Terms of Service

Last revised: March 2025

General Terms of the Services

PARTICIPATION IN OR ANY OTHER USE OR ACCESS OF THE SERVICES (AS DEFINED BELOW) INDICATES THAT YOU ACCEPT THESE TERMS AND CONDITIONS (“AGREEMENT”). IF YOU DO NOT AGREE TO ALL OF THE TERMS IN THIS AGREEMENT YOU MAY NOT ACCESS OR OTHERWISE PARTICIPATE IN THE SERVICES.

This Agreement shall apply to the Services provided by MY.GAMES B.V., a legal entity duly established and operating under the legislation of the Netherlands, with its registered office: De Entree 256, 1101ee, Amsterdam, the Netherlands (hereinunder “SERVICE PROVIDER”);

to the COMPANY – means any entity identified in an Appendix form to this Agreement, which will be bound by the terms and conditions of this Agreement.

COMPANY represents and warrants that COMPANY is legally permitted to conduct business and is the owner of the Product or have the right to exploit the Product and desire to appoint the Service Provider to provide the Services on and subject to the terms of this Agreement

  1. INTERPRETATION
    1. In this Agreement (including any attachments, schedules and recitals hereto), unless the context otherwise requires, the following words and expressions have the following meanings:
      1. Services mean the services related to, including the provision of Marketing Stat., access to the Creative Toolset, and consulting services or other services that are to the ordered by the Company as defined in this Agreement and Appendix signed by the Parties.
      2. Affiliates means in relation to either Party each and any subsidiary or holding company of that Party and each and any subsidiary of a holding company of that Party or any business entity from time to time controlling, controlled by, or under common control with, either Party. A business entity will be deemed to “control” another business entity if it owns, directly or indirectly, in excess of 50% of the outstanding voting securities or capital stock of such business entity or any other comparable equity or ownership interest with respect to a business entity other than a corporation.
      3. Business Day means a day (other than a Saturday or Sunday or a public holiday) when commercial banks are open for ordinary banking business in the Netherlands.
      4. Fee means the fee as set forth in Clause 3.1. and relevant Appendix.
      5. Appendix means the document that is an integral part of this Agreement and that details the list of Services and other details regarding the Services agreed by the Parties.
      6. Materials means any materials related to the Product including trademarks, trade names, logos, designs, artwork, and other digital assets owned by the Company.
      7. Product means a software product specified in the Appendix with the capability to be installed, free or at cost, on Users devices.
      8. Product Link means the hyperlink via which the User will access the Product installation capability.
      9. Promotional Material and Creative Assets means any product or work (including but not limited to all art, text, videos, and other materials in whatever form) created by or on behalf of the Company, including using the Material with Asset Lab as it defined in this Agreement and relevant Appendix.
      10. Reporting Period means the period equal to one calendar month if otherwise not agreed by the Parties.
      11. MMP means Mobile Measurement Platform such as AppsFlyer, Adjust, or other MMP, agreed by the Parties, if applicable, that allow to collect and process statistics in regard to software applications.
    2. In this Agreement:
      1. in construing this Agreement, the so-called “ejusdem generis” rule does not apply, and in particular, any phrase introduced by the terms “include”, “including”, “in particular” or any similar expression shall be construed as illustrative and without limitation and shall not limit the sense of the words preceding such terms;
      2. a reference to any statute or statutory provision is a reference to that statute or statutory provision as re-enacted, amended, or extended before the Effective Date and includes a reference to any subordinate legislation (as re-enacted, amended, or extended) made under it before the Effective Date;
      3. any reference to “writing” or “written” includes any legible reproduction of words delivered in permanent and tangible form but does not include, unless expressly stated otherwise, e-mail, internet or instant messenger messages, or mobile phone text message (SMS);
      4. if a period of time is specified as from a given day, or from the day of an act or event, it shall be calculated exclusive of that day;
    3. the attachments, Appendixes, and recitals hereto form part of this Agreement and a reference to “this Agreement” includes its attachments, Appendixes, and recitals.
  2. TERMS OF SERVICES

