Skip to main content

Even Hub Developer Platform Data Processing Agreement

Last Updated: March 24th, 2026

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Even Hub Developer Platform Terms of Service or other agreement between Developer and Even Realities that references this DPA. This Agreement governs the data processing activities undertaken by Developer in connection with Even Hub Developer Platform Data accessed or acquired via the Even Hub Developer Platform. For the avoidance of doubt, this Agreement does not apply to any data processing activities conducted independently by Even Realities. Such data and activities shall be exclusively governed by the separate policies, rules, or agreements issued or entered into by Even Realities.

Capitalized terms used but not otherwise defined in this DPA will have the meaning set forth in the Agreement. Even Realities may modify the terms of this DPA as provided in the Agreement, in circumstances such as i) if required to do so by a supervisory authority or other government or regulatory entity, ii) if necessary to comply with Data Protection Law, or iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, or other compliance mechanisms, which may be permitted under Data Protection Law. Even Realities will provide notice of such changes to Developer, and the modified DPA will become effective, in accordance with the terms of the Agreement or as otherwise provided on the Even Hub Developer Platform if not specified in the Agreement.

1. Definitions

"Agreement" means Even Hub Developer Platform Terms of Service, unless a separate agreement governing the use of the Even Hub Developer Platform exists between the parties.

"Applicable Data Protection Laws" means all applicable privacy or data protection laws and regulations relating to the processing of personal data, as may be amended from time to time.

“ Even Hub Developer Platform Data” means any data or information provided to Developer by Even Realities through the Even Hub Developer Platform in any form or method, including but not limited to APIs, databases or documents, which may contain User Data.

"User Data" means personal all data or other information of User collected, processed or generated by Even Products or services.

“Shared Data” means any User data that Even Realities shares with Developers via an Application Programming Interface (API) or any other technical means (including, but not limited to, SDKs, file transfers, or webhooks) for the purpose of enabling the Developer's development and publish of Plug-in and provision of relevant services to User.

“Data Subject Request” means a request from a data subject to exercise their personal data-related rights under Applicable Data Protection Laws, such as rights to access, correct, or delete their personal data.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), a legal framework on data protection enacted by the European Union in 2016, which entered into full force on May 25, 2018.

"Security Incident" means any unauthorized access to any Even Hub Data, or unauthorized access to any equipment or facilities resulting in loss, disclosure, or alteration of Even Hub Developer Platform Data that compromises the privacy, security or confidentiality of such data.

"Controller" means an entity that determines the purposes and means of the processing of data.

"Processor" means an entity that processes data on behalf of a Controller.

"Sub-processor" means any entity engaged by a Controller or Processor to assist in fulfilling its obligations under any applicable terms and conditions, relationship or business or transaction context.

"Standard Contractual Clauses" or “SCCs” means Module One (controller to controller) of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

“UK Addendum” means the International Data Transfer Addendum to the SCCs, issued by the Information Commissioner under S119A(1) Data Protection Act 2018, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).

The terms “personal data”, “data subject”, “processing”, “controller”, and “processor” as used in this DPA have the meanings given by Applicable Data Protection Laws or, absent any such meaning or law, by GDPR.

The terms “controller” and “processor” include “business”, and “service provider”, respectively, as required by Applicable Data Protection Laws.

2. Processing of User Data

Role of the Parties: With respect to the processing activities of the Shared Data under this Agreement, the parties are independent controllers, rather than joint controllers, nor a data processor of the other party.

Even Realities, as the source of the data, independently determines the purposes and means of its initial collection of the data.

After receiving the Shared Data, Developers independently determine the purposes and means of processing the Shared Data in its possession (strictly within the scope of purposes agreed upon in this Agreement) and independently bear the corresponding legal responsibilities.

Developer's Processing of Personal Data. Developer shall:

i) comply and will continue to comply all applicable laws, including Applicable Data Protection Laws, in respect of its provision of Plug-ins;

ii) ensure that any instructions provided to Even Realities are at all times in accordance with Data Protection Laws;

iii) obtain all consents and rights necessary for the Processing of Shared Data;

iv) maintain at all times the accuracy, quality, and legality of Shared Data.

