Legal center

1. Contracting parties

When we say "we" or "Metalab", we mean Metalab SRL, a company registered in Romania, with its principal place of business at Timișoara, 62 Simion Barnutiu Street, 5th floor, 3rd room, Timiș County, registered with the Trade Register under number J35/247/2002, Sole Identification Number 14479966.

When we say "you", we mean the organisation you represent in agreeing to the Contract. If you are not legally affiliated with an organisation, you, as an individual, will be bound by the terms of the Contract. In certain instances, you will be referenced as our "Customer", and together we form the parties to the Contract (hereafter, the "Parties")

2. Providing the Services

Order Forms

Within the context of these Metalab Terms, Order Forms represent the formalized request you submit for specific Metalab Services via the Smilecloud platform. These Order Forms are structured to be comprehensive and clearly outline the services you are requesting.

For example, you may fill out an Order Form to request a 'Motivational Design', 'Functional Design', or 'Restorations', among other available services. Each Order Form will comprehensively detail the specific services to be rendered, clearly stating the particulars of the service, such as the nature of the design, any associated warnings, the necessary prerequisites, and the output you will receive.

Such details may be contained either within the body of the Order Form or by linking to a separate, dedicated webpage for comprehensive understanding. Additionally, each Order Form will explicitly enumerate the respective prices for each service, along with any other relevant information, such as estimated delivery time, and any potential additional costs for revisions or additional features.

Professional Disclamer

Metalab Services are provided by a dedicated team of accredited and experienced dental technicians, well-versed in the Dentcof Institute's methodologies and protocols. This team is skilled in creating precise and functional digital dental designs in accordance with your specifications, detailed within the Order Form.

Please note that while our technicians strive for accuracy, the delivered designs should be thoroughly reviewed by you for applicability and appropriateness to your individual case prior to application. Metalab disclaims any responsibility for the implementation and application of the designs, which solely rests with you as a professional.

Furthermore, while our team adheres to best practices in the field, Metalab does not guarantee that the design will lead to a specific clinical outcome, as individual results may vary based on a multitude of factors beyond our control, including but not limited to, patient health, anatomy, compliance, and other treatment variables. Always use your professional judgment when utilizing Metalab Services.

Reliance on service providers, software, and outsourcing

In order to effectively provide our services, we may rely on the use of service providers, and third-party software, and may subcontract any part of the service provision to qualified partners and collaborators.

For example, we may engage partners with specialised expertise in certain complex dental design processes or use third-party software to enable precise and reliable designs. Notwithstanding any subcontracting arrangements, we retain all liabilities under these Metalab Terms and shall remain responsible for the acts and omissions of subcontractors as though they were our own.

To avoid any uncertainty, please note that Metalab will serve as the primary point of contact for any subcontractors in relation to communication between the subcontractors, Metalab, and you concerning the subcontractor's performance of its obligations. Also, we encourage you to refer to our Privacy Policy to better understand the conditions under which we may transfer your data to third parties.
‍

Communication with Metalab technicians

Once an order is placed, a representative from Metalab will be automatically connected to your case. You can discuss any specific indications that you may have directly with the representative. The assigned technician will communicate with you during the course of treatment through the case chat feature in Smilecloud.

Service completion and download

Upon completion of the service, the technician will upload a preview file for your review. In certain cases, you may request a revision if necessary, according to the revision policy below. Once the preview is approved by you, the final deliverables are uploaded to the case for you to download.

Revision policy

Revision entitlement: Orders placed with Metalab may include a provision for one or more revisions. A revision refers to minor modifications, such as the position and angulation of the digital dental design, in line with the initially approved 2D design with selected shapes. The revision process is designed to ensure that the final output meets your specific needs and the requirements of your dental case.

‍Revision request: If you are not completely satisfied with the initial digital design provided, you may request a revision within 10 days of receiving the initial design (the preview files). To initiate a revision, you must communicate your desired changes clearly and concisely through the case chat feature in Smilecloud, directly to the assigned Metalab representative.

‍Scope of revisions: Please note that revisions are limited to minor modifications of the initial design. Major changes or alterations that significantly deviate from the initially approved 2D design, such as changes to selected shapes, are considered a new design request and will require the placement of a new order.

‍Revision turnaround time: We strive to complete revisions within a reasonable timeframe, without compromising on the quality and precision of our work. The exact turnaround time may vary depending on the complexity of the requested changes and the current workload of our technicians.

‍Revision approval: After the revision has been implemented, a preview file of the revised design will be uploaded for your review. Once approved by you, the design is finalized and the printable or millable file is made available for you to download. Please remember that clear communication and detailed feedback can greatly expedite the revision process and help us better meet your needs.

