This Independent Controller Data Processing Addendum (“Addendum”) supplements the Agreement (defined below) entered into by and between Shapeways Holdings, Inc., d/b/a Otto, and its affiliates (“Otto”) and the customer entity that is subject to the Agreement (“Customer”) (each of Otto and Customer, a “Party” and together, the “Parties”).  We may update this Addendum from time to time, and we will provide reasonable notice of any such updates. Any terms not defined in this Addendum shall have the meaning set forth in the Agreement.

1. Definitions
   1. “Agreement” means (as applicable) that certain Terms and Conditions, which can be found at ottosoftware.com/terms-and-conditions
   2.  “Applicable Law(s)” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: (i) the California Consumer Privacy Act (“CCPA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection, (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case, as updated, amended or replaced from time to time. The terms “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing”, “processor,” “controller,” and “supervisory authority” shall have the meanings set forth in the GDPR.
   3. “Standard Contractual Clauses” means (i) with respect to ex-EEA Transfers, Module 1 (Controller-to-Controller) of the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time) (the “EU SCCs”), and (ii) with respect to ex-UK Transfers, controller-to-controller clauses as approved by the European Commission in Commission Decision 2004/915/EC, dated 27 December 2004 (as amended and updated from time to time) (“UK SCCs”).
   4. “Data Exporter” means Otto.
   5. “Data Importer” means Customer.[GDSVF&H2] 
   6. “Data Subject Rights” means the rights recognized and granted to Data Subjects with respect to their Personal Data under Applicable Laws.
   7.  “ex-EEA Transfer” means the transfer of Personal Data, which is processed in accordance with the GDPR, from the Data Exporter to the Data Importer (or its premises) outside the European Economic Area (the “EEA”), and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.
   8. “ex-UK Transfer” means the transfer of Personal Data, which is processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer (or its premises) outside the United Kingdom (the “UK”), and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR and the Data Protection Act 2018.
   9. “Restricted Transfers” shall mean ex-EEA Transfers and/or ex-UK Transfers, as applicable.
   10.  “Services” shall have the meaning set forth in the Agreement

2. Independent Controllers
   1. The Parties acknowledge and agree that each Party shall act as an independent Controller with respect to any Personal Data collected or processed in connection with the Services. The Parties understand and agree that they (a) are acting, and shall act, independently of one another in their respective processing of such Personal Data, and are not and shall not be ‘joint controllers’ of such Personal Data within the meaning of Article 26(1) of the GDPR; (b) shall provide reasonable cooperation and assistance to the other Party as necessary for the other Party’s compliance with Applicable Laws (at the other Party’s reasonable expense) with respect to such Personal Data; and (c) shall be bound by the Standard Contractual Clauses with respect to any Restricted Transfers of such Personal Data that are made between them. Each Party will be responsible for its compliance with Applicable Laws.
   2. Without limiting the foregoing, each Controller agrees to the following:
      1. Each Controller shall maintain a publicly-accessible privacy policy on its mobile applications and websites that satisfies all applicable transparency and notice requirements as required by Applicable Laws with respect to Processing of Personal Data, and shall delete or destroy all Personal Data upon the conclusion of its purpose for Processing such Personal Data.
      2. In the event that either Controller receives a request from a Data Subject relating to the Processing of such Data Subject’s Personal Data by the other Controller, the Controller receiving such request will (a) promptly notify the other Controller of such request, (b) direct the Data Subject to such other Controller in order to enable such other Controller to respond directly to the Data Subject’s request, and (c) reasonably cooperate with such other Controller in responding to such request.  Without limiting the foregoing, Client agrees that it will promptly (and in any event within five (5) business days) notify Otto of any Data Subject request pursuant to Article 16 (Right to rectification), Article 17 (Right to erasure), or Article 18 (Right to restriction of processing) of the GDPR that relates in any way to the Personal Data.
      3. Each Controller shall implement appropriate technical and organizational measures to protect the Personal Data, including, without limitation, the measures described in Exhibit B In the event that either Controller suffers a Personal Data Breach, such Controller shall notify the other Controller without undue delay and the Parties shall reasonably cooperate with each other in taking such measures as may be necessary to notify affected Data Subjects, comply with each Party’s obligations under Applicable Laws, and to mitigate or remedy the effects of such Personal Data Breach.
      4. If and to the extent either Controller transfers any Personal Data to any third-party data processor, such Controller shall first enter into contractual arrangements with such third party data processors obligating such processor to Process the Personal Data in accordance with the requirements of the GDPR.

