AdultVI.com

Data Processing Addendum

Last Updated: June 1, 2022

This Data Processing Addendum (“DPA”) supplements the AdultVI terms-of-service agreement available at https://adultvi.com/tos.html as updated from time to time between Client and AV Tech Global LLC (“AV Tech Global”), or other agreements between Client and AV Tech Global governing Client’s use of the Services (“Agreement”), when Applicable Data Protection Laws apply to Client’s use of the Services to process Client Personal Data. Any terms not defined in this DPA will have the meanings set out in the Agreement. In the event of a conflict between this DPA and the Agreement, the terms of this DPA will prevail.

1. Definitions.

1.1 “Applicable Data Protection Law” means, if applicable to the parties, any law or regulation applicable to AV Tech Global or the Services relating to privacy, data protection, or data security, including Brazil’s Lei Geral de Proteção de Dados (“LGPD”), the California Consumer Privacy Act (“CCPA”) and the regulations promulgated under it, Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), the European Union’s General Data Protection Regulation (“GDPR”), Japan’s Act on the Protection of Personal Information (“APPI”), the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”), the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (“UK Data Protection Laws”), and any other national, state, or local privacy and data protection laws, rules, and regulations in effect on or after the effective date of this DPA, including the California Privacy Rights Act (“CPRA”), the Colorado Privacy Act (“CPA”), the Connecticut Personal Data Privacy Act (“CPDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Virginia Consumer Data Protection Act (“CDPA”).

1.2 “Authorized Person” means any employee or staff member of AV Tech Global who has a need to know or otherwise accesses Client Personal Data to enable AV Tech Global to perform its obligations under this DPA or the Agreement.

1.3 “Client” means the person that has entered into the Agreement.

1.4 “Client Personal Data” means any Personal Data contained in the images, videos, text, audio, and other data that Client, its authorized affiliates, or its authorized users submit to AV Tech Global for Processing with the Services under the Agreement, including (without limitation) biometric data and Personal Data regarding (i) those authorized users and other employees, agents, advisors, and freelancers of Client; (ii) Client’s end users or customers; or (iii) other nonparty individuals, as more particularly described in annex 1 to this DPA.

1.5 “Data Subject Rights Request” means a request from a Data Subject regarding their Personal Data under Applicable Data Protection Laws.

1.6 “Europe” means, for this DPA, the Member States of the European Union, Iceland, Liechtenstein, Norway (collectively, “EEA”) plus Switzerland and the United Kingdom.

1.7 “Personal Data” means any information that is protected as “personal information,” “personally identifiable information,” or “personal data” under Applicable Data Protection Laws and includes, at a minimum, any information about an identified or identifiable natural person or consumer.

1.8 “Personal Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored, or otherwise Processed by AV Tech Global as a Processor or Service Provider (as applicable) with the Agreement.

1.9 “Restricted Transfer” means a transfer of Personal Data originating from a country in Europe to any country or recipient: (a) not deemed as providing an adequate level of protection for Personal Data within the meaning of Applicable Data Protection Laws, and (b) not covered by a suitable framework or certification recognized by the relevant Supervisory Authority as providing an adequate level of protection for Personal Data.

1.10 “Services” will have the meaning set out in the Agreement.

1.11 “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, a copy of which is available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, or any updated version of it.

1.12 “Sub-processor” means any nonparty authorized under this DPA to have logical access to and process Client Personal Data to provide parts of the Services and related technical support, excluding any employee, consultant, or contractor of AV Tech Global.

1.13 “UK DPA” means the International Data Transfer DPA (version B1.0) issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as amended, superseded, or replaced from time to time.

1.14 The terms “Controller,” “Processor,” “Data Subject,” “Supervisory Authority,” and “Process” will have the meanings given to them under the Applicable Data Protection Laws and “Processes,” “Processing,” and “Processed” will be interpreted accordingly, and the terms “Business” and “Service Provider” will have the meanings given to them under the CCPA.

