DPA Annex 1 - Description of Processing and Subprocessors

Last verified: May 2026
Processor: Stratum1 GmbH, Schubertstrasse 6a, 8010 Graz, Austria

This Annex forms part of the Data Processing Agreement between Stratum1 GmbH and the Controller.

1. Subject Matter of Processing

The processing concerns the provision of Arrival.Space to the Controller, including hosting, storage, rendering, transformation, display, publication, interaction, communication, analytics, support, security, APIs, integrations, AI-assisted features, and related functionality for 3D spaces and user-generated content.

2. Duration of Processing

Processing continues for the duration of the Agreement and for any limited period thereafter required for deletion, export, backup overwrite, security, legal compliance, dispute resolution, legal claims, or agreed transition support.

User Content is generally retained until deleted by the Controller or an authorised user, or until the account or relevant service is terminated, subject to backups, technical limitations, legal retention, and any separately agreed transition or hosting arrangements.

Raw source files used for technical conversion workflows, such as uploaded video used to generate a 3D Gaussian Splat or similar technical output, are retained only for the technical processing window and are normally deleted within a short technical processing period, unless longer retention is required for troubleshooting, support requested by the Controller, security, abuse prevention, or legal reasons.

3. Categories of Data Subjects

The processing may concern, depending on the Services used and the Controller’s configuration:

• authorised users, administrators, employees, contractors, collaborators and other persons acting for or on behalf of the Controller;
• registered users, guests, visitors and other persons accessing or interacting with Controller spaces or content;
• individuals whose personal data is included in user-generated content, uploaded files, communications, prompts, reports, metadata or other materials processed through the Services;
• customers, prospects, partners, end users or other third parties of the Controller;
• persons interacting with external content, Gates, integrations, APIs, MCP tools, plugins, vibes or partner workflows configured by the Controller or authorised users.

The exact categories of data subjects depend on the Controller’s use of the Services, the content uploaded, the access permissions granted, and the integrations or workflows enabled.

4. Categories of Personal Data

The categories of personal data may include, depending on the Services used and the Controller’s configuration:

• account, identity and workspace data;
• profile, avatar and user-setting data;
• user-generated content and related metadata;
• visual, audio, communication and interaction data;
• technical, device, log, telemetry and security data;
• authentication, access-control, permission and audit data;
• usage, analytics, dashboard and performance data;
• AI-related input, output, context and technical metadata where AI-assisted features are used;
• report, support, notice-and-action and compliance-related data;
• licence, transfer, export and administration-related metadata.

The exact data processed depends on the features activated, content uploaded, permissions granted, integrations enabled, and settings selected by the Controller or authorised users.

5. Special Categories and Criminal-Offence Data

The Services are not intended for systematic processing of special categories of personal data under Art. 9 GDPR or criminal-offence data under Art. 10 GDPR.

However, such data may be incidentally included in User Content, images, videos, audio, prompts, external content, reports, or communications uploaded or configured by the Controller or its users. The Controller is responsible for ensuring a valid legal basis and required safeguards where such data is processed.

Safeguards may include purpose limitation, access restrictions, role-based access controls, deletion controls, confidentiality, secure transmission, logging, and restrictions on onward transfer.

Notice-and-action reports may contain allegations of illegal content or suspected criminal offences. Such data is processed only as necessary for legal compliance, platform integrity, abuse prevention, and related purposes.

6. Nature of Processing

The processing may include, depending on the Services used and the Controller’s configuration:

• collection, receipt, import, storage, organisation and hosting of data;
• rendering, display, publication, streaming, transmission and delivery of content and spaces;
• technical processing, conversion, optimisation and generation of platform-compatible assets or outputs;
• provision of communication, collaboration, interaction, presence, dashboard, analytics and access-control functionality;
• processing required for AI-assisted features, APIs, integrations, plugins, MCP tools, partner workflows and similar connected functionality where activated or agreed;
• account, workspace, licence, content and permission management, including transfers, exports, imports and reassignment where enabled or agreed;
• logging, monitoring, debugging, troubleshooting, security, abuse prevention, backups, maintenance, deletion, restoration and support;
• processing required for legal compliance, notice-and-action handling and enforcement of the Agreement.

7. Purposes of Processing

The purposes are, depending on the Services used and the Controller’s configuration:

• to provide, operate, secure and maintain the Arrival.Space Platform for the Controller;
• to enable the Controller and its users to create, host, manage, publish, share, explore and interact with digital spaces and related content;
• to provide communication, collaboration, avatar, presence, analytics, dashboard and access-control functionality;
• to provide technical conversion, optimisation, AI-assisted, API, integration, plugin, MCP, partner, reseller, import, export and transfer functionality where activated or agreed;
• to provide support, troubleshooting, maintenance, reliability, abuse-prevention and security functionality;
• to comply with legal obligations and enforce the Agreement.

8. Processing Instructions and Customer Controls

The Controller’s instructions may include, depending on the Services used and the Controller’s configuration:

• selected account, workspace, space, visibility, access, permission and feature settings;
• content uploaded, imported, linked, embedded, exported, synchronised or otherwise processed through the Services;
• access granted to users, collaborators, partners, resellers, API clients, MCP clients, integrations or other authorised third parties;
• activation or configuration of AI, voice, chat, analytics, dashboards, APIs, integrations, Gates, plugins, vibes, MCP tools, partner workflows or similar functionality;
• account, workspace, licence, content or space transfer instructions where enabled or agreed;
• support requests and other documented instructions.

Customer-authorised partners, resellers, agencies, consultants, service providers, employees, contractors or other third parties accessing or managing the Services on behalf of the Controller are deemed to act under the Controller’s responsibility and instructions, unless Stratum1 has separately engaged them as Subprocessors.

