Last updated: March 26, 2026This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Miris Terms of Service or other written agreement between Miris and Customer (the “Main Agreement”) when the GDPR or other data protection laws require a contract for the processing of personal data. This DPA reflects the parties’ agreement on the processing of personal data in connection with the Services.
Effective Date: This DPA is effective as of the later of (a) May 25, 2018 (the GDPR effective date) or (b) the effective date of the Main Agreement. By using the Services after that date or by otherwise signing this DPA, Customer agrees to this DPA on behalf of itself and its Affiliates.
For the purposes of this DPA:
1.1 “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is processed by Miris on behalf of Customer as part of the Services. It corresponds to “personal data” or “personal information” as defined under Applicable Data Protection Laws, to the extent such data is contained in Customer Content or is generated through Customer’s use of the Services.
1.2 “Processing,” “Controller,” “Processor,” and “Data Subject” have the meanings given to them in the EU General Data Protection Regulation 2016/679 (“GDPR”) and UK GDPR, or equivalent terms under other Applicable Data Protection Laws. In summary, Controller determines the purposes and means of processing personal data and Processor processes personal data on behalf of a controller.
1.3 “Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Main Agreement. This includes, where applicable, EU and UK Data Protection Laws (GDPR and national laws), the California Consumer Privacy Act (CCPA) as amended by CPRA, and any other applicable privacy laws.
1.4 “EU and UK Data Protection Laws” refers collectively to the GDPR and any applicable legislation of EU Member States, the UK Data Protection Act 2018 and UK GDPR, Swiss Federal Act on Data Protection, and any other European privacy laws.
1.5 “Standard Contractual Clauses” or “SCCs” means the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries, adopted by Commission Implementing Decision (EU) 2021/914 on June 4, 2021, including the relevant modular terms (as may be amended or superseded).
1.6 “Data Privacy Framework” means the EU-U.S. Data Privacy Framework program and related UK and Swiss extensions administered by the U.S. Department of Commerce, which may be used as a transfer mechanism once in force.
1.7 “Sub-processor” means any third party (including any Miris Affiliate) engaged by Miris to process Personal Data on behalf of Customer in order to deliver the Services. Sub-processors may include cloud service providers, data center operators, and other vendors.
1.8 The terms “Miris,” “Customer,” “Services,” and “Main Agreement” have the same meaning as in the Main Agreement. In this DPA, the term “Miris” includes Miris, Inc. and all its Affiliates to the extent they are involved in processing Personal Data to provide the Services. “Customer” includes the entity that signed the Main Agreement and its Affiliates to the extent such Affiliates use the Services.
Any capitalized terms not defined in this DPA shall have the meaning given to them in the Main Agreement.
Subject Matter: The subject matter of the processing is the Personal Data which is uploaded to, stored in, or generated via the Services under the control of Customer, as necessary to provide the Services and as further instructed by Customer.
Duration: Miris will process Personal Data for the duration of the Main Agreement, until deletion of all Personal Data as described in this DPA.
Nature and Purpose: The purpose of processing Personal Data is to provide the Services to Customer in accordance with the Main Agreement (including this DPA). This includes processing to transmit, store, and display content to End Users, to secure and improve the Services, to troubleshoot and support the Services, and any other activities described in the Main Agreement. Miris will not process Personal Data for any purposes other than those instructed by Customer and permitted by the Agreement, except where required by law (in which case, Miris will inform Customer unless prohibited).
Type of Personal Data: Personal Data processed may include identifiers (such as IP addresses, unique IDs), contact information of Customer’s end users if provided, device and network information, usage data (log files, telemetry), and any other personal data Customer chooses to include in the content or transmit through the Services. Customer should not deliberately include special categories of data in the Services, and none is needed for Service use. Miris does not need or request any sensitive personal data for standard operations.
Categories of Data Subjects: Data Subjects may include Customer’s employees and contractors who use the Services, and end users of Customer’s websites or applications who interact with content delivered via Miris (who may be Customer’s customers or users). Data Subjects may also include individuals whose data is included in Customer Content. Typically, these are individuals related to Customer’s business (B2B context) and not minors or general public, but that depends on Customer’s use case.
Customer (the Controller) should ensure that these details align with its own records of processing. Miris makes these details available as part of this DPA to satisfy GDPR Art. 28 requirements.
3.1 Controller and Processor: As between the parties, Customer is the Controller of Personal Data and Miris is the Processor when Miris processes Personal Data on Customer’s behalf as part of providing the Services. Customer will comply with its obligations under Applicable Data Protection Laws as a Controller (including obtaining any necessary consents, providing required notices, and having a valid legal basis for processing). Miris shall process Personal Data only as a Processor acting on Customer’s documented instructions (as set out in Section 3.2 below) except where otherwise required by applicable law.
3.2 Customer’s Instructions: By entering into the Main Agreement, Customer instructs Miris to process Personal Data to provide the Services in accordance with the Agreement, including (i) to perform the actions initiated by Users via the Service interfaces (which constitute instructions by Customer), and (ii) to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Miris will not retain, use, or disclose Personal Data except as necessary for the specific purpose of performing the Services or as otherwise permitted by Customer’s instructions. If Miris believes an instruction violates Applicable Data Protection Laws, Miris shall inform Customer (unless legally prohibited from doing so) and may suspend such processing until clarified or modified.