3. Intellectual Property
‍

Transfer of New Material

In consideration of the payment made under this Contract, Metalab unconditionally and irrevocably assigns to the Customer all intellectual property rights (excluding the inalienable moral rights of Metalab personnel and any third-party contributors) over the works resulting from the provision of Metalab Services (hereinafter, "New Material"). This assignment extends across all territories and endures for the entire duration of protection of the assigned rights. The assigned rights encompass all forms of exploitation and use thereof as provided by applicable legislation. These rights include but are not limited to: the right to reproduce, modify, create derivative works, multiply in any way, display, transmit, and make public through the internet or any other means of communication.

‍Use of New Material by Metalab: Notwithstanding the above, the Customer grants Metalab a non-exclusive, royalty-free, worldwide license to use, reproduce, display, and distribute the New Material for promotional and research purposes. This license remains in effect even after the termination of this Contract.

Customer Material

To facilitate the provision of the Metalab Services, you may need to provide Metalab with documents, images, video files, information, data, or other materials (in any form) and procedures (hereinafter, "Customer Material") necessary for the proper provision of the services. You bear exclusive responsibility for the accuracy, quality, integrity, legality, reliability, adequacy, and copyright of the Customer Material. You undertake not to transmit to Metalab any Customer Material over which you do not hold the necessary rights to.

‍Licensing of Customer Material: The Customer grants Metalab a non-exclusive, non-transferable, worldwide license to copy, store, record, transmit, display, view, print, and use the Customer Material only to the extent necessary and exclusively for the purpose of providing the Metalab Services. Except as otherwise specified in this contract, the licenses granted by the Customer under these terms will automatically terminate at the end of the contract term or upon earlier termination or when the Customer Material is no longer required for Metalab to fulfill its obligations under this contract.

‍Health data: We acknowledge that Customer Material may contain health data considered a special category of personal data under the General Data Protection Regulation (hereafter, “GDPR”) and other applicable privacy regulations. It remains your responsibility to ensure that any health data you upload, store, or process through our Services is lawfully obtained and processed in compliance with all applicable data protection and privacy laws, including, but not limited to, GDPR. In order to assist you in complying with your obligations under the GDPR we offer a Data Processing Agreement (hereafter, "DPA"), which governs the terms under which we process personal data on your behalf, including health data, and outlines the respective rights and responsibilities of both parties with regard to data protection and privacy.

4. Ordering and Payment
‍

Order placement and acceptance: Our Metalab Services are available on a per-order basis,with each order detailed on individual Order Forms via the Smilecloud platform. An Order Formspecifies the specific services requested, including associated costs. We reserve the right toaccept or reject any Order Form at our sole discretion. Upon acceptance of an Order Form, wewill commence with the provision of the requested Metalab Services.

‍Payment: Payment is due upfront, and is non-refundable and non-cancellable, except asexpressly provided in these Metalab Terms or the Order Form. Any taxes or additional fees, asapplicable, will be your responsibility. Please note that any additional requests that do not qualifyas revisions may incur additional charges and may require the placement of a new order. Youmust provide accurate billing information, and payment will be made to your payment instrument(debit or credit card). Our payment processor (Stripe) is acting as a data controller. Werecommend you read Stripe’s Privacy Policy to learn more about Stripe's processing of yourdata. You may be responsible for paying taxes or other additional fees.

‍Price updates. While Metalab reserves the right to adjust its service pricing as necessary, wecommit to maintaining the stability of prices for orders that have already been placed. Anychanges in pricing, whether they entail new costs or adjustments to existing ones, will not affectorders placed prior to the implementation of such changes. We encourage our customers tostay informed about our current pricing by reviewing the details outlined in the Order Forms.

Your agreement to these Metalab Terms will be indicated by your completion and submission of an Order Form. Such action will mark the commencement of our contractual agreement, referred to herein as the "Effective Date". If you are acting on behalf of an organisation, by accepting these Metalab Terms, you represent and warrant that you are an authorized representative with the requisite authority to enter into this agreement.

Notice for EEA consumers - Inability to withdraw from theContract

If you are a consumer residing in the European Economic Area (EEA), please be aware that under EU law, you have the right to withdraw from a contract within 14 days from the day of conclusion of the contract. However, there are exceptions to this right. In the case of Metalab Services, this exception applies due to the customized nature of the services provided.

Specifically, for service contracts where the service has begun with your prior express consent and you have acknowledged that you will lose your right to withdraw once the service has been fully performed by us, you will not be able to withdraw from the contract or cancel your order. This means that once an order for Metalab services has been placed and the service delivery has started, you lose your right of withdrawal.

Please ensure that you carefully review and confirm all details of your order prior to submission. Once the order has been submitted and we begin the provision of our services, it will not be possible to cancel or modify the order. By submitting an order, you acknowledge your understanding and acceptance of this policy.

5. Confidential Information
‍

The provision of Services under this Contract may involve access by the Parties to Confidential Information. Accordingly, both Parties agree to maintain the confidentiality of the information that will be provided to them, or that has been provided to them in order to conclude the Contract, or that will be generated by the Parties in connection with the performance of this Contract and to disclose such information only to representatives, employees, subcontractors or relevant service providers, if applicable, who directly need such Confidential information to be provided to them in order to fulfill the obligations set forth in this Contract, provided that they are bound by confidentiality obligations similar to those set forth in this Contract.

