EU Data Processing Addendum

Last updated: 6th July, 2023

This EU Data Processing Addendum (including its Exhibits) (“Addendum”) forms part of and is subject to the terms and conditions of the GameAnalytics Software as a Service License Agreement, Terms of Service available at https://gameanalytics.com/terms/ (the “Agreement”) by and between the customer named in such Agreement or identified within GameAnalytics systems upon creating a GameAnalytics Account (“Customer”) and GameAnalytics ApS and its Affiliates (“GameAnalytics”).

1. Subject Matter and Duration. 

(a) Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Customer Personal Data in connection with GameAnalytics’ execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.

(b) Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that Customer creates a GameAnalytics Account, if it is created after the effective date of the Agreement. GameAnalytics will Process Customer Personal Data until the relationship terminates as specified in the Agreement.

2. Definitions. 

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.

(a) “Ad Network Terms” means all terms, conditions, and/or policies applicable to any advertising activities on or in connection with any third-party advertising network through which Customer intends to place advertisements or has otherwise integrated.

(b) “Authorized User” means Customer’s employees that Customer has expressly authorized to use and access the Services through Customer’s GameAnalytics account.

(c) “Customer Personal Data” means Personal Data made available to GameAnalytics or the Services by or on behalf of Customer or any Authorized User or via Customer’s use of the Services including, but not limited to, advertising campaign data.

(d) “Data Protection Laws” means the applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).

(e) “Marketing Channels” means engines, platforms and services integrated with Custemer’s GameAnalytics account.

(f) “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.

(g) “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

(h) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to GameAnalytics.

(i) “Services” means the services that GameAnalytics performs under the Agreement, or any GameAnalytics Purchase Orders related to the DataSuite Service.

(j) “Subprocessor(s)” means GameAnalytics’ authorized vendors and third-party service providers that Process Customer Personal Data.

3. Processing Terms for Customer Personal Data.

(a) Documented Instructions. GameAnalytics shall Process Customer Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. GameAnalytics will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.

(b) Authorization to Use Subprocessors. To the extent necessary to fulfill GameAnalytics’ contractual obligations under the Agreement, Customer hereby authorizes GameAnalytics to engage Subprocessors.

(c) GameAnalytics and Subprocessor Compliance. GameAnalytics shall (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Customer Personal Data that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with this Addendum; and (ii) remain responsible to Customer for GameAnalytics’ Subprocessors’ failure to perform their obligations with respect to the Processing of Customer Personal Data.

(d) Right to Object to Subprocessors. Where required by Data Protection Laws, GameAnalytics will notify Customer via email prior to engaging any new Subprocessors that Process Customer Personal Data and allow Customer ten (10) days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.

(e) Confidentiality. Any person authorized to Process Customer Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.

(f) Personal Data Inquiries and Requests. Where required by Data Protection Laws, GameAnalytics agrees to provide reasonable assistance and comply with reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Data Protection Laws.

(g) Sale of Customer Personal Data Prohibited. GameAnalytics shall not sell Customer Personal Data as the term “sell” is defined by the CCPA.

(h) Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, GameAnalytics agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgment, the type of Processing performed by GameAnalytics requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.

(i) Demonstrable Compliance. GameAnalytics agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Customer’s reasonable request.

(j) Service Optimization. Where permitted by Data Protection Laws, GameAnalytics may Process Customer Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.

(k) Aggregation and De-Identification. GameAnalytics may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Customer or any data subject to whom Customer Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.

4. Information Security Program.

(a) Security Measures. GameAnalytics shall use commercially reasonable efforts to implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Data.

5. Security Incidents.

(a) Notice. Upon becoming aware of a Security Incident, GameAnalytics agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.

6. Cross-Border Transfers of Customer Personal Data. 

GameAnalytics may share personal data with Controllers, third-party Processors and/or Service Providers located in countries that are outside of the EU/UK. These countries may not have data protection laws equivalent to those within the EU/UK, and therefore, we will only transfer personal data if it is absolutely necessary.

Restricted Transfers

To safeguard the personal data transfers, where no other safeguard mechanism is available, e.g., an adequacy decision, we will use either the EU Standard Contractual Clauses (for transfers out of the EU) attached hereto as Exhibit B, the UK IDT Addendum to the EU Standard Contractual Clauses or the UK International Data Transfer Agreement (for transfers out of the UK). These measures provide GameAnalytics with a transfer tool for ensuring compliance with Article 46 of the EU/UK GDPR, when making restricted transfers. The measures will also contractually oblige those in receipt of personal data to adhere to the same data protection standards expected within the EU/UK.