3.3 Additional Use for Improvements: The parties acknowledge that Miris may process certain data (which may include Personal Data in limited cases) for the purpose of product improvement and analytics, as described in the Main Agreement (e.g., usage data to improve the network and algorithms). To the extent such processing falls outside Customer’s instructions necessary for Service delivery, the parties agree that either (a) Customer provides a general authorization and instruction for Miris to process data for these purposes (which Miris will do in compliance with Applicable Data Protection Laws, including by anonymizing or pseudonymizing data where feasible and handling as a controller if required), or (b) Miris will ensure any processing for its own improvement purposes is done in a manner that does not identify Customer or any Data Subject (thus not personal data). Customer may opt-out of certain improvement-related processing as set forth in the Main Agreement, in which case Miris will exclude Customer’s Personal Data from those uses. The provisions of this DPA primarily cover Miris’s role as Processor; any processing Miris conducts as an independent Controller is outside the scope of GDPR Article 28 and is instead covered by our Privacy Policy or other arrangement.
3.4 Customer Affiliates: Customer’s Affiliates may be co-Controllers with Customer of Personal Data and may benefit from the Services under the Main Agreement. Miris will, if directed by Customer, treat any instructions from Customer’s Affiliates as if issued by Customer itself. Customer shall be responsible for any of its Affiliate’s actions in relation to this DPA, including making any required authorizations or notifications to those Affiliates.
Miris agrees to the following with respect to any Personal Data processed on Customer’s behalf in the course of providing Services:
4.1 Compliance with Instructions: Miris will only process Personal Data on documented instructions from Customer (as per Section 3.2), including with regard to transfers of Personal Data to a third country, unless required to do otherwise by applicable law. In such case, Miris will inform Customer of that legal requirement before processing (unless law prohibits such disclosure on important grounds of public interest).
4.2 Confidentiality: Miris will ensure that all personnel (including employees and contractors) authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Miris will not access or disclose Personal Data to third parties unless permitted by Customer or this DPA, except as necessary to comply with a legally binding request as described in Section 8 below.
4.3 Security: Miris will implement and maintain appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Security Incident”). These measures are described in Annex 2 (Security Measures) of this DPA. Miris regularly monitors compliance with these measures and will not materially decrease the overall security of the Services during the term. Customer acknowledges that it has reviewed the Security Measures and deems them sufficient for its purposes.
4.4 Sub-processors: Customer grants Miris a general authorization to engage Sub-processors as needed to provide the Services. A current list of Sub-processors is available at Miris’s website or upon request (including the identities and locations). Miris shall: (a) impose on its Sub-processors data protection obligations that are at least as protective as those in this DPA, including obligations to process Personal Data only per Miris’s instructions, and to protect Personal Data to at least the standard provided here; and (b) remain liable for any breach of the DPA caused by a Sub-processor’s act or omission. Sub-processor Changes: Miris will inform Customer in advance of any intended addition or replacement of Sub-processors, by updating the Sub-processor list and notifying Customer (e.g., via email or portal) at least 3 days before the change. If Customer has a reasonable basis to object to the new Sub-processor on data protection grounds, it must notify Miris in writing within 10 days of the notice. The parties will discuss the objection in good faith. If Miris cannot reasonably accommodate Customer’s objection (for instance, by not using the proposed Sub-processor for Customer’s data) and the Customer continues to object, Customer may, as its sole remedy, terminate the affected Service upon written notice to Miris and receive a refund for any prepaid fees covering the remainder of the term for the terminated Service. If Customer does not object within the 10-day period, Customer is deemed to have approved the Sub-processor.
4.5 Assistance to Customer: Taking into account the nature of processing and the information available to Miris, Miris will assist Customer in fulfilling its obligations under Applicable Data Protection Laws, including: (a) Cooperating with Customer in conducting Data Protection Impact Assessments (DPIAs) and related consultations with supervisory authorities if required; (b) Providing reasonable assistance with Customer’s obligation to respond to data subject requests (see Section 5 below); and (c) Providing information about and demonstrating the security measures and processing activities as needed for Customer to ensure compliance with its obligations (including enabling audits, see Section 5.3). Miris may charge a reasonable fee for assistance that goes beyond the routine functionality of the Services and requires significant resources (for example, a detailed audit or extensive data export), provided that Miris will advise Customer of any fees in advance and seek agreement.
4.6 Data Accuracy and Minimization: Miris will not modify, correct, or delete Personal Data except as instructed by Customer or as described in the Agreement. Miris encourages Customer to use the self-service features of the Service to update or delete Personal Data as needed for accuracy. Miris will notify Customer if it becomes aware that Customer’s instructions conflict with the functionality of the Service or may lead to inaccurate Personal Data in the Service.
4.7 Deletion or Return at Termination: Upon termination or expiration of the Main Agreement and at Customer’s choice, Miris will delete or return to Customer all Personal Data (including copies) processed on Customer’s behalf, within a reasonable timeframe, except to the extent that Miris is required by law to retain any Personal Data (in which case Miris will isolate and protect that data from further processing and delete as soon as legally permitted). Miris offers self-service data retrieval and deletion tools in the Service; Customer is responsible for initiating any export of its data prior to termination. If Customer requests return of data, Miris will provide it in a commonly used format. After confirming that data is successfully returned or upon Customer’s election to have data deleted, Miris will proceed to securely delete the data from its active systems. Residual copies may remain in backups for a limited period, subject to deletion per Miris’s retention practices, and Miris will continue to protect all such data per this DPA until deletion.
5.1 Data Subject Requests: Miris acknowledges that Data Subjects have certain rights to their personal data, including rights to access, correct, or delete their data, or object to or restrict certain processing. Customer’s Responsibility: Customer is primarily responsible for receiving and responding to requests from Data Subjects or regulatory authorities concerning the processing of Personal Data. If Miris receives any such request or communication directly, it will promptly (and in any case within 5 business days) inform Customer and provide the request details. Miris will not respond to the request directly unless required by law or authorized by Customer.