Even Realities Processing of Personal Data. Even Realities shall be solely responsible for complying with its obligations as an Data Controller under applicable Data Protection Legislation in respect of the initial collection and the disclosure of the Shared Personal Data to Developers. During the process of sharing data, Even Realities warrants and represents that:

i) the collection of Shared Data governed by Even Realities Privacy Policyhas a valid legal basis in accordance with Applicable Data Protection Law;

ii) Even Realities has provided all information to the data subjects as required under Applicable Data Protection Law, including, but not limited to, the categories of data processed, the purposes of the processing, the recipients or categories of recipients (including the fact that data will be shared with Developer, an independent Controller), and the existence of the data subjects’ rights.

iii) Even Realities is responsible for ensuring that the Shared Data disclosed to Developer is accurate and, where necessary, kept up to date, taking into account the purpose of the disclosure as set out in Annex I. Party A shall use reasonable endeavors to correct or update any inaccuracies in the data shared with Developer upon becoming aware of them, to the extent necessary for Party B’s processing purposes.

The details and specifics of Data Processing Activities under this DPA are clarified in Annex I of the DPA.

3. Third-party Service Provider

The Developer, as an independent controller, is entitled to engage third-party service providers to process User Data in connection with its provision of Plug-ins to Users. Developers shall remain fully responsible for ensuring that any such third-party service provider complies with the terms of this Agreement and all applicable data protection laws.

To maintain the integrity, security, and stability of the Even Hub Developer Platform, Developers shall, upon Even Realities' reasonable request, provide accurate, complete, and up-to-date information regarding any third-party service provider that processes User Data originating from the Even Hub Developer Platform. Developers agree to complete any mandatory review forms or questionnaires provided by Even Realities regarding such third-party engagements.

Developers warrant and ensure that any third-party service provider engaged:

i) is bound by a written contract that includes data protection obligations no less protective than those imposed on the Developer under this Agreement; and

ii) implements and maintains appropriate technical and organizational security measures in accordance with applicable data protection laws to protect the Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

4. Data Subject Requests

Data Subject Right Exercise mechanisms: As an data controller, Developers shall implement and maintain within its Plug-in appropriate mechanisms that enable data subjects to effectively exercise their rights under Applicable Data Protection Laws, including the rights to access, rectification, erasure, restriction of processing, data portability, and to object to processing.

Forwarding of Requests: Even Realities will forward to Developers promptly any Data Subject Request received by Even Realities relating to the Developers’ data processing activities and may advise the Data Subject to submit their request directly to Developers.

Cooperation: Even Realities will, taking into account the nature of the processing, provide Developers with reasonable and timely assistance as necessary for Developers to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.

5. Security

Developers shall comply with its data security obligations of Applicable Data Protection Laws, and shall implement and maintain reasonable and appropriate technical and organizational data protection and security measures designed to ensure a level of security for the User Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall be at least equivalent to, and no less protective than, the security measures implemented by the Even Products for the Shared Data, as described in the Even Realities Privacy Policy (which may be updated from time to time).

Upon the Even Realities’ request and to the extent necessary for the review and approval of the Developer's Plug-in for publication on the Platform, Developers shall provide accurate and complete information regarding its security measures, including but not limited to details of its technical and organizational safeguards, security certifications, and compliance attestations. Developers shall cooperate with the Even Realities reasonable inquiries and assessments related to such security measures.

6. Compliance and Audits

Right to Audit. Without prejudice to any other rights of Even Realities under this Agreement, Even Realities may, upon reasonable notice and during normal business hours, conduct audits of the Developer's application to verify compliance with this Agreement and applicable security standards in accordance with the Agreement. Such audits may include, but are not limited to, assessments of data security measures implemented by Developers.

Nature of Audit. Any audit conducted under this Section shall be deemed an exercise of the Even Realities rights as the operator of the Even Hub Developer Platform and shall not:

  • alter or modify the roles of Developer as the Controller and Even Realities as the Processor with respect to the processing activities governed by this DPA; or
  • impose any additional data protection obligations on either party beyond those set forth in this Agreement, unless otherwise agreed in writing.

Cooperation. Developers shall reasonably cooperate with the Even Realities in connection with any such audit, including by providing access to relevant information and personnel, subject to appropriate confidentiality protections.

7. Security Breaches

Even Realities will assist Developers in ensuring appropriate security of the data in accordance with Section 5 of this DPA. In case of a Security Incident occurs involving the Shared Data, and such incident could have an actual impact on the developers, Even Realities will notify Developer without undue delay after becoming aware of it and assist the Developer in addressing the breach.