3.  Restricted Transfers.
   1. Standard Contractual Clauses. The Parties acknowledge and agree that where the Standard Contractual Clauses apply, (a) Exhibit B of this Addendum serves as Annex B of the UK SCCs., (b) Exhibit A to this Addendum contains the information required in Annex I of the EU SCCs; (c) Exhibit B to this Addendum contains the information required in Annex II of the EU SCCs; and (d) the Party receiving the Personal Data in a Restricted Transfer shall process the Personal Data received in such Restricted Transfer in accordance with the data processing principles set forth in Exhibit A hereto, as applicable. By entering into this Addendum, the Parties are deemed to have signed the SCCs incorporated herein, including their Annexes
      1. Ex-EEA Transfers. With respect to the EU SCCs, which are deemed entered into and incorporated into this Addendum by reference, shall be modified as follows:
   2. The optional docking clause in Clause 7 do not apply;
      1. In Clause 11, the optional language does not apply;
      2.  All square brackets in Clause 13 are hereby removed;
      3. In Clause 17 (Option 1), the EU SCCs will be governed by the laws of The Netherlands;
      4. In Clause 18(b), disputes will be resolved before the courts of The Netherlands
   3. Ex-UK Transfers. The Parties agree that ex-UK Transfers are made pursuant to the UK SCCs, which are deemed entered into and incorporated into this Addendum by reference, and completed as follows:
      1. References to the GDPR will be deemed to be references to the UK GDPR and the UK Data Protection Act 2018, references to “supervisory authorities” will be deemed to be references to the UK Information Commissioner, and references to “Member State(s)” or the EU will be deemed to be references to the UK.
      2. Clause II(h) of the UK SCCs shall be deemed to state that Otto will process Personal Data in accordance with the data processing principles set forth in Annex A of the UK SCCs. The illustrative commercial clause does not apply. Clause IV (Governing Law) shall read “The Clauses shall be governed by the law of the Member State in which the data exporter is established, but without prejudice to the rights and freedoms that data subjects may enjoy under their national data protection laws.”
      3. The parties acknowledge and agree that if the UK SCCs are replaced or superseded by new standard contractual clauses issued and approved pursuant to Article 46 of the UK GDPR and related provisions of the UK Data Protection Act 2018 (“New UK SCCs”), the Data Importer may give notice to the Data Exporter and, with effect from the date set forth in such notice, the application of the UK SCCs set forth in this Addendum shall be amended so that the UK SCCs cease to apply to ex-UK Transfers, and the New UK SCCs specified in such notice shall apply going forward. To the extent that the use of the New UK SCCs require the parties to complete additional information, the parties shall reasonably and promptly work together to complete such additional information.
   4. Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:
      1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
      2. The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.
      3. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Section 13 shall be observed.
      4. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCC.
   5. Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:
      1. As of the date of this Addendum, the Data Importer has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the Personal Data is being exported, for access to (or for copies of) Customer’s Personal Data (“Government Agency Requests”).
      2. If, after the date of this Addendum, the Data Importer receives any Government Agency Requests, Data Importer shall attempt to redirect the law enforcement or government agency to request that data directly from Data Exporter. As part of this effort, Data Importer may provide Data Exporter’s basic contact information to the government agency. If compelled to disclose Data Importer’s Personal Data to a law enforcement or government agency, Data Importer shall give Data Exporter reasonable notice of the demand and cooperate to allow Data Exporter to seek a protective order or other appropriate remedy unless Data Importer is legally prohibited from doing so. Data Importer shall not voluntarily disclose Personal Data to any law enforcement or government agency. Data Exporter and Data Importer shall (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this Addendum should be suspended in the light of the such Government Agency Requests; and
      3. The Data Exporter and Data Importer will meet regularly to consider whether:
         1.  the protection afforded by the laws of the country of the Data Importer to data subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA or the UK, whichever the case may be;
         2.  additional measures are reasonably necessary to enable the transfer to be compliant with the Applicable Laws; and
         3. it is still appropriate for Personal Data to be transferred to the relevant Data Importer, taking into account all relevant information available to the parties, together with guidance provided by the supervisory authorities.
      4. If Applicable Laws require the Data Exporter to execute the Standard Contractual Clauses applicable to a particular transfer of Personal Data to a Data Importer as a separate agreement, the Data Importer shall, on request of the Data Exporter, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by the Data Exporter to reflect the applicable appendices and annexes, the details of the transfer and the requirements of the relevant Data Protection Laws.
      5. If either (i) any of the means of legitimizing transfers of Personal Data outside of the EEA or UK set forth in this Addendum cease to be valid or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, the parties shall cooperate to amend or put in place alternative arrangements in respect of such transfers, as required by Applicable Laws.
4. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this Addendum; and (3) the Agreement. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.