5.2 Miris’s Assistance: Miris will assist Customer, via appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to Data Subject requests. For example, Miris may provide admin console features that allow Customer to search, retrieve, correct, or delete Personal Data. If such features are insufficient to address a specific request, Customer may request Miris’s help via support channels. Miris will provide reasonable additional assistance (e.g., providing additional data or deleting data from systems without self-service delete) to the extent Customer cannot fulfill the request through available Services. If legally permitted, Miris may charge a reasonable fee for such assistance if it is significant (particularly for excessive or manifestly unfounded requests from Data Subjects), but will discuss this with Customer in advance.
5.3 Audits: Customer (or its appointed independent auditor) has the right to audit Miris’s compliance with this DPA, up to once per year, by reviewing Miris’s SOC 2 or similar audit reports, if available, provided that during Miris' beta period and until Miris obtains SOC 2 Type II certification, audits shall be limited to written questionnaires and document review only. Audits are subject to the following conditions: (a) Customer must give at least 90 days’ prior written notice to Miris, including a detailed audit plan; (b) the audit must not unreasonably interfere with Miris’s business operations; (c) audits shall be conducted during normal business hours, and in compliance with Miris’s on-site policies; (d) any auditors (if external) shall execute a confidentiality agreement acceptable to Miris; and (e) Customer shall be responsible for any costs associated with the audit (Miris will bear its own internal costs). Miris will support the audit by providing information and access to knowledgeable personnel as reasonably necessary. Alternative Evidence: Customer agrees that Miris’s then-current SOC 2 Type II report, or similar third-party audit certifications can satisfy the requirement for an audit of the technical and organizational measures herein, and Customer will utilize such reports before requesting any on-site audit, to the extent they provide the information Customer needs. If the information from such certifications and Miris’s answers to reasonable questions are insufficient to confirm compliance, then Customer may proceed with an on-site or more extensive audit. Any findings will be provided to Miris, and Miris will address any material findings within a reasonable timeframe. As of the Effective Date, Miris has not obtained SOC 2 or equivalent third-party security certifications and does not presently maintain formal attestations of compliance with such frameworks.
6.1 Authorization of Transfers: Customer authorizes Miris and its Sub-processors to transfer and process Personal Data internationally as needed to provide the Services. This includes transfers of Personal Data to the United States and any other country where Miris or its Sub-processors operate. Miris shall ensure that such transfers are made in compliance with Applicable Data Protection Laws, including by implementing appropriate transfer mechanisms.
6.2 Transfers from EEA/UK/Switzerland: For Personal Data that is subject to EU GDPR, UK GDPR, or Swiss FADP, and is transferred from the EEA, UK, or Switzerland to countries not deemed by the applicable authority to provide an adequate level of protection, the following mechanisms apply:
a. Standard Contractual Clauses (EU): The parties hereby enter into, and deem incorporated herein, the EU Standard Contractual Clauses (2021) as follows: Module Two (Controller-to-Processor) applies when Customer is a Controller and Miris is a Processor; Module Three (Processor-to-Processor) applies when Customer is a Processor on behalf of another Controller and Miris is a sub-Processor. The details in Section 2 of this DPA shall serve as Annex I of the SCCs, and the Security Measures in Annex 2 shall serve as Annex II. For Clause 7 of the SCCs, the optional docking clause is deemed selected to allow addition of parties. For Clause 9 of the SCCs, Option 2 (“general written authorization”) is selected and the notification period shall be as set forth in Section 4.4 of this DPA (30 days). For Clause 17, the parties select Option 2, and agree the governing law of the SCCs shall be the law of Ireland (an EU Member State that allows third-party beneficiary rights). For Clause 18(b), disputes shall be resolved before the courts of that same Member State. The parties agree that if the Customer is a Processor for a third-party Controller, then Customer is deemed to have entered into the SCCs with Miris as “data exporter” on behalf of that Controller, and Module Three applies accordingly. The SCCs shall be directly enforceable by the parties and by Data Subjects where required.
b. UK Transfers: For Personal Data subject to UK GDPR, the EU SCCs as incorporated above shall apply in accordance with the UK’s international data transfer addendum (“UK Addendum”). The EU SCCs shall be deemed amended as specified by the UK Addendum, which is hereby incorporated, such that the transfers are made under the UK Addendum. In the Addendum’s Table 1, the exporter is Customer and importer is Miris per details in Annex I; Table 2, the version of SCCs is the 2021 EU SCCs (Module 2/3 as applicable); Table 3, Annexes per this DPA; Table 4, both parties agree that the Importer may end the UK Addendum when the Importer may use an alternative transfer mechanism as per Section 17 of the UK Addendum (both parties select “neither party” in Table 4). The parties acknowledge the UK Addendum (with EU SCCs) forms the transfer mechanism for UK data.
c. Swiss Transfers: For Personal Data subject to the Swiss FADP, the EU SCCs (Module 2/3 as applicable) are adopted with the following modifications: The Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority under Clause 13; references to GDPR in the SCCs refer to the FADP for Swiss data; references to “Member State” refer to Switzerland; and the governing law in Clause 17 for Swiss transfers shall be the law of Switzerland.
d. Priority: In the event of conflict between the SCCs and this DPA or other parts of the Agreement as regards transfers of Personal Data, the SCCs shall prevail. If the European Commission, UK ICO, or Swiss FDPIC issues new transfer mechanisms or updates, the parties will work in good faith to adopt those as needed.
6.3 Data Privacy Framework: Miris may seek self-certification under the EU-U.S. Data Privacy Framework and equivalent UK and Swiss extensions in the future. This DPA will be updated to reflect Miris's certification status if and when such certification is obtained. Until such time, the Standard Contractual Clauses set forth in Section 6.2 shall serve as the sole transfer mechanism for Personal Data transferred from the EEA, UK, or Switzerland.