    The scope of the Services includes the following

    1. Creative toolset – means Asset Lab and Creative Hub. Creative Toolset is a cloud-based storage solution for managing Promotional Material and Creative Assets. Asset Lab and Creative Hub facilitate the storage, organization, selection, and collaboration of all types of creative materials, including various formats of images, videos, sounds, and archive files.
    2. Marketing Stat. - means the tool for analyzing project marketing performance which shall be based on MMP data, which includes a suite of marketing analytic instruments specifically for mobile (Google Play, AppStore, Samsung store, App Gallery etс.), and additionally WEB and PC measurement. These instruments enable the Company to track and analyze various metrics related to mobile marketing campaigns (organic/paid), including user engagement, app performance, conversion rates, ROI, and predictive ROI modeling for 30-720 days.
    3. The Service Provider grants the Company access to the Creative Toolset and Marketing Stat. by the meaning of creating the Company’s account and/or Dashboard which allows the Company representatives access to the Creative Toolset related to the Product. The Company is solely and fully responsible for granting access to the Company’s account and/or Dashboard only to its authorized users. The Service Provider is entitled to grant access to the Company’s account and/or Dashboard to its representatives for the purpose of technical support. All the data related to the Product shall be owned by the Company. The Сompany undertakes to provide all necessary data and materials to integrate its repository with the Services.
    4. The Service Provider may grant access to the limited functions of the Services listed in clause 2.1. – 2.3 free of charge for the purpose of Demo Demonstration and testing to the Company (hereinunder- Demo access), the duration of Demo access, the Service scope, and its functionality will be based on the Service Provider’s sole discretion.
    5. Account registration. In order to use the Services as per clause 2.3. above, the Company is required to create an Account following the instructions of the Service Provider and, inter alia, provide required information to the Service Provider for registration purposes.
      1. The Company guarantees that all information provided is accurate and up to date. The Company undertakes to update this information on its Account as soon as it is modified so that it always complies with the criteria.
      2. The Service Provider shall reserve the right to change and supplement the means of Account creation.
      3. The Company is informed and accepts that the information provided when creating its Account is presumed to establish its identity.
      4. The Company agrees to refrain from allowing any third party to use its Account.
      5. Information regarding personal data processing during registration of the account can be found at https://documentation.my.games/terms/mygames_privacy.
    6. Service Provider does not store any data and materials produced by the Company as a result of its access to the Services. All the data and materials produced by the Company as a result of using the Services as defined in clauses 2.1. – 2.2. above shall be stored on the Company’s properties and in no event the Service Provider shall be responsible for the storage and safety of such data and/or materials.
    7. The Service Provider shall be solely entitled in its absolute discretion to determine the method and manner in which the Services are rendered so long as those methods and manners are in good faith intended and subject to the terms of this Agreement.
    8. The Service Provider shall not use the Materials for purposes other than for the purpose of this Agreement.
    9. For the purposes of this Agreement (including calculation of Fee), the Company may instruct the Service Provider to use the MMP in the Product as it shall be agreed by the Parties in the relevant Appendix.
    10. The Service Provider shall provide the Services in accordance with the relevant Appendix.
    11. The Company undertakes:
      1. to pay the Fee in a duly and timely manner in accordance with the Agreement and relevant Appendix;
      2. provide the Company with viewing access to the MMP, as defined in the relevant Appendix the Service Provider will provide Services are defined in clause 2.1. herein above only subject to integration of the MMP into the Product unless otherwise agreed by the Parties;
      3. to the extent, it is applicable by the nature of the Services to procure the eligibility of collection and use of personal data by the Service Provider for the purposes of this Agreement in accordance with all applicable privacy and data protection laws, regulations, industry, and government guidelines;
      4. if applicable, to inform end users of the Product in a privacy policy or in a similar document and in accordance with applicable law that the Company may share end user’s data with the Service Provider for the purposes of this Agreement;
      5. to inform end users of the Product about the ability to reject the processing of their data and provide such a refusal by selecting the appropriate settings in the mobile application, and immediately inform the Service Provider about any cases when the end user of the Product withdraws consent to process their data.
      6. to the extent, it is applicable by the nature of the Services to provide in reasonable terms all the Materials necessary for the performance of the Agreement as required by the Service Provider as well as all the information and authorizations in regard to the Materials and their use by the Service Provider. The Service Provider has the right not to accept the above Materials if they do not comply with the applicable laws or the terms of this Agreement;
    12. The Service Provider undertakes to act in good faith, in a reasonable, professional, and consistent manner so as not to frustrate the purpose or intent of this Agreement and in no event distort the healthy image of the Product, damage the reputation of the Company, or conflict with the public moral and ethics and the like.
    13. The Service Provider may perform the Services through its subcontractors being responsible for their actions as for its own to the extent such actions are related to the performance of this Agreement.
    14. The Company agrees that notwithstanding any rights of publicity, privacy or otherwise (whether or not statutory) anywhere in the world, and without any further compensation, the Service Provider may and is hereby authorized to use the Company's name and Company's logo in connection with the promotion of its business, products or services.
    15. To the extent that personal data is shared between the Parties within the scope of the Agreement, the Company and Service Provider agree, as applicable, to the Data Processing Agreement and SCC (means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/915/EC of 4th of June 2021, on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council) incorporated in this Agreement as a Schedule A and Exhibit A thereto.
    16. The Service Provider will perform services subject to the Service Level Agreement which is incorporated as Schedule B into this Agreement.
  3. FEES AND PAYMENT
    1. Fee. As the consideration due to the Service Provider regarding the subject matter of this Agreement, the Company will pay to the Service Provider in accordance with the relevant Appendix.
    2. Any and all payments will be made to the Service Provider in EUR or USD.
    3. The Company shall pay Fees in a manner of a pre-payment within 5 (five) Business Days from the start of the corresponding Reporting Perion based on the invoice issued by the Service Provider on the first day of the Reporting Period.
    4. Taxes. All amounts payable to the Service Provider under this Agreement are exclusive of all VAT and other applicable taxes and duties. Such taxes are added to the amounts payable where applicable. Each Party is liable for the tax withholding in accordance with jurisdiction of the state of residence of the Parties.
    5. Late Payment. For a delay in payment by the Company to the Service Provider by the terms of this Agreement and the relevant Appendix, the Company shall pay liquidated damages to the Service Provider in the amount consisting of (a) the outstanding amount and (b) a late payment interest of 0,1% (one-tenth of the percentage point) of the unpaid amount for each day of delay upon the request of the Developer. The Parties hereto acknowledge that the amount of liquidated damages as defined in this clause 3.5 herein above corresponds to the damages that may be caused to the Party due to the improper fulfillment of its obligations by the other Party taking into account the nature and purpose of the services and the standard practices on the market.
    6. It is acknowledged by the Parties hereto that the Company’s payment obligations accrued and payable up to the termination or expiry date of this Agreement hereof shall survive the termination or expiration of this Agreement, notwithstanding any provisions herein to the contrary.
  4. REFERRAL PROGRAM
    Referral of New Clients.

