Data Processing Addendum
DATA PROCESSING ADDENDUM
Exit Games, Inc., a Delaware corporation, whose principal place of business is at 111 SW 5th Ave. STE 3150, Portland OR 97204, USA ("Exit Games") and the counterparty agreeing to this terms ("Customer") have entered into an Main Agreement, Exit Games' Terms of Use (available at https://dashboard.photonengine.com/en-US/Account/LicenseTerms), or other written or electronic agreement for the provision of Exit Games' networking engine and multiplayer platform (collectively, the "Services") provided by Exit Games (the "Main Agreement"). This Data Processing Addendum, including its Annexes, (the "DPA") forms part of the Main Agreement.
Each of Exit Games and Customer may be referred to herein as a "Party" and together as the "Parties".
This DPA will be effective and replace any previously applicable terms relating to their subject matter (including any data processing agreement or addendum relating to the Services), from the date on which Customer clicked to accept or the Parties agreed to this DPA otherwise.
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.
RECITALS:
(A) In connection with the Services, the Parties anticipate that Exit Games may process outside of the EEA certain Personal Data in respect of which the Customer or any member of the Customer Group may be a Controller under applicable EU Data Protection Laws or UK Data Protection Laws.
(B) The Parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by EU Data Protection Laws, UK Data Protection Laws and other applicable data protection laws, to the extent applicable.
1. Definitions
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
(a) "Adequate Country" means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner's Office and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the EU GDPR;
(b) "Affiliate" means, with respect to a Party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such Party (but only for so long as such Control exists;
(c) "Customer Group" means the Customer and/or any entity that, directly or indirectly, controls, is controlled by, or is under common control with the Customer and is Party to this DPA, where "control" means the power (directly or indirectly) to appoint or remove a majority of the directors of that entity and includes Affiliates;
(d) "Data Protection Laws" means (i) all laws and regulations of the European Union, the European Economic Area, their member states, applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data ("EU GDPR"), or (ii) all laws and regulations of the UK, applicable to the processing of Personal Data under the Main Agreement, including the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018 (the "UK GDPR");
(e) "Data Subject Request" means a request from or on behalf of a data subject to exercise any rights in relation to his/her Personal Data under Data Protection Laws;
(f) "EEA" means the European Economic Area;
(g) "EU Clauses" means the standard contractual clauses for international transfers of Personal Data to third countries set out in the European Commission's Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj)
incorporating Module Two for Controller to Processor transfers and which form part of this DPA in accordance with Schedule 2; (h) "Exit Games Group" means Exit Games and any of its Affiliates;
(i) "Personal Data" means personal data or personal information of Customer processed by Exit Games on behalf of Customer under this DPA and as defined in the Data Protection Laws. In accordance with Section 2.1 of this DPA, this may include the Personal Data of a Customer Group Company;
(j) "Restricted Transfer" means a (i) transfer of Personal Data from any Customer Group Company to Exit Games; or (ii) an onward transfer of Personal Data from Exit Games to a sub-processor of Exit Games, in each case, where and to the extent the Party receiving the transferred Personal Data is outside the EEA and such transfer would be prohibited under the EU GDPR or the UK GDPR;
(k) "Security Breach" means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of Exit Games' staff or sub-processors, or any other identified or unidentified third-party;
(l) "Supervisory Authority" means in the UK, the Information Commissioner's Office ("ICO") (and, where applicable, the Secretary of State or the government), and in the EU, an independent public authority established pursuant to the GDPR;
(m) "UK" means the United Kingdom;
(n) "UK Approved Addendum" means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and in force since 21 March 2022; and
(o) "UK Mandatory Clauses" means the Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any final version published by the Information Commissioner's Office.
1.2 An entity "Controls" another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in "Common Control" if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
1.3 The terms "Controller", "Data Subject", "Processor" and "sub-processor have the meanings ascribed to them in the Data Protection Laws.
1.4 Any defined terms which are not defined in this DPA are as defined in the Main Agreement.
2. Roles and Compliance with Data Protection Laws
2.1 Customer is the Controller of Personal Data, and Exit Games is the Processor of Personal Data. Each Party will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with Data Protection Laws applicable to such Party in the processing of Personal Data. As between the Parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired.