6.4 Supplementary Measures: Miris may from time to time implement additional safeguards as needed to ensure that transfers are adequately protected, including: (a) implementing strong encryption for data in transit and at rest; (b) minimizing data to only what is necessary for the purpose; (c) committing not to voluntarily disclose personal data to foreign authorities and to use all legally available measures to challenge any government request for personal data that is not legally binding (and to notify Customer of such requests, unless prohibited); and (d) providing Customer with relevant information about government requests to the extent permitted (Transparency Reports, etc.). If Customer requests, Miris will provide information about the legal environment in the countries where data is processed as it relates to data access by public authorities (to the extent Miris has such information, e.g., references to publicly available resources). If Customer believes additional measures are needed to protect transfers, the parties will collaborate in good faith to address that.
7.1 Notification: If Miris becomes aware of a confirmed unauthorized or unlawful breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Miris under this DPA (a “Data Breach”), Miris will within the timeframe required under Applicable Data Protection Law, e.g., 72 hours under GDPR notify Customer of the Data Breach. Such notice may include available details on the nature of the breach, the affected data, the known or suspected cause, any measures Miris has taken or plans to take to address it, and any recommended steps for Customer or Data Subjects to mitigate potential harm.
7.2 Mitigation: In the event of a Data Breach, Miris will where feasible and reasonable take action to identify, mitigate, and remediate the cause of the breach and restore the integrity of the Services. Miris will cooperate with Customer and law enforcement as appropriate regarding any investigation and response to the Data Breach.
7.3 Coordination: The parties agree to coordinate in good faith on press releases or required notices to the affected Data Subjects or relevant authorities, to the extent such notices are required under law. Customer has responsibility for determining whether to notify authorities and Data Subjects and the contents of such notices, but Miris will provide reasonable assistance (including the information mentioned above) to support Customer in fulfilling any breach notification obligations.
Miris’s notification of or response to a Data Breach under this Section is not an acknowledgement of fault or liability with respect to the Data Breach.
8.1 Data Protection Impact Assessment and Consultation: If Customer believes that Miris’s processing of Personal Data is likely to result in a high risk to data protection rights (for example, if Customer undertakes a new use of the Services involving sensitive personal data), Customer should conduct a Data Protection Impact Assessment (DPIA). Miris will provide reasonable cooperation and information needed for Customer’s DPIA upon request. If the DPIA indicates that the processing will result in high risk and require prior consultation with a supervisory authority, Miris will assist in providing such consultation information as required by law.
8.2 Cooperation with Regulators: Miris will cooperate, on request, with any data protection authority in the performance of its tasks where required by Applicable Data Protection Laws. Miris will also inform Customer promptly if it receives an inquiry, audit, inspection, or similar from a data protection authority relating to the Personal Data processed for Customer, unless prohibited by law. Customer is responsible for handling such authority communications involving its Personal Data, but Miris will provide reasonable assistance.
8.3 Law Enforcement Requests: If Miris receives a legally binding request from a public authority (e.g., law enforcement or national security agency) for disclosure of Personal Data that is subject to this DPA, Miris will, unless prohibited by law, (a) inform the authority that Miris is a processor and cannot disclose Personal Data without Customer’s consent; (b) attempt to redirect the request to Customer (e.g., by providing the authority Customer’s basic contact information); and (c) notify Customer as soon as possible to allow Customer to seek a protective order or other remedy. If despite our efforts, we are compelled by law to disclose Personal Data, we will only disclose the minimum data necessary to comply with the request. Miris will not voluntarily disclose Personal Data to any government or law enforcement without a court order or equivalent compulsory legal process.
8.4 CCPA (California): Although as a service provider Miris is not directly obligated by CCPA for Customer-controlled data, Miris acknowledges it is a “Service Provider” as defined by the CCPA with respect to Personal Data processed on behalf of Customer, and makes the following affirmations: Miris shall not (a) sell personal information; (b) retain, use, or disclose personal information for any purpose other than providing the Services (which includes permitted business purposes of providing and improving the Services as described in the Agreement) or as otherwise permitted by the CCPA; or (c) retain, use, or disclose the personal information outside of the direct business relationship between Miris and Customer. Miris certifies it understands these restrictions and will comply. Where applicable, Miris will provide assistance for Customer’s CCPA compliance similar to GDPR (like enabling responses to consumer rights requests and providing relevant information about processing and sub-processors).
The total liability of each party under or in connection with this DPA shall be subject to the exclusions and limitations of liability set out in the Main Agreement. The parties agree that any regulatory fines incurred by Miris in relation to the Personal Data that arise from Miris's breach of this DPA or Applicable Data Protection Laws shall be considered direct damages that count toward and are subject to the limitation of liability in the Main Agreement (i.e., they are not deemed punitive or indirect damages). Nothing in this DPA is intended to limit a party's liability for its violation of data protection laws to the extent such liability cannot be limited under applicable law."
10.1 Termination: This DPA will remain in effect as long as Miris processes Personal Data under the Main Agreement. Termination or expiration of the Main Agreement will automatically terminate this DPA. Sections that by their nature should survive termination (such as obligations to return or delete data, confidentiality, etc.) will survive.
10.2 Order of Precedence: In the event of any conflict or inconsistency between this DPA and the Main Agreement, this DPA shall prevail with respect to the subject matter (data protection) unless explicitly stated otherwise. In the event of conflict between this DPA and the Standard Contractual Clauses, the SCCs shall prevail. No modification to the SCCs (beyond selecting options or filling in details as allowed) is made by this DPA.
10.3 Changes in Law: If any changes in Data Protection Laws or regulations or court decisions render this DPA ineffective or make compliance with it unduly burdensome, the parties agree to negotiate in good faith to update this DPA. If an amendment to the DPA is required by law or by a supervisory authority, Miris will make such amendment available. If Customer objects to the amendment, Customer may terminate any affected Services, and Miris will refund any prepaid fees for the terminated portion.