    The Company may refer to the Service Provider potential new clients. For the purposes of this Agreement, a "New Client" shall mean a potential client who:

    • Has not previously used the Services; and
    • Has not been approached by the Service Provider prior to the referral.
    Referral Fee Eligibility.

    The Company shall be entitled to a referral fee ("Referral Fee") provided that all of the following conditions are met and incorporated into an Appendix signed by the Service Provider and the New Client:

    • The service term under the agreement with the New Client is at least twelve (12) months; and
    • The New Client shall either (i) make an advance payment covering the first three (3) months of the Service Fee, (ii) pay the Service Fee monthly for the first three (3) months, or (iii) make an annual advance payment for twelve (12) months of the Service.
    Referral Fee Structure.

    If the conditions outlined in Sections 3A.1 and 3A.2 are satisfied, the Company shall receive a one-time discount applicable to future payments under this Agreement and the corresponding Appendix between the Company and the Service Provider. The discount shall be equivalent to five percent (5%) of the total value of the agreement ("New Agreement") between the Service Provider and the New Client for a twelve (12)-month period.

    Confidentiality.

    All details regarding the New Client, the New Agreement, and any related information shall be deemed confidential and shall be handled by both Parties in accordance withSection 6: Confidentiality of this Agreement.

  5. OWNERSHIP. PERMISSION TO USE MATERIALS
    1. The Service Provider acknowledges the Company’s sole ownership of the Product, the Materials and all associated goodwill.
    2. The Company acknowledges the Service Provider’s ownership of any parts of the Services, excluding the Promotional Materials created by the Company as a result of the Services as defined in the Appendix.
    3. The Company hereby grants to the Service Provider the right and permission to use the Materials provided by the Company in any manner for the purposes of the performance of the Services within the Term of this Agreement.
    4. The Service Provider hereby grants the Company the right and permission to access the Marketing Instruments for the purpose of this Agreement and as it set forth in the relevant Appendix.
  6. LIABILITY. LIMITATION OF LIABILITY. WARRANTIES AND INDEMNIFICATION
    1. Representations and warranties of the Company. On an ongoing basis, the Company represents and warrants that (a) the Company has all the necessary rights, title and interests in the Product and the Materials; (b) the Materials do not infringe any third party rights including intellectual property rights; (c) the Materials comply with all applicable laws and regulations; (d) performance of the Company’s obligations in accordance with the Agreement will not violate applicable legislation and third party’s rights.
    2. Except for any acts of fraud, gross negligence, or willful misconduct, in no event will either Party be liable to the other for any loss of profits, loss of use, loss of revenue, loss of goodwill, any interruption of business, or for any indirect, special, incidental, exemplary, punitive or consequential damages of any kind arising out of or in connection with this Agreement or any Services regardless of the form of action, whether in contract, tort, strict liability or otherwise, even if such Party has been advised or is otherwise aware of the possibility of such damages. Neither Party makes any representation, conditions or warranties of any kind and all implied representations or warranties are excluded to the maximum extent permissible by law. The Service Provider’s aggregate cumulative liability to the Company arising out of or related to this Agreement shall not exceed the total value of the Agreement (including all relevant Appendixes thereto), meaning the total value of the Service Provider’s Fee paid under this Agreement (and all relevant Appendixes thereto).
    3. THE COMPANY ACCEPTS AND ACKNOWLEDGES THAT THE SERVICES PROVIDED «AS IS» AND «AS AVAILABLE». THE SERVICE PROVIDER FURTHER DISCLAIMS ANY WARRANTY THAT THE SERVICES WILL MEET THE COMPANY’S NEEDS, BE ERROR-FREE, OR THAT THE OPERATION OF THE SERVICE WILL BE UNINTERRUPTED. THE FOREGOING EXCLUSIONS AND DISCLAIMERS ARE AN ESSENTIAL PART OF THIS AGREEMENT AND FORM THE BASIS FOR DETERMINING THE PRICE CHARGED FOR THE SERVICES. TO THE EXTENT THAT THE SERVICE PROVIDER CANNOT DISCLAIM ANY WARRANTY AS A MATTER OF APPLICABLE LAW, THE SCOPE AND DURATION OF SUCH WARRANTY SHALL BE THE MINIMUM REQUIRED UNDER SUCH LAW.
    4. The Service Provider shall not be held responsible or liable for any decisions, actions, or outcomes resulting from the Company's reliance on the figures, data, or information displayed in the Company’s account and acquired as a result of the Services. The Company acknowledges that any use of such information is at their own discretion and risk, and the Service Provider does not guarantee the accuracy, completeness, or reliability of the numbers or data displayed in the Company’s account. The Company acknowledges and agrees that the Service Provider shall not be liable for any errors, inaccuracies, or discrepancies in the data presented.
    5. The Company shall fully indemnify, hold harmless, and defend Service Provider and its subsidiaries and affiliates and all of the foregoing entities’ officers, directors, employees, and agents, and its successors and assigns, from and against any and all third party claims, actions, suits, legal proceedings, demands, liabilities, damages, losses, judgments, settlements reasonably approved by the Service Provider, costs and expenses, including, without limitation, reasonable attorneys’ fees, arising out of or in connection with infringement of any breach of intellectual property rights or other proprietary rights of any third Party in connection with Product, and any breach of any warranties, representations, covenants, and obligations set forth in the Agreement without limitation.
  7. CONFIDENTIALITY
    1. Confidential Information means this Agreement and the fact of its conclusion, any trade secrets or other information of a Party, whether of a technical, business, or other nature (including, without limitation, information relating to a Party’s technology, software, products, services, designs, methodologies, business plans, finances, marketing plans, prospects, or other affairs), that is disclosed to a Party during the term of this Agreement and that such Party knows or has reason to know is confidential, proprietary, or trade secret information of the disclosing Party. Confidential Information does not include any information that: (a) was known to the receiving Party prior to receiving the same from the disclosing Party in connection with this Agreement; (b) is independently developed by the receiving Party without use of or reference to the Confidential Information of the disclosing Party; (c) is acquired by the receiving Party from another source without restriction as to use or disclosure; or (d) is or becomes part of the public domain through no fault or action of the receiving Party. Confidential Information will include all items covered by this definition and that are disclosed or embodied in materials delivered in tangible form (including CD, email, and other means of electronic delivery).
