Data Processing Addendum

Customer is the controller of personal data included in Customer Content or otherwise processed by Provider on Customer's behalf, except where the Parties expressly agree otherwise.

Provider is the processor of personal data it processes on Customer's behalf to provide the Service.

Provider is an independent controller for business contact data, billing records, legal records, security administration, account administration, usage analytics, website and web app data, corporate compliance, and other data processed for Provider's own business purposes.

The subject matter, duration, nature, purpose, personal data types, and data subject categories are described in Annex 1.

Customer instructs Provider to process personal data as necessary to provide, secure, support, operate, monitor, bill, and improve the Service under the Agreement.

Provider will process personal data only on documented instructions from Customer, including the Agreement, the Order Form, Customer's configuration, and Customer's use of the Service, unless applicable law requires otherwise.

Provider will inform Customer if, in Provider's opinion, an instruction infringes applicable data protection law, unless legally prohibited from doing so.

Customer is responsible for:

• determining the lawfulness of personal data submitted to the Service;
• providing all required privacy notices;
• obtaining required consents or establishing another valid legal basis;
• ensuring personal data is accurate, relevant, and limited to what is necessary;
• avoiding submission of special-category, sensitive, regulated, or children's personal data unless expressly agreed in writing;
• responding to data subject requests unless Provider is required by law to respond.

Provider will ensure that persons authorized to process personal data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality obligations.

Provider will implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

The current measures are described in Annex 2. Customer acknowledges that the Service is a pilot environment unless the Order Form states otherwise.

Customer grants Provider general written authorization to use subprocessors to provide the Service.

Provider will impose data protection obligations on subprocessors that are materially equivalent to those in this DPA, to the extent applicable to the subprocessor's services.

Provider remains responsible to Customer for the performance of its subprocessors' data protection obligations.

Initial subprocessor categories are listed in Annex 3 and Schedule 4 - Subprocessor List.

Provider will notify Customer of new or replacement subprocessors where reasonably practicable and required by applicable data protection law. Customer may object on reasonable data protection grounds within ten days after notice. If the Parties cannot resolve the objection, Customer may terminate the affected Service.

Provider and its subprocessors may process personal data in the European Economic Area and other countries where Provider or subprocessors operate.

Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision and a transfer mechanism is required, the Parties will use an appropriate transfer mechanism, such as European Commission standard contractual clauses, the UK addendum, a Swiss addendum or adaptation, an adequacy decision, or another lawful mechanism.

Where European Commission standard contractual clauses are required between Customer and Provider, Module Two (controller to processor) applies. Where clauses are required between Provider and a subprocessor, Module Three (processor to processor) applies.

Taking into account the nature of the processing, Provider will provide reasonable assistance to Customer through appropriate technical and organizational measures, insofar as possible, for Customer's response to data subject requests.

If Provider receives a request directly from a data subject relating to Customer personal data, Provider may redirect the requester to Customer unless legally required to respond.

Taking into account the nature of the processing and information available to Provider, Provider will provide reasonable assistance with security obligations, personal data breach notifications, data protection impact assessments, prior consultations with supervisory authorities, and controller audit and accountability requirements.

Customer is responsible for determining whether a DPIA, prior consultation, or other assessment is required for Customer's intended use.

Provider will notify Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on Customer's behalf.

Where applicable data protection law requires a specific timing standard, Provider will use reasonable efforts to notify Customer within the period needed for Customer to meet its own legal obligations, including within 72 hours after awareness where that standard applies and the relevant information is reasonably available.

The notification will include information reasonably available to Provider to help Customer meet its legal obligations.

Unsuccessful access attempts, pings, scans, probes, or other events that do not compromise personal data are not personal data breaches.

Upon termination or expiry of the Service, Provider will delete or return personal data on Customer's reasonable request, unless retention is required or permitted for legal, accounting, compliance, security, backup, archival, or dispute-resolution purposes.

Backup copies may remain in ordinary backup systems until overwritten or deleted under Provider's normal backup cycles, subject to the confidentiality and security obligations in this DPA.

Slack-derived data may also be subject to Slack platform rules, workspace retention settings, Slack app deletion workflows, and the Agreement. OddGameMaker web app data may also be subject to web app account settings, project settings, available deletion or export workflows, browser or device storage behavior, and the Agreement.

Provider will make available information reasonably necessary to demonstrate compliance with this DPA.

Customer may request an audit no more than once in any twelve-month period unless required by a supervisory authority or following a confirmed personal data breach.

Audits must be conducted during normal business hours, with reasonable prior notice, in a manner that does not disrupt Provider's operations, compromise security, or expose confidential information of other customers or third parties.

Customer is responsible for audit costs unless the audit confirms a material breach by Provider.

This DPA remains in effect for as long as Provider processes personal data on Customer's behalf.

Provider's pilot security measures include, as applicable:

• access restricted to authorized personnel and contractors with a need to know;
• confidentiality obligations for personnel and contractors;
• Slack workspace and channel access controls and OddGameMaker account and project access controls;
• individual accounts where supported by relevant systems;
• multi-factor authentication where available and appropriate;
• encryption in transit and at rest where supported by relevant systems and providers;
• operational logging for security, support, troubleshooting, billing, and service operation;
• subprocessor and third-party service review appropriate for pilot operations;
• incident response and escalation procedures;
• backup, retention, and deletion practices appropriate for pilot operations;
• restrictions against submitting sensitive or regulated data without written approval.

Provider may use subprocessors and third-party services in the following categories:

• Slack / Salesforce group companies for Slack workspace, Slack Connect, bot, app, message, file, user, and metadata processing.
• Web application hosting, cloud hosting, compute, queue, storage, logging, monitoring, backup, CDN, and security providers for www.oddgamemaker.com and related Service interfaces.
• Hosted AI model, multimodal model, image generation, video generation, code generation, and media generation providers.
• Analytics, telemetry, product analytics, and error-monitoring providers.
• Customer support, ticketing, email, billing, accounting, document management, e-signature, and business operations providers.

The named list is maintained in Schedule 4 - Subprocessor List.