10.4 Entire Agreement: This DPA, together with the Main Agreement (and SCCs, if applicable), constitutes the entire agreement between Customer and Miris with regard to the processing of Personal Data. This DPA supersedes any prior agreements or terms relating to its subject matter. In case of any ambiguity on whether a provision relates to data protection, this DPA will govern over general terms.
10.5 Execution: The parties acknowledge that by entering into the Main Agreement, they are also entering into this DPA and the SCCs (where applicable), without the need for further formalities. This DPA may be executed in counterparts or by an order form or agreement that incorporates it by reference, which shall be deemed to constitute execution of the DPA.
Identity of the Data Exporter
Name: The Data Exporter is the EU-based Customer (Controller) that has contracted with Miris for 3D spatial streaming services. The Customer’s identity (and that of any affiliated EU entities, if applicable) is as specified in the main service agreement or order. Address: As specified by the Customer in the agreement (generally an EU/EEA member state address). Contact Person & Details: The Customer’s data protection contact (and EU/UK representative, if required) is as provided in the DPA or main agreement. The Data Exporter acts as the Controller of the personal data uploaded to or streamed through Miris.
Identity of the Data Importer
Name: Miris, Inc. a Delaware corporation providing cloud-based 3D spatial streaming services to customers whose principal address in the United States is 10567 Jefferson Blvd., Suite C, Culver City, CA 90232. Miris, Inc. will act as the Processor, processing personal data on behalf of the Customer in order to provide the contracted 3D streaming services.
Categories of Data Subjects
The personal data transferred pertains to the following categories of Data Subjects, as determined and controlled by the Customer in its use of Miris’s services:
End Users of the Customer: Individuals who access, use, or interact with the Customer’s 3D content, applications, or services delivered via the Miris platform. This typically includes the Customer’s own customers or end-users – for example, natural persons viewing or engaging with the immersive 3D/AR/VR content streamed by the Customer through Miris. These end users may be website visitors, application users, or other consumers of the Customer’s 3D experiences.
Customer’s Personnel and Authorized Users: Individuals who are employees, contractors, or agents of the Customer that are involved in using the Miris service on the Customer’s behalf. This can include those who upload or stream content, configure Miris’s SDK, or administer the service (e.g. developers or administrators with Miris platform accounts). These persons may have access credentials for Miris’s platform and thus their details (e.g. business contact information) may be processed as part of account creation or service use.
Miris itself has no direct relationship with the Data Subjects, since Miris provides services to the Customer on a B2B basis. All personal data pertains to individuals with whom the Customer has a relationship (e.g. the Customer’s end-users or staff), not to individuals who are direct clients of Miris.
Categories of Personal Data
The Personal Data transferred from the Customer to Miris (and subsequently processed by Miris) falls into the following categories, as relevant to the use of the 3D streaming service:
3D Content and User Interaction Data: Any personal data that may be contained within or derived from the 3D multimedia content, user interactions, or associated metadata that the Customer streams through Miris. The specific nature of such data is determined by the Customer’s use of the service. For example, if the Customer’s 3D content or application collects user actions or behavioral data (such as positional data, interaction logs, chat or audio from users in a 3D environment), those elements (to the extent they contain personal data) will be transferred to Miris’s systems. The inclusion of any personal data in the content or interactions is at the Customer’s discretion and control, Miris processes whatever data the Customer elects to transmit via the service. Importantly, Miris’s service does not require users’ real-world identifying information (like names, emails, etc., of end-users) to function; any such personal details would only be processed if the Customer actively includes them in the streamed content or data.
Technical Telemetry and Analytics Data: This includes data collected by Miris’s platform for the optimization and delivery of the streaming service. Examples of such data are: IP addresses of end users (which may be used to derive an approximate geographic location); network identifiers or pseudonymous identifiers (such as session IDs, device IDs or cookies) used to maintain sessions and route content; device and browser information (e.g. user agent strings, operating system, browser type/version, device type); and streaming performance metrics and usage statistics (such as bandwidth used, latency, frame rate, error logs, and other quality-of-service indicators). This telemetry data is generally tied to sessions or device identifiers rather than directly identifiable individuals, and is used to adapt streams and troubleshoot performance.
Customer Account Data (Administrative Data): Personal data relating to the Customer’s authorized users who manage or configure the Miris service. This may include contact and identity details for those individuals (e.g. names, work email addresses, job titles, and login credentials for the Miris platform) and records of their interactions with the platform (such as audit logs of account activities, including IP addresses used to access the admin dashboard). This data is limited to the Customer’s personnel and is used for authentication, security, support, and audit purposes.
Aggregated or Derived Data: In some cases, Miris may generate aggregated analytics or derived technical information from the telemetry (for example, overall system performance reports). Such aggregated data would not contain personal data except insofar as it includes or encapsulates the above-described categories for the Customer’s use.
Miris does not intentionally collect highly identifying information such as social security numbers, financial account details, home addresses of end-users, or similar data, since the service is focused on technical streaming content. The Customer retains control over what personal data (if any) is included in the content and associated data that is sent to Miris.
Sensitive Data (Special Categories)
Not Applicable – No Special Category Data Anticipated. The Miris 3D streaming service does not require or intentionally target any special categories of personal data (as defined in GDPR Art. 9) or other sensitive data. In the ordinary course, the personal data transferred will be limited to the categories described above (technical, usage, and basic account data), which do not include sensitive attributes like racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric identifiers, health information, or sex life/sexual orientation details. Miris does not ask for or need any such sensitive data to perform its services, and the Customer is not expected to upload or stream it via the Service.