The obligation provided for above will not apply to information:
(i) which was known to the Parties, as it appears from their written records, before the time of its receipt;
(ii) which is in the public domain or which reached the public domain through no fault, direct or indirect, of the Parties or their personnel; or
(iii) which is received in good faith by the Parties, not having an obligation to keep the respective information confidential, from a third person who was legally in possession of the information and had the right to disclose it. The Parties will maintain their confidentiality obligations outlined in this clause even after the termination of the Contract.

Your agreement to these Metalab Terms will be indicated by your completion and submission of an Order Form. Such action will mark the commencement of our contractual agreement, referred to herein as the "Effective Date". If you are acting on behalf of an organisation, by accepting these Metalab Terms, you represent and warrant that you are an authorized representative with the requisite authority to enter into this agreement.

Mandatory Disclosure

Notwithstanding any provision of the confidentiality obligations set forth above, in the event that you or us (collectively, the "Receiving Party") are required by law, regulation, court order, or any other legal process to disclose any confidential information received from the other party (the "Disclosing Party"), the Receiving Party shall:

(1)  Promptly notify the Disclosing Party, in writing, of the requirement for such disclosure, to the extent legally permissible and practicable, prior to making the disclosure so that the Disclosing Party may seek a protective order or another appropriate remedy to protect the confidentiality of the information;
(2)  Cooperate with the Disclosing Party, at the Disclosing Party's expense, in seeking a protective order or another appropriate remedy to protect the confidentiality of the information;
(3)  Disclose only that portion of the confidential information that the Receiving Party is legally required to disclose, as determined in consultation with the Receiving Party's legal counsel; and
(4)  Use reasonable efforts to obtain assurances from the applicable legal authority that the disclosed confidential information will be afforded confidential treatment and protection to the extent possible under the circumstances.
‍
The Receiving Party's obligations under this clause shall not apply to any confidential information that is required to be disclosed pursuant to a validly issued subpoena or another compulsory process, provided that the Receiving Party has used reasonable efforts to comply with the provisions of this clause and to minimize the extent of the required disclosure.

6. Acceptable use Policy
‍

Prohibited activities

You agree not to engage in any of the following prohibited activities:
●  Misuse or attempt to circumvent the Order Forms or the services provided to you;
●  Probe, scan, or test the vulnerability of our systems or processes;
●  Introduce malware or disrupt the normal functioning of our services;
●  Send unauthorized or unsolicited promotional communications;
●  Violate or circumvent any security or authentication measures;
●  Access, modify or use non-public areas or parts of our services that you are not entitled
to access;
●  Transfer files, software, or links that contain harmful components or illegally access
content within our services;
●  Attempt to copy, modify, reverse engineer, or disrupt the functions, functionality, integrity, or performance of our services;
●  Upload or distribute data that violates the law or the intellectual property rights of others;
●  Encourage or support others in behaviors that violate this policy.

Customer Obligations

Along with refraining from prohibited activities, you are also required to fulfill the following obligations when using our services:
●  Contract Compliance: You must comply with all the terms and conditions set forth in the Contract, including this Policy and any other applicable terms or policies.
●  Rights to Customer Material: You must ensure that you have all the necessary rights, permissions, and consents to submit, transmit, or otherwise make available any Customer Material.
●  Legal Compliance: You must adhere to all applicable laws, regulations, and industry standards when using our services. This includes, but is not limited to, data protection and privacy laws, intellectual property rights, and export control regulations.
●  Security Measures: You must implement reasonable security measures to protect your account and Customer Material from unauthorized access, use, or disclosure. This includes safeguarding your account details and promptly notifying us of any suspected or actual security breach.
●  Cooperation with Investigations: You must cooperate with us in the investigation of any suspected or actual violation of this policy, including by providing us with any information or assistance reasonably requested by us.
●  Reporting Violations: You must promptly report any known or suspected violations of this policy to us, including any unauthorized access to, use of, or disclosure of our services or Customer Material.

7. Term, termination, modification
‍

Term

This Contract commences on the Effective Date and continues until the services are delivered or until terminated by either party as detailed below. Regardless of the reason for contract termination, you will not be exempt from your obligation to pay any amounts due for services provided before the effective termination date. This section does not infringe on your rights concerning withdrawal from distance contracts with consumers.
‍

Termination

Both parties have the right to seek termination of the Contract in the event of non-fulfillment ofobligations by the other party. Regarding non-fulfillment of obligations specifically mentioned inour Acceptable Use Policy, the Contract will be considered null and void based on a commissarypact of the highest degree, without delay, without the need for court intervention, with or withouta termination notice from the creditor. The creditor reserves the right not to invoke the pact,pursuing the execution of the obligation instead.