    2. During and after the term of this Agreement, each Party will: (a) use the other Party’s Confidential Information solely for the purpose for which it is provided; (b) not disclose the other Party’s Confidential Information to a third party unless the third party must access the Confidential Information to perform in accordance with this Agreement and the third party has executed a written agreement that contains terms that are substantially similar to the terms contained in this Section 6; and (c) protect the other Party’s Confidential Information from unauthorized use and disclosure to the same extent (but using no less than a reasonable degree of care) that it protects its own Confidential Information of a similar nature.
    3. Upon the termination of this Agreement, or upon earlier request, each Party will deliver to the other all Confidential Information that they may have in its possession or control. Notwithstanding the foregoing, neither Party will be required to return materials that it must retain in order to receive the benefits of this Agreement or properly perform in accordance with this Agreement.
  8. TERM AND TERMINATION
    1. This Agreement shall commence on the Effective Date and shall be effective for the period as specified in the corresponding Appendix thereto (initial term). If neither Party sends to the other Party a notice of termination thirty (30) calendar days prior to the date of expiration of the Initial Term, the Agreement will be deemed to renew for the same period for which it was originally signed (each, a “Renewal Term” and together with the Initial Term, the “Term”).
    2. This Agreement may be terminated by each Party for convenience upon thirty (30) days’ written notice to the other Party.
    3. In the event of delay of the payment as defined in clause 3.4. for more than 30 (thirty) calendar days Service Provider is entitled to terminate the Agreement unilaterally with 5 days’ notice.  The clause 3.5. and 3.6. shall apply in this event.
    4. Each and any Appendix may be terminated by the Service Provider upon 30 (thirty) calendar days prior written notice to the Company.
    5. Effect of termination. Subject to Clause 7.5. below, following expiry or termination of the Agreement and/or Appendix for any reason, the Parties’ rights and obligations under the Agreement and/or Appendix correspondingly will end immediately, but not their accrued rights and obligations and any provisions of this Agreement and/or Appendix necessary for its interpretation or enforcement. In addition:
      1. the Service Provider will immediately cease the provision of the Services; and
      2. the Parties will return all property of the other Party to that Party.
    6. Ongoing Service Provider Fee. In case of expiration or termination of the Agreement and/or Appendix, the Company shall to pay the Fee to the Service Provider in full as set forth in Section 3 of this Agreement.
  9. MISCELLANEOUS
    1. Notices. All notices under this Agreement shall be sent to a Party at the email address indicated in this Agreement and Appendix hereto.
    2. Disputes, Governing Law and Jurisdiction. Any issue, dispute, or disagreement arising out of or in connection with this Agreement will in the first instance be referred by the addressing a complaint to the other Party, if the matter is not resolved at this stage within 30 days since the day the complaint has been sent to the other Party, all disputes arising out of or in connection with the Agreement, including but not limited to the formation, performance, breach, termination or invalidity thereof, will be solved by International Court of Arbitration of the International Chamber of Commerce and shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce, which Rules are deemed to be incorporated by reference into this clause 8.2. The Parties further agree that: (a) The number of arbitrators shall be one (1), (b) The place of arbitration shall be London, England, (c) The language to be used in the arbitral proceedings shall be English. The law applicable to this arbitration clause shall be the substantial law of England. The governing law of the Agreement will be the law of England and Wales
    3. Severability. If any court or competent authority finds that any provision of this Agreement (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this Agreement will not be affected. If any invalid, unenforceable or illegal provision of this Agreement would be valid, enforceable and legal if some part of it were deleted, the Parties will negotiate in good faith to amend such provision such that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the Parties' original commercial intention.
    4. Force Majeure Events . Neither Party shall be liable for any failure to perform any of its obligations under this Agreement which results from acts of God, the elements, fire, flood,force majeure, riot, insurrection, industrial dispute, accident, war, embargoes, legal restrictions or any other cause beyond the control of the Party.
    5. No Assignment. Neither Party will assign, novate, sub-license, transfer, charge, or deal in any other manner with this Agreement or any rights under it without the prior written consent of the other Party (without which any such purported steps will confer no rights), except for the right of the Server Provider to assign the Agreement or any part of it to its Affiliates with 7 (seven) days prior written notice (email is sufficient) of such assignment to the Company, or except as part of a company amalgamation, reorganization, reconstruction or rearrangement (where for the avoidance of doubt no such prior written consent of the other Party is required).
    6. No Agency or Partnership. This Agreement does not create any exclusive relationship between the Parties nor any partnership, joint venture, employment or agency between them.
    7. Entire Agreement; Modifications; Counterparts. This Agreement contains the entire understanding of the Parties with respect to the matters contained herein. There are no promises, covenants or undertaking other than those expressly set forth herein, and any other terms and conditions are rejected regardless of content, timing or method of communication. Any deviations from or additions to the terms of this Agreement must be in writing and will not be valid unless confirmed in writing by duly authorized officers of the Company and the Service Provider. This Agreement may be executed in two or more counterparts, each of which shall be deemed an original and all of which together shall constitute one instrument.
    8. Survivals. The provisions of Sections 4, 5, 6, 7.5, 8 shall survive any expiration or termination of this Agreement.