If, due to the nature of the Customer’s content, any sensitive or special-category personal data is transferred, this would occur solely at the Customer’s discretion and not as a requirement of Miris’s services. The Customer, as Controller, would be responsible for ensuring a lawful basis and appropriate protections for any such data. Miris will apply the security and access controls described in Annex II (Technical and Organizational Measures) to protect all data, and any special categories of data (if ever present) would be subject to heightened safeguards in line with GDPR requirements. However, to reiterate, neither party anticipates the transfer of sensitive personal data in connection with the standard use of Miris’s 3D streaming services.
Frequency of the Transfer
Continuous, Ongoing Transfers. Personal data will be transferred on a continuous or real-time basis for the duration of the service provision. In other words, data flows occur whenever the Customer is using the Miris service, for example, whenever end users interact with the Customer’s 3D content, their telemetry and content data are continuously transmitted to Miris’s platform (and back to those end users) as part of the streaming process. This is not a one-time or occasional transfer; it is an ongoing data exchange inherent in the streaming service. The transfers will therefore continue throughout the term of the Customer’s agreement with Miris, as needed to provide the service. Should the Customer stop using the service or the agreement terminate, transfers will cease (after any necessary post-termination data return or deletion, as described below).
Nature and Purpose of Processing
Nature of the Processing: Miris will perform various data processing operations on the Customer’s behalf in order to deliver the 3D spatial streaming service. These operations include the collection, reception and transmission of data (e.g. receiving 3D content uploads/streams and end-user interaction data from the Customer, and transmitting optimized streams to end users), storage and hosting of data (e.g. caching 3D content on servers, temporarily storing user interaction logs and telemetry), analysis and processing of data for technical purposes (such as optimizing content format, performing real-time rendering or compression, measuring performance metrics, and adapting streaming quality based on telemetry), and deletion or return of data upon termination or as instructed. In essence, Miris acts as a technical intermediary and platform: it ingests the Customer’s 3D content and related data, processes it (including format conversion, optimization, and integration of telemetry), and distributes the content to end users in an interactive streaming format. Miris may also perform automated analyses on telemetry data to adjust network routing or quality of service in real time. All such processing is carried out solely on documented instructions from the Customer and for the purposes set out in the agreement (Miris has no autonomous purpose in processing the data outside of providing the service).
Purpose of the Processing: The purpose of transferring and processing the personal data is to enable Miris to provide its 3D spatial streaming services to the Customer, in accordance with the Main Agreement and DPA. This includes: (a) Content delivery and optimization – using the data to efficiently deliver the Customer’s 3D/immersive content to end users with high performance (e.g. adaptive bitrate streaming, edge caching via CDN, and format transcoding as needed); (b) Telemetry and analytics for service functionality – using the technical data (like device info, network metrics, etc.) to monitor service health, improve stream quality, and adapt to user’s context (for example, adjusting resolution or compression based on a user’s device capabilities or connection speed); (c) Support and troubleshooting – processing data as needed to identify, prevent, and resolve technical issues (such as diagnosing streaming errors or performance bottlenecks, including analyzing IP and log data to detect network problems); and (d) Ancillary operational purposes related to the service – such as securing the content (e.g., using IP or device info for security monitoring or access control), and providing customer support or guidance to the Customer’s administrators (which might involve accessing admin logs or account details to assist with issues). Miris will not use the personal data for any purpose other than providing and improving the contracted service and as otherwise instructed by the Customer. Commercial use of the data for Miris’s own purposes (like marketing or profiling unrelated to the service) is prohibited by the DPA. In summary, the processing is strictly limited to what is necessary to “provide the Services” (the Miris streaming platform and related features) to the Customer and ensure those services operate correctly and securely.
Duration of Processing and Retention
Duration: Miris will process personal data for the duration of the Service Agreement with the Customer, and only for as long as is necessary to fulfill the purposes outlined above. In general, this means that processing is ongoing throughout the active term of the contract while the Customer continues to use the Miris service. If the Customer temporarily suspends use of the service (e.g., no active streams for a period), Miris would still retain the data already collected at its discretion and in accordance with its internal procedures for the service (unless instructed to delete it), but no new data would be processed until service use resumes. There is no fixed end-date for the processing other than the end of the service relationship or the completion of the relevant purposes. Each category of data will be processed for no longer than necessary for the service delivery, in accordance with Miris' then-current retention policy.
Retention and Deletion: In accordance with the DPA and applicable law, Miris will retain personal data that it directly collects from its own customers for the duration of the agreement, and will delete or return such data upon termination of the services (subject to any mandatory legal retention requirements). Concretely, when the Customer’s contract terminates or expires, Miris will either return all personal data to the Customer or securely delete it, as per the Customer’s instructions and the DPA terms. Miris' standard practice is to delete Customer Data after service termination in accordance with Miris' then-current retention policy, as described in the Privacy Policy, absent a legal requirement or the Customer's written request to retain it longer. Certain data may be deleted sooner, for example, raw streaming logs might be purged on a rolling basis even during the term, once they are no longer needed for troubleshooting or analytics. Backup copies of data, if any, will be overwritten or destroyed in line with Miris’s retention policy. In summary, Personal Data is kept only as long as necessary to provide the service and meet applicable obligations, and is then erased. If the Customer requires an earlier deletion of certain data (or a return of data) during the term, Miris will comply to the extent allowed (for example, the Customer can request deletion of specific content or user data, and Miris will remove it from active systems and workflows). All deletions are performed in a secure manner to prevent unauthorized access to the data post-termination.
(For GDPR purposes, if deletion proves impossible or requires disproportionate effort, Miris will ensure such data is archived and protected from any further processing except for storage, until deletion is feasible. In all cases, Miris will not retain the personal data longer than necessary.)