Unilateral Denouncement:
‍There are also exceptional situations in which we might unilaterally denounce the Contract, such as:
●  If we have a justified reason to believe that the continued provision of services is harmful to us, our third-party providers, external collaborators, or affiliated entities, or if we believe it could cause harm to our image or business reputation. In this situation, for security reasons, we reserve the right not to disclose the specific reason behind our decision to unilaterally denounce the contract.
●  If we are obligated to do so to comply with a regulatory act or court decision.
Before resorting to unilateral denouncement, we will send you a notification at the email address you have provided, offering you an opportunity to remedy the cause of the notification. The denouncement will take effect if you do not take necessary remedial actions within a reasonable timeframe, not exceeding 5 business days from the date of notification.
We will not provide prior notification if this:
●  Could compromise, interfere with, or affect the security of us, our third-party providers, external collaborators, or affiliated entities.
●  Is not permitted for legal reasons.
●  Could cause harm or endanger a third party.

Modification of the Contract

Metalab reserves the right to update, modify, or otherwise change the terms of this Contract at its sole discretion. However, it's important to note that such changes will not apply retroactively. They will only affect new customers who place an order after the terms have been changed. For existing customers, the terms and conditions in effect at the time of your order placement will govern the provision of services for that specific order.
‍
If you continue to use the Metalab Services for new orders after modifications have been made to the terms, it will constitute your acceptance of the new terms. Therefore, we strongly encourage you to review the terms periodically to ensure you are aware of any changes.

8. In case of Missunderstandings
‍

Limitation of liability

The provisions of this section do not limit the Parties' liability for death, bodily injury, fraud, gross negligence, or intent. Up to the extent permitted by law, Metalab will not be liable for loss of profits, income, or data, for the loss of any opportunity or any type of financial loss, and neither for any type of direct or indirect damages resulting from the provision or impossibility of provision of the Metalab Services. The Parties expressly declare that, in any situation, neither of them will be responsible for the losses that they could not reasonably anticipate at the time of the conclusion of the Contract, or for events that are beyond their reasonable control. Metalab's total liability regarding the breach of the Contract is limited to the amount paid by the Customer for the provision of the Metalab Services. Metalab will not be held liable in the event of non-compliance by the Customer's employees, collaborators, or contractors with the technical and/or organizational indications transmitted by Metalab's representatives for the successful provision of the Services.

‍Delay in Service Provision. While Metalab makes every effort to adhere to the agreed-upon timeframe for the provision of Services, there may be circumstances beyond our control that cause delays. If we find ourselves unable to provide the Services within the designated time frame, we will inform you as soon as reasonably possible and propose a revised timeframe for the completion of the Services. Please note that this does not constitute a contract breach, and Metalab shall not be liable for any damages, losses, or expenses incurred as a result of such delay. This clause does not impact your statutory rights or any other rights provided to you under applicable law.

No Warranties

Excluding the provisions of the Contract (for example, your right to request revisions) and to the extent permitted by law, Metalab makes no warranty regarding the content, availability, or reliability of the Metalab Services, the features available, or their ability to meet your requirements. The Metalab Services are provided “AS IS” and “AS AVAILABLE”. We do not warrant that the Services will be uninterrupted, timely, secure, or error-free. We expressly disclaim all warranties, including, but not limited to, any implied warranties of merchantability, fitness for a particular purpose, and non-infringement. If during use, you encounter errors and limitations of the Services, you undertake to notify us of these, and we will work with you to remedy the problem
‍

Force Majeure

Neither party shall be liable for its inability to comply with Contract terms due to events beyondits control. Such events may include but are not limited to denial-of-service attacks, a failure bya third party provider or utility provider, strikes, shortages, riots, fires, acts of God, war, terrorism,and governmental action. We will make reasonable efforts to resume performance as eventsmay allow. However, if the events continue for more than 60 (sixty) days, either Party may sendnotice regarding the termination of the Contract.

Indemnification

You will indemnify us, our administrators, agents, employees and contractors against anyclaims, complaints, demands, liabilities, damages, losses, and costs, including fines or actionsby government authorities, incurred as a result of your breach of the terms of the Contract orillegal use of the Services.

Disputes and Applicable Law

The Parties shall attempt to resolve any dispute in connection with the Contract amicably. If the Parties fail to reach an agreement on the dispute within a period of 30 days, it shall be finally settled by the competent courts. The contract is governed by Romanian law. Romanian courts will be competent to judge any disputes related to the Contract.

9. Miscellaneous
‍

This Contract constitutes the entire agreement between the Parties with respect to the subject matter hereof, and supersedes all prior and contemporaneous understandings, agreements, negotiations, and communications, whether written or oral, between the Parties concerning the subject matter. No modification, amendment, or waiver of any provision of this Contract shall be effective unless in writing.