2.2 For the avoidance of doubt, a Customer Group Company other than the Customer is not and does not become a party to the Main Agreement and, subject to the following, is only a party to this DPA.
2.3 This DPA is without prejudice to the rights and obligations of the Parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
3. Description of Processing
3.1 The subject matter, nature and purposes of the processing, duration, types of Personal Data and categories of Data Subject are as set out in ANNEX I to Schedule 2.
3.2 As a Processor, Exit Games will only process Personal Data (i) in order to provide the Services to Customer as agreed in the Main Agreement or (ii) per Customer's instructions in writing or via email. Exit Games will notify Customer (unless prohibited by applicable law) if it is required under applicable law to process Personal Data other than pursuant to Customer's instructions. As soon as reasonably practicable upon becoming aware, inform the Customer if, in Exit Games' opinion, any instructions provided by the Customer infringe applicable Data Protection Laws. Upon termination of the Main Agreement and upon written request of the Customer, return or delete the Personal Data, unless required by law to continue to store a copy of the Personal Data.
4. Technical and Organisational Security Measures
4.1 Exit Games is responsible for implementing and maintaining commercially reasonable and appropriate technical, physical, and organizational safeguards to protect the confidentiality, availability, and integrity of Personal Data that is maintained and accessed by Exit Games for a Customer using Exit Games' Services pursuant to the Main Agreement. Exit Games' security measures for protecting such personal data while it is Exit Games' possession, custody, or control shall include, as appropriate, the measures described in ANNEX II to Schedule 2 of this DPA. Exit Games may modify or update these measures at its discretion provided that such modification or update does not result in a degradation of its protection of such Personal Data.
4.2 Exit Games will take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under obligations of confidentiality.
4.3 Customer is responsible for the security of Personal Data throughout the time that such data is in Customer's possession, custody, or control, including while personal data is in transit over the Internet or other third-party network. In furtherance of meeting its security obligations, Customer agrees to employ all physical, administrative, and technical security measures necessary to (i) protect all of its and its Authorized Personnel's access credentials; (ii) protect Customer's information technology infrastructure, including computers, software, databases, electronic systems (including database management systems) and networks whether operated directly by Customer or through the use of third-party services (the
"Customer Systems"); (iii) protect against any unauthorized access to or use of the Services directly or indirectly through Customer Systems or its or its or its Authorized Personnel's access credentials; and (iv) protect the confidentiality, integrity, and availability of all personal data while such data is in transit to Exit Games, including while such data is being uploading or otherwise provided to Exit Games for processing.
4.4 Customer is solely responsible for making an independent determination whether Exit Games' security measures meet Customer's requirements and data protection obligations under applicable laws and regulations. Customer acknowledges and agrees that, taking into account the state of the art, cost of implementation, and the nature, scope, context and purposes of the processing of personal data, as well as the risks to individuals, the security practices and policies implemented and maintained by Exit Games provide a level of security appropriate to the risk with respect to Personal Data.
5. Sub-processing and Audits
5.1 Customer authorizes Exit Games to appoint sub-processors (and permits each sub-processor to appoint additional sub-processors) in accordance with this Section. Customer hereby authorizes and instructs Processor to engage those sub-processors set out at https://download.photonengine.com/subprocessors (the "Sub-Processor List"). The Sub-Processor List may be updated from time to time and shall include the name and location of, and a brief description of the processing undertaken by, each current sub-processor. Customer acknowledges and agrees that Exit Games may engage additional sub-processors. If Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Exit Games of such objections in writing within 15 days of the notification and the Parties will seek to resolve the matter in good faith. If Customer is not reasonably satisfied that the sub-processor meets the security and privacy protections then either Party as its sole remedy may, within such 15-day period, terminate the Main Agreement.
5.2 Exit Games will enter into a written contract with each sub-processor which imposes on such sub-processor terms no less protective of Personal Data than those imposed on Exit Games in this DPA (the "Relevant Terms2). Exit Games shall be liable to Customer for any breach by such sub-processor of any of the Relevant Terms as set out in Section 13.3 unless otherwise required under the Data Protection Laws or any other applicable laws.