SCHEDULE A
TO THE GENERAL TERMS OF THE SERVICES
DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) is effective as of theEffective Date as defined in the relevant Appendix to the Agreement and is by and between:

PARTIES

MY.GAMES (hereinafter, or the Processor), and
COMPANY (hereinafter, the Controller).

WHEREAS:

  1. DEFINITIONS AND INTERPRETATIONS.

    Services means the services provided to the Controller by the Processor as specified in this Appendix and the Agreement.

    Controller Data means personal data of the Controller or the Controller’s Processors, provided to or available for the Processor by the Controller.

    Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

    EU Data Protection Laws means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

    Product shall have a meaning defined in the Agreement and the relevant Appendix thereto.

    GDPR means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

    SCC means the Standard Contractual Clauses annexed to the European Commission's Implementing Decision 2021/915/EC of 4th of June 2021, on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council)

    Personal Data means any information relating to an identified or identifiable natural person (as defined in the GDPR) that the Controller provides to the Processor in the process of provision of the Services.

    Process or Processing means any operation or set of operations which is performed by the Processor as part of the Services on Personal Data or on sets of Personal Data, whether or not by automated means.

    Processor and Controller shall have the meanings given in the GDPR.

    Capitalized terms used but not defined in this Addendum will have the meanings provided in the Agreement.

  2. PROCESSING OF PERSONAL DATA.
    1. This Addendum applies when Personal Data is Processed by Processor on behalf of Controller. The control of Controller’s Personal Data remains with the Controller.
    2. The subject matter of the Processing under this Addendum is Personal Data.

      The duration, purpose, type of the data, and data subjects are defined in Annex IIto the SCC.

    3. Processor will only Process Personal Data in accordance with the provisions of this Addendum and the Controller’s instructions. Any instructions provided by the Controller to the Processor with respect to the Processing of Personal Data shall comply with all applicable Data Protection Laws relating to privacy and data protection. Controller further agrees that any instructions it provides to Processor with respect to the processing of Personal Data shall not cause Processor to be in breach of any applicable Data Protection Laws. Processor shall not process the Personal Data for purposes other than to provide the Processor Services. Processor will Process Personal Data in accordance with the EU Data Protection Laws requirements directly applicable to the Processor’s provision of the Services.
    4. Transfer of Personal Data which is governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) is made in accordance with the EU Standard Contractual Clauses (“EU SCCs”) as specified in Exhibit A to this DPA.
  3. INTERNATIONAL TRANSFERS OF PERSONAL DATA.

    Personal Data that Processor processes on Controller’s behalf won’t be transferred to, and stored and processed in outside the EEA or Switzerland. If Controller is transferring Personal Data from the European Economic Area or Switzerland, or if the Processor intends to transfer Personal Data received by the Controller outside the EU and Switzerland, then the EU Standard Contractual Clauses for the transfer of the personal data to the third countries shall be concluded and shall apply to that Personal Data.

  4. THIRD PARTY REQUESTS AND CONFIDENTIALITY.
    1. Processor will not disclose Personal Data to any individual or a third party other than: (i) at the request of Controller; (ii) as provided in this Addendum; (iii) as necessary to provide the Services; or (iv) as required by applicable law or a valid and binding order of a law enforcement agency.
    2. Processor will ensure that all employees (if any) or those who have the authority to access or Process the Personal Data are bound by obligations of confidentiality with respect to Personal Data. Processor will ensure that its employees or those who have the authority to process Personal Data do not process it except on the instructions of the Controller. Processor will ensure all employees have undertaken training in the laws relating to the handling of Personal Data; and are aware both of Processor’s duties and their personal duties and obligations under such laws and this Addendum.
  5. PERSONAL DATA ACCESS.

    Processor will promptly notify Controller if Processor receives a request from the data subject to exercise the data subject’s rights under the GDPR, (including right of access, rectification, objection, erasure, data portability, restriction of Processing, or right not to be subject to an automated individual decision making). Processor shall provide all reasonable and timely assistance to Controller, including appropriate technical and organizational measures, insofar as this is possible, to enable Controller to respond to any such request from a Data Subject. In the event that any request from a Data Subject is made directly to the Processor, Processor shall promptly inform the Controller and provide the full details of the request to the Controller.

