Welcome to Infinite Reality

With just one click of a button, you can bring your vision to life.

Napster 3D Studio Data Processing Agreement (Processor)

Last updated and effective:

July 10, 2025

This Napster 3D Studio Data Processing Agreement (Processor) (the “DPA”) is between you and Infinite Reality, Inc. (“Napster”), each a “Party” and collectively the “Parties.” All capitalized terms used but not defined herein will have the meanings ascribed to them in the Napster 3D Studio Terms of Service (the “Terms”). In the event of a conflict between the terms of this DPA and the Terms, the terms of this DPA shall prevail. This DPA governs all Processing of Your Personal Data by Napster as a Processor on your behalf in connection with the Terms.

1. Definitions. Unless otherwise defined herein, the capitalized terms used in this DPA shall have the following meaning:

1.1 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.2 “Data Protection Laws” means all applicable laws or regulations throughout the world relating to data protection and privacy and which apply to the Processing of Your Personal Data in connection with the Terms, including without limitation the EU General Data Protection Regulation 2016/679 (“GDPR”) and the Swiss Federal Data Protection Act and its Ordinances, in each case, as may be amended, superseded or replaced.

1.3 “Data Subject” means an identified or identifiable natural person to whom the applicable Personal Data relates.

1.4 “Data Subject Request” means any request from a Data Subject to exercise its rights under applicable Data Protection Laws or your privacy policies or terms of service.

1.5 “De-Identified Data” means data that cannot be used to identify a specific Data Subject through any reasonable means.

1.6 “Personal Data” means any information relating to an identified or identifiable natural person where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws. “Personal Data” does not include De-Identified Data.

1.7 “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data. The terms “Process,” “Processes,” and “Processed” will be construed accordingly.

1.8 “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

1.9 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Napster in connection with the Services.

1.10 “Services” means the products and services that Napster has agreed to provide pursuant to the Terms that involve the Processing of Your Personal Data.

1.11 “Sub-Processor” means any natural or legal person, public authority, agency or other body engaged by or on behalf of Napster or Napster’s affiliates to Process Personal Data in connection with the Terms.

1.12 “Your Personal Data” means any Personal Data Processed by Napster on your behalf in connection with your use of the Services.

2. Details of Processing.  

2.1 Subject Matter. The subject matter of the Processing under this DPA is Your Personal Data. As between you and Napster, you shall be the Controller (either as the Controller, or acting in the capacity of a Controller, as a Processor, on behalf of another Controller) and Napster shall be the Processor with respect to Your Personal Data.

2.2 Categories of Data Subjects and Types of Personal Data. Any Personal Data, including the types of Personal Data and the categories of Data Subjects, submitted in the course of using the Services, is solely determined and controlled by you in your sole discretion.

2.3 Duration. The duration of the Processing corresponds to the duration of the Terms, unless otherwise agreed by the Parties in writing.

2.4 Nature and Purpose of the Processing. The purpose of the Processing under this DPA is the provision of the Services. Napster may Process Your Personal Data as is reasonably required to provide the Services or as may otherwise be required by applicable law.

3. Processing of Your Personal Data.

3.1 Napsterwill Process Your Personal Data only upon documented instructions from you, or as otherwise described in the Terms, this DPA, or as required by law.

3.2 You will ensure that your Processing instructions to Napster do not violate any applicable laws, including Data Protection Laws. You will notify Napster without undue delay if you are unable to comply with any of your obligations under this Section 3 or any Data Protection Laws.

3.3 Napster shall comply with all requirements under Data Protection Laws that apply to Napster's Processing of Your Personal Data under the Terms. You shall refrain from any action that would prevent Napster from fulfilling its obligations under any applicable Data Protection Law. If Napster, in its sole discretion, (a) believes that an instruction from you violates any applicable Data Protection Law or (b) determines that it is unable to comply with any instruction from you or its obligations under this DPA, then Napster will notify you without undue delay and, in its sole discretion, stop all Processing. Napster is not liable to you for any failure to perform under the Terms that results from the invocation of this Section 3.3.

3.4 You shall comply with all requirements under Data Protection Laws that apply to your Processing of Personal Data under the Terms. You expressly acknowledge that Napster is not responsible for determining which laws or regulations are applicable to your business. You are solely responsible for determining that the Services and the terms of this DPA meet your contractual and legal obligations.

3.5 You (a) are solely responsible for the accuracy of Your Personal Data, and if you become aware that any of Your Personal Data that you have transferred or received is inaccurate, or has become outdated, you shall inform Napster without undue delay, and (b) have all necessary authority, rights, and permissions to transfer or provide access to Your Personal Data to Napster for Processing in accordance with the terms of the Terms.