This Contract only governs the relationship between the Parties. You may not transfer any rights or obligations to third parties without our written consent, and they will have no rights under the Contract. Either party may assign the rights and obligations conferred based on the Contract, without the other party's consent or notice, to a corporate affiliate or if the assignment is related to a merger, acquisition, or corporate reorganization or sale of assets. The inability or delay of either party to exercise a right provided for in the Contract will not constitute a waiver of that right.

Any notification addressed by one party to the other is validly fulfilled if it is communicated in writing by mail, e-mail, or courier. Notices addressed to you may be sent to the applicable email address of the account and are considered communicated when sent. Notices to us will be sent to support@metalab.one. If any terms of this Contract were to be found invalid or unenforceable under applicable law, the rest of the Contract would remain unaffected. We agree to modify such terms in the spirit they were initially created.

Appendix 1 - Data Processing Agreement
‍

This Data Processing Agreement (hereafter, the "DPA") sets forth the terms and conditions regarding the processing of personal data (including data concerning health) by Metalab on behalf of its Customers (as identified in the Metalab Terms) in connection with the provision of the Metalab Services. The purpose of the DPA is to ensure the protection and security of personal data processed by Metalab in compliance with applicable Data Protection Laws. The DPA is incorporated into the Contract, and its provisions apply to the Parties upon acceptance of the Contract.

‍1. Definitions
‍The terms used in this DPA shall have the same meaning as those defined in the Metalab Terms, unless otherwise specified herein. Additionally, the following terms shall have the meanings set forth below: "Data Protection Laws" means all applicable data protection and privacy laws, regulations of the European Union, the European Economic Area and their Member States, Switzerland, and the United Kingdom, including the GDPR and the UK GDPR. "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as may be amended or replaced from time to time. “Customer Personal Data” means any Customer Material that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws. "Subprocessor" refers to any third-party entity engaged by Metalab to conduct specific Customer Personal Data processing tasks under Metalab's direction. Additionally, the following terms, as defined in the GDPR, shall have the meanings ascribed to them in the regulation: controller, processor, processing, data subject, personal data, data concerning health, special categories of personal data, personal data breach.

‍2. Details of data processing Metalab as processor.
‍When Metalab processes Customer Personal Data on behalf of the Customer in connection with the Metalab Services, Metalab will act as a processor or sub-processor on behalf of the Customer (who, in turn, processes such personal data as a controller or processor), and this DPA will apply accordingly. A description of such processing is set out in Schedule 1.
‍
Instructions. Metalab shall process Customer Personal Data only in accordance with the lawful documented instructions of the Customer, as set forth in the Contract, this DPA, or as directed by the Customer or Customer's authorized representatives (hereinafter, the “Instructions”). Metalab shall inform the Customer without undue delay if it becomes aware that the Customer's processing Instructions infringe Data Protection Laws.

‍Customer's Role and Responsibilities in Data Processing. The Customer shall act as the controller or processor of the Customer Personal Data processed by Metalab pursuant to the Contract and this DPA. The Customer shall be responsible for ensuring compliance with all Data Protection Laws, including obtaining any necessary consents and providing any required notices in relation to its processing of Customer Personal Data (including but not limited to any special categories of personal data). Furthermore, the Customer warrants on an ongoing basis that the relevant controller has authorized: (i) the Instructions, (ii) Customer’s appointment of Metalab as a processor, and (iii) Metalab’s engagement of Subprocessors as described in Section 6 (Subprocessors);

‍Cooperation. The parties agree to cooperate in good faith and provide assistance to each other, as reasonably necessary, to fulfill their respective obligations under this DPA and Data Protection Laws. This includes providing reasonable assistance to each other in relation to data subject requests, data protection impact assessments, and any other requirements arising from Data Protection Laws, in accordance with the provisions of this DPA.

‍Description of Processing Activities. The details of the processing activities carried out by Metalab on behalf of the Customer, including the subject matter, duration, nature, and purpose of the processing, as well as the categories of data subjects and types of personal data, are described in Schedule 1 of this DPA.

‍Updates to Processing Activities. Metalab may update the description of processing activities in Schedule 1 from time to time to reflect changes in the Services, such as the introduction of new features or functionalities. Metalab shall inform the Customer of any significant changes to the processing activities, and the Customer shall have the opportunity to object to such changes, in accordance with the terms set forth in this DPA.


‍3. Special Categories of Personal Data Customer Responsibility. The Customer acknowledges and agrees that it is responsible for determining whether it processes any special categories of personal data (especially data concerning health) in connection with the Services. In such case, the Customer shall comply with any additional obligations and requirements under Applicable Data Protection Law, including obtaining necessary consents and providing appropriate notices, when processing such special categories of personal data.
‍
‍Metalab's Processing. If the Customer processes special categories of personal data in connection with the Services, Metalab shall process such data in strict accordance with the Instructions. Metalab shall not process special categories of personal data for any other purpose, unless otherwise required by law or with the Customer's explicit consent.
‍
‍Additional Safeguards. In the event that Metalab processes special categories of personal data on behalf of the Customer, Metalab shall implement additional appropriate technical and organizational measures to ensure the protection of such data in accordance with Data Protection Laws. These measures may include, but are not limited to, enhanced access controls, encryption, pseudonymization, and secure storage and transmission methods.

