This agreement (the “DPA”) is between PlaytestCloud GmbH, a German limited liability corporation (“Processor”, “PlaytestCloud”) and the customer agreeing to these terms (“Controller”, “Client”) and constitutes an agreement in accordance with Art. 28 of the General Data Protection Regulation (“GDPR”).
This DPA supplements and is incorporated into the PlaytestCloud Studio Terms of Service (as updated from time to time) or other written agreement between the Parties under which PlaytestCloud agrees to provide Client with access to PlaytestCloud’s platform and services (the PlaytestCloud Studio Terms of Service or such other agreement, the "Main Agreement").
1. Subject and duration of the assignment
The subject matter and duration of the assignment shall be determined by the Main Agreement concluded between the Parties.
2. Scope, nature, and purpose of data processing
The Processor's data processing activity serves the purpose of providing the Controller with a platform that allows Controller to order and archive user research services such as playtests, usability tests, online surveys, or user research projects with individual user testers that are supplied by Controller to Processor using the Processor’s “Bring Your Own Players” Feature (these user testers, the “Client’s Players”). For this purpose, Client’s Players are supplied by the Controller and the personal data relating to them is imported into the system operated by the Processor and processed there. This DPA applies only to the aforementioned processing of personal data in the course of the Controller's use of the Bring Your Own Player Feature.
3. Types of personal data
The following types of personal data are the subject of this assignment:
Email addresses of Client’s Players
IP addresses of Client’s Players
Audio, screen and video recordings of Client’s Players
Technical log data generated during the use of the software platform by Client’s Players
Survey answers provided by Client’s Players
4. Categories of data subjects
In the course of fulfilling the assignment, the Processor processes personal data of the following groups of persons:
Client’s Players, who are individuals with a relationship to the Controller
5. Subject of this DPA
In the course of the provision of services under the Main Agreement, it is necessary for the Processor to handle personal data of third parties for which the Controller acts as a data controller within the meaning of the provisions of data protection law (hereinafter referred to as "Controller Data"). This DPA specifies the rights and obligations of the Parties under data protection law for the purpose of implementing the Main Agreement.
6. Scope of the assignment
The Processor processes the Controller Data on the Controller's assignment and according to the Controller's instructions within the meaning of Art. 28 GDPR (Data Processing). The Controller remains the Controller in the sense of data protection law.
The Processor is permitted to process Controller Data outside the EEA in compliance with the provisions of this DPA if the Processor informs the Controller in advance of the location of the data processing and the requirements of Articles 44 - 48 GDPR are met or an exemption under Article 49 GDPR applies.
7. Right of the Controller to issue instructions
The Processor may process the Controller Data exclusively on the Controller's assignment and in accordance with the Controller's instructions, unless the Processor is required by law to process them otherwise. In the latter case, the Processor shall notify the Controller of such legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest
The Controller has a comprehensive right to issue instructions to the Processor regarding the type, scope, purpose, and procedure of the processing of Controller Data. The Controller's instructions are defined and documented conclusively in the provisions of this DPA. Individual instructions which deviate from the provisions of this DPA or which impose additional requirements shall require the prior consent of the Processor and shall be made in accordance with the amendment procedure set forth in the Main Agreement, in which the instruction shall be documented and the assumption of any additional costs incurred by the Processor through the Controller as a result thereof shall be regulated.
The Controller shall give instructions in writing or text form. If necessary, the Controller may also issue instructions orally or by telephone. However, the Controller's authorized representative named in Section 7.4 shall immediately confirm instructions given orally or by telephone in writing or text form.
Only authorized users of the Controller’s account on the Processor’s platform may issue instructions to the Processor. In urgent cases, however, any other employee of the Controller may also issue instructions to any employee of the Processor.
The Processor shall carry out the Controller's instructions without delay. The Controller is entitled to set the Processor a reasonable deadline if deemed necessary.
The Processor warrants that it will process the Controller Data in accordance with the provisions of this DPA and the Controller's instructions. If the Processor is of the reasonable opinion that an instruction of the Controller infringes this DPA or the applicable data protection law, it shall notify the Controller thereof without undue delay. The Processor may suspend the execution of the instruction until the Controller confirms or amends the instruction if the Processor gives the Controller at least 14 days prior notice.