In addition to the above, our service providers and suppliers are data processors and may only use the data in line with our instructions and not for any other purpose. This and other obligations are agreed in a data processing contract, which will be in place between GameAnalytics and any third-party Processor or Service Provider, prior to any transfer of personal data.

Where GameAnalytics processes Customer Personal Data on behalf of Customer in connection with the Services, GameAnalytics will process such personal data as a processor or sub-processor on behalf of Customer (who, in turn, processes such personal data as a controller or processor) and this DPA will apply accordingly. A description of such processing is set out in Exhibit A.

The parties therefore agree that when the transfer of personal data from Customer (as “data exporter”) to GameAnalytics (as “data importer”) is a restricted transfer and applicable Data Protection Law requires that appropriate safeguards are put in place, the transfer will be subject to the EU Standard Contractual Clauses, which are deemed incorporated into and form a part of this DPA, as follows:

(a) In relation to transfers of Customer Personal Data protected by the EU GDPR, from either Customer to GameAnalytics or from GameAnalytics to sub processor, the EU SCCs will apply, completed as follows:

  1. Module Two or Module Three will apply (as applicable);
  2. in Clause 7, the optional docking clause will not apply;
  3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Section 3 of this DPA;
  4. in Clause 11, the optional language will not apply;
  5. in Clause 17, Option 1 will apply, and the EU SCCs be governed by the laws of Denmark;
  6. in Clause 18(b), disputes will be resolved before the courts of Denmark;
  7. Subject to Section 4 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out here;

(b) In relation to transfers of personal data protected by the EU GDPR, from GameAnalytics to Customer (where Customer is the Controller), the EU SCCs apply, completed as follows:

  1. Module Four will apply;
  2. in Clause 7, the optional docking clause will not apply;
  3. in Clause 11, the optional language will not apply;
  4. in Clause 17, Option 1 will apply, and the EU SCCs be governed by the laws of Denmark;
  5. in Clause 18(b), disputes will be resolved before the courts of Denmark;
  6. Annex I of the EU SCCs is deemed completed with the information set out in Section 12 and Exhibit A to this DPA, as applicable.

(c) In relation to transfers of personal data protected by UK Data Protection Law, the EU SCCs: (i) apply as completed in accordance with paragraphs (a) and (b) above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the parties and incorporated into and forming an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in Section 12, as well as Exhibit A of this DPA; Table 4 in Part 1 is deemed completed by selecting “neither party.” Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

(d) In relation to transfers of personal data protected by the Swiss DPA, the EU SCCs will also apply in accordance with paragraphs (a) and (b) above, with the following modifications:

  1. any references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss DPA;
  2. references to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be, and will not be interpreted in such a way as to exclude data subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs;
  3. Clause 13 of the EU SCCs are modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland will have authority over data transfers governed by the Swiss DPA. Subject to the foregoing, all other requirements of Clause 13 will be observed;
  4. references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland;
  5. in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
  6. Clause 18(b) states that disputes will be resolved before the applicable courts of Switzerland.

The parties agree that:

  1. the certification of deletion required by Clause 8.5 and Clause 16(d) of the Standard Contractual Clauses will be provided upon Customer’s written request;
  2. the measures GameAnalytics is required to take under Clause 8.6(c) of the Standard Contractual Clauses will only cover GameAnalytics’ impacted systems;
  3. the audit described in Clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 7 of this Addendum;
  4. GameAnalytics may engage sub processors using EU Standard Contractual Clauses or any other safeguard mechanism provided that such safeguard mechanism complies with applicable Data Protection Laws and such use of sub processors shall not be deemed to comply with Clause 9 of the EU Standard Contractual Clauses;
  5. the termination right contemplated by Clause 14(f) and Clause 16(c) of the Standard Contractual Clauses will be limited to the termination of the Standard Contractual Clauses, in which case, the corresponding Processing of Customer Personal Data affected by such termination shall be discontinued unless otherwise agreed by the parties;
  6. unless otherwise stated by GameAnalytics, Customer will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Standard Contractual Clauses;
  7. the information required under Clause 15.1(c) will be provided upon Customer’s written request; and
  8. notwithstanding anything to the contrary, Customer will reimburse GameAnalytics for all reasonable costs and expenses incurred by GameAnalytics in connection with the performance of GameAnalytics’ obligations under Clause 15.1(b) and Clause 15.2 of the Standard Contractual Clauses, without regard for any limitation of liability set forth in the Agreement. Each party’s signature to this Addendum shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.

