Data Processing Agreement

This Agreement applies between Shapr3D and their Clients (and the Client’s Authorized Affiliates) and forms part of the Terms of Use.

This DPA is made in accordance with Article 28 of the GDPR.

In this DPA, the terms, “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach”, “Process” (and its derivatives), and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws.

1. Clients authorized affiliates


The Client shall remain responsible for the acts and omissions of its Authorized Affiliates. For the avoidance of doubt, the Client entity that is the contracting party to the Agreement shall, on behalf of itself and its Authorized Affiliates: 

  • remain responsible for coordinating, making, and receiving all communication with Shapr3D under this DPA;
  • and exercise any rights herein in a combined manner with Shapr3D under this DPA.

2. Confidentiality


Shapr3D warrants and undertakes to treat as confidential all Client Personal Data which may be derived from or obtained during the contract, or which may come into the possession of Shapr3D or any Personnel because of or in connection with the Services.


Shapr3D shall ensure that its personnel engaged in the Processing of Personal Data are

  • informed of the confidential nature of the Personal Data and have executed written confidentiality agreements;
  • have received appropriate training on their responsibilities, specifically pertaining to security and privacy measures; and
  • only have access to Personal Data to the extent reasonably determined to be necessary in order to perform any obligations, responsibilities, or duties as further specified in this DPA and the Agreement.

Further, to the extent permitted by applicable law, Shapr3D shall ensure that the confidentiality obligations shall survive the termination of the personnel engagement.

3. Access to data


Shapr3D warrants and undertakes to allow access to any Client Personal Data provided by the Client only to persons who are involved in the provision of Services.

4. Data protection law


Shapr3D warrants and represents that it is subject to the territorial scope of the Data Protection Laws as determined in accordance therewith. Shapr3D further agrees that to the extent that it is not in fact subject to the territorial scope of the Data Protection Laws, this DPA shall be deemed automatically void with effect from the Effective Date without the requirement of notice.


Shapr3D shall always comply with the Data Protection Laws and shall not perform its obligations under Services in such a way as to cause the Client to breach any of its applicable obligations under the Data Protection Laws.

5. Data processing


The parties agree that for the Processing of Personal Data by Shapr3D on behalf of the Client, the Client is the Controller, Shapr3D is the Processor, and that Shapr3D will only engage Sub-processors as further detailed in Paragraph 11 “Sub-processing” below.


The Client represents and warrants on an ongoing basis – with regards to GDPR (6) – that there is and will be throughout the term of the Agreement a valid legal basis for Processing by Shapr3D of Client Personal Data in accordance with this DPA and the Agreement (including all instructions issued by the Client from time to time in respect of such Processing).


Considering the nature of the Processing, Shapr3D shall assist the Client by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client’s obligations, as reasonably understood by the Client, to respond to requests to exercise Data Subject rights under the Data Protection Laws.


Shapr3D warrants and undertakes to process Process Client Personal Data only in accordance with instructions from the Client as needed for the Services, or as provided in writing by the Client to Shapr3D from time to time.


Shapr3D warrants and undertakes to process Client Personal Data only to the extent, and in such manner, as is necessary for the purpose of the Services, or as is required by law or any supervisory body and shall process such personal data in compliance with all applicable Data Protection Laws, regulations, orders, standards, and other similar instruments.

6. Notifications


Shapr3D shall notify the Client promptly (but in any event within 1 Business Day) should it:

  • Receive notice of any complaint made to a Supervisory Authority or any finding by a Supervisory Authority in relation to its Processing of Client Personal Data;
  • be under a legal obligation to process Client Personal Data, other than under the instructions of the Client. In which case it shall inform the Client of the legal obligations, unless the law prohibits such information being shared on important grounds of public interest;
  • receives any Data Subject Request on behalf of a Data Subject of Client Personal Data;
  • become aware that in following the instructions of the Client, it shall be breaching Data Protection Laws.

7. Cessation of services


Subject to Paragraph 7.2. upon the date of cessation of any Services involving the Processing of Client Personal Data, Shapr3D shall immediately cease all Processing of the Client Personal Data for any purpose other than for storage.


To the fullest extent technically possible in the circumstances, within forty-five (45) Business Days after the Cessation Date, Shapr3D shall either (at its option):

  • Delete; or
  • irreversibly render anonymized

all Client Personal Data that is within Shapr3D’s possession.


The Client agrees that for the purposes of Article 28 of the GDPR is hereby deemed to have irrevocably selected Deletion, in preference of return, of the Client Personal Data at the Cessation Date.


Parties agree that on the termination of the provision of data processing services related to paid license, Shapr3D offers its Clients the opportunity, to change their paid license to a free license, in which case existing Client Personal Data is migrated to said free license according to free license’s terms as they can be found on Shapr3D’s Application/user Account at Cessation Date. In the case of such migration, Paragraphs 7.1. and 7.2. only apply to Client Personal Data not being migrated.


Shapr3D and any Sub-processor may retain Client Personal Data after Cessation Date where required by applicable law, for such period as may be required by such applicable law, provided that Shapr3D and any such Sub-processor shall ensure that such Client Personal Data is only processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.


The Client acknowledges and agrees that Shapr3D shall be freely able to use and disclose anonymized data derived from Client Personal Data for Shapr3D’s own business purposes without restriction.

8. Security


Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Shapr3D shall in relation to Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.


In assessing the appropriate level of security, Shapr3D shall take account of the risks presented by the Processing, in particular from a Personal Data Breach.


Shapr3D maintains security incident management policies and procedures.