If, in the opinion of the Processor, an instruction of the Controller deviates substantially from the subject matter of the Main Agreement or if, in the opinion of the Processor, the scope of the Processor's duties is substantially extended, the parties shall attempt to reach an agreement on the additional expenses incurred by the Processor as a result of the instruction. If the Parties cannot reach an agreement within a reasonable period of time, the Processor shall have the right to terminate the Main Agreement extraordinarily.
8. Legal Responsibility of the Controller
The Controller is solely responsible for the permissibility of the processing of the Controller Data and for the protection of the rights of the Data Subjects. Should third parties assert claims against the Processor due to the processing of Controller Data in accordance with this DPA, the Controller shall indemnify the Processor against such claims.
The Controller is responsible for the quality of the Controller Data. The Controller shall inform the Processor without undue delay if, during the review of the Processor's processing results, it discovers errors or irregularities with regard to data protection provisions or its instructions.
9. Requirements for personnel and systems
The Processor shall impose confidentiality obligations on all persons engaged in processing Controller Data with respect to the processing of Controller Data.
10. Security of processing
In accordance with Article 32 of the GDPR, the Processor shall take the necessary, appropriate technical and organizational measures which are required in order to ensure a level of protection for the Controller Data which is appropriate to the risk, taking into account the state of the art, the implementation costs and the nature, scope, circumstances, and purposes of the processing of the Controller Data as well as the varying likelihood and severity of the risk to the rights and freedoms of the Data Subjects. The technical organizational measures implemented by the Processor at the time of the conclusion of this DPA are described in Appendix 2.
The Processor may change or adapt technical and organizational measures during the term of the contract as long as they continue to meet the legal requirements.
11. Engagement of sub-processors
The Controller grants the Processor general authorization to use sub-processors to fulfill its contractual obligations under the Main Agreement. The sub-processors engaged at the time of the conclusion of this DPA are shown in Appendix 1. No authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other supplemental services, even if access to Controller Data cannot be excluded, as long as the Processor takes reasonable steps to protect the confidentiality of the Controller Data.
The Processor shall notify the Controller of any intended changes with regard to the addition or replacement of sub-processors. If Controller has a reasonable objection to any new or replacement sub-processor, the Controller shall notify Processor in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith. If the Controller does not raise an objection within ten (10) after receipt of the notification, Controller’s right to object to the respective assignment expires. If Processor is reasonably able to provide the service to the Customer in accordance with the Main Agreement without using the sub-processor and decides to do so, then the Customer shall have no further rights under this clause 11.2 in respect to the proposed use of the sub-processor. If Processor requires use of the sub-processor and is unable to satisfy the Controller as to the suitability of the sub-processor, the Processor may terminate the portion of the Main Agreement for which the sub-processor in question is used with a notice period of 3 months. If the Controller does not raise an objection within ten (10) after receipt of the notification, Controller’s right to object to the respective assignment expires.
Processor shall enter a written agreement with the sub-processors it engages containing data protection obligations no less protective than those in this DPA. The parties agree that this requirement is met if the written agreement between Processor and its sub-processors provides a level of protection equivalent to this DPA or imposes the obligations set forth in Article 28(3) of the GDPR on the sub-processor.
Subject to the requirements of Section 6.2 of this DPA, the provisions in this Section 11 shall also apply if a sub-processor in a third country is engaged. The Controller hereby authorizes the Processor, on behalf of the Controller, to enter into a contract with a sub-processor incorporating the EU Standard Contractual Clauses for the Transfer of Personal Data to Processors in Third Countries of Feb. 5, 2010. The Controller declares its willingness to cooperate, if necessary, in fulfilling the requirements pursuant to Art. 49 GDPR to the extent required.
12. Data subject rights
Upon Controller’s request, the Processor will provide reasonable support to the Controller to assist Controller in complying with its data protection obligations regarding the processing under this DPA with respect to data subject’s rights.
If a data subject submits a request for the exercise of their rights directly to the Processor, the Processor will forward this request to the Controller in a timely manner.
The Processor shall provide the Controller with information about the stored Controller Data, the recipients of Controller Data to whom the Processor will disclose it in accordance with this DPA, and the purpose of the storage, unless the Controller has this information itself or is able to obtain it itself.
The Processor shall enable the Controller to rectify, delete or restrict further processing of Controller Data. If doing so is impossible for the Controller itself, the Processor will carry out the rectification, deletion or restriction of further processing for the Controller at its request within the scope of what is reasonable and necessary.
