This Data Processing Agreement (“DPA”) is an integral part of an agreement or purchase order for the provision of Services (the “Agreement”) between the Customer as indicated in the Agreement and Meetaverse Inc. (“Meetaverse”).
1. Definitions
For the purposes of this DPA the following terms and those defined within the body of this DPA apply. All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement.
- “Attendee/s” means: an individual other than the Authorized User or an entity that Customer has authorized and/or invited to access the Platform as a participant or guest; or an individual whose Personal Data was added to the Platform by the Authorized Users or at Customer’s request by Meetaverse.
- “Affiliate” means an entity that is either controlling, controlled by, or under a common control with the subject matter entity whereby “control” shall mean the direct or indirect holding of more than 50% of equity ownership or voting rights.
- “Authorized User/s” means an individual who is an identified representative of Customer to whom Customer assigns the right to manage and use the Platform for and on behalf of Customer.
- “Customer Personal Data” means Personal Data of Customer’s Authorized Users and Attendees.
- “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules, regulations, and guidelines issued by authorized public authorities to which the Customer Personal Data are subject. “Data Protection Laws” shall include but not be limited to US Data Protection Laws, the EU General Data Protection Regulation 2016/679 (“GDPR”), and Data Protection Act 2018 (“UK GDPR”).
- “IDTA” and “Addendum” mean international data transfer agreement and international data transfer addendum respectively issued under section 119A of the UK GDPR effective as of 21 March 2022 as amended and updated from time to time.
- “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
- “Platform” means Meetaverse’s cloud-based proprietary platform through which Meetaverse provides the Services as more particularly described or identified in the applicable Agreement.
- “Process” or “Processing” has the meaning given to it in the Data Protection Laws and “process”, “processes” and “processed” will be interpreted accordingly.
- “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to Meetaverse.
- “Services” means the services that Meetaverse performs under the Agreement.
- “Standard Contractual Clauses” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021 as available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en.
- “Subprocessor(s)” means vendors and third parties Processing Customer Personal Data for and on behalf of Meetaverse and Customer.
- “US Data Protection Laws” means as applicable any and all applicable acts, laws, rules, and regulations on any state or federal level pertaining to data privacy, data security, and the protection of Personal Data, including without limitation the California Consumer Privacy Act Cal. Civ. Code § 1798.100 et seq. as amended by the California Privacy Rights Act of 2020 and the regulations enacted thereunder, the Colorado Privacy Act 2021 Colo. ALS 483; 2021 Colo. Ch. 483; 2021 Colo. SB. 190, the Connecticut Data Privacy and Online Monitoring Act Conn. Gen. Stat. §42-515 et seq., the Utah Consumer Privacy Act Utah Code Ann. Title 13 Ch. 61, the Virginia Consumer Data Protection Act Va. Civ. Code § 59.1 as well as any future laws, amendments, or regulations that may be enacted or promulgated governing data protection within the United States.
- Any reference to a legal framework, statute, or other legislative enactment is a reference to it as amended or re-enacted from time to time.
2. Subject Matter and Duration
- Scope and Roles. This DPA reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with Meetaverse’s Services pursuant to the Agreement. In this context, Meetaverse is a “Processor” for Customer; while Customer is a “Controller” (as each of those terms is defined in the Data Protection Laws as applicable; any similar corresponding classification shall apply under any applicable Data Protection Laws as defined therein) with respect to Customer Personal Data.
3. Processing Details
- Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
- Duration. The Processing will continue until the expiration or termination of the Agreement.
- Categories of Data Subjects. Customer’s Authorized Users and/or Attendees, Customer’s contact persons for commercial negotiations.
- Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by Meetaverse is the performance of the Services.
- Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement that may contain the following pertaining to Authorized Users and Attendees: (i) first and last name; (ii) email address; (iii) picture; (iv) data regarding use of the Services and interaction with other Authorized Users or Attendees.
4. Data Use and Processing
- Documented Instructions. Meetaverse shall Process Customer Personal Data to provide the Services in accordance with the Agreement, this DPA, any applicable order form and ordering documents, all of which shall constitute Customer’s documented instructions regarding Meetaverse’s processing of Customer Personal Data (“Documented Instructions”). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Meetaverse and Customer, including agreement on any additional fees payable by Customer to Meetaverse for carrying out such instructions. Meetaverse will process Customer Personal Data only in accordance with Documented Instructions. Meetaverse will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Documented Instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Documented Instructions.