  6. SECURITY

    Processor has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines to ensure a level of security appropriate to the risk of the accidental loss, destruction, alteration, unauthorized disclosure or access, or the unlawful destruction of Personal Data.

  7. SECURITY INCIDENT NOTIFICATION

    In the event of any unlawful access to any Personal Data resulting in loss, disclosure, or alteration of Personal Data (each a “Security Incident”), Processor will notify Controller without undue delay from when Processor becomes aware of the Security Incident. In addition, the Processor will investigate the Security Incident and provide the Controller with detailed information about the Security Incident in order for the Controller to comply with any data breach notification requirements under the GDPR. The Processor will also take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Processor’s obligation to report or respond to a Security Incident as provided herein is not and will not be construed as an acknowledgment by Processor of any fault or liability with respect to the Security Incident.

  8. SUBPROCESSORS.

    The Processor may authorise any third party or sub-processor to access and/or otherwise process the Personal Data on behalf of the Controller.

  9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION.

    Upon the Controller’s request, the Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with supervisory authorities, which the Controller reasonably considers to be required of the Controller by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Personal Data by and taking into account the nature of the Processing and information available to, Processor.

  10. TERMINATION.
    1. This Addendum shall continue in full force until the expiration or termination of the Agreement.
    2. Within thirty (30) days from the expiration or termination of the Agreement, Processor will delete Personal Data, except as may be required by law.
  11. MISCELLANEOUS.

    Controller will treat the terms and conditions of this Data Processing Addendum as confidential and shall not disclose them to any third party except for Controller’s auditors or consultants that need access to this information for the purpose of this business relationship as articulated in this Data Processing Addendum and the Agreement. If there is a conflict between any provision in this Data Processing Addendum and any provision in the Agreement, this Data Processing Addendum shall control. This Data Processing Addendum shall not restrict any applicable data protection laws, rules or regulations. If any provision in this Data Processing Addendum is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith. In case of conflict, the order of precedence in respect of the Processing of Personal Data shall be: this Data Processing Addendum and then the Agreement. The Exhibit A to this Data Processing Addendum is integrated part of it.

EXHIBIT A to the SCHEDULE A
DATA PROCESSING ADDENDUM
Standard contractual clauses
between controllers and processors
under Article 28(7) of Regulation (EU) 2016/679
of the European Parliament and of the Council

SECTION I

Clause 1
Purpose and scope

  1. The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
  3. These Clauses apply to the processing of personal data as specified in Annex II.
  4. Annexes I to IV are an integral part of the Clauses.
  5. These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
  6. These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
  7. The controller warrants and represents that any and all personal data that is made available to the processor for processing on behalf of the controller:
    1. has been collected and processed by the controller for lawful and legitimate purposes and in accordance with Regulation (EU) 2016/679; and
    2. may be made lawfully available to the processor in accordance with Regulation (EU) 2016/679 (including, without limitation, the controller having ensured (and continuing to ensure) that all necessary appropriate consents have been obtained and notices are in place).
  8. The controller acknowledges that the processor is reliant on the controller’s representations regarding the extent to which the controller is entitled to process personal data and make it available to the processor for processing.

Clause 2
Invariability of the Clauses

  1. The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
  2. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3
Interpretation

  1. Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
  2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
  3. These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4
Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5
Docking clause

  1. Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.
  2. Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.
  3. The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

SECTION II
OBLIGATIONS OF THE PARTIES

Clause 6
Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7
Obligations of the Parties

Instructions
  1. The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.
  2. The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

Security of processing
  1. The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
  2. The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

Documentation and compliance
  1. The Parties shall be able to demonstrate compliance with these Clauses.
  2. The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.
  3. The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the controller’s lawful and reasonable request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, provided that, the controller any third-party auditor will comply with the processor’s standard safety, confidentiality, and security procedures in conducting such audit. The controller shall give (or shall ensure that the processor is given) reasonable notice of any audit to be conducted. Except as otherwise required by Regulation (EU) 2016/679 or a relevant supervisory authority/ies, any audit or inspection will be conducted within normal business hours no more than once in any given calendar year or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.
  4. The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.
  5. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
Use of sub-processors
  1. GENERAL WRITTEN AUTHORISATION: The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least ten (10) business days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.
  2. Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
  3. At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.
  4. The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.
  5. The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
International transfers
  1. Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
  2. The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8
Assistance to the controller

  1. The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.
  2. The processor shall provide reasonable assistance to the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s lawful and reasonable instructions.
  3. In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore provide reasonable assistance to the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:
    1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
    2. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
    3. the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
    4. the obligations in Article 32 of Regulation (EU) 2016/679.
  4. The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9
Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to the processor.

Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

  1. in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
  2. in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:
    1. the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    2. the likely consequences of the personal data breach;
    3. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  3. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

  4. in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

  1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
  2. the details of a contact point where more information concerning the personal data breach can be obtained;
  3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

To the extent permitted by applicable law, the processor's total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of these Clauses or Regulation (EU) 2016/679 shall be limited to an amount equal to the lesser of: (a) fee paid by the controller to the processor under the related agreement between the Parties in the six (6) months preceding the date of the event that is the basis for the first claim; or (b) one million dollars (USD $1,000,000).

SECTION III
FINAL PROVISIONS

Clause 10
Non-compliance with the Clauses and termination

  1. Without prejudice to any provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall as soon as reasonably possible inform the controller in case it is unable to comply with these Clauses, for whatever reason.
  2. The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
    1. the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
    2. the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
    3. the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
  3. The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.
  4. Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.

