Data Processing Addendum for Customers
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Agreement under which Stash agrees to provide Customer with services, which includes the Order and the Stash Developer Terms and Conditions (“Developer Terms”) posted on our Site or separately negotiated with us. Our services and platform include, but are not limited to, our websites and subdomains, application programming interfaces, software development kits and tools for web shops, game launchers, managing payments for online purchases, analytics and reporting, fraud prevention, information security, sales tax compliance, customer support and any other solutions we provide (together, “Services”) to support our Customers’ relationship with and offerings to their end-users (“Consumers”). The Parties mutually represent and warrant that we each, respectively, have the right, power and authority to enter into this DPA and to perform our respective duties, obligations and covenants outlined in this DPA. References to "you" mean Customer and references to "we," "us" and "our" mean Stash within this DPA. Capitalized terms not defined in this DPA have the meaning given to them in the Developer Terms. To the extent that there is any conflict between this DPA, the Developer Terms, or any other part of the Agreement existing at the time when this DPA is agreed or entered into thereafter, this DPA shall prevail.
Definitions
The following definitions shall apply for this DPA:
“Consumer Personal Data” means the Personal Data relating to Data Subjects interacting with Customer Materials that Stash uses and further processes as Controller as set out in Section 2 below.
“Controller” means the natural or legal person who determines the purposes and means of the Processing of Personal Data. The term “Controller” also includes “Business” and analogous terms under Data Protection Laws.
“Customer Personal Data” means the Personal Data contained within Customer Materials available for use within the Service and processed by Stash strictly on behalf of the Customer in connection with the Agreement as set out in Section 3, with Customer acting as the Controller and Stash as the Processor.
“Game Usage Data” means Customer Personal Data collected by Customer and provided or otherwise made available by Customer to Stash as it relates to a Data Subject’s activities on a Customer Site, including Customer Site login details and in-game information such as player attributes (level/experience points/skills), in-game transactions, history, item inventory, user profile and segmentation data.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data, including, but not limited to: i) the General Data Protection Regulation (EU) 2016/679 and any applicable implementations thereof into national law, (“EU GDPR”); ii) the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”); iii) the Swiss Federal Data Protection Act (“FDPA”); and iv) federal or state data protection or privacy laws and regulations in the United States, including but not limited to, the California Consumer Privacy Act (“CCPA”), including as amended by the California Privacy Rights Act of 2020 (“CPRA”). Unless otherwise stated, “GDPR” means both the EU GDPR and the UK GDPR.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates. The term “Data Subject” includes “Consumer,” “Household” and analogous terms under Data Protection Laws.
“Data Subject Request” means requests from Data Subjects to exercise their rights under Data Protection Laws.
“Personal Data” means information defined as personal data, personal information, or analogous terms under Data Protection Laws.
“Process”, “Processes”, “Processed” or “Processing” means any operation or set of operations performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the natural or legal person that Processes Personal Data on behalf of the Controller. The term “Processor” includes “Service Provider” and analogous terms as defined under Data Protection Laws.
“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, Personal Data transmitted, stored or otherwise Processed.
“Stash Account User Data” means any Personal Data that Stash directly collects and further Processes about a Data Subject as a Controller or otherwise outside the instruction of Customer, pursuant to Stash’s Terms of Use and Privacy Policy.
“Stash Usage Data” means Consumer Personal Data collected and further Processed by Stash in connection with a Data Subject’s use of the Services and related systems and technologies, including but not limited to information regarding an end-user’s device, activity, preferences, operating system and browser information, time zone, location, usernames and purchases or orders made, interests, feedback, survey responses and operational data.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for Controller-to-Controller transfers ("C-to-C Transfer Clauses") and Controller-to-Processor transfers ("C-to-P Transfer Clauses") to third countries as annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, a copy of which is available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN.
“Transfer Clauses” means the SCCs and the UK Addendum to the extent Personal Data transferred under this DPA originates from the United Kingdom.