Subject Matter of the Processing
The subject matter of the processing is the Customer’s content and related personal data in connection with the provision of Miris’s 3D spatial streaming services. In other words, Miris is processing Customer Personal Data that is uploaded, streamed, or otherwise provided by the Customer for the purpose of delivering immersive 3D experiences to end users. This encompasses the 3D digital content itself as well as any personal data needed to facilitate the streaming of that content (such as user telemetry and technical identifiers). All processing outlined in this Annex I is in service of that subject matter: enabling the Customer’s 3D content to be delivered, interacted with, and optimized via Miris’s platform. The subject matter is limited to the specific services defined in the Main Agreement (Miris’s spatial streaming and associated features) and does not extend to any unrelated processing.
In summary, the processing under these Clauses covers Customer Data (including any personal data contained therein) that is transferred from the Customer to Miris’s systems, for the purpose of cloud-based rendering, optimization, and streaming of 3D content back to the data subjects (end users), as instructed by the Customer. This subject matter is more fully described in the Nature and Purpose section above and in the service description of the Main Agreement.
Transfers to Subprocessors (if applicable)
Sub-processor Involvement: The Data Importer (Miris) is authorized under the DPA to use certain sub-processors (sub-contractors acting as further processors) to assist in delivering the services. Where Miris engages sub-processors, personal data may be transferred to and processed by these sub-processors for the same service purposes described in this Annex. Any such sub-processor will only process the data on Miris’s behalf and on instructions, and always under a binding contract that upholds equivalent data protection obligations (per Clause 9 of the SCCs and Article 28 GDPR).
Approved Sub-processors: As of the effective date, Miris utilizes a number of infrastructure and content delivery providers as sub-processors, including but not limited to:
CoreWeave, Inc. – a cloud infrastructure provider specializing in GPU-based computing. CoreWeave provides the scalable computing power for rendering and processing 3D content. Personal data may be transferred to CoreWeave’s US-based servers or cloud environment as needed for real-time rendering and stream hosting (e.g., processing the 3D content and telemetry on GPU instances). CoreWeave processes the data solely to perform these compute tasks on behalf of Miris.
Amazon Web Services (AWS) – a global cloud services platform (Amazon Web Services, Inc. and its affiliates). Miris may use AWS data centers (which could be in the US or EU, depending on service architecture and customer requirements) for hosting stored content, databases, or services related to the Miris platform. AWS acts as a sub-processor providing Infrastructure-as-a-Service (IaaS) — storing encrypted personal data and enabling its transmission, without accessing it except as needed for infrastructure operations.
Google Cloud Platform (GCP) – cloud infrastructure services provided by Google LLC and affiliates. Similar to AWS, GCP may be used by Miris for certain compute or storage tasks (for instance, hosting certain microservices or backups). Any personal data on GCP is processed only for storage/transit and basic computing purposes as instructed by Miris.
Cloudflare, Inc. – a content delivery network (CDN) and DDoS protection provider. Miris leverages Cloudflare’s global edge network to cache and deliver content (including 3D assets and data) closer to end users for performance and reliability. Cloudflare may process personal data such as IP addresses and telemetry in transit as part of providing networking and security services (e.g., serving content via its edge servers, mitigating malicious traffic). Cloudflare acts as a sub-processor purely to help route and accelerate content delivery and to protect the service.
Other Sub-processors: Miris may engage additional or replacement sub-processors for ancillary services (for example, monitoring, support ticketing, email delivery, etc.) as necessary. Any such sub-processor and its role will be detailed in the Miris sub-processor list provided to the Customer, and all are subject to the same GDPR-compliant obligations.
For each sub-processor, the subject matter and nature of the processing is essentially the same as described for Miris itself – i.e. handling of Customer Personal Data to the extent necessary to assist Miris in providing the 3D streaming service (such as cloud hosting, data transit, or processing tasks). The duration of sub-processor processing is also aligned with the Customer’s usage of the service: sub-processors will retain/process personal data only for as long as needed to fulfill their function in the service delivery, and not longer. Upon termination of the Main Agreement or removal of a sub-processor, that sub-processor will delete or return the personal data it processed in line with Miris’s instructions and the DPA. Miris maintains an up-to-date list of sub-processors which the Customer can consult or receive notice of (in accordance with the DPA’s provisions for sub-processor notification). All cross-border transfers to sub-processors (e.g., from Miris to infrastructure providers in the US or other countries) are covered by adequate transfer mechanisms (such as extended SCCs or other legally recognized measures), ensuring continuity of protection.
Contact Information
For any privacy or data protection queries, the parties may be contacted as follows:
Data Exporter (Customer): The Customer’s designated data protection or privacy contact is the appropriate point of contact for notices. This is typically the individual or department identified in the Customer’s account or the Main Agreement as responsible for privacy compliance (e.g. the Customer’s Data Protection Officer or legal contact). Contact details (name, address, email, phone) for the Customer’s privacy representative are set forth in the Main Agreement or DPA cover page. (If an EU representative or UK representative is required for the Customer, those details will also be provided by the Customer.)
Data Importer (Miris, Inc.): Miris’s contact for data protection matters is its Privacy Team. They can be reached at privacy@miris.com (or such other contact method as Miris may designate in the DPA). Postal inquiries may be directed to Miris’s business address (Attention: Data Privacy Team). Miris’s EU GDPR representative (if applicable) and other regional privacy contacts are listed in the Miris privacy policy or available upon request.
Both parties agree that they will communicate and cooperate in good faith with respect to any inquiries from data subjects or supervisory authorities. The above contact information should be used for any notices under the Standard Contractual Clauses or the DPA, including breach notifications, data subject requests, or supervisory authority communications. Each party is responsible for keeping its contact information up to date and notifying the other of any changes.
Annex 2: Miris Security Measures
Miris currently implements the following security measures, which shall serve as Annex II to the SCCs. These measures reflect Miris' current stage of development and the nature of data processed, and are subject to enhancement as Miris' operations scale. All measures described below represent current implementations unless explicitly noted as planned.