ANNEX I

List of parties

Controller(s): [Identity and contact details of the controller(s), and, where applicable, of the controller’s data protection officer]

COMPANY

Processor(s): [Identity and contact details of the processor(s) and, where applicable, of the processor’s data protection officer ]

MY.GAMES

ANNEX II

Description of the processing

Categories of data subjects whose personal data is processed

Users of data controller’s Product

Categories of personal data processed

  1. Data about data subject’s account and game progress;
  2. Data about data subject’s device, such as device name and operating system, system version, device model, memory, browser type and system language, system country, display width/height, device time zone;
  3. Data which data controller collects with cookies and similar technologies: general location data, precise geo-location data (GPS, with data subject’s consent);
  4. Data about data subject’s usage of data controller’s applications and games, such as gameplay data and data subject’s interactions with other game players inside data controller’s applications and games;
  5. Data about purchases which data subject makes in data controller’s application and games (which purchase was made by data subject, purchase price, purchase date, currency of payment, payment amount);
  6. Data subject’s Facebook, Apple game Center ID, GPGS identificators, identifierForVendor, advertising Identifier (with data subject’s consent);
  7. Data which data controller receives if data subject links a third party tool with data controller’s application and games (such as Facebook, WeChat, Google etc.);
  8. Geographic data (such as to determine the coarse location of data subject’s IP address);
  9. Data subject’s in-game ID, support ID;
  10. Data about data subject’s usage of data controller’s applications and games, such as profile creation date, first login, last login of data subject inside data controller’s applications and games.
  11. Information from a profile on social networks with which data subject is authorized in data controller’s applications and games or which are linked to data subject’s account in data controller’s applications and games (such as profile photo, date of birth, name in social network);
  12. Data subject’s messages to data controller’s applications and games (such as chat logs and player support tickets);
  13. In game data subject’s IP address and mobile device identifiers with data subject uses in data controller’s applications and games (such as device ID, advertising ID, MAC address, IMEI, Carrier, device token).

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not applicable

Nature of the processing

Controller instructs Processor to process personal data of users of Controller’s Product and will process Personal Data specified above within the scope of the services to be rendered for Controller under the terms and conditions of the Agreement and relevant Appendix signed by the Parties.

Purpose(s) for which the personal data is processed on behalf of the controller

Processor will process Personal Data specified above to provide Controller with the advertising services under the terms and conditions of the Agreement and relevant Appendix signed by the Parties.

Duration of the processing

Processing shall continue until further notice but no longer than the term of the Agreement and Appendix thereto.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

Processing shall continue until further notice but no longer than the term of the Agreement and Appendix thereto.

ANNEX III

Technical and organisational measures including technical and organisational measures to ensure the security of the data

EXPLANATORY NOTE:

The technical and organisational measures need to be described concretely and not in a generic manner.

Description of the technical and organisational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.

Measures of pseudonymisation and encryption of personal data and Measures for the protection of data during transmission

Communication and transport control

Measures to ensure that data cannot be read, copied, modified or deleted without authorization during electronic transmission, including:

  1. Transport encryption HTTPS/TLS;
  2. Session management with TTL and logout functions;
  3. Network segmentation and firewall protection;
  4. Internal separation of access to infrastructure and management of SSH access;
  5. Secure Socket Shell (SSH) with key based authentication;
  6. Traffic and service monitoring by dedicated operations team.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Availability control

Measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical), including:

  1. Distributed high-availability service architecture;
  2. Backup procedures;
  3. Mirroring of hard disks (e.g. RAID technology);
  4. Uninterruptible power supply (UPS);
  5. Remote storage.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Measures for user identification and authorisation

Access restriction mechanisms

Measures to prevent data processing systems from being used by unauthorized persons, including:

  1. Multi-layered network/systems access restriction architecture;
  2. User identification and authentication procedures;
  3. Strong ID/password security policy (special characters, minimum length, change of password);
  4. Two-factor authentication;
  5. Automatic blocking (e.g. password or timeout);
  6. Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous attempts.

Measures for the protection of data during storage

Data access control.

Measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, including:

  1. Internal logical access control policies and procedures;
  2. Control authorization schemes;
  3. Differentiated access rights via roles and permissions;
  4. Logging of accesses;
  5. Limiting and monitoring of privileged access;
  6. Reports of access;
  7. Centralized procedures for access granting, revoking and regular review.

Measures for ensuring physical security of locations at which personal data are processed

Physical access control

Measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where data are processed, including:

  1. Defined security areas with restricted access (data centers, server rooms);
  2. Access authorizations for employees and third parties, visitor registration;
  3. Access control system (via magnetic cards);
  4. Door locking (electric door openers etc.);
  5. Security staff;
  6. Surveillance, video/CCTV monitor, alarm system.

Measures for ensuring events logging

Entry control

Measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems via logging and reporting capabilities.

Measures for ensuring system configuration, including default configuration

Measures for ensuring system configuration via change management controls with appropriate change validation and approvals. Deployment of changes under control of configuration management systems.

Measures for internal IT and IT security governance and management

Measures for certification/assurance of processes and products

Measures for ensuring data minimisation

Using a risk-based approach to determining the minimum sufficient amount of data to be processed in the course of data protection impact assessments.

