basis;
- Adopting and implementing policies for allowing data portability and ensuring erasure, as set forth in our Privacy Policy;
- Data transmission control measures such as encryption in transit between your application and echo3D;
- Data entry control measures to ensure echo3D can check whether and by whom the Personal Data has been input into data processing systems, modified, or removed;
- Security testing measures to ensure information security practices remain relevant and up to date, including conducting post-mortems on any actual incidents in order to update the relevant disaster recovery plans;
- Subprocessor supervision measures, including policies to limit engagement to only reputable third-party services, as well as measures to ensure that the Personal Data is protected from accidental destruction or loss, including data backup and retention policies;
- Taking such other steps as may be appropriate under the circumstances.
Note that when echo3D is acting as a Processor on your behalf (whether you act as a Controller or a Processor), it is your responsibility to set up measures to ensure (i) the encryption of personal data, (ii) ongoing confidentiality, integrity, availability and resilience of your processing systems and services, including backup and redundancy mechanisms to protect your content data, (iii) regular testing, assessment and evaluation of the effectiveness of technical and organizational measures in order to ensure the security of the processing, (iv) user identification and authorization, (v) protection of data during transmission, (vi) protection of data during storage, (vii) events logging, (viii) internal IT and IT security governance and management, (ix) certification/assurance of processes and products, (x) data minimisation, data quality, limited data retention, and accountability, (xi) data portability and erasure, and (xii) assistance to you in transfers from processor to the controller and from a processor to a subprocessor.