EXHIBIT A

Details of Processing

The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.

1.       The Parties

Data Exporter(s): Shapeways Holdings, Inc., d/b/a Otto, and its affiliates

Address: 228 Park Avenue S, PMB 15839, New York, NY 10003

Contact person’s name, position and contact details: Jeffrey Shieh, Legal Counsel, [email protected]

Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, as of the Effective Date of the Agreement.

Role (controller/processor): Controller

Data Importer: The Customer

Contact details: As designated by Customer in Customer’s Account. [GDSVF&H5] 

Signature and date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses incorporated herein, as of the Effective Date of the Agreement.

Role (controller/processor): Controller

2.       Description of the Transfer

Data Subjects	Customer’s end-users/customers
Categories of Personal Data	Categories of Personal Data shall include: Name, Username, Shipping Address, Billing address, IP Address, Email address, Telephone number, Products purchase history, Physical location, Browsing history, click history, Tax ID number
Special Category Personal Data (if applicable)	N/A
Nature and Purpose of the Processing	Otto: To provide the Services or and to perform all other obligations as provided in the Agreement, including, without limitation:Receiving data, including collection, accessing, retrieval, recording, and data entryHolding data, including storage, organization and structuringUsing data, including analysis, consultation, testing, automated decision making and profilingUpdating data, including correcting, adaptation, alteration, alignment and combinationProtecting data, including restricting, encrypting, and security testingSharing data, including disclosure, dissemination, allowing access or otherwise making availableReturning data to the data exporter or data subjectErasing data, including destruction and deletion

Customer: To process Personal Information in connection with services or products Customer provides to Data Subjects.
Duration of Processing and Retention (or the criteria to determine such period)	As described in Section 2.2.1 of the Addendum.
Frequency of the transfer	As necessary to complete each Party’s respective purposes of processing.
Recipients of Personal Data Transferred to the Data Importer	Each Party will be responsible for maintaining a list of its respective subprocessor.

3.       Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs.

EXHIBIT B

Description of the Technical and 

Organizational Security Measures implemented by the Data Importer

The following includes the information required by Annex II of the EU SCCs and Appendix 2 of the UK SCCs.