2. Scope of DPA and Processing Roles.

2.1 Scope of DPA. This DPA sets out the parties’ rights and obligations regarding the Processing of Client Personal Data by AV Tech Global as a Processor or Service Provider (as applicable) in connection with the Agreement. The subject matter, nature, purpose, and duration of the Processing, and the types of Personal Data Processed and categories of Data Subjects involved, are described in annex 1 to this DPA. Nothing in this DPA will act to limit or prevent AV Tech Global from Processing data (including Personal Data) that AV Tech Global would otherwise collect or Process independently of providing the Services to Client.

2.2 Role of the Parties. The parties acknowledge that Client is a Controller or Business (as applicable) of Client Personal Data and AV Tech Global shall act as a Processor or Service Provider (as applicable) for Client in its Processing of Client Personal Data in connection with the Agreement.

3. Client Obligations.

3.1 Compliance with law. Client will be responsible for complying with its obligations under Applicable Data Protection Laws in its Processing of Client Personal Data and, in particular, will (i) be responsible for determining whether the Services are appropriate for Processing Client Personal Data in a manner consistent with Client’s legal and regulatory obligations and for complying with Applicable Data Privacy Laws regarding its use of the Services, (ii) comply with its obligations as a Controller or Business (as applicable) under Applicable Data Protection Laws and any Processing instructions it issues to AV Tech Global, and (iii) ensure it has the right to transfer Client Personal Data to AV Tech Global, and for providing notice and obtaining all consents necessary under Applicable Data Protection Laws, for AV Tech Global to lawfully Process Client Personal Data for the purposes contemplated by the Agreement and this DPA.

4. AV Tech Global Obligations.

4.1 Processing Instructions. AV Tech Global shall only Process Client Personal Data as a Processor or Service Provider (as applicable) and in accordance with the lawful documented instructions from Client. For these purposes, Client instructs AV Tech Global to Process Client Personal Data to (i) provide the Services in accordance with the Agreement, and (ii) develop and improve the AV Tech Global technology for those Services and in accordance with the Agreement (including, for these purposes, Processing Client Personal Data alone or aggregated with other data to train or retrain AV Tech Global models) (collectively, “Permitted Purposes”). The Agreement sets out the Client’s complete and final instructions to AV Tech Global concerning the processing of Personal Data and Processing outside the scope of these instructions (if any) will require prior written agreement between the parties.

4.2 Sub-processors. Client hereby provides AV Tech Global an upfront general authorization to engage Sub-processors and may ask for a list of AV Tech Global’s current Sub-processors on written request. AV Tech Global shall notify Client at least 15 days before allowing any new Sub-processor to Process Client Personal Data, and during this period Client may reasonably object to that engagement on reasonable grounds relating to data protection by informing AV Tech Global in writing. Client acknowledges that certain Sub-processors are essential to providing the Services and that objecting to the use of a Sub-processor might prevent AV Tech Global from offering the Services to Client. If Client reasonably objects to an engagement in accordance with this section 4.2, the parties shall discuss Client’s concerns in good faith with a view to achieving a reasonable resolution. If the parties cannot reach that resolution, Client may terminate the affected part of the Services within a reasonable period. Termination will not relieve Client of any fees owed to AV Tech Global under the Agreement. If Client does not object to the engagement in accordance with this section 4.2, Client will be considered to have granted authorization to the Sub-processor for this DPA. In all cases, AV Tech Global shall enter into a written agreement with each Sub-processor imposing on the Sub-processor data protection obligations equivalent to those imposed on AV Tech Global under this DPA for the protection of Client Personal Data. AV Tech Global will remain liable to Client for the performance of each Sub-processor’s obligations. 
Under the Standard Contractual Clauses entered into between the parties under this DPA (i) the above authorizations constitute Client’s authorization to Sub-processors for the Standard Contractual Clauses, and (ii) AV Tech Global might be prevented from providing Client with copies of its agreements with Sub-processors due to confidential information but AV Tech Global will try to provide all information reasonably requested by Client for Sub-processor agreements.