‍Notification of Special Categories of Personal Data Processing. The Customer shall notify Metalab in writing of any special categories of personal data that it intends to process in connection with the Services, and the nature and purposes of such processing. Metalab shall have the right to review and assess the appropriateness of the Customer's proposed processing activities, and may request further information or clarification from the Customer in order to ensure compliance with Data Protection Laws.


‍4. Security Security Measures. Metalab will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage (hereinafter, the “Security Measures”). Security Measures shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk and severity for the rights and freedoms of data subjects.

‍Confidentiality of Processing. Metalab will ensure that any person authorized to process Customer Personal Data on its behalf (including Metalab employees, contractors, or Subprocessors) will be subject to appropriate confidentiality obligations (whether contractual or statutory).

‍Customer Responsibility. The Customer acknowledges its own responsibility to implement appropriate security measures to protect its systems, networks, and devices used to access, transmit, or process Customer Personal Data. The Customer is responsible for ensuring the security of its own data processing environment and the secure transmission of data to and from Metalab's systems.

‍Security Incident Response. In the event of a personal data breach, Metalab will, without undue delay and in any event within 72 hours, notify the Customer and provide relevant details about the incident. Metalab will cooperate with the Customer in investigating and resolving the incident, including providing reasonable assistance in notifying affected data subjects and relevant authorities, where required by Data Protection Laws. Metalab’s notification of or response to a personal data breach under this section shall not be construed as an acknowledgment by Metalab of any fault or liability with respect to such an incident.

‍Security Updates. Metalab will regularly review and update its Security Measures to ensure the continued protection of Customer Personal Data. The Customer acknowledges that Metalab may make changes to its Security Measures from time to time as part of its ongoing commitment to maintaining a high level of data protection. In the event of any material changes to the security measures, Metalab will use reasonable efforts to ensure that the updated measures continue to provide an appropriate level of protection for Customer Personal Data, in accordance with Data Protection Laws and industry standard practices.


‍5. Audits Compliance Verification and Audit Access. Metalab acknowledges the importance of verifying its compliance with Data Protection Laws and this DPA. In order to facilitate audits and inspections, Metalab commits to providing the Customer with reasonable access to relevant information and documentation, subject to the signing of a Non-Disclosure Agreement (NDA) to protect the confidentiality of Metalab's proprietary and sensitive information.

‍Provision of Compliance Information and Documentation. Upon the Customer's written request and subject to the NDA, Metalab shall provide the Customer with: (a) relevant information and documentation demonstrating its compliance with its obligations under this DPA and Applicable Data Protection Law; and (b) any available third-party audits, certifications, or attestations related to its data protection practices and security measures.

‍Audit Procedure, Scope, Frequency. If the Customer, after reviewing the information provided by Metalab, reasonably believes that an audit is necessary to comply with Data Protection Laws and is not satisfied with the information provided, the Customer shall notify Metalab of its intention to conduct an audit. The Customer shall bear all costs associated with the audit, including any expenses incurred by Metalab, and may be required to provide upfront payment for such expenses. The parties shall mutually agree on the timing and duration of any audits, which shall not be conducted more frequently than once per year, unless required by Data Protection Laws or a competent supervisory authority. The Customer shall provide Metalab with reasonable advance notice of any intended audits.

‍Audit Scope and Limitations. Any audits shall be conducted in a manner that minimizes disruption to Metalab's business operations and shall not interfere with Metalab's ability to provide services to its other customers. The audit shall be limited in scope, duration, and frequency as required by Data Protection Laws and to address the specific concerns raised by the Customer.

‍Confidentiality and Security During Audits. The Customer must ensure that its representatives conducting an audit safeguard the confidentiality of all information obtained during the audit in accordance with the Contract and NDA, sign an enhanced mutually agreeable non-disclosure agreement if requested by Metalab, and adhere to Metalab's security policies while on Metalab's premises.

‍Sharing Audit Results and Non-Compliance. The Customer must promptly share with Metalab any written audit report generated and any instances of noncompliance discovered as a result of the audit. If the Customer is required to disclose the audit results to a competent supervisory authority or as otherwise required by law, the Customer shall notify Metalab and provide a copy of the intended disclosure, giving Metalab an opportunity to review and propose modifications to protect its proprietary and sensitive information. If the audit reveals any non-compliance by Metalab with its obligations under this DPA or Applicable Data Protection Law, Metalab shall promptly take necessary corrective actions and provide the Customer with an appropriate remediation plan.


