Data Processing Agreement

• "Controller" means the Customer who determines the purposes and means of processing personal data by using the Analyse service. The Controller is the game server operator who integrates the Analyse plugin or SDK.
• "Processor" means VertCode Development E.E. (GEMI: 186520701000, AFM: 802973201), which processes personal data on behalf of the Controller to provide the Analyse service.
• "Data Subjects" means the players of the Controller's game server(s) whose personal data is processed through the Analyse service.
• "Personal Data" means any information relating to an identified or identifiable natural person (Data Subject), as defined in GDPR Art. 4(1).
• "Sub-processor" means any third party engaged by the Processor to assist in processing personal data on behalf of the Controller.
• "Supervisory Authority" means the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), or any other competent supervisory authority under GDPR Art. 51.

The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Analyse service as described in the Terms of Service.

The nature of processing includes the collection, storage, analysis, aggregation, and visualization of player analytics data transmitted from the Controller's game server(s) through the Analyse plugin or SDK.

The Processor shall not process the personal data for any purpose other than as specified in this DPA and the documented instructions of the Controller, unless required to do so by Union or Member State law to which the Processor is subject.

The following categories of personal data are processed through the Analyse service:

• Player UUIDs (unique identifiers assigned by Mojang/Microsoft or platform provider)
• Player usernames
• Platform type (Java Edition or Bedrock Edition)
• Connection hostnames (the server address used by the player to connect)
• Country of origin (derived from IP address at the time of connection; the IP address itself is not stored)
• Session timestamps and duration (join time, leave time, play time)
• Purchase data (transaction information received via Tebex webhook integration, if enabled by Controller)

The data subjects are the players of the Controller's Minecraft or Hytale game server(s) who connect to a server that has integrated the Analyse plugin or SDK.

The Processor shall process personal data for the duration of the service agreement between the Controller and the Processor, as defined in the Terms of Service.

Upon termination of the service agreement, the Processor shall continue to store personal data only for the data retention and deletion period specified in Section 13 of this DPA.

The Processor shall, in relation to the processing of personal data on behalf of the Controller:

• Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required by Union or Member State law (GDPR Art. 28(3)(a))
• Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR Art. 28(3)(b))
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Art. 32
• Respect the conditions for engaging sub-processors as set out in Section 08 of this DPA (GDPR Art. 28(3)(d))
• Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to data subject requests under GDPR Chapter III (GDPR Art. 28(3)(e))
• Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Art. 32–36, including data protection impact assessments where required (GDPR Art. 28(3)(f))
• At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage (GDPR Art. 28(3)(g))
• Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Art. 28, and allow for and contribute to audits and inspections (GDPR Art. 28(3)(h))
• Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes GDPR or other Union or Member State data protection provisions (GDPR Art. 28(3), last subparagraph)

The Controller shall, in relation to the processing of personal data under this DPA:

• Ensure there is a lawful basis for the processing of personal data under GDPR Art. 6, such as legitimate interest (Art. 6(1)(f)) or consent (Art. 6(1)(a))
• Inform data subjects (players) about the processing of their personal data through the Analyse service, including the identity of the Controller and Processor, in accordance with GDPR Art. 13 and Art. 14
• Comply with all obligations applicable to controllers under GDPR, including responding to data subject requests and notifying the supervisory authority of breaches where required
• Provide the Processor with documented instructions regarding the processing of personal data, and ensure that any instruction given does not cause the Processor to infringe GDPR or applicable Member State law

The Controller provides general written authorisation for the Processor to engage sub-processors. The following sub-processors are currently engaged:

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes.

If the Controller objects on reasonable grounds related to data protection, the parties shall discuss the matter in good faith. If the objection cannot be resolved, the Controller may terminate the service agreement without penalty.

The Processor shall impose on each sub-processor, by way of contract, the same data protection obligations as set out in this DPA. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.

Where personal data is transferred to sub-processors located outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to GDPR Art. 46(2)(c), as applicable
• Adequacy decisions issued by the European Commission pursuant to GDPR Art. 45, where available (e.g., the EU-U.S. Data Privacy Framework)

The Processor shall inform the Controller of the specific transfer mechanism relied upon for each sub-processor and provide copies of the relevant safeguards upon request.

In accordance with GDPR Art. 32, the Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk:

The Processor shall regularly review and update these measures to ensure continued appropriateness in light of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

The Processor shall cooperate with and assist the Controller in fulfilling the Controller's obligation to notify the supervisory authority within 72 hours (GDPR Art. 33(1)) and to communicate the breach to data subjects where required (GDPR Art. 34).

The Processor shall document all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken, in accordance with GDPR Art. 33(5).

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations laid down in GDPR Art. 28 and this DPA.

If an audit is conducted by a third-party auditor, such auditor must be bound by appropriate confidentiality obligations and shall not be a competitor of the Processor.

Upon termination of the service agreement:

• The Controller may export their data through the Analyse dashboard or API within a period of 30 days following termination
• After the 30-day export period, the Processor shall delete all personal data processed on behalf of the Controller from its primary systems
• Personal data contained in backup systems shall be purged within 90 days following termination
• The Processor shall provide written confirmation of the deletion of all personal data upon request by the Controller

The obligation to delete does not apply where Union or Member State law requires the Processor to retain the personal data. In such cases, the Processor shall inform the Controller of the legal requirement and continue to protect the data in accordance with this DPA.

Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with GDPR Art. 82.

The Processor shall be liable for damages caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions (GDPR Art. 82(2)).

A party shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage (GDPR Art. 82(3)).

This DPA is governed by and construed in accordance with the laws of the Hellenic Republic (Greece), in particular the GDPR as supplemented by Greek Law N.4624/2019.

Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Athens, Greece.

The competent supervisory authority for the Processor is the Hellenic Data Protection Authority (HDPA), Kifisias 1-3, Athens 115 23, Greece — www.dpa.gr.

For questions about this Data Processing Agreement, contact us at contact@vertcodedevelopment.com