4.3 Security and Personal Data Breach Notification. AV Tech Global shall implement appropriate technical and organizational measures to protect Client Personal Data from Personal Data Breaches that shall, at a minimum, include the measures described in annex B to this DPA. In the event of a Personal Data Breach, AV Tech Global shall, without undue delay, inform Client of the Personal Data Breach and take those steps as AV Tech Global in its sole discretion considers necessary and reasonable to remediate that Personal Data Breach (to the extent that remediation is within AV Tech Global’s reasonable control). AV Tech Global shall, considering the nature of the Processing and the information available to AV Tech Global, provide Client with reasonable cooperation and help necessary for Client to comply with its obligations under Applicable Data Protection Laws for notifying (i) the relevant Supervisory Authority, (ii) Data Subjects affected by such Personal Data Breach, or (iii) both (i) and (ii). The obligations described in this section 4.3 will not apply if a Personal Data Breach results from Client’s actions or omissions. AV Tech Global’s obligation to report or respond to a Personal Data Breach will not be construed as an acknowledgment by AV Tech Global of any fault or liability for the Personal Data Breach.

4.4 Data Subject Rights Requests. If AV Tech Global receives a Data Subject Request and can identify that the request is from or related to a Data Subject for whom Client is the relevant Controller, AV Tech Global will advise the Data Subject to submit their request to Client and Client will be responsible for responding to that request including, where necessary, by using the functionality of the Services. AV Tech Global shall, at Client’s request and considering the nature of the Processing, apply appropriate technical and organizational measures to help Client in complying with its obligation to respond to Data Subject Requests where possible, on condition that (i) Client itself cannot respond to the Data Subject Request without AV Tech Global’s help, and (ii) AV Tech Global can provide that help in accordance with all laws. Client will be responsible for any expenses arising from any such help by AV Tech Global. For the Standard Contractual Clauses, AV Tech Global shall notify Client (only) and not the Data Subject in case of government access requests and Client will be solely responsible for promptly notifying the Data Subject as necessary.

4.5 Data Protection Impact Assessments. AV Tech Global shall, considering the nature of the Processing and the information available to AV Tech Global, provide Client with reasonable cooperation and help where necessary for Client to comply with its obligations under Applicable Data Protection Laws to conduct a data protection impact assessment or to consult with Supervisory Authorities or both for AV Tech Global’s Processing of Client Personal Data, on condition that Client does not otherwise have access to the relevant information. Client will be responsible for any expenses arising from any such assistance by AV Tech Global.

4.6 Audit Rights. AV Tech Global shall maintain accurate records for AV Tech Global’s performance as a Processor of Client Personal Data under this DPA. On Client’s request, AV Tech Global shall, no more than once a calendar year, either (i) make available for Client’s review copies of certifications or reports demonstrating AV Tech Global’s compliance with prevailing data security standards applicable to its Processing of Client Personal Data, or (ii) if the provision of reports or certifications under (i) is not reasonably sufficient under Applicable Data Protection Laws, allow Client or its authorized representative, on reasonable notice and at a mutually agreeable date and time, to conduct an audit or inspection of AV Tech Global’s data security infrastructure and procedures that is sufficient to demonstrate AV Tech Global’s compliance with its obligations under this DPA, on condition that Client shall provide reasonable prior notice of any such request for an audit and that inspection will not be unreasonably disruptive to AV Tech Global’s business. Client will be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to AV Tech Global for any time expended for on-site audits. Under the Standard Contractual Clauses, the audit measures described under the Standard Contractual Clauses will be carried out in accordance with this section 4.6.

4.7 Deletion on Termination. On termination of the Agreement, AV Tech Global shall, where requested by Client and at Client’s election, delete or return all Client Personal Data (including copies of it) in its possession or control except that this requirement will not apply to the extent AV Tech Global is required by law to retain some or all of the Client Personal Data or to Client Personal Data that AV Tech Global has archived on back-up systems. The certification of deletion that is described in Clause 8.5 and 16(d) of the Standard Contractual Clauses will be provided by AV Tech Global to Client only on Client’s written request.