“Subprocessor” means any third party engaged by Stash, in its capacity as Processor, to carry out specific Processing activities on behalf of a Customer acting as the Controller for such Processing activities.
“UK Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018, in force as of 21 March 2022.
1. General
1.1. Each Party undertakes to comply with Data Protection Laws and will not knowingly cause the other to breach Data Protection Laws.
1.2. The following is outside the scope of Processing under the Agreement, including this DPA: any user data that is anonymous, de-identified or aggregated, which Stash may use, without limitation, for purposes including research and marketing, to provide technical support and to further develop and improve the Services.
1.3. For the purposes of Data Protection Laws, Stash: i) Processes Consumer Personal Data as a Controller (not a joint controller) for the purposes set out in Section 2; and ii) Processes Customer Personal Data as a Processor for the purposes set out in Section 3.
2. Controller Responsibilities of Stash
2.1. Stash as Controller. Stash collects and further Processes Personal Data, including, but not limited to, Stash Account User Data and Stash Usage Data, as a Controller for the following purposes in accordance with the Stash Privacy Policy and with Data Protection Laws: i) facilitating and enabling online financial transactions and Sales Activity through its Services; ii) providing, operating, maintaining and monitoring the performance of any type of Stash account and the Services; iii) detecting, investigating and preventing fraud and other illegal or unwanted activities in the context of the Services; iv) maintaining the security of Personal Data and the Services and ensuring business continuity; v) communicating with Customers and Consumers according to their preferences; vi) creating and disclosing insights to Customer and other users of the Services in connection with each’s respective use of the Services; vii) informing Stash’s business strategy, such as marketing our business, improving the Services and developing new products and offerings; and viii) enforcing our agreements, complying with legal and regulatory obligations and handling legal claims and disputes.
3. Processor Responsibilities of Stash
3.1. Limited Scope of Processing. Stash will only Process Customer Personal Data in accordance with the Agreement and documented instructions received from Customer. If Stash is required by law to Process Customer Personal Data otherwise than as instructed by Customer, it will inform Customer of that legal requirement prior to such Processing, unless the law prohibits this on important grounds of public interest. Customer may also give subsequent instructions to Stash throughout the duration of this DPA. Customer shall always document such instructions. Stash will inform Customer if, in its opinion, instructions given by Customer infringe Data Protection Laws.
3.2. Details of Customer Personal Data Processed by Stash as Processor.
- Subject matter, nature and purpose. Stash Processes Customer Personal Data to facilitate and enable an e-commerce experience for Sales Activities between Customers and their end-users through its Services as set out in the Agreement.
- Duration. The term of the Agreement and any additional period specified by Customer or as otherwise agreed in writing between Parties.
- Types of Customer Personal Data. Customer Materials and Game Usage Data.
- The Categories of Data Subjects. Data Subjects who purchase Customer Content through Stash’s Services or interact with the Services.
3.3. Assistance to Customer. If Stash receives a Data Subject Request, Stash shall: i) advise the Data Subject to submit the request to Customer directly; ii) promptly notify Customer of the request; and iii) assist Customer in fulfilling its obligations to respond to Data Subject Requests, taking into account the nature of the processing. If Customer requires assistance from Stash in responding to a Data Subject Request, Customer must provide all necessary details to enable Stash to reasonably assist Customer upon written request. Stash shall provide reasonable assistance to Customer to ensure compliance with its obligations pursuant to Data Protection Laws considering the nature of Processing and the information available to Stash. Customer shall be responsible for all reasonable costs and fees incurred by Stash in connection with any assistance provided by Stash pursuant to this Section 3.3.