5.3 Upon Customer's request, and subject to the confidentiality obligations set forth in the Main Agreement, Exit Games shall promptly make available to Customer information regarding Exit Games' compliance with the obligations set forth in this DPA, which may include one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant executive summaries of the third-party certifications and compliance audits to the extent available; and (iii) a summary of Exit Games' operational practices related to data protection and security. If Customer determines that information provided in accordance with the preceding methods is insufficient, then Customer may contact Exit Games to schedule an on-site audit at Exit Games' designated facility of the procedures relevant to the protection of Customer Personal Data. Customer shall reimburse Exit Games for any time expended for any such on-site audit at the Exit Games' then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Exit Games shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Exit Games with information regarding any non-compliance discovered during the course of an audit. For clarity, the audits referenced hereunder do not apply to audits of Exit Games' sub-processors. Such audits are subject to the Data Protection Laws, to the extent required.
6. Security Breaches, Data Subject Requests and further Assistance
6.1 Exit Games will notify Customer of any Security Breach without undue delay and within 48 hours after becoming aware of the Security Breach.
6.2 To the extent legally permitted, Exit Games will promptly notify Customer if it receives a Data Subject Request. Exit Games will not respond to a Data Subject Request, provided that Customer agrees Exit Games may at its discretion respond to confirm that such request relates to Customer. Customer acknowledges and agrees that the Services may include features which will allow Customer to manage Data Subject Requests directly through the Services without additional assistance from Exit Games. If Customer does not have the ability to address a Data Subject Request, Exit Games will, upon Customer's written request, provide reasonable assistance to facilitate Customer's response to the Data Subject Request to the extent such assistance is consistent with the Data Protection Laws.
6.3 Taking into account the nature of processing and the information available to Exit Games, Exit Games will provide such assistance as Customer reasonably requests in relation to Customer's obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Customer in response to a Security Breach, or (iii) Customer's compliance with its obligations under the EU GDPR or UK GDPR (as applicable) with respect to the security of processing.
6.4 Exit Games shall make available to the Customer such information in Exit Games' possession or control as Customer may reasonably request with a view to demonstrating Exit Games' compliance with the obligations of Processors under Data Protection Laws in relation to its processing of Personal Data.
7. International Transfers
7.1 Customer agrees that its use of the Services can involve the transfer of Personal Data to, and processing of Personal Data in, various countries, including the country in which Exit Games is based and other countries outside the EEA that are not recognized as Adequate Country.
7.2 UK transfers:
7.2.1 To the extent Personal Data is transferred to Exit Games and processed by or on behalf of Exit Games outside the UK (except if in an Adequate Country) in circumstances where such transfer would be prohibited by the UK GDPR in the absence of a transfer mechanism, the Parties agree that the EU Clauses subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this DPA.
7.2.2 Schedule 1 references the information required by Tables 1 to 4 inclusive of the UK Approved Addendum.
7.3 EU transfers:
7.3.1 To the extent Personal Data is transferred to Exit Games and processed by or on behalf of Exit Games outside the EEA (except if in an Adequate Country) in circumstances where such transfer would be prohibited by EU GDPR in the absence of a transfer mechanism, the Parties agree that the EU Clauses will apply in respect of that processing and are incorporated into this DPA in accordance with Schedule 2.
7.3.2 The ANNEXES to Schedule 2 contain the information required by the EU Clauses.
7.4 In case of any discrepancies between the EU Clauses or UK Approved Addendum and the DPA, the EU Clauses or, as the case may be, the UK Approved Addendum shall take precedence when applicable pursuant to Section 7.2 or 7.3.
7.5 Insofar as Customer asserts any rights from the EU Clauses or the UK Approved Addendum against Exit Games, Exit Games may charge a reasonable fee for the services incurred thereby.
7.6 Exit Games may (i) replace the EU Clauses and/or the UK Approved Addendum generally or in respect of the EEA, and/or the UK (as appropriate) with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any further or alternative standard contractual clauses approved from time to time and (ii) make reasonably necessary changes to this DPA by notifying Customer of the new transfer mechanism or content of the new standard contractual clauses (provided their content is in compliance with the relevant decision or approval), as applicable.
8. CCPA
8.1 The terms set forth in this Section 8 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Information of California Consumers on behalf of Customer; and (ii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 ("CCPA"), is applicable to Customer at the time of such Processing.
8.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, or the Main Agreement the capitalized terms in this Section of the DPA shall have the meaning given to them under the CCPA, and the CCPA Regulations.