‍6. Subprocessors General Written Authorization. The Customer grants Metalab a general written authorization to engage new subprocessors in the provision of the Services. Metalab will provide the Customer with a 10-day prior notice via email before appointing any new subprocessor, giving the Customer an opportunity to object. If the Customer objects within 7 days of receiving the notice, the parties will engage in good-faith discussions to explore alternative options. If no agreement can be reached within a period of thirty (30) days, the Customer may terminate the Contract without penalty, and Metalab will refund any prepaid fees covering the remainder of the contract term.

‍Current Subprocessors. The Customer acknowledges that Metalab has already engaged subprocessors as of the Effective Date. A list of the current subprocessors, their roles, and locations can be found below. The Customer authorizes the engagement of these subprocessors in accordance with this DPA.

Subprocessor name: Smilecloud SRL
Location: Romania
Role: General operations infrastructure
‍
‍Subprocessor Agreements. Metalab will enter into a written agreement with each subprocessor, which imposes data protection obligations on the subprocessor that are at least as protective as those set forth in this DPA. Metalab will be responsible for the subprocessors' compliance with the data protection obligations specified in their respective agreements.
‍
‍Subprocessor Updates. Metalab will regularly review and update the subprocessor list as necessary. The Customer will have the opportunity to review any changes made to the list and follow the same objection process as described in the first section of this clause.


‍7. Customer Assistance Data Subject Requests. Metalab will collaborate with the Customer to ensure compliance with data subject rights under Data Protection Laws. Metalab will provide reasonable assistance to the Customer in fulfilling its obligations to respond to data subject requests, considering the nature of Metalab's processing activities and the information available to Metalab. The Customer is responsible for handling data subject requests it receives directly. If Metalab receives any information or requests from a data subject related to the processing of their personal data under the Contract, Metalab will promptly forward such requests or information to the Customer and await further instructions. If a data subject submits a request directly to Metalab regarding their personal data processed by Metalab as a processor on behalf of the Customer, Metalab will promptly inform the Customer of such a request and cooperate with the Customer to help facilitate an appropriate response. Metalab may acknowledge receipt of the data subject's request and inform the data subject that it is working on the matter; however, Metalab will not provide a final resolution to the data subject's request without obtaining the Customer's prior written consent, unless required by Data Protection Laws.

‍Assistance in Compliance. Metalab will provide reasonable assistance to the Customer, at the Customer's expense, in conducting any data protection impact assessments, consulting with supervisory authorities, and implementing any required measures, to the extent applicable to Metalab's role as a processor.

‍Time and Cost of Assistance. Metalab's assistance in handling data subject requests and complying with the Customer's obligations under this clause will be provided at the Customer's expense, based on Metalab's reasonable fees for such services. The Parties agree to discuss and agree upon the scope of assistance and associated costs before Metalab begins providing the requested assistance.


‍8. Return and Deletion of Data:
Customer’s Choice and Return of Data. Upon termination of the Contract, or upon the Customer's written request, Metalab will, at the Customer's choice, either return all Customer Personal Data in its possession or control to the Customer or securely delete the Customer Personal Data. Metalab will provide the returned data in a commonly used and machine-readable format.

‍Deletion of Data. If the Customer requests the deletion of Customer Personal Data, Metalab will securely delete the Customer Personal Data from its systems and any storage media, along with any existing copies, in accordance with industry-standard practices and Data Protection Laws. Metalab may provide the Customer with written confirmation of the deletion upon request.

‍Retention of Data for Compliance Purposes. Notwithstanding the foregoing, Metalab may retain a copy of the Customer Personal Data to the extent required by Applicable laws Data Protection Law or for compliance with Metalab's legal obligations, provided that such retained data will continue to be subject to the confidentiality and security obligations set forth in the Contract and this DPA.

‍Subprocessors. Metalab will ensure that any Subprocessors engaged by Metalab will comply with the obligations in this clause regarding the return and deletion of Customer Personal Data. Metalab will remain responsible for the acts and omissions of its Subprocessors in relation to their compliance with this clause.

‍Certification and Audit. Upon the Customer's reasonable request and at the Customer's expense, Metalab will provide the Customer with a written certification, signed by an authorized representative of Metalab, attesting to Metalab's compliance with the obligations set forth in this clause regarding the return and deletion of data. The Customer shall have the right to audit Metalab's compliance with its obligations under this clause, subject to the audit provisions set forth in the DPA.

9. International Data Transfers Adequate Countries. Metalab may transfer Customer Personal Data to a country outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland without any further safeguards being necessary, provided that the relevant Data Protection Authority has determined that such a country ensures an adequate level of protection for personal data in accordance with Data Protection Laws.

‍Other Countries. For transfers of Customer Personal Data to countries outside the EEA, the UK, or Switzerland that do not provide an adequate level of protection, Metalab will ensure that such transfers are subject to the Standard Contractual Clauses or other data transfer mechanism approved by the relevant Data Protection Authority.