3.4. Audits. Upon Customer's written request, Stash shall make available to Customer relevant information that is not otherwise in Customer’s possession to demonstrate compliance with Stash’s obligations when acting as Processor on behalf of Customer as set out in this Section 3, and shall allow for and contribute to audits, including on-site inspections, by Customer or its designated auditor, provided that:
- Customer or its designated auditor conducting the audit on behalf of Customer gives advance notice of 60 days to Stash;
- before the commencement of any audit, Customer and Stash shall mutually agree on the scope, timing, duration, control and evidence requirements;
- the audit shall be conducted without unreasonable interference with Stash’s business activities, during regular business hours, and subject to Stash’s (or any applicable Subprocessor’s) reasonable security policies and confidentiality procedures;
- Stash shall not, except as required by law, be required to provide: i) access to its premises; ii) any information to any individual without reasonable evidence of that individual’s identity and authority; iii) access to any information relating to Stash’s other customers or to Stash’s systems or facilities not involved in the Services provided to Customer; or iv) assistance with more than one audit in any three (3) calendar year period unless an additional audit is required by applicable law.
Before carrying out an audit, Customer shall first request the necessary information from Stash on the basis of this Section 3.4. The audit shall only occur if Customer, even after Stash has answered the request for information referred to in this Section 3.4, has reasonable doubts about the performance of the obligations by Stash under Section 3, or if Customer is legally required to carry out an audit based on a statutory duty or an order by a supervisory authority. All costs and fees in connection with any audit shall be borne by Customer (both Customer’s own costs and Stash’s costs), including all reasonable costs and fees incurred by Stash in connection with any audit.
3.5. Subprocessors. Customer hereby provides general authorization to Stash for the engagement of the Subprocessors from the agreed list. Stash agrees to: i) enter into a written agreement with Subprocessors that imposes on such Subprocessors data protection requirements for Customer Personal Data that are consistent with the obligations imposed on Stash in this DPA; and ii) remain responsible to Customer for the Subprocessors’ failure to perform their obligations, to the extent required by applicable Data Protection Laws.
3.6. Objection. Upon Customer's request, Stash shall make available to Customer an up-to-date list of the Subprocessors it has appointed as of the date of this DPA (“Current Subprocessors”). Customer will be given the opportunity to object to the engagement of new Subprocessors (“Replacement Subprocessors”) on reasonable grounds relating to the protection of Personal Data within 30 days of Stash notifying Customer of the engagement. If Customer notifies Stash of an objection with sufficient details to support it, Stash will discuss Customer’s concerns in good faith to achieve a commercially reasonable resolution. If no such resolution is feasible, Stash will, at its sole discretion, either not appoint the Replacement Subprocessor, or permit Customer to terminate the Services in accordance with the Agreement. If Customer chooses to terminate this DPA based on an objection to a Replacement Subprocessor, nothing in this provision shall relieve Customer from any payment and/or repayment obligations to Stash under the Agreement. Customer’s sole and exclusive remedy is the right to terminate the Platform Account and Agreement. These termination rights apply only to objections to Replacement Subprocessors that are not remedied in accordance with these terms and shall not apply in relation to Current Subprocessors.
3.7. Deletion of Customer Personal Data. At Customer’s written direction, Stash will, at Customer's election, return Customer Personal Data to Customer or delete or destroy it at the end of the provision of the Services, unless retention of the Personal Data is required by law. Stash will make a copy of such Customer Personal Data reasonably available to Customer for a period of ninety (90) days following termination of the Agreement or expiration of the Term. After this ninety (90) day period, Stash will delete all Customer Personal Data (excluding any back-up or archival copies, which shall be deleted in accordance with Stash’s data retention schedule), unless Stash is required to retain copies under applicable laws, in which case Stash will isolate that Customer Personal Data from any further Processing.
3.8. Authorized Users. Notwithstanding any contrary provision in this DPA, for the Processing of Personal Data of Customer’s employees and staff (“Authorized Users”), Stash acts as a Controller and Processes that Personal Data for the purpose of assisting Customer.