- Authorization to Use Subprocessors. Customer hereby grants Meetaverse a general written authorization to use sub-processors to Process Customer Personal Data under this DPA and/or the Agreement. Such sub-processors include, without limitation, all of Meetaverse Affiliates. Customer acknowledges and agrees that Meetaverse Affiliates may engage third-party Subprocessors in connection with the provision of the Services, including other Meetaverse Affiliates.
- Meetaverse and Subprocessor Compliance. Meetaverse agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this DPA; and (ii) remain responsible to Customer for Meetaverse’s Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
- Right to Object to Subprocessors. Where required by Data Protection Laws, Meetaverse will notify Customer via email prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. In the event that Customer’s objection is reasonable, at Meetaverse’s sole discretion, Meetaverse will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially-reasonable change to Customer’s configuration or use of the Service to avoid Processing of Customer Data by the objected-to new Sub-processor without unreasonably burdening the Customer or Meetaverse. If Meetaverse is unable to make available such change that is commercially reasonable to Meetaverse, within a reasonable time period, which shall not exceed thirty (30) days, Customer may terminate the applicable Service with respect only to those aspects of the Service which cannot be provided by Meetaverse without the use of the objected-to new Sub-processor by providing written notice to Meetaverse, however no refund shall be made to Customer.
- Confidentiality Obligations of Meetaverse Personnel. Meetaverse restricts its personnel to Processing Customer Personal Data on a need-to-know basis, for the purpose of fulfilling their roles in connection with the provision of the Services. Meetaverse imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
- Personal Data Inquiries and Requests. Where required by Data Protection Laws, taking into account the nature of the Services, Meetaverse agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.
- US Data Protection Laws. Meetaverse is a “Service Provider” as defined pursuant to U.S. Data Protection Laws. Customer discloses personal data to Meetaverse solely for: (i) a valid business purpose; and (ii) to perform the Services. Meetaverse shall not: (i) sell Customer Personal Data; (ii) collect, retain, use or disclose Customer Personal Data for any purpose other than providing the Services to Customer; and (iii) collect, retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Meetaverse. Meetaverse certifies that it understands the prohibitions outlined in this Section and will comply with them.
- Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Meetaverse agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Meetaverse requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
- Service Optimization. Meetaverse may Process aggregated and/or anonymized data based on the Customer Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
- Aggregation and De-Identification. Meetaverse may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
5. Cross-Border Transfers of Personal Data.
- Cross-Border Transfers of Personal Data. Customer authorizes Meetaverse and its Subprocessors to transfer Customer Personal Data across international borders, including without limitation from the European Economic Area, Switzerland, and/or the United Kingdom to the United States and Israel, and subject to the following terms.
- Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area or Switzerland is transferred by Customer to Meetaverse in a country that has not been found to provide an adequate level of protection under GDPR, Customer and Meetaverse hereby agree to be bound by and comply with the Standard Contractual Clauses. Each party’s signature to the Agreement shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder. The parties agree that the following shall apply:
- Clause 7 of the Standard Contractual Clauses shall not be applicable.
- In Clause 9, option 2 shall apply.
- In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- In Clause 17, option 1 shall apply. To the extent the Data Exporter is established in the EU, the clauses shall be governed by the law of establishment of the Data Exporter. To the extent the Data Exporter is established outside the EU, the clauses shall be governed by the law of Ireland.
- In Clause 18(b) the Parties choose the courts of Dublin, Ireland as their choice of forum and jurisdiction.
- Alternative Data Export Solution. The parties agree that the data export solution identified above may not apply if and to the extent that Meetaverse adopts an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation) outside of the EEA, UK or Switzerland, in which event, Meetaverse shall notify Customer of such alternative data export solution and it shall apply instead. Customer shall reasonably cooperate with Meetaverse to implement such solution.
- Annexes. The parties hereby agree that data processing details set out in Exhibit A of this DPA shall apply for the purposes of Annex 1 of the Standard Contractual Clauses and the technical and organizational security measures set out in Exhibit B of this Addendum shall apply for the purpose of Annex 2 to the Standard Contractual Clauses. Meetaverse shall be deemed the “data importer” and Customer the “data exporter” under the Standard Contractual Clauses.
- Amendment of Standard Contractual Clauses. If the European Commission subsequently amends the Standard Contractual Clauses at a date later than the Effective Date of this DPA, such amended terms will supersede and replace any Standard Contractual Clauses executed between the parties as per Section (b) above.
