Draft: pending legal review. Not yet in effect.
This Data Processing Agreement (“DPA”) applies where Virsion processes personal data on behalf of a customer organization in the course of providing Gameheim Hub. It forms part of the agreement between the customer and Virsion.
1. Roles of the parties
For personal data that a customer organization puts into Gameheim Hub, the customer acts as the data controller and Virsion acts as the data processor. Virsion processes that data only on the customer’s documented instructions, of which this DPA and the Terms of Service form a part.
2. Subject matter and scope of processing
The processing covers the personal data the customer chooses to put into Gameheim Hub, for the duration of the customer’s subscription. Typically:
- Categories of data subjects: the customer’s team members and collaborators.
- Categories of data: names, usernames, email addresses, and content created in the product.
- Purpose: providing the Gameheim Hub service to the customer.
3. Obligations of Virsion as processor
Virsion will:
- process personal data only on the customer’s documented instructions;
- ensure that personnel authorised to process the data are bound by confidentiality;
- implement appropriate technical and organisational security measures;
- assist the customer, as far as reasonably possible, with data subject requests and with the customer’s own compliance obligations.
4. Sub-processors
The customer authorises Virsion to engage sub-processors to provide the service. Current sub-processors include Microsoft Azure (hosting) and [TBD: email/SMTP provider]. Virsion will inform customers of intended changes to its sub-processors and remains responsible for their performance.
5. Personal data breach
Virsion will notify the customer without undue delay after becoming aware of a personal data breach affecting the customer’s data, and will provide the information the customer reasonably needs to meet its own notification duties.
6. Data subject requests
Taking into account the nature of the processing, Virsion will assist the customer with appropriate measures to respond to requests from data subjects exercising their rights.
7. Security measures
Virsion maintains technical and organisational measures including encryption of sensitive data at rest, access controls, isolation between organizations, hardened authentication and audit logging. [TBD: attach a detailed security measures annex for legal review].
8. Audits
Virsion will make available to the customer the information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits as required by applicable law. [TBD: audit scope and procedure].
9. Return and deletion of data
On termination of the service, Virsion will, at the customer’s choice, delete or return the customer’s personal data, except where retention is required by law.
10. International transfers
Where personal data is transferred outside [TBD: EEA / Switzerland], the transfer is made under an appropriate safeguard such as Standard Contractual Clauses.
11. General
This DPA is governed by the law stated in the Terms of Service. In case of conflict on data protection matters, this DPA prevails over the Terms of Service. [TBD: liability, order of precedence and signature mechanism, to be set with legal review].