Regarding any data security breach occurring within the Plug-in, Developers shall be exclusively liable for, and shall indemnify and hold harmless Even Realities from and against any and all claims, damages, liabilities, costs, and expenses arising therefrom. Even Realities may, in its sole discretion and without assuming any obligation, notify the Developer of any third-party reports or complaints regarding a suspected Security Incident involving the Developer's Plug-in. Where Even Realities, in its sole discretion and without assuming any obligation, determines that a Security Incident within Developer's Plug-in may:

  • compromise the security or functionality of the Even Hub Developer Platform;
  • negatively impact the reputation of Even Realities or the Platform; or
  • may affect other developers or users of the platform,

Even Realities may request, and the Developer shall provide, all information necessary to enable the Even Realities to assess, mitigate, and respond to such potential impacts, including but not limited to detailed incident reports, remediation plans, and status updates.

8. Deletion and Return

Developers’ Responsibility. Developers acknowledge and agree that, upon receipt of Shared Data from the Even Hub Developer Platform, Developers act as an independent Controller with respect to such Shared Data. Developers shall establish and implement a reasonable data retention policy that complies with Applicable Data Protection Laws and shall disclose such policy to data subjects in its privacy policy or equivalent notice.

Deletion and Return of Confidential Information. Notwithstanding the foregoing, any data that constitutes Confidential Information defined in the Agreement shall be subject to the confidentiality obligations set forth in the Agreement.

9. International Data Transfer

Applicability. This Section shall apply if the Developer is located in a third country or territory for the purposes of the jurisdiction(s) governing the data processing activities under this DPA.

Appropriate Safeguards. Where the data sharing under this DPA constitutes International, both parties shall implement appropriate safeguards in accordance with Applicable Data Protection Law to ensure that such cross-border transfers comply with legal requirements.

GDPR Compliance. Without prejudice to the generality of above Clauses, if the data transfers under this Agreement are subject to the GDPR, the parties agree to implement the European Commission's Standard Contractual Clauses ("SCCs") as the compliance mechanism for such transfers, unless:

  • The recipient country benefits from an adequacy decision adopted by the European Commission pursuant to Article 45 of the GDPR ;
  • The recipient has implemented other legal and valid cross-border transfer tools under Chapter V of the GDPR (including but not limited to Binding Corporate Rules, approved codes of conduct, or certification mechanisms) ; or
  • The conditions for applicable derogations under Article 49 of the GDPR are satisfied.

Incorporation of SCCs. Where the parties are required to enter into the SCCs under this Section, the SCCs shall be deemed incorporated into and form an integral part of this Agreement. The parties agree that:

  • For the purposes of the SCCs, Even Realities shall act as the "data exporter" and the Developer shall act as the "data importer";
  • The applicable module shall be Module 4 (Controller to Controller) or such other module as corresponds to the parties' roles under this Agreement ;
  • The parties shall complete the annexes to the SCCs as set out in Annex II to this Agreement.

10. General Terms

This DPA shall commence on the earlier of (a) the effective date of the Agreement and (b) the date Even Realities share or transfer the Shared Data in connection with the Agreement, and will continue for the duration of the Agreement.

The DPA is incorporated into the Agreement by reference and forms an integral part of the Agreement. In the event of any conflict between the terms of the DPA and the remainder of the Agreement, the terms of the DPA shall prevail to the extent of such conflict.

The liability of each Party and each Party’s affiliates under this DPA is subject to the exclusions and limitations of liability set out in the Agreement.

Annex I Details of Data Processing

Subject Matter: The subject matter of the Processing under this DPA is the Personal Data.

Duration: On a continuous basis, for the duration of the Agreement.

Nature and Purpose(s) of the Processing: Developers’ use of the Even Hub Platform, development, publish or release of Plug-in and provision of Plug-in to Users, as stated in applicable Plug-in Privacy Policy or equivalent policy document

Categories of Data Subjects: Users that access and use Developers’ Plug-in.

Categories of Personal Data:

  • Account Information: name, email, UID, country;
  • Device Information: device model, Serial Number;
  • Device Setting Information: language,
  • Device Status: connect type, battery level, wearing status, charging status;
  • Voice Recording: Voice recording captured by microphone

Special categories of personal data (if applicable): N/A

Retention and Deletion: In accordance with Developer’s retention policy.

Annex II International Data Transfer Appendix

1. EU SCCs

1.1 Selection of Optional Provisions.

The Parties hereby select and agree to the following optional provisions of the SCCs:

(a) Clause 7 (Docking Clause): ☐ The optional docking clause shall apply / ☒ The optional docking clause shall not apply.

(b) Clause 9 (Use of Sub-processors): ☒ Option 2 (General written authorization) shall apply. The data importer shall inform the data exporter of any intended changes concerning the addition or replacement of sub-processors, thereby providing the data exporter with the opportunity to object to such changes, in accordance with Section [X] of this Agreement .

