VR Oxygen Data Processing Agreement Annexes (SCC Compliance)
This document constitutes Annexes I, II, and III of the Standard Contractual Clauses (SCCs) as adopted by the European Commission, which are incorporated by reference into the VR Oxygen Data Processing Agreement (DPA).
ANNEX I: List of Parties and Description of the Transfer
A. LIST OF PARTIES
| Role | Name | Address | Contact Details |
|---|---|---|---|
| Data Exporter | The Customer (as defined in the Agreement) | The Customer's address as set out in the Agreement or Order Form. | The Customer's primary contact person as defined in the Agreement. |
| Data Importer | VR Oxygen, Inc. | 16192 Coastal Highway, Lewes, DE 19958, Attn: Legal | privacy@vroxygen.com |
B. DESCRIPTION OF THE PROCESSING
The description of the processing operations is provided as set forth in Schedule 1 of the DPA:
| Element | Description |
|---|---|
| Subject Matter | Provision of VR Oxygen’s all-in-one cloud-based secured software solution to manage digital customer experience insights and/or conduct user testing. |
| Categories of Data Subjects | Customer’s Contributors, which may include: employees, customers, contractors, website visitors, and other users invited by the Customer. |
| Categories of Personal Data | Personal data collected or stipulated by those creating studies or sourcing Contributors on behalf of the Customer, which may include (but is not limited to) Contributors’ video and audio while taking a Test, visited URLs, screen recording, demographic information, and user ID. |
| Purpose of Processing | To improve the user experience for the Customer’s users by providing behavioral insights, analysis, and data on user intent and friction points within immersive environments. |
| Duration of Processing | The duration of the Agreement, unless otherwise defined in the Agreement or terminated earlier in accordance with the DPA. |
C. COMPETENT SUPERVISORY AUTHORITY
The competent Supervisory Authority shall be determined in accordance with Clause 13 of the SCCs, which generally defaults to the Supervisory Authority of the Data Exporter's habitual residence, or as mutually agreed upon by the parties.
ANNEX II: Technical and Organizational Measures (TOMs)
VR Oxygen implements and maintains the following technical and organizational security measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
| Measure Category | Description |
|---|---|
| 1. Access Control | Principle of Least Privilege (PoLP): Access to Personal Data is granted strictly on a need-to-know, role-based basis. Strong password and multi-factor authentication (MFA) requirements are enforced for all systems processing Personal Data. |
| 2. Data Security & Storage | Encryption: Personal Data is encrypted in transit (using TLS/SSL) and at rest (using AES-256 or equivalent standards) on secure servers (e.g., Google Cloud, Amazon Web Services). |
| 3. System Integrity | Secure Servers & Cloud Hosting: All platform data is hosted on secure cloud infrastructure (AWS/Google Cloud). Regular vulnerability scanning and patching cycles are maintained. |
| 4. Confidentiality & Training | Employee Training: All employees handling Personal Data undergo mandatory data protection and security awareness training upon hire and annually thereafter. Confidentiality agreements are in place for all personnel. |
| 5. Incident Response | Monitoring and Reporting: Dedicated security monitoring systems are in place. A defined and documented Data Breach Response Plan is maintained and tested to ensure timely notification as required by GDPR (within 72 hours). |
| 6. Data Retention | Retention Policy: Data retention and deletion policies are defined by the Agreement and internal policies, ensuring Personal Data is deleted or anonymized when no longer necessary for the stated purpose. |
ANNEX III: List of Sub-Processors
VR Oxygen may engage the following Sub-processors to provide the Services. The Customer provides a general written authorization for the use of these Sub-processors and the process for informing the Customer of changes is set out in the DPA.
| Vendor (Sub-processor) | Purpose of Processing | Location Where Data is Stored |
|---|---|---|
| VR Oxygen, Inc. (Affiliate) | IT, system administration, and Business Support Services. | United States |
| Amazon Web Services (AWS) | Platform hosting and use of third-party tools (via Amazon Bedrock) and general cloud infrastructure. | United States/European Union |
| Stripe | Processing payments to test participants (Contributors) and customer credit card payment processing. | United States |
| OpenAI OPCO LLC | Artificial intelligence features and specialized analysis within the platform. | United States |
| Zoom | Live Conversation and user-interview support functionality. | United States |
| Google Cloud | Cloud-based storage provider and additional infrastructure support. | USA |
| Google Analytics | Use of tracking technologies to improve the VR Oxygen website user's experience. | USA |
| Postmark | Email delivery platform for transactional and platform communications. | USA |
Effective January 12, 2026