跳到主要内容

Data Processing Agreement

This data processing agreement (the “Agreement”) is an annex to and forms part of the Service Agreement between the customer (as identified in the Service Agreement, the “Customer”) and Proxima Beta Pte. Ltd. (“SmartLink”), each, a “Party,” and together, the “Parties.” This Agreement incorporates the terms and conditions set out in the Schedules attached hereto.

In the event of any conflicts between this Agreement and the Service Agreement, this Agreement will govern to the extent of the conflict.

Customer has appointed SmartLink to provide services to Customer and the Parties acknowledge that, for purposes of Applicable Data Protection Laws, Customer is the “controller,” “business” or any other similar term and SmartLink is the “service provider,” “processor,” “contractor” or similar term, each as provided for under the Applicable Data Protection Laws. As a result of it providing such services to Customer, SmartLink will store and Process certain Personal Data of the Customer, in each case as described in further detail in Schedule 2 (Description of Transfers).

SCHEDULE1

Standard Terms For Processing Agreement

BACKGROUND:

Customer wishes to appoint SmartLink to Process Personal Data, as further described in Schedule 2 (Description of Transfers).

The Agreement is being put in place to ensure SmartLink Processes Customer’s Personal Data on Customer’s instructions and in compliance with the Applicable Data Protection Laws (as defined below).

1. Definitions

1.1 For the purposes of this Agreement, the following expressions bear the following meanings, unless the context otherwise requires:

Applicable Data Protection Laws” means (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation, as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the DPA, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”); and (e) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above, or which otherwise relates to data protection, privacy or the use of personal data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;

Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, as described in Schedule 5, in each case as amended, updated or replaced from time to time;

Business”, “Data Controller”, “Data Processor”, “Data Subject”, “Selling”, “Service Provider” and “Sharing” shall have the meaning given to these terms or equivalent concepts in the relevant Applicable Data Protection Laws;

Lawful Export Measure” means a method allowing for the lawful transfer of Personal Data from a data exporter to a data importer, as may be stipulated by Applicable Data Protection Laws or a Regulator from time to time, which may include (depending upon the applicable laws) model transfer terms prescribed by Applicable Data Protection Laws; or prior registration, licensing or permission from a Regulator;

Personal Data” shall have the meaning given to “personal data” and “personal information” and other similar terms in the relevant Applicable Data Protection Laws;

Process”, “Processed” or “Processing” shall have the meaning given to this term or equivalent concept in the relevant Applicable Data Protection Laws;

Processor to Processor Clauses” means, as relevant, (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time;

Regulator” means a data protection supervisory authority which has jurisdiction over Customer’s Processing of Personal Data;

"Service Agreement” means the SmartLink Terms and Conditions available at https://docs.smartlink.intlgame.com/legal/terms, as amended from time to time;

Services” means the services provided by SmartLink to Customer; and

Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country or territory outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries or territories approved as providing adequate protection for Personal Data by the European Commission from time to time; (ii) in relation to Personal Data transfers subject to the UK GDPR, any country or territory outside of the scope of the data protection laws of the UK, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time; and (iv) in relation to Personal Data transfers from any other jurisdiction, any country or territory other than those approved as providing adequate protection for Personal Data by the relevant competent authority of such jurisdiction from time to time.

2. Conditions of Processing

2.1 This Agreement governs the terms under which SmartLink is required to Process Personal Data on behalf of Customer when providing the Services.

3. SmartLink’s Obligations

3.1 SmartLink shall only Process Personal Data on behalf of Customer and in accordance with, and for the limited and specific purposes set out in the documented instructions received from Customer unless required to Process, and/or restricted from Processing, such Personal Data by applicable law to which SmartLink is subject; in each case, SmartLink shall inform Customer of that legal requirement without undue delay, unless that law prohibits such information on important grounds of public interest.