4.8 CCPA. Where AV Tech Global acts as Service Provider, the parties acknowledge that AV Tech Global does not receive any Client Personal Data from Client as consideration for any services or other items provided to Client. Except as set out in the Agreement or this DPA, or as otherwise necessary to perform the Services or as permitted by the CCPA, AV Tech Global shall not (i) retain, use, or disclose any Client Personal Data for its own purposes (including its own commercial purposes); or (ii) “sell” any Client Personal Data within the meaning of the CCPA.

5. International Transfers.

5.1 Processing Locations. AV Tech Global may transfer and Process Client Personal Data anywhere in the world where AV Tech Global, its affiliates, or Sub-processors maintain data Processing operations. AV Tech Global shall at all times ensure that Client Personal Data is adequately protected in accordance with the requirements of Applicable Data Protection Laws and this DPA.

5.2 Standard Contractual Clauses. To the extent that the transfer of Client Personal Data from Client to AV Tech Global involves a Restricted Transfer, the Standard Contractual Clauses will apply as follows:

(a) As to Client Personal Data that is subject to the GDPR, (i) AV Tech Global will be deemed the “data importer” and Client will be deemed the “data exporter”; (ii) the Module Two (Controller to Processor) terms will apply; (iii) in Clause 7, the optional docking clause will apply; (iv) in Clause 9, Option 2 will apply and the list of Sub-processors and period for notice of changes will be as agreed under section 4.2 of the DPA; (v) in Clause 11, the optional language will be deleted; (vi) in Clause 17, Option 1 will apply and the Standard Contractual Clauses will be governed by the laws of the Netherlands; (vii) in Clause 18(b), disputes will be resolved before the courts of the Netherlands; (viii) Annex I and Annex II will be deemed completed with the information set out in annex 1 and annex 2 of this DPA respectively; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA), the Standard Contractual Clauses will prevail to the extent of that conflict.

(b) As to Client Personal Data that is subject to UK Data Protection Laws, the Standard Contractual Clauses will apply in accordance with section 5.2(a) with the following modifications: (i) the Standard Contractual Clauses will be amended as specified by the UK DPA; (ii) Tables 1 to 3 in Part 1 of the UK DPA will be deemed completed using the information contained in annex 1 and annex 2 of this DPA; (iii) Table 4 in Part 1 of the UK DPA will be deemed completed by selecting “importer”; and (iv) any conflict between the Standard Contractual Clauses and the UK DPA will be resolved in accordance with Section 10 and Section 11 of the UK DPA.

(c) As to Client Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with section 5.2(a) with the following modifications: (i) references to ‘Regulation (EU) 2016/679’ will be interpreted as references to the Swiss DPA; (ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be replaced with the equivalent article or section of the Swiss DPA; (iii) references to ‘EU,’ ‘Union,’ and ‘Member State’ will be replaced with ‘Switzerland’; (iv) Clause 13(a) and part C of annex 1 will not be used and the ‘competent supervisory authority’ will be the Swiss Federal Data Protection Information Commissioner; (v) references to the ‘competent supervisory authority’ and ‘competent courts’ will be replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’; (vi) in Clause 17, the Standard Contractual Clauses will be governed by the laws of Switzerland; and (vii) in Clause 18(b), disputes will be resolved before the courts of Switzerland.

5.3 Alternative Transfer Mechanism. To the extent that AV Tech Global adopts an alternative data transfer mechanism to the Standard Contractual Clauses as implemented in accordance with section 5.2 of this DPA (including any new version of or successor to the Privacy Shield), that alternative transfer mechanism will apply instead of the Standard Contractual Clauses, on condition that the alternative transfer mechanism complies with Applicable Data Protection Laws and extends to the territories in which Client Personal Data is Processed, and Client shall sign those other and further documents and take those other and further actions as might be reasonably necessary to give legal effect to that alternative transfer mechanism.