Insofar as the data subject has a right to data portability with respect to the Controller Data pursuant to Art. 20 GDPR, the Processor shall assist the Controller to the extent reasonable and necessary in providing the Controller Data in a common and machine-readable format if the Controller cannot obtain the data otherwise.
13. Notification and support obligations of the Processor
If the Processor becomes aware of any reportable events in its area of responsibility regarding Controller Data and which could reasonably cause Controllers statutory notification obligation pursuant to Art. 33, 34 GDPR, the Processor will inform the Controller immediately. Upon Controller’s request, the Processor will assist the Controller in fulfilling the notification obligations to the extent reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Processor as a result thereof.
If the Controller requests assistance with a data protection impact assessment or, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR, the Processor will assist the Controller to the extent reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Processor as a result thereof.
14. Deletion and return of Controller Data
The Processor shall delete the Controller Data upon termination of this DPA if the Controller has previously consented to such deletion, unless the Processor is legally obligated to continue storing the Controller Data.
The Processor may keep records that serve as evidence of the orderly and accurate processing of Controller Data during the term of the DPA and also after the termination of the DPA.
15. Compliance and audits
Upon Controller’s Request, the Processor will provide the Controller with all information necessary and available to the Processor to demonstrate compliance with its obligations under this DPA.
The Controller shall be entitled to audit the Processor with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organizational measures; including by means of inspections.
In order to carry out inspections pursuant to Section 15.2, the Controller shall be entitled to enter the Processor's business premises where Controller Data is processed during normal business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) after timely advance notice pursuant to Section 15.5 at Controller’s own expense, without disrupting the course of operations and subject to strict confidentiality of the Processor's trade and business secrets.
The Processor may, in its sole discretion and taking into account the Controller's legal obligations, decide not to disclose information that is sensitive with respect to the Processor's business or if the Processor would violate any legal or other contractual provisions by disclosing it. The Controller shall not be entitled to access data or information concerning other customers or partners of the Processor, information regarding costs and prices, quality assurance and business reports, and any other confidential data of the Processor that is not directly relevant to the agreed upon review purposes.
The Controller must inform the Processor in due time (usually at least two weeks in advance) about all circumstances related to the performance of the audit. The Controller may conduct one review per calendar year. Further inspections may be carried out after coordination with the Processor in return for reimbursement of the expenses and costs incurred by the Processor as a result of such audit.
If the Controller commissions a third party to carry out the inspection, the Controller shall oblige the third party in writing in the same way as the Controller is obliged to the Processor on the basis of Section 15 of this DPA. In addition, the Controller shall bind the third party to secrecy and confidentiality, unless the third party is subject to a professional duty of confidentiality. Upon request of the Processor, the Controller shall promptly submit the obligation agreements with the third party to the Processor. The Controller may not commission a competitor of the Processor with the inspection.
At the discretion of the Processor, proof of compliance with the obligations under this DPA may be provided, instead of an inspection, by submitting an appropriate and current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by an IT security or data protection audit – e.g. according to BSI-Grundschutz – (”Audit Report‟), if the Audit Report makes it possible for the Controller to convince itself of compliance with the contractual obligations in an appropriate manner.
16. Contract term and termination
The term and termination of this DPA shall be governed by the provisions governing the term and termination of the Main Agreement, unless otherwise provided in this DPA. Termination of the Main Agreement shall automatically result in termination of this DPA. An isolated termination of this Agreement is not possible.
17. Liability
The exclusions and limitations of liability under the Main Agreement shall apply to the Processor's liability under this DPA. Insofar as third parties assert claims against the Processor which have their cause in a culpable breach by the Controller of this DPA or of one of the Controller's duties as a Data Controller, the Controller shall indemnify the Processor against such claims.
The Controller undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor corresponding to the Controller´s part of responsibility for the infringement sanctioned by the fine.
18. Final provisions
In case individual provisions of this DPA are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The parties undertake to replace the ineffective provision by a legally permissible provision that comes closest to the purpose of the ineffective provision and that thereby satisfies the requirements of Art. 28 GDPR.
If any of the provisions of this DPA conflict with the provisions of any other written or oral agreement concluded between the Parties, then the provisions of this DPA shall prevail, unless the other agreement specifically mentions this DPA and the Parties agreed to changes to this DPA.
Appendix 1
Sub-processors
At the time of the conclusion of the DPA, the Processor uses the following sub-processors to provide its services:
Sub-processor
Explanation and purpose
Data transfer; if yes, to which country
Legal basis for the Data transfer
Twilio Inc.