4. International Data Transfers
4.1. If a Party transfers Personal Data from the European Economic Area (“EEA”), Switzerland or the UK to the other Party that is established in a territory outside of the EEA, UK, or Switzerland that has not been the subject of a finding of an adequate level of protection under Data Protection Laws, and no other transfer mechanism or derogation under Data Protection Laws can be relied upon, the Parties agree to comply with and enter into the Transfer Clauses as appropriate to the role of the Parties transferring Personal Data (e.g. as a Controller or Processor), which are incorporated by reference into and form an integral part of this DPA, as follows: i) the Parties agree to observe the terms of the Transfer Clauses without modification, unless stated otherwise in this DPA; ii) the names and addresses of the Parties shall be considered to be incorporated into the Transfer Clauses; iii) Sections 3.1 and 3.2 shall together serve as Annex 1 to the Transfer Clauses, and Annex A shall serve as Annex 2 to the Transfer Clauses; iv) the governing law and forum in clauses 17 and 18 of the SCCs shall be the law and courts of the EU Member State where Customer is established; v) Stash may appoint Subprocessors under the SCCs as set out in Section 3; vi) each Party’s signature to the Agreement shall be considered as signature to the Transfer Clauses, and, if required by a supervisory authority or by Data Protection Laws, the Parties will cooperate and sign the Transfer Clauses separately; and vii) if any provision of this DPA is inconsistent with any terms in the SCCs or UK Addendum, the SCCs or UK Addendum will prevail as appropriate. The terms of this DPA shall not vary the SCCs in any way.
4.2. To the extent that Customer Personal Data is transferred from the UK, the SCCs shall apply in accordance with Section 4.1, but as modified and interpreted by Part 2 of the mandatory clauses of the UK Addendum.
4.3. To the extent that Personal Data is transferred from Switzerland, the SCCs shall be amended and subject to the following additional provisions, where “FDPIC” means the Swiss Federal Data Protection and Information Commissioner: i) references to the GDPR are to be interpreted as references to the FDPA; ii) references to “Union”, “EU”, and “EU Member State” shall be interpreted to mean Switzerland; iii) the FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FDPA; iv) clause 17 is replaced to state: “These Clauses are governed by the laws of Switzerland”; v) clause 18 is replaced to state: “Any dispute arising from these Clauses relating to the FDPA shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The parties agree to submit themselves to the jurisdiction of such courts”.
5. Security
5.1. Technical and Organizational Security Measures. The Parties shall implement appropriate technical and organizational security measures to ensure a level of security in relation to Personal Data appropriate to the risks that are presented by the Processing and the nature of the Personal Data to be protected, and will at a minimum implement the measures described in Annex A. The Parties shall grant access to Personal Data to members of their personnel only to the extent necessary for implementing, managing and monitoring the Agreement, and shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.2. Security Incidents. If Stash, in its role as Processor, becomes aware of a Security Incident that relates to Customer Personal Data, Stash will provide written notice without undue delay and within the time frame and in the manner required under Data Protection Laws. If Customer becomes aware of a Security Incident that relates to Customer Personal Data Processed by Stash or to Personal Data provided or otherwise made available to Customer by Stash, Customer shall notify Stash in writing without undue delay. Customer shall provide Stash with relevant information regarding the Security Incident to enable Stash to comply with its obligations under Data Protection Laws and to investigate and, where appropriate, remedy the Security Incident.
6. Customer Responsibilities
6.1. Compliance with Data Protection Laws. Customer is responsible for compliance with its obligations under Data Protection Laws. Customer warrants, acknowledges and agrees that it is solely responsible for: i) the accuracy, quality, and legality of Customer Materials and the means by which Customer acquired Customer Personal Data; and ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes) and providing, within the Customer Site or otherwise, notices allowing Customer to legitimately disclose Personal Data to Stash and allowing Stash to Process Customer Personal Data in accordance with the Agreement. Customer warrants that Stash’s Processing of Customer Personal Data as Processor in accordance with the Agreement will not render Stash in breach of Data Protection Laws.