9. Data Visibility, Partner Workflows and Third-Party Content

Personal data may be visible to other users or guests within shared virtual environments depending on the Controller’s configuration, user permissions, and the nature of the Services. Such visibility is inherent to the Platform’s functionality.

Personal data may also be processed through APIs, MCP tools, integrations, plugins, vibes, partner systems, reseller workflows, or automated and real-time data exchange mechanisms. The Controller is responsible for configuring such features lawfully and ensuring that any persons acting on its behalf are properly authorised.

A partner, reseller, agency, or similar service provider may create, configure, purchase, manage, or prepare an account, workspace, licence, or space for transfer to an end client. Such party is responsible for ensuring that it has the necessary authority, rights, permissions, consents, and legal bases to act for that end client and to process or transfer any related personal data.

After a transfer of an account, workspace, licence, or space, continued access by the partner, reseller, agency, or similar service provider depends on the permissions granted or maintained by the new account holder or Controller.

External content embedded or linked through Gates may be provided by third parties that are not Subprocessors of Stratum1. Those providers are generally independent controllers for their own processing once the external content is activated by a user.

Nothing in this Annex creates joint controllership or joint ownership of data. Joint controllership applies only where expressly agreed in a separate written arrangement identifying the relevant processing activity and allocating responsibilities under Art. 26 GDPR.

10. Subprocessors Authorised for Controller Data

The following Subprocessors may process Controller Data depending on the Services used, configuration, and feature activation. Not all Subprocessors are used for every Controller or every feature.

Subprocessors are engaged under written or electronic terms that impose data protection obligations substantially consistent with Art. 28 GDPR, where applicable.

Where the Controller or an authorised user connects an external service, AI provider, API, MCP client, integration, or other third-party tool using the Controller’s own account, API key, token, credentials, or external configuration, such third party is generally not a Subprocessor of Stratum1.

10.1 Amazon Web Services (AWS)

Location / contracting entity: AWS EMEA SARL, Luxembourg, and AWS affiliates.
Purpose: Hosting, compute, storage, databases, load balancing, security, backups, content delivery, and infrastructure.
Categories of data: Account data, content, logs, technical data, and metadata.
Transfer safeguards: EU/EEA processing where configured; SCCs or other safeguards for third-country access or transfers.

10.2 Hetzner Online GmbH

Location / contracting entity: Germany.
Purpose: Hosting, infrastructure, storage, or EU-based operational services where used.
Categories of data: Hosted data, technical data, logs, and operational data.
Transfer safeguards: EU/EEA.

10.3 Cloudflare, Inc.

Location / contracting entity: United States / global network.
Purpose: Security, DDoS protection, CDN, DNS, traffic management, and bot protection.
Categories of data: IP address, request data, traffic data, and security logs.
Transfer safeguards: SCCs or other safeguards.

10.4 Hyperbeam Inc.

Location / contracting entity: Canada / United States where applicable.
Purpose: User-activated browser streaming and embedded cloud-browser experiences.
Categories of data: IP address, session data, connection data, and interaction metadata.
Transfer safeguards: Adequacy, SCCs, or other safeguards as applicable.

10.5 LiveKit, Inc.

Location / contracting entity: United States / global infrastructure.
Purpose: WebRTC, voice, audio, video, or real-time communication features.
Categories of data: IP address, connection data, media data, and technical metadata.
Transfer safeguards: SCCs or other safeguards.

10.6 atmoky GmbH

Location / contracting entity: Austria.
Purpose: Spatial audio and voice communication features where used.
Categories of data: Audio data, technical metadata, and device/connection data.
Transfer safeguards: EU/EEA unless otherwise configured.

10.7 Twilio SendGrid

Location / contracting entity: United States / global infrastructure.
Purpose: Transactional emails, account emails, notifications, and marketing emails where enabled.
Categories of data: Email address, email content, delivery data, and interaction data where tracking is enabled.
Transfer safeguards: SCCs or other safeguards.

10.8 OpenAI, LLC

Location / contracting entity: United States.
Purpose: AI-powered features such as prompts, content generation, coding assistance, agents, and vibe-coding where enabled by Stratum1 as part of the Services.
Categories of data: Prompts, inputs, context, uploaded data, outputs, and technical metadata.
Transfer safeguards: SCCs, data processing terms, and account-level controls where available.

10.9 Anthropic PBC

Location / contracting entity: United States.
Purpose: AI-powered assistance and content generation where enabled by Stratum1 as part of the Services.
Categories of data: Prompts, inputs, context, outputs, and technical metadata.
Transfer safeguards: SCCs, data processing terms, and account-level controls where available.

10.10 Appzi Inc.

Location / contracting entity: United States.
Purpose: Feedback, bug reports, content reports, or surveys where enabled.
Categories of data: User input, report data, interaction data, and technical data.
Transfer safeguards: SCCs or other safeguards.

10.11 Screenshot Machine, Hinterland Software 

Location / contracting entity: United States or provider location.
Purpose: Server-side generation of static preview images for external websites where used.
Categories of data: URL requested for preview and server-side request metadata.
Transfer safeguards: SCCs or other safeguards where required.

11. International Transfers

Personal data may be transferred outside the EU/EEA, including to the United States, Canada, Japan, or other countries depending on provider infrastructure, user location, customer configuration, or feature use. Where required, transfers are safeguarded by adequacy decisions, EU Standard Contractual Clauses, supplementary measures, or other lawful transfer mechanisms. Transfers to countries covered by an adequacy decision, such as Japan where applicable, may take place on the basis of that adequacy decision.