8.3 If the CCPA applies to Customer, and Exit Games Processes Personal Information on behalf of Customer, Customer shall be a Business and Exit Games shall be a Service Provider with respect to the Processing of such Personal Information.
8.4 The Parties agree to comply with their respective obligations under the CCPA and the CCPA Regulations. Exit Games will comply with its obligations under all applicable sections of the CCPA and CCPA regulations and will provide the same level of privacy protection regarding Personal Information it Collects pursuant to the Main Agreement Customer as is required of Customer under the CCPA and CCPA regulations (e.g., cooperating with Customer in responding to and complying with Consumers' requests made pursuant to the CCPA; implementing reasonable security procedures and practices appropriate to the nature of the Personal Information to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with California Civil Code section 1798.81.5).
8.5 The limited and specified Business Purposes for which Exit Games is Processing Personal Information pursuant to the Main Agreement include: (i) helping to ensure security and integrity to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes; (i) debugging to identify and repair errors that impair existing intended functionality; (iii) performing the Services and related support services on behalf of Customer, including by maintaining or servicing accounts, providing customer service, providing storage, or providing similar services on behalf of Customer; (iv) undertaking internal research for technological development and demonstration; and (v) undertaking activities to verify or maintain the quality and safety of services controlled by Customer. Personal Information is only disclosed by Customer to Exit Games for limited and specified purposes (i.e., the limited and specified Business Purposes set forth in this provision).
8.6 Exit Games will not retain, use, or disclose the Personal Information that it has Collected pursuant to the Main Agreement for any purpose other than the Business Purposes specified n this DPA or the Main Agreement, which shall include (i) helping to ensure security and integrity to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes; (ii) debugging to identify and repair errors that impair existing intended functionality; (iii) performing the Services and related support services on behalf of Customer, including by maintaining or servicing accounts, providing customer service, providing storage, or providing similar services on behalf of Customer; (iv) undertaking internal research for technological development and demonstration; and (v) undertaking activities to verify or maintain the quality and safety of services controlled by Customer, or (vi) as otherwise permitted by the CCPA and CCPA Regulations. This prohibition extends to the retention, use, or disclosure of Personal Information for a commercial purpose other than the Business Purposes specified in this DPA, the Main Agreement, or as otherwise permitted by the CCPA and CCPA Regulations.
8.7 Exit Games will not retain, use, or disclose Personal Information that it Collects pursuant to the Main Agreement outside of the direct business relationship between Customer and Exit Games, unless expressly permitted by the CCPA and CCPA regulations.
8.8 Exit Games will not combine or update Personal Information that Exit Games Collects pursuant to the Main Agreement or otherwise receives from, or on behalf of, Customer with Personal Information that it received from, or on behalf of, another person or source or from its own interaction with a Consumer, other than combining Personal Information to perform any Business Purpose that is expressly permitted by the CCPA and CCPA Regulations. However, Exit Games will not combine the Personal Information of Consumers who have opted-out of the Sale or Sharing of Personal Information that Exit Games receives from, or on behalf of, Customer with Personal Information that Exit Games receives from, or on behalf
of, another person or collects from its own interactions with Consumers.
8.9 Exit Games will not Sell or Share, as such terms are defined under the CCPA, the Personal Info rmation it Collects pursuant to the Main Agreement.
8.10 Exit Games will enable Customer to comply with Consumer requests made pursuant to the CCPA that involve Personal Information Exit Games has Collected pursuant to the Main Agreement.
8.11 Customer may take reasonable and appropriate steps to help ensure that Exit Games uses Personal Information that is Collected pursuant to the Main Agreement, or otherwise transferred to Exit Games by Customer, in a manner consistent with the obligations imposed on Customer under the CCPA and CCPA Regulations, through the process set forth in Section 5.3 of the DPA.
8.12 In the event Exit Games ever determines that it can no longer meet its obligations under the CCPA and CCPA Regulations, Exit Games will notify Customer of such determination.
8.13 Upon Customer's receipt of notice from Exit Games that it can no longer meet its CCPA obligations or Customer's provision of Exit Games with notice that it will be taking steps to stop and remediate any unauthorized use of Personal Information, Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information.
8.14 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CCPA, including any applicable regulatory or self-regulatory guidance.