3.6 Upon termination or expiration of the Services, Napster will delete or return all Your Personal Data (including copies thereof), unless Napster is required to maintain Your Personal Data pursuant to applicable law, provided that nothing herein shall require Napster to delete any Your Personal Data archived on back-up systems.

4. Data Security.

4.1 Napster shall take all commercially reasonable steps, at your expense, to enable you to comply with your obligations as a Controller under applicable Data Protection Laws, taking into account the nature of the Processing and the information available to Napster, provided that nothing herein shall require Napster to make the Services compliant for your specific use.

4.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Napster shall in relation to Your Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, the measures described in Annex I to this DPA. Notwithstanding anything to the contrary herein, Napster may modify or update the security measures described in Annex I at its discretion provided that such modification or update does not result in a material degradation in the protection offered by such security measures described in Annex I. You are responsible for independently determining whether the data security provided for in the Services adequately meets your obligations under applicable Data Protection Laws. You expressly acknowledge that Napster provides security features and functionality that you can use to protect Your Personal Data.

4.3 You shall implement and maintain appropriate technical and organizational measures to ensure the security of Your Personal Data, including protection against Security Incidents, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purpose of Processing.

4.4 Napster shall grant access to Your Personal Data to members of its personnel only to the extent necessary for the implementation, management and monitoring of the Terms. Napster shall ensure that persons authorized to Process Personal Data on behalf of Napster are subject to appropriate confidentiality obligations (whether a contractual or statutory duty).

4.5 If Napster becomes aware of a Security Incident, it shall (a) use commercially reasonable efforts to notify you without undue delay and (b) take appropriate measures to address the Security Incident as may be required by applicable law. At your request and expense, Napster will provide you with reasonable assistance as necessary to enable you to comply with applicable Data Protection Laws, including notifying competent authorities and/or affected Data Subjects about relevant Security Incidents, if you are required to provide such notice under applicable Data Protection Laws.

4.6 Napster's obligation to report or respond to a Security Incident under this Section 4 is not and will not be construed as an acknowledgement by Napster of any fault or liability with respect to the Security Incident.

5. Documentation and Compliance.

5.1 Each Party shall make available, upon request, to the other Party all information reasonably necessary to demonstrate such Party’s compliance with its obligations under this DPA. At your request, Napster shall allow for and contribute to audits, including inspections, conducted by you or your auditor to assess compliance with your obligations under this DPA. For the avoidance of doubt, nothing in this DPA gives you the right to conduct an audit of Napster's business, systems, or services.

5.2 Taking into account the nature of the Processing and the information available to Napster, Napster shall reasonably assist you in complying with your obligations with respect to data protection impact assessments and prior consultations under applicable Data Protection Laws.

6. Use of Sub-Processors.

6.1 You generally authorize Napster to engage Sub-Processors. Napster's current Sub-Processors are listed in Annex II to this DPA. Napster shall provide you with advanced notice in writing of any intended changes to that list through the addition or replacement of Sub-Processors, giving you the opportunity to object to such changes prior to the engagement of the Sub-Processor(s). Napster shall provide you with the information necessary to enable you to exercise your right to object. If you object to the engagement of a new Sub-Processor, the Parties will discuss your concerns in good faith to identify a commercially reasonable resolution. If no such resolution can be reached, Napster may either, in its sole discretion, not engage the new Sub-Processor or permit you to suspend or terminate the affected Service in accordance with the termination provisions of the Terms without liability to either Party (but without prejudice to any fees incurred by you prior to suspension or termination).

6.2 If Napster engages a Sub-Processor to carry out specific Processing activities on your behalf, Napster shall enter into a written contract with such Sub-Processor that is at least as protective of Your Personal Data as in this DPA. Napster shall remain responsible for the Sub-Processor’s compliance with its applicable data protection obligations under this DPA.

7. Data Subject Rights.

7.1 Napster shall notify you of any Data Subject Request it has received from a Data Subject. You shall be solely responsible for responding substantively to any such request. You authorize on your behalf, and on behalf of your Controllers when you are acting as a Processor, Napster to respond to any Data Subject who makes a request to Napster to confirm that Napster has forwarded the request to you and/or to advise the Data Subject to submit their request to you.

7.2 To the extent you are unable to independently address a Data Subject Request, Napster shall provide, upon written request from you and at your expense, commercially reasonable assistance to you as is necessary to allow you to respond to a request from a Data Subject.