9. Personal data breach


Shapr3D shall notify the Client, without undue delay, of any breach of its security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data, transmitted, stored, or otherwise processed by Shapr3D or its Sub-processors of which Shapr3D becomes aware and which requires notification to be made to the Client, a Supervisory Authority and/or Data Subject under Data Protection Laws and Regulations (a “Security Incident”). Security Incident(s) will not include unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. 


Notification provided under this Section shall not be interpreted or construed as an admission of fault or liability by Shapr3D. Shapr3D shall make reasonable efforts to identify the cause of such Security Incident and take those steps as Shapr3D deems necessary and reasonable to remediate the cause of such a Security Incident to the extent the remediation is within Shapr3D’s reasonable control.


Additionally, upon request, Shapr3D shall provide the Client with relevant information about the Security Incident, as reasonably required to assist the Client in ensuring the Client’s compliance with its own obligations under Data Protection Laws to notify any Supervisory Authority or Data Subject in the event of a Security Incident. The obligations herein shall not apply to incidents that may occur on the Client’s end, and which are caused by the Client or the Client’s users or any non-Shapr3D products or services, which are not processing Client Personal Data on Shapr3D's behalf.


Shapr3D shall at the Client’s sole cost and expense co-operate with the Client and take such reasonable commercial steps as may be directed by the Client to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

10. Audit


Shapr3D shall provide on request all necessary support to the Client to verify Shapr3D’s compliance with its obligations under this Agreement and the Data Protection Laws. The Client may request such information and/or assistance on material change, but maximum once a year.


Shapr3D shall make available to the Client on request such information as Shapr3D (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA.


Subject to Paragraphs 10.5 and 10.6, in the event that the Client (acting reasonably) is able to provide documentary evidence that the information made available by Shapr3D pursuant to Paragraph 10.2 is not sufficient in the circumstances to demonstrate Shapr3D’s compliance with this DPA, Shapr3D shall allow for and contribute to audits by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by Shapr3D.


The Client shall give Shapr3D reasonable notice of any audit or inspection to be conducted under Paragraph 10.3 (which shall in no event be less than fifteen (15) Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 10.5 (f) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any form of damage, and hereby indemnifies Shapr3D in respect of any damage, injury or disruption to Shapr3D’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Shapr3D’s other Clients or the availability of Shapr3D’s services to such other Clients) caused by its Personnel and/or its auditor’s Personnel (if applicable) in the course of any audit or inspection.


Shapr3D need not permit or support an audit or inspection:

  • to any individual unless they produce reasonable evidence of their identity and authority;
  • to any auditor whom Shapr3D has not given its prior written approval (not to be unreasonably withheld);
  • unless the auditor enters into a non-disclosure agreement with Shapr3D on terms acceptable to Shapr3D;
  • where, and to the extent that, Shapr3D considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Shapr3D’s other Clients or the availability of Shapr3D services to such other Clients;
  • outside normal business hours at those premises; or
  • on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which the Client is required to carry out by Data Protection Laws or a Supervisory Authority, where the Client has identified the relevant requirement in its notice to Shapr3D of the audit or inspection.


The Client shall bear any third-party costs in connection with such inspection or audit and reimburse Shapr3D for all costs incurred by Shapr3D and time spent by Shapr3D (at Shapr3D’s then-current professional services rates) in connection with any such inspection or audit.

11. Sub-processing


The Client authorizes Shapr3D to appoint Sub-processors as follows;


Shapr3D may continue to use those Sub-processors already engaged by Shapr3D at the date of this DPA, subject to Shapr3D meeting within a reasonable timeframe (or have already met) the obligations set out in Paragraph 11.4


Shapr3D shall give the Client prior written notice of the appointment of any new Sub-processor, including reasonable details of the Processing to be undertaken by the Sub-processor. The Client may in good faith reasonably object to the use of a new Sub-processor by notifying Shapr3D promptly in writing (email acceptable) within ten (10) Business Days after Shapr3D’s notice. The Client’s notice shall explain the Client’s good faith and reasonable grounds for the objection. Shapr3D and the Client shall try to negotiate to remedy the situation and conclude in a way that is acceptable for both parties. If the parties are unable to resolve the objection via negotiations, Shapr3D will use commercially reasonable efforts to make available to the Client a change in the services or recommend a commercially reasonable change to the Client’s use of the services to avoid Processing of Client Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client.


With respect to each Sub-processor, Shapr3D shall ensure that the arrangement between Shapr3D and the Sub-processor is governed by a written contract including terms that offer at least an equivalent level of protection for Client Personal Data as those set out in this DPA (including those set out in Paragraph 8 and 9).


Shapr3D shall promptly forward any received instructions or requests from the Client to the Sub-processor relating to the Processing.

12. Data transfer


Shapr3D may not transfer or authorize the transfer of Data to countries outside the EU or the European Economic Area (EEA), countries that the European Commission has recognized as providing adequate protection, or the United States of America (USA) without the prior written consent of the Client – this includes Sub-processors. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, Shapr3D shall ensure that the personal data are adequately protected. To achieve this, Shapr3D shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of Client Personal Data.


Shapr3D shall only engage a Sub-processor after assessing the applicable law for the Sub-processor and reasonably concluding that the applicable law does not conflict with Shapr3D’s obligations under the DPA and applicable Data Protection Laws.

13. Liability


Each party’s and all its Affiliates’ liability, in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Shapr3D, whether in contract, tort or under any other theory of liability, is subject to the Terms of Use, and any reference to the liability of a party means the total liability of that party and all its Affiliates under the Agreement and all DPAs together. In case of any contradiction between the Terms of Use and present DPA, this DPA prevails.