9. VCDPA
9.1 The terms set forth in this Section 9 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Data of Virginia Consumers on behalf of Customer; and (ii) the Virginia Consumer Data Protection Act ("VCDPA") is applicable to Customer at the time of such Processing.
9.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, the capitalized terms in this Section of the DPA shall have the meaning given to them under the VDCPA.
9.3 If the VCDPA applies to Customer, and Exit Games Processes Personal Data on behalf of Customer, Customer shall be a Controller and Exit Games shall be a Processor with respect to the Processing of such Personal Data.
9.4 The Parties agree to comply with their respective obligations under the VDCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the VDCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.
9.5 Exit Games agrees to adhere to the Processing instructions of Customer.
9.6 Exit Games agrees to assist Customer in meeting Customer's obligations under the VDCPA with respect to any Personal Data of Virginia Consumers that Exit Games Processes on behalf of Customer. Such assistance will include (i) assisting Customer in fulfilling its obligation to respond to Consumer rights requests through Exit Games' implementation of appropriate technical and organizational measures, insofar as is reasonably practicable (taking into account the nature of the Processing and the information available to Exit Games); (ii) assisting Customer in meeting Customer's obligations in relation to the security of Processing the Personal Data and in relation to the notification of a breach of security system of Exit Games (taking into account the nature of Processing and the information available to Exit Games); and (iii) providing necessary information to enable Customer to conduct and document data protection assessments relating to Personal Data of Virginia Consumers that is Processed by Exit Games through the measures set forth in Section 5.3 of the DPA.
9.7 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.
9.8 Exit Games will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
9.9 Upon the reasonable request of Customer, Exit Games will make available to Customer all information in its possession necessary to demonstrate Exit Game's compliance with its obligations under the VCDPA through the process set forth in Section 5.3 of the DPA.
9.10 Exit Games will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet the obligations of Exit Games with respect to the Personal Data. Such contract shall not relieve the Parties of their respective liabilities under the VCDPA.
9.11 Exit Games will allow, and cooperate with, reasonable assessments by Customer or the Customer's designated assessor through the process set forth in Section 5.3 of the DPA.
9.12 At Customer's direction, Exit Games will either delete or return all Personal Data to Customer as requested at the end of the provision of services, unless retention of the Personal Data is required by law.
9.13 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the VCDPA, including any applicable regulatory or self-regulatory guidance.
10. CPA
10.1 The terms set forth in this Section 10 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Data of Colorado Consumers on behalf of Customer; and (ii) the Colorado Privacy Act ("CPA") is applicable to Customer at the time of such Processing.
10.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, the capitalized terms in this Section of the DPA shall have the meaning given to them under the CPA and the CPA Rules.
10.3 If the CPA applies to Customer, and Exit Games Processes Personal Data on behalf of Customer, Customer shall be a Controller and Exit Games shall be a Processor with respect to the Processing of such Personal Data.
10.4 The Parties agree to comply with their respective obligations under the CPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the CPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.
10.5 The type of Personal Data being Processed, the duration of such Processing, and the processing instructions, including the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2of this DPA and in the Main Agreement.
10.6 Exit Games will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
10.7 After providing Customer an opportunity to object, Exit Games will engage each of its subcontractors pursuant to a written contract in accordance with the CPA that requires the subcontractor to meet the obligations of Exit Games with respect to the Personal Data.
10.8 Upon request, Exit Games will make available to Customer all information necessary to demonstrate its compliance with the CPA in accordance with the process set forth in Section 5.3 of the DPA.
10.9 Exit Games will allow for, and contribute to, reasonable audits and inspections by Customer or Customer's designated auditor through the process set forth in Section 5.3 of the DPA.
10.10 At the choice of Customer, Exit Games will delete or return all Personal Data to Customer as requested by Customer at the end of the provision of services described in the Main Agreement, unless retention of the Personal Data is required by law.
10.11 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CPA, including any applicable regulatory or self-regulatory guidance.
11. CTDPA
11.1 The terms set forth in this Section 11 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Data of Connecticut Consumers on behalf of Customer; and (ii) the Connecticut Data Privacy Act ("CTDPA") is applicable to Customer at the time of such Processing.
11.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, the capitalized terms in this Section 11 of the DPA shall have the meaning given to them under the CTDPA.