8. Data Transfers.

8.1 You acknowledge and agree that Napster may access and Process Your Personal Data on a global basis as necessary to provide the Services in accordance with the Terms. If Your Personal Data that is subject to GDPR is transferred to any country outside of the European Economic Area (EEA) that is not recognized by the European Commission as providing an adequate level of protection for Personal Data, either directly or via onward transfer (each a “Data Transfer”), then Module Two terms (to the extent you are a Controller of Your Personal Data) or Module Three terms (to the extent you are a Processor of Your Personal Data) of the Standard Contractual Clauses shall apply, provided, however, the Standard Contractual Clauses will not apply to a Data Transfer if (a) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the Processing in question, (b) the Data Transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or (c) the Data Transfer is necessary in order to protect the vital interests of the Data Subject or of another natural person.

8.3 If the Module Two or Module Three terms apply, (a) in Clause 7, the optional docking clause shall not apply, (b) in Clause 9, Option 2 will apply and the process for providing notice for Sub-Processor changes will be as set forth in Section 6 of this DPA, and the time period for objections will be thirty (30) days, (c) in Clause 11, the optional language will not apply, (D) in Clause 17, the EU Standard Contractual Clauses will be governed by the laws of the Federal Republic of Germany, and (e) in Clause 18(b), disputes relating to this DPA shall be resolved in the courts of the Federal Republic of Germany.

9. General Provisions.

9.1 Entire Terms; Severability. This DPA constitutes the entire agreement between the Parties concerning the subject matter hereof and supersedes any and all oral or written agreements or understandings between the Parties, as to the subject matter of this DPA. In the event of a conflict between this DPA and the Terms, this DPA will govern and control with respect to the subject matter of this DPA. If any term of this DPA is deemed invalid or unenforceable, such term shall be deemed reformed or deleted, as the case may be, but only to the extent necessary to comply with the applicable law, rule or regulation, and the remaining provisions of this DPA shall remain in full force and effect.

9.2 Waiver. The waiver of a breach of any provision of this DPA will not operate or be interpreted as a waiver of any other or subsequent breach.

9.3 Amendment. Notwithstanding anything to the contrary herein, Napster reserves the right to amend or modify this DPA, in its sole discretion, by posting a revised version, which shall become effective and binding the next business day after it is posted.  

9.4 Liability. This DPA does not provide any basis for you or any other person to recover damages of any type other than those set forth in the Terms and subject to all limitations set forth therein.

9.5 Governing Law. This DPA is governed by the law stipulated in the Terms, except to the extent required by applicable Data Protection Laws, in which case the jurisdiction set forth in the applicable Data Protection Law applies.

9.6 Notices. All notices and communications given under this DPA (a) to Napster shall be provided in accordance with the notice requirements set forth in the Terms and (b) to you shall be provided by email sent to the address related to your use of the Services under the Terms.

9.7 Authorization. You represent that you are authorized to agree to and enter into this DPA for and on behalf of yourself, and as applicable, your affiliates.

ANNEX I: TECHNICAL AND ORGANIZATIONAL MEASURES

Napster has implemented and maintains appropriate technical and organizational measures, which include those measures described below:

  • Organizational management and dedicated staff responsible for the development, implementation and maintenance of Napster’s information security program.
  • Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Napster’s organization, monitoring and maintaining compliance with Napster’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  • Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable media (i.e. laptop computers).
  • Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
  • Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Napster’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Napster’s computer systems; (iii) must have defined complexity; and (iv) newly issued passwords must be changed after first use.
  • Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Napster’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
  • Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Napster’s possession.
  • Change management procedures designed to test, approve and monitor all material changes to Napster’s technology and information assets.
  • Incident management procedures designed to allow Napster to investigate, respond to, mitigate and notify of events related to Napster's technology and information assets.
  • Network security controls designed to protect systems from intrusion and limit the scope of any successful attack.
  • Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
  • Disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergencies or disasters.

ANNEX II: LIST OF SUB-PROCESSORS

The Sub-Processors listed below have been engaged by Napster on or before the Effective Date, and may assist in Processing Your Personal Data.

Sign up for Updates

Send me updates including industry white papers, news and product info.

Thank you! We’ll be in touch soon.
Oops! Something went wrong while submitting the form.

Napster Brands

Napster 3D Studio
Enterprise
Napster Spaces
Napster Companion
Napster Music
Thunder Studios
DRL
TalentX

Resources

Retail Report
Case Studies
Blogs
3D Engine
3D Studio Documentation
3D Studio FAQ

Enterprise Offerings

Immersive Worlds
Immersive Units
AI Assistants
Sports Solutions
Retail Solutions

Company

Newsroom
About
Careers
Team
Investor Relations
Contact Us

About Napster

Napster powers the future of digital experiences through spatial computing and AI. Our innovative software, production, and marketing solutions help brands and creators build immersive experiences that drive engagement, data ownership, and brand value. About Napster
Privacy  Policy
Terms of Service
CCPA Notice
Copyright © 2025 Infinite Reality, Inc. All rights reserved.