6. Limitation of Liability. The total and combined liability of each of the parties (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence), or any other theory of liability, will be subject to the exclusions and limitations of liability set out in the Agreement.

7. Miscellaneous. AV Tech Global may amend or adjust any of the terms of this DPA as might be required from time to time to comply with any laws or regulations. This DPA will be governed by the law of the same jurisdiction as the Agreement, except where and to the extent that Applicable Data Protection Laws or the Standard Contractual Clauses require that the DPA be governed by the law of another jurisdiction.


Annex 1
Details of Processing

Annex 1(A): List of Parties
Client (Data Exporter)
Name: The entity identified as the “Client” in this DPA.
Contact Person’s Name, position, and contact details: The contact details associated with Client’s account.
Activities relevant to the transfer: The activities described in annex 1(B).
Signature and date: Client’s registration and date of registration for the Services constitutes signature and date here.
Role: Controller

AV Tech Global (Data Importer)
Name: AV Tech Global LLC
Contact Person’s Name, position, and contact details: Shawn Evans, Chief Privacy Officer, privacy@adultvi.com
Activities relevant to the transfer: The activities described in annex 1(B).
Signature and date: AV Tech Global’s acceptance of Client’s registration and date of acceptance of Client’s registration for the Services constitutes signature and date here.
Role: Processor

Annex 1(B): Description of the Processing
Categories of data subjects: Individuals whose data is contained in Client Personal Data provided by Client with the Services. The categories of Data Subjects are determined by Client in its sole discretion and (unless otherwise expressly specified by Client) may include (i) authorized users and other employees, agents, advisors, and freelancers of Client; (ii) Client’s end users or customers; or (iii) other non-party individuals whose Personal Data is contained in Client Personal Data.
Categories of personal data: Personal Data contained in Client Personal Data provided by the Client with the Services. The categories of Personal Data are determined by Client in its sole discretion and (unless otherwise expressly specified by Client) may include (i) images and video; (ii) texts; (iii) geolocation and other metadata; (iv) biometric data; and (v) labels, tags, and annotations.
Sensitive data: Client may choose to include sensitive data in Client Personal Data provided by the Client with the Services. The sensitive data that Client may submit is determined and controlled by Client in its sole discretion and (unless otherwise expressly specified by Client) may include, for example, biometric data. The applied restrictions and safeguards for sensitive data are set out in annex 2 of this DPA.
Frequency: Continuous
Nature, subject matter, and purpose(s): AV Tech Global is a US-based company that provides a machine learning and artificial intelligence platform for computer vision, natural language processing, and more. The subject matter of the Processing is Personal Data that is contained in the images, videos, text, audio, and other data that Client, its authorized affiliates, or its authorized users submit to AV Tech Global for Processing with the Services and under the Agreement between the parties. AV Tech Global shall Process Client Personal Data for the Permitted Purposes as described in section 4.1 of the DPA.
Duration and retention period: AV Tech Global shall Process Client Personal Data until it is required to delete or return the Client Personal Data on termination of the Agreement and in accordance with the Agreement and this DPA.

Annex 1(C): Competent Supervisory Authority

For the purposes of Clause 13 of the Standard Contractual Clauses, the competent Supervisory Authority will be determined in accordance with the GDPR.


Annex 2
Technical and Organizational Security Measures

The following technical measures are in place to protect the Client Personal Data handled by AV Tech Global:

Encryption of personal data

Measures for ensuring the ability to timely restore the availability and access to personal data in the event of a physical or technical incident

Measures for user identification and authorization

Measures for the protection of Data during transmission

Measures for the protection of Data during storage

Measures for ensuring physical security of locations at which personal data are Processed

Measures for ensuring events logging

Measures for ensuring system configuration, including default configuration

Measures for internal IT and IT security governance and management

Measures for ensuring data minimization and limited data retention

Measures for ensuring Data quality

Measures for allowing data portability and ensuring erasure