1. Organizational Security: - Security Program: Miris maintains a written information security program with policies and procedures that align with industry standards for the Miris’ stage of development. All employees and contractors with access to Personal Data are required to sign confidentiality agreements. Access to systems is granted based on the principle of least privilege and role-based access controls. Access rights are reviewed periodically and revoked promptly upon role change or termination.
2. Physical and Environmental Security: - Data Centers: Miris uses reputable third-party data center and cloud providers (e.g., AWS, CoreWeave) that have robust physical security controls.
3. Network Security and System Monitoring: - Firewall and Perimeter: We employ firewalls, VLANs, and network segmentation to isolate sensitive systems. Miris’s cloud networks are configured with security groups and access control lists to limit traffic. We utilize DDoS protection services to mitigate denial-of-service attacks. - Encryption in Transit: All external network traffic containing Personal Data is encrypted using strong protocols (TLS 1.2 or higher) with up-to-date ciphers. This includes data transmission between Customer devices and our servers, as well as between our internal services across untrusted networks. - Encryption at Rest: Personal Data (including Customer Content, database entries, and backups) is encrypted at rest using AES-256 or equivalent. For example, databases and object storage buckets holding Personal Data employ disk or file-level encryption. - Endpoint Protection: Miris ensures company laptops and devices have up-to-date anti-malware protection, host firewalls, full disk encryption, and are configured to adhere to security policies (including automatic locking, password complexity, etc.). - Monitoring & Logging: Miris monitors systems and infrastructure for security events. Centralized logging collects security-relevant events (login attempts, administrative actions, etc.). Miris implements logging and monitoring tools appropriate to its current stage of development, with plans to implement a formal IDS/IPS and SIEM solution as the platform scales toward general availability. - Vulnerability Management: Miris runs regular vulnerability scans on our infrastructure and applications. We maintain a process for prompt patch management – critical security critical security patches are applied on an expedited basis as soon as reasonably practicable, and routine updates are applied at least monthly. We plan to engage third-party penetration testing periodically, and at minimum upon reaching general availability of the Services, and will address any high-risk findings as a priority.
4. Access Controls and Identity Management:
- Authentication: All access to production systems requires strong authentication. Employee access to administrative consoles is protected by multi-factor authentication (MFA). We enforce password management policies (length, rotation, etc.) and use single sign-on (SSO) where feasible.
- Authorization: Access to databases or storage with Personal Data is restricted to authorized personnel with a legitimate need. We use unique user IDs
– no shared accounts are allowed. Privileged access (e.g., system administrators or database admins) is limited to a few individuals and is logged and audited.
- Customer Controls: The Services may allow Customer to configure role-based access for its users. Customer is responsible for managing end user access and credentials. Miris’s application provides session management and options like 2FA for Customer accounts (if applicable).
5. Data Integrity and Availability:
- Backups: Miris performs regular backups of critical data (including databases storing Personal Data) and uses encryption for backups. Reasonable efforts are made so that backups are stored in geographically separate locations or cloud regions to ensure redundancy, to the extent practicable given Miris' current infrastructure and scale. We periodically test restoration from backups to verify integrity.
- Disaster Recovery and Availability: Miris’s infrastructure is designed for high availability, leveraging redundant servers and failover capabilities across multiple availability zones or regions. We maintain a disaster recovery plan that aims to ensure service continuity or timely restoration in the event of a catastrophic event. Miris maintains recovery objectives appropriate to its current stage of development, which will be formalized and communicated to Customers upon request or as part of any separately negotiated SLA.
- Business Continuity: Key personnel and processes are in place to handle unexpected disruptions. We conduct drills or tabletop exercises to simulate major incidents and improve our response, at a frequency appropriate to Miris' current stage of development.
6. Change Management:
- Secure Development: Miris follows secure software development practices. Code changes are reviewed for security impact. We use separate development, staging, and production environments; test data is sanitized to not use real Personal Data when possible.
- Change Control: Changes to production infrastructure or applications (especially those that could affect security) are documented and require approval. Emergency changes are logged and reviewed post-implementation.
7. Audit and Compliance:
Miris maintains internal audit logs of administrative access and significant system actions, including access to Personal Data and changes in permissions. These logs are preserved in accordance with Miris' retention policy and reviewed periodically. Miris intends to pursue SOC 2 Type II certification as it scales toward general availability. Upon obtaining such certification or equivalent third-party audit attestation, Miris will make relevant reports available to Customers upon request and subject to confidentiality obligations.
8. Data Minimization and Pseudonymization:
Miris strives to minimize Personal Data in our systems. Where feasible, we pseudonymize Personal Data (for example, using one-way hashes for certain identifiers when full identity is not needed). We often work with aggregated or anonymized data for service analytics to avoid using raw Personal Data. We offer Customers options to limit the personal data they send us (e.g., not including user identifiers in filenames or using user IDs instead of personal info) and our default SDK configurations avoid collecting extraneous personal data.
9. Incident Management:
Response Plan: Miris maintains a detailed incident response plan covering the steps to identify, contain, eradicate, recover from, and report security incidents including Data Breaches. We have a dedicated response team that is on-call to react to alerts.
Breach Notification: As described in the DPA, Miris will notify Customer without undue delay of any confirmed Personal Data breach. Our plan includes processes for preserving evidence, performing forensic investigation, and communicating internally and with customers/regulators as needed.
10. Confidentiality and Privacy: All Miris personnel are bound by confidentiality obligations both contractually and via corporate policy. They are trained on privacy principles and the importance of protecting personal data.
These measures are kept up-to-date and may be revised as needed to address evolving threats or technological advancements. Miris may enhance or modify these measures, but any such changes will not reduce the overall security of the Services.