Measures for ensuring data quality and Measures for allowing data portability and ensuring erasure

Measures for ensuring data quality, allowing data portability and erasure via self-service tools and/or dedicated support procedures.

Measures for ensuring limited data retention

Application of data retention policies.

Measures for ensuring accountability

Processing control.

Measures to ensure that data are processed solely in accordance with the instructions of the Controller, including:

  1. Clear and detailed wording of the contract and DPA;
  2. Imposition of the obligation to adhere to the data secrecy requirements on the contractor’s employees;
  3. Confidentiality agreements/clauses with employees and (sub)contractors.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller

The (sub-) processors (if any) shall at least implement the technical and organisational measures specified above to ensure the security of the personal data.

Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller.

ANNEX IV

List of sub-processors

EXPLANATORY NOTE:

Not applicable due to the general written authorisation of sub-processors options chose (Clause 7.7(a)).

SCHEDULE B
TO THE
GENERAL TERMS OF THE SERVICES

During the Term of the Agreement (as defined in the GENERAL TERMS OF THE SERVICES and the relevant Appendix thereto), the Service Provider will use reasonable commercial efforts to provide to the Customer a Monthly Service Uptime Percentage of at least 99.9% (Guaranteed Uptime Service Percentage or GUSP). Capitalized terms not defined in this Service Level Agreement (hereinunder – SLA) will have the meanings given to them in the Agreement.

Service Provider fails to deliver the Monthly Service Uptime Percentage of at least 99.9%, except for the cases described below, the Customer shall become entitled to the Service Credit specified in the table set out below.

Monthly Uptime PercentageService Credit
99.0% - < 99.9%10%
95.0% - < 99.0% 25%
< 95.0%50%

This SLA states the Customer's sole and exclusive remedy for any failure by the Service Provider to meet the GUSP.

Service Credit shall be calculated from the monthly value of the Services that fail to meet GUSP and shall be calculated towards the future billing period as defined below. For the yearly prepaid Services, the Service Credit will be calculated as a sum of the values of the Services that fail to meet GUSP for each month during the year. The monthly value of the Service in this event shall be equal to the yearly value divided by 12. The Customer shall apply for Service Credit via email at billing@adsadvisor.io no later than 30 days after the Customer becomes eligible for the Service Credit. If Customer does not comply with this requirement, Customer will forfeit its right to receive a Service Credit for this period.

When requesting Service Credit, the Customer must provide the Service Provider with date and time information regarding the Downtime for a specific Service as per the relevant Appendix.  The Customer acknowledges and agrees that the Service Provider will assess and determine whether the specified Service failed to meet the GUSP, and that Service Credits are eligible.  If a dispute arises concerning this SLA, the Service Provider will decide in good faith based on the available information, which the Service Provider may make available for auditing by the Customer at the Customer's request.

Maximum Service Credit.

The aggregate maximum number of Service Credits to be issued by the Service Provider to the Customer for any and all Downtime Periods that occur in a single calendar month will not exceed 50% of the amount due by the Customer for the Services for the applicable month. Service Credits will be made in the form of a monetary credit applied to future use of the Service and will be applied within 60 days after the Service Credit was requested.

SLA Exclusions.

The SLA does not apply to any performance issues or errors: (i) caused by factors outside of the Service Provider’s reasonable control, such as any downtime: (a) caused by outages to any public Internet backbones, networks, or servers; (b) caused by any failures of Customer’s Application, as result of Customer’s integration of MMP, Customer’s integration equipment, systems or local access services; or (c) strikes, riots, insurrection, fires, floods, explosions, war, governmental action, labour conditions, earthquakes or natural disasters; (ii) that resulted from any actions or inactions of Customer or any third parties; (iii) that resulted from Customer's or a third party’s software or hardware, including MMP downtime, updates of MMP integrated by the Customer, which requiring undated in the Services; (iv) that resulted from abuses or other behaviours that violate the Agreement or (v) that resulted from Customer use of the Service inconsistent with the Documentation, including but not limited to invalid requests, unauthorized use, or inaccessible data.

Definitions

The following definitions apply to this SLA:

Service” means the Services listed in the relevant Appendix to the General Terms of the Services.

Downtime” means the average server-side response time for a Valid Request is greater than 60 (sixty) seconds. Downtime is measured for each Covered Service based on the global server-side response time thresholds.

Downtime Period” means a period of 30 (thirty) consecutive minutes of Downtime, for any Service. Intermittent Downtime for a period of less than thirty minutes, for any Service, will not be counted towards any Downtime Periods. Downtime as part of Scheduled Maintenance, for any Service, will not be counted towards any Downtime Periods. Downtime Periods that occur for any one Service will not apply to any other Service Downtime Periods.

Service Credit” means the following: Percentage of the monthly fee for the Service which does not meet GUSP that will be credited to future monthly invoices of Customer.

Monthly Uptime Percentage” means the total number of minutes in a calendar month minus the number of minutes of Downtime suffered from all Downtime Periods in a calendar month, divided by the total number of minutes in a calendar month.

Scheduled Downtime” means those times when the Service Provider notifies the Company of periods of Downtime 24 hours prior to the commencement of such Downtime. There will be no more than twelve hours of Scheduled Downtime per calendar month. Scheduled Downtime is not considered Downtime for purposes of this SLA, and will not be counted towards any Downtime Periods and GUSP calculation.

Valid Requests” are requests to the Services, and that would normally result in a non-Error response.