6.2. Customer shall: i) inform Stash, in writing, as soon as is reasonably practicable if it becomes aware that Customer Personal Data requires to be corrected or updated; ii) provide Stash with any reasonable assistance Stash requires to comply with its obligations under Data Protection Laws, and not perform its obligations under the Agreement in such a way as to cause Stash to breach any of its obligations under Data Protection Laws; and iii) inform Stash immediately if it becomes aware of any fact or event (including any change in the law) which is likely to have a substantial adverse impact on the warranties and undertakings in this Agreement.
7. General Provisions
7.1. Conflicts and Severability. In the event of any conflict or inconsistency between this DPA and any data privacy provisions set out in the Agreement, the Parties agree that the terms of this DPA shall prevail. However, if Customer and Stash have individually negotiated data processing terms that meet the requirements of applicable Data Protection Laws in their entirety, those negotiated terms shall supersede this DPA. If one or more provisions of the applicable DPA between you and us are held or declared to be invalid, unlawful or unenforceable by a competent authority or court, the remainder of this DPA shall remain valid and such invalidity, unlawfulness or unenforceability shall have no effect on the other provisions and conditions of this DPA to the maximum extent permitted by law. The provision or condition affected shall be construed either: i) to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the Parties' intentions; or ii) if that is not possible as if the invalid, unlawful or unenforceable part had never been contained in this DPA.
7.2. Modification. This DPA may not be modified except by a subsequent written instrument signed by both parties. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected. By continuing to use the Services after the effective date of any modification to this DPA, Customer agrees to be bound by the modified DPA. The Parties acknowledge and agree that the mere issuing of amendments and modifications to the Data Protection Laws and Transfer Clauses shall not grant either Party the unilateral right to terminate any part of this DPA.
7.3. Governing Law and Jurisdiction. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions set forth in the Agreement, unless otherwise required by Data Protection Laws.
7.4. Remedies. Notwithstanding anything to the contrary in the Agreement, including this DPA, Stash and its Affiliates will not be liable for any claim made by a Data Subject arising from or related to Stash’s acts or omissions to the extent that Stash was acting in accordance with Customer’s instructions. In no event will either Party’s liability be limited with respect to any individual’s data protection rights under this DPA (including any other DPAs between the Parties and the Transfer Clauses, where applicable) or otherwise.
Annex A: Technical and Organizational Security Measures
The Parties agree to implement the following security measures for all Personal Data Processed in relation to the Services under an Order. All capitalized terms not otherwise defined herein will have the meanings set forth in the Agreement. Stash and Customer both agree to implement and maintain the following technical and organizational security controls:
- Appropriate organizational, technical and administrative controls for all Personal Data that we Process.
- Logical access security software, infrastructure and architecture over protected information assets to protect them from security events.
- Prior to issuing system credentials and granting system access, register and authorize new internal and external users and remove user system credentials when user access is no longer authorized.
- Encrypt or pseudonymize Personal Data where possible to protect the Personal Data processed, and where encryption or pseudonymization are not possible, implement alternative, equivalent controls to protect the Personal Data.
- Restrict access to all Personal Data to only those employees, Processors or Subprocessors who need to know or access the data.
- Restrict physical access to our facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel.
- Provide logical access security measures to protect against threats from sources outside their system boundaries.
- Restrict the transmission, movement and removal of information to authorized internal and external users and processes, and protect it during transmission, movement, or removal.
- Create controls to prevent or detect and act upon introducing unauthorized or malicious software.
- Monitor system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting our ability to meet our objectives; anomalies are analyzed to determine whether they represent security events.
- Respond to Security Incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents as appropriate.
- Identify, develop, and implement activities to recover from identified Security Incidents.
- Assess and manage risks associated with our vendors and business partners and execute required agreements and data transfer provisions where required by applicable law.
- Delete or destroy data in accordance with our internal records retention policies or as soon as it is no longer needed for business purposes.
- Require Processors and Subprocessors to implement security measures at least as strictly as provided in this Annex.