Technical and Organizational Security Measure	Details
Measures of pseudonymisation and encryption of personal data	Firewall in place to help prevent outsiders from gaining unauthorized access to private data on systems.Data transfers between systems encrypted end-to-end via the HTTPS protocol, with SSL/TLS certificates.Personally Identifiable Information (PII) and/or Protected Health Information (PHI) on systems cryptographically encrypted while at rest.Physical and administrative security controls in place to limit access to private data on systems.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services	Systems constructed/configured in a High Availability manner such that essential services only ever experience minimal service interruptions.Tests performed regularly on systems to ensure that they’re functioning correctly; and that they’re performing within acceptable industry standards.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident	Incremental backups of private data performed on a daily basis; and each backup stored in a secure location that’s readily accessible for a minimum period of seven (7) calendar days.Full backups of private data performed on a weekly basis; and each backup stored in a secure location that’s readily accessible for a minimum period of thirty (30) calendar days.All backups tested on a monthly basis to ensure that the private data therein can be fully recovered.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing	All systems regularly tested to ensure that they’re functioning correctly; and that they’re performing within acceptable industry standards.
Measures for user identification and authorization	All systems protected by a cryptographically strong password that adheres to the latest recommendations from the National Institute of Standards and Technology (NIST).  If applicable, two-factor authentication (2FA) and/or Single Sign-On (SSO) enabled by default.
Measures for the protection of data during transmission	Data transfers between systems encrypted end-to-end via the HTTPS protocol, with SSL/TLS certificates.
Measures for the protection of data during storage	Personally Identifiable Information (PII) and/or Protected Health Information (PHI) on systems cryptographically encrypted while at rest.Physical and administrative security controls in place to limit access to private data on systems.
Measures for ensuring physical security of locations at which personal data are processed	All onsite visitors recorded in an access log; given a badge that clearly and visibly identifies them as a visitor; and escorted at all times by an authorized personnel.All terminated onsite personnel and expired visitor identification (such as ID badges) have their access revoked immediately.
Measures for ensuring events logging	A system access log and/or an event log maintained for a minimum period of seven (7) calendar days.  Said log containing a datetime stamp for each event; a list of the data accessed or commands ran or locations visited; the Internet Protocol (IP) address of the user, if available; the user’s username, if available; and, any other pertinent metadata that might be useful in monitoring, auditing, and/or tracing user activity; or, for debugging purposes.
Measures for ensuring system configuration, including default configuration	All default passwords on third-party provided hardware and/or software systems changed immediately to cryptographically strong passwords that adhere to the latest recommendations from the National Institute of Standards and Technology (NIST).
Measures for internal IT and IT security governance and management	N/A
Measures for certification/assurance of processes and products	N/A
Measures for ensuring data minimisation	Personally Identifiable Information (PII) and/or Protected Health Information (PHI) limited to what is necessary in relation to the purpose(s) for which the data was originally acquired and processed.
Measures for ensuring data quality	N/A
Measures for ensuring limited data retention	Personally Identifiable Information (PII) and/or Protected Health Information (PHI) not kept for longer than is necessary in relation to the purpose(s) for which the data was originally acquired and processed.PII and PHI data in compliance with the European Union’s General Data Protection Regulation (GDPR), the U.S. state of California’s Consumer Privacy Act (CCPA), and any other applicable laws pertaining to privacy rights and/or the “right to be forgotten”.
Measures for ensuring accountability	An annual audit performed by a qualified third-party vendor to ensure that the policies and procedures stated herein are being adhered to; especially pertaining to private data protections and system security.All personnel that interact with Personally Identifiable Information (PII) and/or Protected Health Information (PHI) trained, and then annually re-trained, on how best to handle and secure such data by a nationally accredited institution.
Measures for allowing data portability and ensuring erasure	PII and PHI data in compliance with the European Union’s General Data Protection Regulation (GDPR), the U.S. state of California’s Consumer Privacy Act (CCPA), and any other applicable laws pertaining to privacy rights and/or the “right to be forgotten”.
Technical and organizational measures of sub-processors	The Company enters into Data Processing Agreements with its sub-Processors with data protection obligations substantially similar to those contained in this Addendum.