(c) Clause 11 (Redress): ☐ The optional language requiring independent dispute resolution bodies shall apply / ☒ The optional language shall not apply.

(d) Clause 13 (Supervision): The competent supervisory authority shall be Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).

(e) Clause 17 (Governing Law): The Parties agree that the SCCs shall be governed by the law of Germany.

(f) Clause 18 (Choice of Forum and Jurisdiction): Any dispute arising from the SCCs shall be resolved by the courts of Germany.

1.2 Supplementary of the Annexes.

The Annexes to the SCCs, which form an integral part thereof, are completed as follows and attached hereto

A.List of Parties

Data Exporter: Even Realities defined in the Agreement

Data Importer: The Developer

B. Description of Processing

Subject Matter: The subject matter of the Processing under this DPA is the Personal Data.

Duration: On a continuous basis, for the duration of the Agreement.

Nature and Purpose(s) of the Processing: Developers’ use of the Even Hub Platform, development, publish or release of Plug-ins and Provision of Plug-ins to Users.

Categories of Data Subjects: Users that access and use Developers’ Plug-ins.

Categories of Personal Data:

  • Account Information: name, email, UID, country;
  • Device Information: device model, Serial Number;
  • Device Setting Information: language,
  • Device Status: connect type, battery level, wearing status, charging status;
  • Voice Recording: Voice recording captured by microphone

Special categories of personal data (if applicable): N/A

Retention and Deletion: In accordance with Developer’s retention policy.

C. Competent Supervisory Authority:Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)

D.Technical and Organizational Measures: As set forth in Security Measures Documents submitted to Even Hub Developer Platform by Developers

2. UK Addendum

This UK Addendum will apply to any processing of Customer Personal Data that is subject to the UK GDPR or both the UK GDPR and the GDPR. For the purposes of this UK Addendum:

“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses.

“UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum.

With respect to any transfers of Customer Personal Data falling within the scope of the UK GDPR from Even Realities (as data exporter) to Developer (as data importer):

  • to the extent necessary under Applicable Data Protection Law, the Approved Addendum as further specified in this UK Addendum of this Annex II will be incorporated into and form part of this DPA;
  • for the purposes of Table 1 of Part 1 of the Approved Addendum, the parties’ details are as set out in Point A of "Supplementary of the Annexes" of EU SCCs Section of Annex II;
  • for the purposes of Table 2 of Part 1 of the Approved Addendum, the version of the Approved EU SCCs as set out in the EU SCCs of this Annex II including the Appendix Information are the selected SCCs; and
  • for the purposes of Table 4 of Part 1 of the Approved Addendum, Even Realities (as data Exporter) may end the Approved Addendum.

3. Swiss Addendum

This Swiss Addendum will apply to any processing of Customer Data that is subject to Swiss Data Protection Laws (as defined below) or to both Swiss Data Protection Laws and the GDPR.

3.1 Interpretation of this Addendum

  1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
  2. This “Addendum” means this Addendum to the Clauses.
  3. “Clauses” means the Standard Contractual Clauses as further specified in this Schedule.
  4. “Swiss Data Protection Laws” means The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
  5. This Addendum will be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that if fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
  6. This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
  7. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.

3.2 Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects will prevail.

3.3 Incorporation of the Clauses

  1. In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA the Standard Contractual Clauses to the extent necessary so they operate:
  2. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and
  3. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
  4. To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in this Schedule and as required by Section 3(a) of this Swiss Addendum, include (without limitation):
  5. References to the "Clauses" or the "SCCs" mean this Swiss Addendum as it amends the SCCs.
  6. Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer."
  7. References to "Regulation (EU) 2016/679" or "that Regulation" or “GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
  8. References to Regulation (EU) 2018/1725 are removed.
  9. References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
  10. Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data Protection Laws;
  11. Clause 17 is replaced to state: "These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws".
  12. Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The parties agree to submit themselves to the jurisdiction of such courts."

Until the entry into force of the revised Swiss Data Protection Laws, the Clauses will also protect the personal data of legal entities and legal entities will receive the same protection under the Clauses as natural persons.

To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA (including the Clauses as further specified in this Schedule) will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by Sections 1 and 3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs will not be replaced as stipulated under Section 3(b)(vii) of this Swiss Addendum.

Developer warrants that it has made any notifications to the FDPIC which are required under Swiss Data Protection Laws.

Related articles