11.3 If the CTDPA applies to Customer, and Exit Games Processes Personal Data on behalf of Customer, Customer shall be a Controller and Exit Games shall be a Processor with respect to the Processing of such Personal Data.
11.4 The Parties agree to comply with their respective obligations under the CTDPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the CTDPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.
11.5 Exit Games agrees to adhere to the Processing instructions of Customer.
11.6 Exit Games agrees to assist Customer in meeting Customer's obligations under the CTDPA with respect to any Personal Data of Connecticut Consumers that Exit Games Processes on behalf of Customer. Such assistance will include (i) assisting Customer in fulfilling its obligation to respond to Consumer rights requests through Exit Games' implementation of appropriate technical and organizational measures, insofar as is reasonably practicable (taking into account the nature of the Processing and the information available to Exit Games); (ii) assisting Customer in meeting Customer's Personal Data security obligations and obligations for notification of any breach of security of a system of Exit Games (taking into account the nature of Processing and the information available to Exit Games); and (iii) providing necessary information to enable Customer to conduct and document data protection assessments relating to Personal Data of Consumers that is Processed by Exit Games through the measures set forth in Section 5.3 of the DPA.
11.7 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.
11.8 Exit Games will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to the Personal Data.
11.9 Upon the reasonable request of Customer, Exit Games will make available to Customer all information in its possession necessary to demonstrate Exit Game's compliance with the CTDPA in accordance with the process set forth in Section 5.3 of the DPA.
11.10 After providing Customer an opportunity to object, Exit Games will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet the obligations of Exit Games with respect to the Personal Data.
11.11 Exit Games will allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor through the process set forth in Section 5.3 of the DPA.
11.12 At Customer's direction, Exit Games will either delete or return all Personal Data to Customer, as requested, at the end of Exit Games' provision of services, unless retention of the Personal Data is required by law.
11.13 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CTDPA, including any applicable regulatory or self-regulatory guidance.
12. UCPA
12.1 The terms set forth in this Section 12 of the DPA shall only apply to the extent that (i) Exit Games Processes Personal Data of Utah Consumers on behalf of Customer; and (ii) the Utah Consumer Privacy Act ("UCPA") is applicable to Customer at the time of such Processing.
12.2 With the exception of party and agreement references (e.g., references to "Customer" and the "Main Agreement"), which are separately defined in the DPA, the capitalized terms in this Section 12 of the DPA shall have the meaning given to them under the UCPA.
12.3 If the UCPA applies to Customer, and Exit Games Processes Personal Data on behalf of Customer, Customer shall be a Controller and Exit Games shall be a Processor with respect to the Processing of such Personal Data.
12.4 The Parties agree to comply with their respective obligations under the UCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the UCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.
12.5 Exit Games will adhere to the Processing instructions of Customer.
12.6 Taking into account the nature of the Processing and information available to the Exit Games, by appropriate technical and organizational measures, insofar as reasonably practicable, Exit Games will assist Customer in meeting Customer's obligations under the UCPA, including obligations relating to the security of Processing Personal Data and notification of a breach of system security of Exit Games.
12.7 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.
12.8 Exit Games will ensure that each person Processing Personal Data is subject to a duty of confidentiality with respect to the Personal Data.
12.9 Exit Games will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet the same obligations as Exit Games with respect to such Personal Data.
12.10 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the UCPA, including any applicable regulatory or self-regulatory guidance.
13. General
13.1 The Parties will cooperate in good faith to enter into additional or modified contract terms to address future data protection and privacy laws and regulations.
13.2 This DPA sets out all of the terms that have been agreed between the Parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
13.3 This DPA is without prejudice to the rights and obligations of the Parties under the Main Agreement which shall continue to have full force and effect.
13.4 In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms (including definitions and the Schedules) of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data. In the event of an inconsistency between the DPA and the EU Clauses (or, as the case may be, the EU Clauses subject to the UK Approved Addendum) the latter, including the UK Approved Addendum, if applicable, will prevail.
13.5 To the extent allowed under the applicable laws, Exit Games' maximum aggregate liability to Customer under or in connection with this DPA shall not under any circumstances exceed the maximum aggregate liability of Exit Games to the Customer as set out in the Main Agreement.