(e) It is not the intention of either party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA), the Standard Contractual Clauses prevail to the extent of such conflict;

(f) If GameAnalytics adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses adopted pursuant to Applicable Data Protection Law) for the transfer of personal data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism will apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which personal data is transferred).

(g) The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

Data Transfer Impact Assessment Questionnaire

GameAnalytics agrees that it has provided true, complete, and accurate responses to the Data Transfer Impact Assessment Questionnaire attached hereto as Exhibit A.

Taking into account the information and obligations set forth in this Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the attached EU Standard Contractual Clauses or UK IDT Addendum to the EU Standard Contractual Clauses/UK International Data Transfer Agreement, to a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, is afforded a level of protection that is essentially equivalent to that guaranteed by applicable Data Protection Laws.

7. Audits. 

(a) Customer Audit. Where Data Protection Laws afford Customer an audit right, Customer (or its appointed representative) may carry out an audit of GameAnalytics’ policies, procedures, and records relevant to the Processing of Customer Personal Data. Any audit must be: (i) conducted during GameAnalytics’ regular business hours; (ii) with reasonable advance notice to GameAnalytics; (iii) carried out in a manner that prevents unnecessary disruption to GameAnalytics’ operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.

8. Customer Personal Data Deletion.

(a) Data Deletion. GameAnalytics will delete all Customer Personal Data at the expiry of the GameAnalytics retention period, in accordance with the GameAnalytics’ Data Retention Schedule (Clause 8, letter b), except where GameAnalytics is required to retain copies under applicable laws, in which case GameAnalytics will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.

(b) GameAnalytics’ Data Retention Schedule

Data description Retention requirements
Player Warehouse 1 year
Player Lookups – for annotated data to calculate game retention 18 months
Raw and annotated data 1 month

9. Customer’s Obligations. 

(a) Customer’s Obligations. Customer represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Customer Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that allows for the Processing of Customer Personal Data as contemplated herein and complies with all Ad Network Terms; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Customer Personal Data as contemplated by the Agreement; and (iv) the Processing of Customer Personal Data as contemplated by the Agreement will not violate Data Protection Laws, the right of any third party (including, without limitation, any intellectual property right or right of privacy), or cause a breach of any agreement or obligations between Customer and any third party (including, without limitation, any Ad Network Terms).

(b) No Selling of Customer Personal Data. Customer may not use the Services to facilitate the sale of Customer Personal Data (unless the data subjects to whom Customer Personal Data relates have given Customer specific consent to sell their Customer Personal Data).

(c) Additional Terms for DataSuite Service. If Customer uses GameAnalytics’ DataSuite, Customer represents and warrants that any Customer Personal Data was obtained, and is being stored, with the informed consent of the data subject. Customer also represents and warrants that it will not use DataSuite and the Customer Personal Data contained therein for any purpose that violates any Data Protection Laws.

10. Miscellaneous.

(a) Customer Data. Customer acknowledges and agrees that GameAnalytics may Process Personal Data about Customer’s Authorized Users (“Account Data”) in accordance with its privacy notice available at: https://www.GameAnalytics.com/privacy. Account Data is not Customer Personal Data.

(b) Third-Party Services. Certain features and functionalities within the Services may allow Customer or its Authorized Users to interface or interact with, access, use, and/or disclose Customer Personal Data to compatible third-party services, products, technology, content, and Marketing Channels (collectively, “Third-Party Services”) through the Services. For clarity, GameAnalytics may send Customer Personal Data including, but not limited to, device information such as advertising ID, to certain Marketing Channels that Customer integrates with Customer’s GameAnalytics account for the purposes of analytics and other aspects of the Service. GameAnalytics will do so via Customer’s agreement with the Marketing Channels and according to the applicable Terms of Service. Customer represents and warrants that all Marketing Channels that Customer adds to Customer’s account are compliant with all Data Protection Laws and there is a legally valid basis for the transfer of Customer Personal Data. GameAnalytics does not provide any aspect of the Third-Party Services and is not responsible for any compatibility issues, errors or bugs in the Services or Third-Party Services caused in whole or in part by the Third-Party Services or any update or upgrade thereto. Customer is solely responsible for maintaining the Third-Party Services and obtaining any associated licenses and consents necessary for Customer to use the Third-Party Services in connection with the Services.

