Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PlayerGames, LLC ("Processor," "we," "us," or "our") and the Customer ("Controller," "you," or "your").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any processor engaged by PlayerGames to process Personal Data.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by PlayerGames in connection with providing game server hosting services.

3. Data Processing

3.1 Processing Activities

We process Personal Data for the following purposes:

  • Account management
  • Service provision
  • Payment processing
  • Customer support
  • Analytics
  • Security monitoring

3.2 Categories of Data

The Personal Data processed includes:

  • Account information
  • Payment information
  • Server configuration data
  • Usage data
  • Technical data

4. Sub-processors

4.1 Authorized Sub-processors

We use the following primary Sub-processors:

  • PhoenixNap (Game server hosting)
  • Vercel (Website hosting)
  • Clerk (Authentication)
  • Stripe (Payment processing)
  • Klaviyo (Email marketing)
  • Google Analytics (Analytics)

4.2 Sub-processor Requirements

All Sub-processors are required to:

  • Comply with data protection laws
  • Implement appropriate technical and organizational measures
  • Process Personal Data only as instructed by PlayerGames
  • Maintain confidentiality

5. Security Measures

5.1 Technical Measures

We implement appropriate technical measures including:

  • Industry-standard encryption for data in transit and at rest
  • Access control and authentication systems
  • Firewalls and security monitoring
  • Regular security updates and patches
  • Secure data backup systems

5.2 Organizational Measures

We maintain organizational security through:

  • Access control policies
  • Employee training
  • Security procedures and policies
  • Regular security assessments
  • Incident response procedures

6. Data Breach Procedure

6.1 Internal Response

In the event of a data breach, we will:

  1. Immediately initiate our incident response plan
  2. Form an incident response team
  3. Investigate the breach and its scope
  4. Take immediate steps to contain and mitigate the breach
  5. Document all findings and actions taken

6.2 Notification

In the event of a data breach, we will:

  1. Notify affected parties without undue delay and within 72 hours of discovery
  2. Provide details about:
    • Nature of the breach
    • Categories of data affected
    • Approximate number of affected Data Subjects
    • Likely consequences
    • Measures taken or proposed to address the breach
  3. Provide regular updates as new information becomes available

6.3 Post-Breach Actions

Following a breach, we will:

  1. Conduct a thorough investigation
  2. Implement necessary security improvements
  3. Update security procedures as needed
  4. Provide a detailed post-mortem report
  5. Take steps to prevent similar incidents

7. Data Subject Rights

7.1 Support for Data Subject Requests

We will assist you in responding to Data Subject requests for:

  • Access to Personal Data
  • Correction of Personal Data
  • Copies of Personal Data

7.2 Response Timeline

We will respond to Data Subject requests within 60 days.

8. Data Retention and Deletion

8.1 Retention Period

  • Active account data is retained indefinitely
  • Redundant data is deleted after 30 days
  • Backup data is retained according to our backup rotation policy

8.2 Deletion Procedures

Upon termination of services, we will:

  • Delete or return Personal Data as requested
  • Ensure deletion from backup systems according to backup rotation
  • Require Sub-processors to delete relevant Personal Data

9. Audit Rights

9.1 Audit Cooperation

We will:

  • Provide information necessary to demonstrate compliance
  • Allow for and contribute to reasonable audits
  • Make available our security documentation

9.2 Audit Conditions

  • Audits must be conducted with reasonable notice
  • Audits must not disrupt normal business operations
  • Audit findings must be treated as confidential

10. Data Transfer

10.1 Data Location

  • All data processing occurs within the United States
  • Game servers are hosted in PhoenixNap data centers in the United States
  • Website hosting is provided through Vercel, with points of presence (POPs) in the United States

10.2 Transfer Safeguards

  • Appropriate safeguards are in place for all data transfers
  • Sub-processors are required to maintain similar safeguards

11. Liability and Indemnity

Each party shall be liable for its own actions and shall indemnify the other party for damages caused by breaching this DPA.

12. Term and Termination

12.1 Duration

This DPA remains in effect as long as we process Personal Data under the Terms of Service.

12.2 Survival

Obligations regarding confidentiality and data protection survive termination.

13. Governing Law

This DPA is governed by the laws of the State of South Carolina.

14. Contact Information

For privacy-related inquiries: PlayerGames, LLC, legal@player.games