Data Processing Addendum

Marvel Prototyping Limited (“Marvel”/ “we”/ “us”/ “our”) has contracted to provide you (“you”, “your(s)”, “user”) with our design, prototyping and collaboration software as a service through the website and/or Marvel mobile application (“Services”).
In relation to the provision of its Services to you, Marvel may process certain personal data of yours, in particular, Content and Tester Content. In order to assist you in complying with your obligations under the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 (GDPR) or its successor or equivalent (Applicable Data Protection Law) we have set out below some additional terms to be incorporated into the agreement under which we have agreed to provide the Services to you (“Terms of Service”). The terms set out below shall take effect from the date you agree to our Terms of Service and shall replace any existing terms relating to the processing of your personal data.
You acknowledge that we may process personal data provided by you to provide the Services. Information regarding our obligations as a ‘data controller’ and your rights as a data subject are set out in the Privacy and Cookie Policy, which are incorporated herein. For personal data that we process under your instructions, we are a ‘data processor’, and you hereby confirm that you have all necessary appropriate consents and notices in place to enable lawful transfer of such personal data to us. We will not access or use such personal data except as necessary to maintain or provide the Services, or as necessary to comply with the law or a binding governmental order. We will, at your cost, assist you in responding to any request from one of your data subjects and help you comply with your obligations under Applicable Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
[In the case of Participant Testers, where the user of Testing Services has not provided a privacy policy, the Participant Tester shall be permitted to rely on the terms of our Privacy and Cookie Policy, but with you, the user of Testing Services, rather than us being deemed the data controller, provided that the parties acknowledge such Privacy and Cookie Policy is supplied “as is” with no warranty that it is suitable for your purposes and you indemnity us fully with respect to any fines, damages, losses or costs (including legal fees) incurred by us as a result of your reliance on our Privacy and Cookie Policy].
Data Protection Terms to be added to Terms of Service:
  • For the purposes of these terms, “Personal Data” means data about an individual who can be identified either from that data or by combining the data with other information which we have access to.
  • Both of us must comply with all Applicable Data Protection Laws relating to the protection of Personal Data which apply to our respective businesses.
  • You warrant that you have the right to transfer your Personal Data to us so that we may lawfully use, process and transfer it in accordance with the Terms of Service on your behalf.
  • To the extent you upload any content onto our Services containing Personal Data and we are deemed to be a processor of such Personal Data, we will:
    1. process such Personal Data to the extent necessary in order to provide our Services to you and accordance with your instructions;
    2. take reasonable appropriate technical and organisational measures against unauthorised or unlawful processing of the Personal Data or its accidental loss, destruction or damage as is appropriate to the harm that might result;
    3. ensure that anyone who has access to and/or processes Personal Data is obliged to keep it confidential;
    4. not transfer the Personal Data outside of the European Economic Area without ensuring adequate measures are in place to protect the Personal Data as required by applicable data protection laws;
    5. notify you promptly and without undue delay if we become aware of a breach of security which has resulted in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data;
    6. if you ask us to and in any event on termination of the Terms of Service, delete or return to you all copies of the Personal Data;
    7. provide you with reasonable assistance and information to allow you to comply with your obligations under Applicable Data Protection Law;
    8. maintain complete and accurate records and information to show we have complied with these terms; and
    9. permit you (or your third party auditor) to audit our compliance with these terms on giving reasonable notice to us, provided that any third party auditor mandated by you to conduct such audit has entered into confidentiality undertakings which are satisfactory to us, the audit is at your expense, and you use reasonable endeavours to ensure that any such audit is designed to minimise disruption to our business.
Schedule 1
  • Scope of processing
  • Processing activities in performance of the Services under the Terms of Service.
  • Purpose of processing
  • The provision of the Services to you, including allowing you to upload content onto the Services, use the interactive features of the Services, and provide Testing Services involving Participant Testers.
  • Duration of processing
  • The duration of the provision of the Services to you.
  • Data Subjects
  • Individuals employed by or who work for you who access the Services. Other individuals who you invite to access the Services, as permitted by the Terms of Service, including Third Party Users and Participant Testers.
  • Categories of Personal Data
  • You and the individuals accessing the Services (“users”) control what content is uploaded onto the Services and therefore what Personal Data is processed by us. This may include images of the users themselves, audio and video recordings, screen recordings, and any user generated content (such as images, messages, posts and comments attributable to the users). Users may also choose to include Personal Data within the user generated content.