11. Processing Details. 

(a) Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.

(b) Duration. The Processing will continue until the expiration or termination of the Agreement and according to the GameAnalytics’ Data Retention Schedule.

(c) Categories of Data Subjects. Data subjects whose Customer Personal Data will be Processed pursuant to the Agreement.

(d) Nature and Purpose of the Processing. The purpose of the Processing of Customer Personal Data by GameAnalytics is the performance of the Services.

(e) Types of Customer Personal Data. Customer Personal Data that is Processed pursuant to the Agreement.

12. Contact Information.

(a) Customer and GameAnalytics agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for both parties are:

  • Customer Designated POC: Customer POC named in the Agreement or identified within GameAnalytics systems upon creating a GameAnalytics Account.
  • GameAnalytics Designated POC: Francesco Perrone, Head of Data Security & Compliance, francesco@GameAnalytics.com.

 


EXHIBIT A TO THE DATA PROCESSING ADDENDUM

DATA TRANSFER IMPACT ASSESSMENT QUESTIONNAIRE

This Exhibit A forms part of the Addendum. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.

1. What countries will Customer Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom be stored in or accessed from? If this varies by region, please specify each country for each region.

Answer: U.S. – AWS us-east-1 Region.

2. What are the categories of data subjects whose Customer Personal Data will be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?

Answer: End users of Customer’s mobile app and/or games.

3. What are the categories of Customer Personal Data transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?

Answer: Customer Personal Data that is Processed under the Agreement including, but not limited to, in-game events, advertising ID, vendor ID, IP address, device type, device model, device locale, device country and OS platform, as well as information about an end user’s use of Customer’s mobile app.

4. Will any Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom? If so, are there any restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures?

Answer: Not to GameAnalytics’ knowledge.

5. What business sector is GameAnalytics involved in?

Answer: Software as a Service for game players behavior analytics.

6. Broadly speaking, what are the services to be provided and the corresponding purposes for which Customer Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?

Answer: GameAnalytics provides analytics services. Customer Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom in order to provide the Services.

7. What is the frequency of the transfer of Customer Personal Data outside or outside of the European Economic Area, Switzerland, and/or the United Kingdom? E.g., is Customer Personal Data transferred on a one-off or continuous basis?

Answer: Customer Personal Data is transferred to GameAnalytics on a continuous basis.

8. When Customer Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom to GameAnalytics, how is it transmitted to GameAnalytics? Is the Customer Personal Data in plain text, pseudonymized, and/or encrypted?

Answer: Data collected via GameAnalytics’ SDK and server-to-server integrations. Data is encrypted in transit and at rest.

9. What is the period for which the Customer Personal Data will be retained, or, if that is not possible, the criteria used to determine that period?

Answer: Customer Personal Data will be retained in accordance with the Addendum.

10. Please list the Subprocessors that will have access to Customer Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom:

 

Name of Subprocessor Subject matter, nature, and duration of processing Location (Country) Adequacy Mechanism Supporting Transfer
AWS Cloud IAAS, on a continuous basis U.S.A. SCC
GCP Cloud IAAS, on a continuous basis U.S.A. SCC
Imply Analytical engine – database – on a continuous basis U.S.A. SCC
CloudMax Limited Analytical engine – User Analysis – on request Hong Kong SCC

11. Is GameAnalytics subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where Customer Personal Data is stored or accessed from that would interfere with GameAnalytics fulfilling its obligations under the attached Standard Contractual Clauses? For example, FISA Section 702. If yes, please list these laws.

Answer: As of the effective date of the Addendum, no court has found GameAnalytics to be eligible to receive process issued under the laws contemplated by Question 11, including FISA Section 702 and no such court action is pending.

12. Has GameAnalytics ever received a request from public authorities for information pursuant to the laws contemplated by Question 11 above (if any)? If yes, please explain.

Answer: No.

13. Has GameAnalytics ever received a request from public authorities for Personal Data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain.

Answer: No.

 


EXHIBIT B TO THE DATA PROCESSING ADDENDUM

 

This Exhibit B forms part of the Addendum.

STANDARD CONTRACTUAL CLAUSES