375 Beale Street, Suite 300
San Francisco, CA 94105
USA
Sending and tracking of email notifications send to players
Yes
USA: Binding Corporate Rules; Art. 47 GDPR
Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy L-1855
Luxemburg
Storage of audio and video material that is recorded during a playtest
Yes
USA: EU Standard Contractual Clauses; Art. 46 Abs. 2 lit. c) GDPR
Cloudflare Inc.
101 Townsend Street
San Francisco, CA 94107
USA
Security and load balancing service to safeguard PlaytestCloud’s platform
Yes
USA: EU Standard Contractual Clauses; Art. 46 Abs. 2 lit. c) GDPR
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
Machine-based transcription of audio material that is recorded during a playtest
Yes
USA: EU Standard Contractual Clauses; Art. 46 Abs. 2 lit. c) GDPR
Rapid7 LLC
120 Causeway Street
Suite 400
Boston, MA 02114
USA
Technical logging of server access requests and errors resulting from the use of PlaytestCloud’s service by players
Yes
USA: EU Standard Contractual Clauses; Art. 46 Abs. 2 lit. c) GDPR
Rollbar Inc.
665 3rd Street #150
San Francisco, CA
USA
Error logging of software errors caused by the use of PlaytestCloud’s service by players
Yes
USA: EU Standard Contractual Clauses; Art. 46 Abs. 2 lit. c) GDPR
Salesforce.com Germany GmbH
Erika-Mann-Str. 31
80636 München
Deutschland
Heroku Platform: Hosting of PlaytestCloud’s platform, storage of players personal data and processing of audio and video material recorded during a playtest
Yes
USA: Binding Corporate Rules; Art. 47 GDPR
Agora Lab, Inc.
2804 Mission College Blvd., Suite 110
Santa Clara, CA 95054
USA
Real-time video and audio communication, text chat and screen sharing with players during some playtests
Yes
USA: EU Standard Contractual Clauses; Art. 46 Abs. 2 lit. c) GDPR
Functional Software Inc. (d/b/a Sentry)
45 Fremont St, 8th Floor
San Francisco, CA 94105
USA
Error logging of software errors caused by the use of PlaytestCloud’s service by players
Yes
USA: Adequacy Decision; Art. 45 GDPR
Appendix 2
Technical and organizational measures according to Art. 32 GDPR
At the time of the conclusion of the DPA, the Processor has implemented the following technical and organizational measures:
Technical Measures
Authorization & access control. PlaytestCloud employs authorization to ensure that only users that have the right to access personal data can do so and to limit their access to only the data they are authorized to see and edit.
Encryption. PlaytestCloud always uses securely encrypted connections such as HTTPS when transferring personal data between systems to prevent eavesdropping and ensure integrity of the transferred data.
Endpoint security. PlaytestCloud employs mobile device management for its mobile hardware including remote shutdown and wipe capabilities. Where available, full disk encryption is required to be enabled. PlaytestCloud employees regularly install software updates and security patches on all devices that handle personal data.
Secure password storage. PlaytestCloud uses one-time hashing (bcrypt2) to store user passwords in our database.
Business Continuity Management. PlaytestCloud employs redundant storage and its procedures for recovering data are designed to attempt to reconstruct Controller data in its original state from before the time it was lost or destroyed.
Data integrity. PlaytestCloud uses storage systems that can detect data corruption. PlaytestCloud’s software uses constraints as a safety measure to ensure data integrity.
Multifactor authorization. Administrator access to PlaytestCloud is secured by 2-Factor Authentication.
Dependency Management. PlaytestCloud updates software libraries weekly to benefit from the newest security patches.
Durability. PlaytestCloud backs up important data for up to one month so that in case of a system failure data can be safely restored.
Reliability. PlaytestCloud has reporting mechanisms and processes in place to quickly react to software problems and outages and correct them as quickly as possible.
Organizational measures
PlaytestCloud limits access to facilities where information systems that process Controller data are located to identified authorized individuals who require such access for the performance of their job function. We terminate the physical access of individuals promptly following the date of the termination of their employment.
PlaytestCloud company policies require the use of strong and unique passwords for each account.
PlaytestCloud informs its personnel about relevant security procedures and their respective roles, as well as of possible consequences of breaching the security rules and procedures. Such consequences include disciplinary and/or legal action.
PlaytestCloud reviews and updates their data privacy and security guidelines every 6 months.