Data Processing Addendum (Template)
Version 1.0 — Effective from the date of countersignature; see "Version history" at the end of this document.
This Data Processing Addendum ("DPA") forms part of the agreement between the Customer ("Controller") and Deadlock API Ltd. ("Processor", "we", "us"), with registered office at:
Registered office to be confirmed prior to commercial launch. Email [email protected] for the current registered address.
for the use of the Deadlock Live Events API (the "Service"). It governs the processing of Personal Data carried out by us on the Customer's behalf and gives effect to Articles 28 and 32 of Regulation (EU) 2016/679 ("GDPR") and, where applicable, the equivalent obligations under the UK GDPR and the United Kingdom Data Protection Act 2018 (together, "UK GDPR").
This file is a template; we execute and countersign the negotiated copy on request. Nothing here constitutes legal advice. DPA-related correspondence may be sent to [email protected] and data-protection queries to [email protected].
1. Definitions
Capitalised terms not defined here have the meaning given to them in the GDPR. "Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject", and "Processing" each carry their GDPR meanings. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
2. Roles and scope
The Customer is the Controller of the Personal Data described in Annex I. We act as Processor and process Personal Data only on the documented instructions of the Customer, the principal of which is the written agreement between the parties for the Service.
We are not a Controller of game-event data flowing through the Distribution Plane. Game events reference only public in-game identifiers and carry no Customer account data; they are not Personal Data within the meaning of the GDPR.
3. Subject matter, duration, nature, and purpose
The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex I.
4. Processor obligations
We will:
- process Personal Data only on documented instructions from the Customer, including with regard to transfers, unless required to do so by Union or Member State law to which we are subject; in such a case, we will inform the Customer of that legal requirement before processing, unless the law prohibits that notification on important grounds of public interest;
- ensure that personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 of the GDPR (see § 7 below);
- respect the conditions referred to in § 6 (Sub-processors);
- taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR;
- assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to us;
- at the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of the Service, and delete existing copies unless Union or Member State law requires storage of the Personal Data; and
- make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
5. Customer obligations
The Customer warrants that it has obtained, and will maintain throughout the term, all consents and notices required to lawfully transfer the Personal Data described in Annex I to us so that we may lawfully process it for the purposes set out in the agreement.
6. Sub-processors
The Customer grants us a general written authorisation to engage Sub-processors, on condition that:
- the current list of Sub-processors is published at our Sub-processor list;
- we notify the Customer at least thirty (30) days before any addition or replacement of a Sub-processor, giving the Customer the opportunity to object;
- where the Customer objects on reasonable grounds related to the protection of Personal Data, the Customer may terminate the affected Service for convenience without penalty;
- we impose, by contract, data-protection obligations on each Sub-processor that are no less protective than those imposed on us by this DPA; and
- we remain fully liable to the Customer for the performance of each Sub-processor's obligations.
7. Security of processing (Article 32)
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement the technical and organisational measures described in Annex II. These include, at minimum:
- encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
- segregation of database roles for the Management API and Worker fleet (api_user, worker_user) with least-privilege grants;
- isolation of the PostgreSQL instance in a private subnet with no public IP, with ingress restricted by identity (security-group reference) rather than network address;
- immutable audit logging of all access to systems containing Personal Data, retained for six (6) years for tax and dispute purposes (per Section 886 Taxes Consolidation Act 1997 and Section 84 VAT Act 2010) and then purged automatically;
- a documented breach notification procedure ensuring the seventy-two (72) hour reporting obligation under Article 33 GDPR can be met;
- regular review of Sub-processor security posture.
8. Personal data breach (Articles 33 – 34)
We will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed on the Customer's behalf, and in any event within seventy-two (72) hours of becoming aware, so that the Customer can meet its own notification deadline under Article 33. The notification will, to the extent possible at the time, describe the nature of the breach, its likely consequences, the measures taken or proposed to address it, and the contact point for further information.
9. Data Subject requests
Taking into account the nature of the processing, we will assist the Customer by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of the Customer's obligation to respond to requests by Data Subjects under Chapter III GDPR. Customer-account export and deletion are available through the documented data subject request workflow set out in our published Compliance & GDPR documentation.
10. International transfers
Where the processing of Personal Data under this DPA involves a transfer to a country outside the European Economic Area that is not covered by an adequacy decision of the European Commission, the parties agree that the Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference into this DPA and apply to the transfer.
For each such transfer:
- the Customer acts as data exporter and we act as data importer (Module 2 — Controller to Processor);
- where we transfer Personal Data onward to a Sub-processor outside the EEA, the appropriate module of the SCCs (Module 3 — Processor to Processor) applies between us and that Sub-processor;
- the optional docking clause in Clause 7 applies;
- the option in Clause 9(a) selected is option 2 (general written authorisation) and the time period referenced in Clause 9(a) is thirty (30) days;
- Clause 11(a)'s independent dispute resolution option is not selected;
- the governing law in Clause 17 is the law of Ireland;
- the competent supervisory authority for Clause 13 is the Data Protection Commission (Ireland);
- the courts in Clause 18(b) are the courts of Ireland.
For transfers to or from the United Kingdom, the parties further incorporate the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office, and the UK references in Tables 1 to 4 of that Addendum are completed using the particulars in Annex I.
The current Sub-processors and their transfer mechanisms are listed in our Sub-processor list.
11. Audits
The Customer may, no more than once per twelve (12) month period and on at least thirty (30) days' written notice, audit our compliance with this DPA. The Customer's audit right is satisfied in the first instance by the most recent third-party assurance reports we hold (e.g. SOC 2 Type II, ISO/IEC 27001) covering the systems used to provide the Service. On-site audits are reserved for cases where those reports do not address the Customer's specific concern.
12. Term and termination
This DPA enters into force on the same date as the underlying agreement and remains in force for as long as we process Personal Data on the Customer's behalf. On termination of the underlying agreement, the obligations in §§ 4(7), 7, 8, and 11 survive for as long as we hold any Personal Data of the Customer.
13. Order of precedence
In the event of a conflict between this DPA and the underlying agreement, this DPA prevails on matters of data protection. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
Annex I-A — List of parties
Data exporter (Controller) — the Customer.
- Name: as set out in the executed signature block of the underlying agreement.
- Address: the Customer's registered office as recorded in the underlying agreement.
- Contact person: the Customer's named billing or data-protection contact recorded in the underlying agreement.
- Activities relevant to the data transferred under these Clauses: receipt of authentication tokens and subscription records produced by the Service in order to consume Deadlock match events.
- Role: Controller.
- Signature and date: per the signature block of the underlying agreement.
Data importer (Processor) — Deadlock API Ltd.
- Name: Deadlock API Ltd.
- Address: Registered office to be confirmed prior to commercial launch. Email [email protected] for the current registered address.
- Contact person: Data Protection Officer, [email protected]. Legal correspondence: [email protected]. Security notifications: [email protected].
- Activities relevant to the data transferred under these Clauses: authenticating Customer requests, allocating match slots, minting Centrifugo connection JWTs, recording subscription audit entries, reporting metered usage to Stripe, and operating the Distribution Plane.
- Role: Processor.
- Signature and date: per our countersigned copy of the underlying agreement.
Annex I-B — Description of transfer
Categories of Data Subjects
- The Customer's authorised users of the Service (operator account holders, billing and technical contacts).
Categories of Personal Data
- Account identifiers: business email address, company name, VAT identifier where applicable.
- Authentication artefacts: API key hash (Argon2id), API key prefix fingerprint.
- Billing identifiers: Stripe customer ID, Stripe subscription ID, Stripe usage record IDs.
- Subscription audit log entries: timestamp, customer hash, match ID, granted scope, JWT subject claim, request IP.
- Operational telemetry: structured trace and metric attributes attached to API and Worker spans. Bodies of API requests and game payloads are never recorded; cardinality discipline forbids attributes (such as raw email or IP) that would re-identify a Data Subject in observability tooling.
Sensitive categories
- None. The Service does not process special categories of personal data within the meaning of Article 9 GDPR.
Frequency of transfer
- Continuous, for the duration of the underlying agreement.
Nature of processing
- Storage, retrieval, transmission, audit logging, billing, and deletion of the Personal Data above as required to deliver the Service.
Purpose of processing
- Performance of the contract between the Customer and us, including authentication, authorisation, metered billing, dispute resolution, fraud prevention, and statutory record retention.
Retention period
- For the term of the underlying agreement, then per the retention schedule in the Privacy Policy § 9, namely:
- account and billing records: duration of contract, then six (6) years from termination or invoice date for Irish accounting and tax records;
- subscription audit log: six (6) years from the audited event for tax and dispute purposes, then purged automatically;
- match-event channel history (Centrifugo): one hundred sixty-eight (168) hours from match start;
- operational telemetry (traces, metrics): thirty (30) day rolling window.
- Account data is deleted on documented data subject request, subject to any overriding legal-hold obligation.
Onward transfers to Sub-processors
- For the subject matter, nature, and duration of the processing, see Annex III. Each Sub-processor is bound by the obligations described in § 6 of this DPA.
Annex I-C — Competent supervisory authority
The competent supervisory authority for the data exporter, in accordance with Clause 13 of the SCCs, is the Data Protection Commission (Ireland), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland; www.dataprotection.ie.
Where the Customer is established outside the European Union but within the European Economic Area, the competent supervisory authority is the supervisory authority of the Customer's place of establishment in accordance with Clause 13(a)(ii) of the SCCs.
Annex II — Technical and organisational measures (Article 32)
The technical and organisational measures we implement to ensure a level of security appropriate to the risk include, at minimum, the following.
Encryption.
- Personal Data in transit is encrypted with TLS 1.2 or higher.
- Personal Data at rest is encrypted with AES-256 or equivalent on the cloud-host volumes used for the database, backups, and audit log.
- Secrets (API key material, signing keys, Stripe credentials, Centrifugo credentials, database passwords) are held in a managed secret store and injected at runtime; they are never committed to source control, never written to logs, and held in memory using redacted credential types.
Access control.
- Database roles are segregated by binary: api_user for the Management API and worker_user for the Worker fleet, each granted only the minimum privileges required (least-privilege grants).
- Personnel access to production systems is restricted to named individuals, gated by single sign-on with multi-factor authentication, and logged.
- Authentication artefacts are hashed with Argon2id; key prefixes alone are stored for diagnostic display.
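One way to realise the api_user / worker_user segregation above on PostgreSQL, given here as an added example and not as the Service's own schema or migrations. The table names, columns and the exact privilege split between the two binaries are assumptions for illustration; only the role names, the audit-log fields from Annex I-B, and the Argon2id-hash-plus-prefix key design come from this document. The final query is the check an operator would run before deploy.

```sql
-- Added example, not the Service's own schema or migrations.
-- Assumed tables, columns and privilege split; role names come from the DPA.

-- 1. Illustrative tables (assumed). Identity columns are used so that INSERT on
--    the table is sufficient; SERIAL columns would also need USAGE on a sequence.
CREATE TABLE api_keys (
    id            bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    customer_hash text        NOT NULL,
    key_prefix    text        NOT NULL,  -- short fingerprint, safe to display
    key_hash      text        NOT NULL,  -- Argon2id PHC string; the raw key is never stored
    revoked_at    timestamptz
);

CREATE TABLE match_slots (
    id            bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    match_id      text NOT NULL,
    customer_hash text NOT NULL,
    state         text NOT NULL DEFAULT 'allocated',
    worker_id     text
);

CREATE TABLE subscription_audit (    -- fields as listed in Annex I-B
    id            bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    at            timestamptz NOT NULL DEFAULT now(),
    customer_hash text NOT NULL,
    match_id      text NOT NULL,
    granted_scope text NOT NULL,
    jwt_sub       text NOT NULL,
    request_ip    inet NOT NULL
);

-- 2. Close the default door: PUBLIC may neither create in nor use the schema.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 3. One login role per binary: no superuser, no DDL, no row-level-security bypass.
--    Credentials are set separately from the secret store, never in this file.
CREATE ROLE api_user    LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;
CREATE ROLE worker_user LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOBYPASSRLS;
GRANT USAGE ON SCHEMA public TO api_user, worker_user;

-- 4. Management API: verifies key hashes, issues and revokes keys, allocates
--    slots, appends audit entries. Column-level UPDATE limits key edits to
--    revocation; the audit table is append-only for every application role.
GRANT SELECT, INSERT          ON api_keys           TO api_user;
GRANT UPDATE (revoked_at)     ON api_keys           TO api_user;
GRANT SELECT, INSERT, UPDATE  ON match_slots        TO api_user;
GRANT INSERT                  ON subscription_audit TO api_user;   -- no UPDATE, no DELETE

-- 5. Worker fleet: picks up slots and reports progress. It can only change the
--    two operational columns, and it never sees key material or the audit log.
GRANT SELECT                    ON match_slots TO worker_user;
GRANT UPDATE (state, worker_id) ON match_slots TO worker_user;

-- 6. Check, run as the table owner. Every column should come back false;
--    any true is a finding to fix before the roles go to production.
SELECT has_table_privilege('api_user',     'subscription_audit', 'UPDATE, DELETE')         AS api_rewrites_audit,
       has_table_privilege('worker_user',  'subscription_audit', 'INSERT, UPDATE, DELETE') AS worker_touches_audit,
       has_table_privilege('api_user',     'api_keys',           'DELETE')                 AS api_deletes_keys,
       has_table_privilege('worker_user',  'api_keys',           'SELECT')                 AS worker_reads_keys,
       has_column_privilege('worker_user', 'match_slots', 'customer_hash', 'UPDATE')       AS worker_rebinds_slot;
```

The check uses has_table_privilege for table-level grants and has_column_privilege for the column-level ones, because has_table_privilege does not report column grants; a CI step that runs this query against a freshly migrated database and fails on any true row catches privilege creep before it reaches production.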
Network and host isolation.
- The PostgreSQL instance is deployed in a private subnet with no public IP. Ingress is restricted by identity (security-group reference) rather than network address, so only the Management API and Worker fleet can reach it.
- Outbound traffic from production hosts is restricted to the endpoints of authorised Sub-processors (see Annex III).
- Production and non-production environments are isolated; non-production environments do not contain Customer Personal Data.
Logging and monitoring.
- Every access to systems containing Personal Data is recorded in an immutable audit log retained for six (6) years for tax and dispute purposes (per Section 886 Taxes Consolidation Act 1997 and Section 84 VAT Act 2010), then purged automatically.
- Structured tracing and metrics are emitted by both binaries with cardinality discipline that forbids identifiers (raw email, raw IP, customer ID) from being attached as attributes in observability tooling.
Software supply chain.
- Dependencies are pinned and reviewed for security advisories on every CI run.
- Production builds run a code-quality gate (formatting, lint at warning-as-error, full test suite) before deployment.
Incident response and breach notification.
- A documented breach-notification procedure ensures the seventy-two (72) hour reporting obligation under Article 33 GDPR can be met.
- Security contact: [email protected].
Business continuity and disaster recovery.
- The PostgreSQL instance is backed up continuously, with backups replicated to a second EU region. Recovery procedures are tested periodically.
- The Worker fleet is horizontally redundant: a malformed packet kills the active Worker so a peer takes over without operator intervention; in-flight matches are not abandoned on graceful shutdown.
Sub-processor governance.
- See § 6 and Annex III. We review each Sub-processor's security posture before engagement and on a periodic basis thereafter.
Annex III — Sub-processors
The current list of Sub-processors authorised to process Personal Data on the Customer's behalf — including each Sub-processor's name, registered address, processing purpose, categories of personal data, storage region, and international-transfer mechanism — is published at our Sub-processor list.
Version history
| Version | Effective date | Summary of changes |
|---|---|---|
| 1.0 | 2026-05-03 | Initial published template incorporating SCC Annexes. |
Last reviewed: 2026-05-03.
Request a signed copy: [email protected].