‍Subprocessors. Where Metalab engages subprocessors located in countries outside the EEA, the UK, or Switzerland that do not provide an adequate level of protection, Metalab will enter into written agreements with such subprocessors that include Standard Contractual Clauses or another data transfer mechanism approved by the relevant Data Protection Authority.

‍Customer Obligations. The Customer agrees to provide any assistance, information, or documentation necessary for Metalab to comply with its obligations under this International Data Transfers clause, including cooperating in the execution of the Standard Contractual Clauses or other data transfer mechanism approved by the relevant Data Protection Authority.

‍Updates to Data Transfer Mechanisms. Metalab may update the data transfer mechanisms used to comply with its obligations under this International Data Transfers clause, provided that such updates do not materially reduce the level of protection afforded to Customer Personal Data. Metalab will notify the Customer of any updates to the data transfer mechanisms and provide the Customer with the opportunity to review and object to such updates. If the Customer objects to the updates, the parties will discuss the objection in good faith and attempt to reach a mutually agreeable resolution. If the parties cannot reach a resolution, Customer may terminate the Contract without penalty, and Metalab will refund any prepaid fees covering the remainder of the contract term.


‍10. Final provisions Suspension of processing. In the event that Metalab doesn't meet its obligations under this DPA, the Customer can ask Metalab to suspend processing Customer Personal Data until Metalab starts complying with the DPA again or until the Contract is terminated. Metalab shall promptly inform the Customer in case it is unable to comply with this DPA, for whatever reason.

‍Termination by Customer. The Customer can terminate the Contract insofar as it concerns the processing of Customer Personal Data under this DPA if: 1) The Customer has requested Metalab to suspend the processing of Customer Personal Data according to the first section of this clause, and Metalab hasn't started complying with the DPA again within a reasonable time - at most one month following suspension.
2) Metalab is in substantial or persistent breach of this DPA or its obligations under applicable Data Protection Law 3) Metalab fails to comply with a decision of a competent court or supervisory authority regarding its obligations under this DPA or applicable Data Protection Law

‍Termination by Metalab. Metalab shall be entitled to terminate the Contract insofar as it concerns the processing of Customer Personal Data under this DPA where, after having informed the Customer that its Instructions infringe applicable legal requirements, the Customer insists on compliance with the Instructions.

‍Superseding Clause. This DPA supersedes and replaces all previous data processing agreements between the Parties in connection with the Services.

‍Relationship with Contract. The terms and conditions of the Contract remain in full force and effect. In the event of any conflict or inconsistency between the provisions of the Contract and this DPA in relation to data processing, the provisions of this DPA shall take precedence.

‍Liability. The liability of each Party under this DPA shall be subject to the exclusions and limitations of liability set out in the Contract.

‍Choice of Law and Jurisdiction. This Data Processing Agreement shall be governed by and construed in accordance with the governing law and jurisdiction stipulated in the Contract unless otherwise required by applicable Data Protection Laws. Schedule 1

‍DESCRIPTION OF PROCESSING ACTIVITIES
1. Categories of data subjects whose personal data is processed The Customer may transfer personal data to Metalab related to the following categories of data subjects: -  Customer clients or patients;
-  Customer employees;
-  consultants, vendors, and other third parties with whom the Customer is engaged in
business relations (who are natural persons);
-  other natural persons with whom Customer may communicate through the Services
2. Categories of personal data processed
Customer Personal Data may include, at Customer's sole discretion and control, the following categories of personal data: (1)

‍Non-special categories of personal data, such as
(a) personal details: name, address, email, telephone number, profile image; (b) identifiers: IP address, location, language, device IDs;
(c) employment details: employer name, job title, work address, work email; (d) educational details: qualifications, skills;
(e) financial information: bank account details;
(f) contractualdetails:detailsabouttheproductsorservicesprovided;
(g) customer history: purchases, customer service interactions;
(h) personal data included in user-generated content. (2)

‍Special categories of data
(a) genetic or biometric data; (b) health.
No other special categories of personal data shall be transferred by the Customer without prior written authorization from Metalab.

‍3. Nature of processing The nature of the processing of Customer Personal Data by Metalab in providing its Services involves the following: (1) collection and recording;
(2) storage and organization;
(3) retrieval, use, and consultation; (4)  adaptation or alteration;
(5)  disclosure by transmission;
(6)  alignment and combination;
(7)  restriction, erasure, and destruction.

4. Purpose of Processing The processing of Customer Personal Data by Metalab is limited to the following purposes: (1)  performance of the Contract;
(2)  provision, maintenance, and update of the Services provided to the Customer and
support regarding such Services;
(3)  support of the Customer's compliance with their obligations under applicable Data
Protection Laws in relation to the processing of personal data within the Services;
(4)  e processing of personal data within the Services;
(5)  compliance with applicable Data Protection Laws

5. Duration of Processing The processing of Customer Personal Data by Metalab under this DPA will commence on the Effective Date of the Contract and will continue until termination unless otherwise agreed in writing by the Parties or required by applicable Data Protection Laws.