- Transfer from UK. With respect to any transfer (and any subsequent onward transfer) of Customer Personal Data by Meetaverse from the UK to any country that has not been designated by the UK Government as providing an adequate level of protection for personal data, the parties agree that such processing shall be subject to the IDTA, or if the transfer is already based on Standard Contractual Clauses then, subject to the Addendum, with the applicable necessary changes.
6. Third Party Data Access Requests.
- If Meetaverse becomes subject to a binding order or request for disclosure by a law enforcement authority or other competent government authority involving Customer Personal Data that Meetaverse processes on behalf of Customer then, to the extent that Meetaverse identifies that such legal proceeding is in conflict with applicable Data Protection Laws, Meetaverse shall make reasonable efforts, unless legally prohibited, to:
- Immediately notify Customer of the binding order or request unless such notification is legally prohibited; and use reasonable efforts to assist Customer in its efforts to oppose the request or order, if applicable;
- Inform the law enforcement authority or such other competent government authority that Meetaverse is merely a processor or sub-processor (as applicable) of the Personal Data and is not authorized to disclose the Personal Data without Customer’s consent.
- Request that such law enforcement authority or such other competent government authority direct its request directly at Customer; and
- Use reasonable efforts to assist the Customer in its efforts to oppose the request or order, if applicable;
- If Meetaverse provides access to or discloses Customer Personal Data in response to third party legal process either with Customer authorization or due to a mandatory legal compulsion, then Meetaverse will only disclose such Customer Personal Data to the extent it is legally required to do so and in accordance with applicable lawful process.
- Clauses 6(a) and 6(b) shall not apply in the event that Meetaverse has a good-faith belief the government request is necessary due to an emergency involving immediate danger of death or serious physical injury to an individual. In such event, Meetaverse shall notify Customer of the data disclosure as soon as possible following the disclosure and provide Customer with full details of the same, unless such disclosure is legally prohibited.
- In the event such binding order or any subsequent disclosure or action by Meetaverse prevents or would prevent Meetaverse from complying with the Standard Contractual Clauses or the Documented Instructions of Customer, Meetaverse agrees to promptly inform the Customer of its inability to comply.
7. Information Security.
- Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Meetaverse will use commercially reasonable efforts to implement and maintain administrative, organizational, technical, and physical safeguards designed to ensure a level of security appropriate to the risk to the Customer Personal Data, at least as set forth in Exhibit B hereto.
8. Security Incidents.
- Notice. Upon becoming aware of a Security Incident, Meetaverse agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. Where possible, taking into account the nature of the Services, the information available to Meetaverse, and any restrictions on disclosing the information, such as confidentiality undertakings towards third parties or rights and freedoms of natural persons, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
9. Audits.
- Customer Audit. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may carry out an audit of Meetaverse’s policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit must be: (i) conducted during Meetaverse’s regular business hours; (ii) with reasonable advance notice to Meetaverse; (iii) carried out in a manner that prevents unnecessary disruption to Meetaverse’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
- Use of Audit Reports. Customer may use any audit report(s) only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA. The audit report(s) shall constitute confidential information of both parties hereto.
10. Data Deletion.
- Data Deletion. At the expiry or termination of the Agreement, Meetaverse will, at Customer’s option, delete or return all Customer Personal Data, excluding where Meetaverse is required to retain copies under applicable laws, in which case Meetaverse will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws. Any data retained in backups, which are not readily available for processing, will be erased by the next backup rollout, writing over the previous backup, in accordance with Meetaverse’s backup policy.
11. Indemnity.
- To the extent Meetaverse shall be subject to any enforcement action or any third party claim, based on any acts or omissions of Customer related to the Personal Customer Data, or any failure by Customer to comply with any applicable Data Protection Laws, Customer shall hold Meetaverse harmless and fully indemnify Meetaverse at its first demand, for any expenses, losses and damages, including without limitation, reasonable attorney’s fees and any fines and levies, incurred by Meetaverse in connection with and as a result of such enforcement action or claim.
12. Representations and Warranties.
- Customer represents and warrants to Meetaverse that: (1) it has the right and the authority to provide the Customer Personal Data to Meetaverse for its use of such Customer Personal Data pursuant to the Agreement and this DPA, including cross-border transfers thereof as stipulated hereinabove; (2) it has provided any required notices and to the extent required, has validly obtained any required consents from individuals as required by Data Protection Laws to collect and process their Customer Personal Data, including through Meetaverse; (3) it is fully and solely responsible for the confidentiality, integrity and availability of the Customer Personal Data it collects and provides to Meetaverse (except when and as processed by Meetaverse); (4) the processing of the Customer Personal Data including the provision thereof to Meetaverse will not violate any applicable law; and (5) the essence of this Agreement shall be made available to any Data Subject by Customer upon such Data Subject’s request.
- Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement. Meetaverse will Process Customer Personal Data until the relationship terminates as specified in the Agreement.
- Order of Precedence. If and to the extent language in this DPA or any of its Exhibits conflicts with the Agreement, this DPA shall prevail. In any case of conflict between this DPA and the Standard Contractual Clauses, where the Standard Contractual Clauses apply, the terms of the Standard Contractual Clauses shall prevail.
13. Contact Information.
- Customer and Meetaverse agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for Customer shall be the contact person indicated in the Agreement and for Meetaverse shall be Mr. Meir Harari.
Exhibit A
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s):
- Name: …………………………………………………………………………………………………………………………………
Address: ……………………………………………………………………………………………………………………………..
Contact person’s name, position and contact details: ………………………………………………………………
Activities relevant to the data transferred under these Clauses: ………………………………………………..
Signature and date: ……………………………………………………………………………………………………………..
Role (controller/processor): ………………………………………………………………………………………………….
- ………………………………………………………………………………………………………………………………………….
Data importer(s):
[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
- Name: …………………………………………………………………………………………………………………………………
Address: ……………………………………………………………………………………………………………………………..
Contact person’s name, position and contact details: ………………………………………………………………
Activities relevant to the data transferred under these Clauses: ………………………………………………..
Signature and date: ……………………………………………………………………………………………………………..
Role (controller/processor): ………………………………………………………………………………………………….
- ………………………………………………………………………………………………………………………………………….
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
- Categories of data subjects whose personal data is transferred
- Customer’s Authorized Users and/or Attendees, Customer’s contact persons for commercial negotiations
- Categories of personal data transferred
- Customer Personal Data that is Processed pursuant to the Agreement that may contain the following pertaining to Authorized Users and Attendees: (i) first and last name; (ii) email address; (iii) picture; (iv) data regarding use of the Services and interaction with other Authorized Users or Attendees.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- NA
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- On a continuous basis
- Nature of the processing
- the processing is comprised of storing, analyzing, computing, transferring, organizing and presenting of data as part of the Services, for the benefit of the Customer’s purposes
- Purpose(s) of the data transfer and further processing
- The purpose of the Processing of Customer Personal Data by Meetaverse is the performance of the Services
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- The Processing will continue until the expiration or termination of the Agreement
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Same as the details of processing specified above
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
- Identify the competent supervisory authority/ies in accordance with Clause 13
Exhibit B
- This Exhibit B forms part of the DPA and describes the technical and organizational security measures implemented by the data importer.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s):
- Name: …………………………………………………………………………………………………………………………………
Address: ……………………………………………………………………………………………………………………………..
Contact person’s name, position and contact details: ………………………………………………………………
Activities relevant to the data transferred under these Clauses: ………………………………………………..
Signature and date: ……………………………………………………………………………………………………………..
Role (controller/processor): ………………………………………………………………………………………………….
- ………………………………………………………………………………………………………………………………………….
Data importer(s):
[Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
- Name: …………………………………………………………………………………………………………………………………
Address: ……………………………………………………………………………………………………………………………..
Contact person’s name, position and contact details: ………………………………………………………………
Activities relevant to the data transferred under these Clauses: ………………………………………………..
Signature and date: ……………………………………………………………………………………………………………..
Role (controller/processor): ………………………………………………………………………………………………….
- ………………………………………………………………………………………………………………………………………….
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred
………………………………………………………………………………………………………………………………………………..
Categories of personal data transferred
………………………………………………………………………………………………………………………………………………..
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
……………………………………………………………………………………………………………………………………………….
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
………………………………………………………………………………………………………………………………………………..
Nature of the processing
……………………………………………………………………………………………………………………………………………….
Purpose(s) of the data transfer and further processing
………………………………………………………………………………………………………………………………………………..
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
……………………………………………………………………………………………………………………………………………….
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
………………………………………………………………………………………………………………………………………………
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13
…………………………………………………………………………………………………………………………………………………
ANNEX II
LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
EXPLANATORY NOTE:
This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).
The controller has authorised the use of the following sub-processors:
See DPA