13.6 This DPA and any action related thereto shall be governed by and construed in accordance with the laws of the State of New York, without giving effect to any conflicts of laws principles. The Parties consent to the personal jurisdiction of, and venue in, the courts of New York City.
13.7 This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the Parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
13.9 This DPA is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless submitted electronically and electronically confirmed by each Party.
13.11 Each Party represents and warrants to the other that the execution and delivery of this DPA, and the performance of such Party's obligations hereunder, have been duly authorized and that this DPA is a valid and legally binding agreement on each such Party, enforceable in accordance with its terms.
13.12 This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement.
SCHEDULE 1: UK TRANSFERS
For the purposes of the UK Approved Addendum,
1. the information required for Table 1 is contained in ANNEX I of Schedule 2 of this DPA and the start date shall be deemed dated the same date as the EU Clauses;
2. in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor;
3. in relation to Table 3, the list of Parties and description of the transfer are as set out in ANNEX I of Schedule 2 of this DPA, Exit Games' technical and organisational measures are set
in ANNEX II of Schedule 2 of this DPA, and the list of Exit Games' sub-processors shall be provided pursuant to ANNEX III of Schedule 2 of this DPA; and
4. in relation to Table 4, neither Party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.
SCHEDULE 2: EU CLAUSES
1. For the purposes of this Schedule 2, the EU Clauses (Module II), currently available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, shall be incorporated by
reference to this Schedule and the DPA and shall be considered an integral part thereof, and the Parties' signatures in the DPA shall be construed as the Parties' signature to the EU Clauses. In the event of an inconsistency between the DPA and the EU Clauses, the latter will prevail.
2. For the purposes of the EU Clauses, the following shall apply:
- Customer shall be the data exporter and Exit Games shall be the data importer. Each Party agrees to be bound by and comply with its obligations in its role as exporter and importer respectively as set out in the EU Clauses.
- Clause 7 (Docking clause) shall be deemed as included.
- Clause 9 (Use of sub-processors): OPTION 2 - GENERAL WRITTEN AUTHORISATION shall apply. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance.
- Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included.
- Clause 13 (a) (Supervision):
o Where Customer is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I. C, shall act as competent supervisory authority.
o Where Customer is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I. C, shall act as competent supervisory authority.
o Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I. C, shall act as competent supervisory authority.
- Clause 17 (Governing law): These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.
- Clause 18 (b) (Choice of forum and jurisdiction): The Parties agree that any dispute between them arising from the EU Clauses shall be resolved by the courts of Germany.
ANNEX I to Schedule 2
A. LIST OF PARTIES
Data exporter(s): is the agreeing Party to this DPA (Customer, as described in the DPA above), providing multiplayer games or other services, as controller.
Data importer(s):
Name: Exit Games, Inc.
Address: 111 SW 5th Ave. STE 3150, Portland OR 97204, USA
Contact person's name, position and contact details: Christof Wegmann, CTO,
[email protected]
Activities relevant to the data transferred under these Clauses: Provision of online services for multiplayers (Photonengine)
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred
- Networking Online Players
- Application Users
Categories of Personal Data transferred
- User ID
- IP address
- Chat content (while using optional filter)
Sensitive data transferred (if applicable) and applied restrictions or safeguards
- None.
The frequency of the transfer (eg. whether the data is transferred on a one-off or continuous basis).
Continuous while providing the Services.
Nature of the processing
Provision of the Services.
Purpose(s) of the data transfer and further processing
- Providing Photoengine Services:
o Routing user to/ processing user on current Name-, Lobby- and Game-Server
o Analyzing Photonengine.com errors
- Children's Online Protection Act (COPPA) and GDPR compliant chat content filtering
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of the Main Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Auxiliary services.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
The competent supervisory for the Customer, depending on whether Option (A), (B) or (C) applies according to the specifications with regard to Clause 13 of the EU Clauses, as described in Schedule 2.
ANNEX II to Schedule 2 - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing (see Annex I) as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Exit Games implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
o the pseudonymization and encryption of Personal Data;
o the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
o the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
o a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Exit Games will provide a list of the actual technical and organizational measures on request of the Customer.
ANNEX III to Schedule 2 - LIST OF SUB-PROCESSORS
The controller / data exporter has authorised the use of the following sub-processors:
https://download.photonengine.com/subprocessors