3.2 SmartLink shall notify Customer if SmartLink makes a determination that it can no longer meet its obligations under the CCPA. SmartLink shall grant Customer the right to take reasonable and appropriate steps to help ensure that SmartLink uses the Personal Data in a manner consistent with Customer’s obligations under the CCPA and stop and remediate any unauthorized use of the Personal Data.

3.3 SmartLink shall implement appropriate technical and organisational measures designated to provide a level of security appropriate to the risk, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the Processing as set out in Schedule 3, or otherwise agreed and documented between Customer and SmartLink from time to time. The allocation as set out in Schedule 3 establishes the responsibilities between the Parties to this Agreement to implement such measures.

3.4 SmartLink shall, without undue delay, notify Customer about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data belonging to Customer (with further information about the breach provided in phases as more details become available).

3.5 SmartLink shall, upon reasonable written request from Customer, from time to time (but no more than once annually), provide Customer with such documentation in its possession as is reasonably necessary to demonstrate compliance with the obligations laid down in this Agreement. SmartLink shall allow, and cooperate with, reasonable annual assessments by Customer, or Customer’s designated auditor, of SmartLink’s compliance with its obligations under Applicable Data Protection Laws. Alternatively, SmartLink may arrange for a qualified and independent auditor to conduct, no more than once annually at Customer’s expense, an assessment of SmartLink’s policies and technical and organisational measures in support of its obligations under Applicable Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. SmartLink shall provide a report of such assessment to Customer upon reasonable request.

3.6 Where:

  • (i) a Data Subject exercises his or her rights under the Applicable Data Protection Laws in respect of Personal Data Processed by SmartLink on behalf of Customer (such as rights to rectification, erasure, blocking, access, objection, restriction of processing, data portability and the right not to be subject to automated decision-making);

  • (ii) Customer is required to deal or comply with any assessment, enquiry, notice or investigation by the Regulator; or

  • (iii) Customer is required under the Applicable Data Protection Laws to carry out a mandatory data protection impact assessment or consult with the Regulator prior to Processing Personal Data entrusted to SmartLink under this Agreement,

then upon Customer’s reasonable request to SmartLink, SmartLink will provide reasonable assistance to Customer to enable Customer to comply with obligations which arise as a result thereof.

3.7 When SmartLink Processes Personal Data in the United States, SmartLink is expressly prohibited from:

  • (i) Selling the Personal Data;

  • (ii) Sharing the Personal Data for cross-context behavioural advertising purposes;

  • (iii) retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the services that are to be provided to Customer;

  • (iv) retaining, using or disclosing the Personal Data outside of the direct business relationship between SmartLink and Customer; or

  • (v) combining the Personal Data received from Customer with any Personal Data that may be collected from SmartLink’s separate interactions with the individual(s) (if applicable) to whom the Personal Data relates to or from any other sources.

3.8 To the extent SmartLink Processes Personal Data in a Third Country, and it is acting as data importer, SmartLink shall:

  • (i) in respect of the Processing of Personal Data in a Third Country that is not subject to the GDPR or UK GDPR, and to the extent required by Applicable Data Protection Laws, ensure such transfer is carried out using a Lawful Export Measure. To the extent such Lawful Export Measure requires (a) a contract imposing appropriate safeguards on the transfer and processing of such Personal Data (which is not otherwise satisfied by this Agreement); (b) a description of the Processing of Personal Data contemplated under this Agreement; and (c) a description of technical and organisational measures to be implemented by the data importer, the Parties agree that the Controller to Processor Clauses, the description of processing activities set out in Schedule 2 (Description of Transfers) and the description of technical and organisational measures set out in Schedule 3 (Technical and Organisational Security Measures), shall apply mutatis mutandis for the benefit of such transfer, and in relation to any onward transfer of the Personal Data by that data importer to another person, the other person shall comply with the same importer obligations, mutatis mutandis;

  • (ii)in respect of the Processing of Personal Data in a Third Country that is subject to the GDPR or UK GDPR, comply with the data importer’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this Agreement; Customer will comply with the data exporter’s obligations in such Controller to Processor Clauses; and:

    • (A) for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, the Parties and Processing details set out in Schedule 2 (Description of Transfers) shall apply, and the Start Date is the effective date of the Agreement, and the signature(s) (in any form) given in connection with the execution of this Agreement by a Party and the date(s) of such signature(s) shall apply as the dated signature required from that Party;
    • (B) if applicable, for the purposes of Part 1 of such Controller to Processor Clauses, the relevant Addendum EU SCCs (as such term is defined in the applicable Controller to Processor Clauses) are the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 2), as incorporated into this Agreement by virtue of this Clause 3.7;
    • (C) for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the technical and organisational security measures set out in Schedule 3 (Technical and Organisational Security Measures) shall apply; and
    • (D) if applicable, for the purposes of: (i) Clause 9 of such Controller to Processor Clauses, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Clause 6.2 shall apply; (ii) Clause 11(a) of such Controller to Processor Clauses, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the authority identified by Customer as its competent supervisory; (iv) Clause 17, Option 2 is deemed to be selected and the governing law shall be separately agreed between the Parties; (v) Clause 18, the competent courts shall be the competent courts of the Netherlands; (vi) Part 1 of such Controller to Processor Clauses, SmartLink, as Importer may terminate the Controller to Processor Clauses pursuant to Section 19 of such Controller to Processor Clauses.

3.9 Customer acknowledges and agrees that SmartLink may appoint an affiliate or a third-party subcontractor to Process Customer’s Personal Data in a Third Country, in which case, SmartLink shall, to the extent required under Applicable Data Protection Laws, execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer.

4. Customer’s Obligations

4.1 Customer represents, warrants and undertakes that: (i) the legislation applicable to it does not prevent SmartLink from fulfilling the instructions received from Customer and performing SmartLink’s obligations under this Agreement; and (ii) it has complied, and continues to comply, with the Applicable Data Protection Laws, in particular, that it has obtained any necessary consents and given any necessary notices, and otherwise has a legitimate ground to disclose the data to SmartLink and enable the Processing of the Personal Data by SmartLink, as set out in this Agreement.

4.2 Customer is solely liable for its compliance with (i) Applicable Data Protection Laws and (ii) any rules, terms, requirements or guidelines of third-party services and platforms (including but not limited to any services or platforms that Customer gathers, processes, or transfers data from and/or that SmartLink processes or receives data from upon the direction or instruction of Customer), in its use of the Services.

4.3 Customer agrees that it will indemnify and hold harmless SmartLink on demand from and against all claims, liabilities, costs, expenses, loss, or damage (including consequential losses, loss of profit and loss of reputation, and all interest, penalties and legal and other professional costs and expenses) incurred by SmartLink arising directly or indirectly from a breach of Applicable Data Protection Laws or this Agreement.

5. Changes in Applicable Data Protection Laws

5.1 The Parties agree to negotiate in good faith modifications to this Agreement if changes are required for SmartLink to continue to process the Personal Data, as contemplated by this Agreement in compliance with the Applicable Data Protection Laws, or to address the legal interpretation of the Applicable Data Protection Laws, including: (i) to comply with the GDPR or any national legislation implementing it, or the UK General Data Protection Regulation or the DPA, and any guidance on the interpretation of any of their respective provisions; (ii) if the Controller to Processor Clauses or the Processor to Processor Clauses, or any other mechanisms or findings of adequacy, are invalidated or amended; (iii) if changes to the membership status of a country in the European Union or the EEA require such modification.

6. Sub-Contracting

6.1 Customer hereby grants SmartLink general written authorisation to engage, and consents to the use of the subcontractor(s) in Schedule 4 (Authorised Subcontractors), for the purposes further described in Schedule 4 (Authorised Subcontractors), and subject to this Clause 6.

6.2 If SmartLink appoints a new subcontractor or intends to make any changes concerning the addition or replacement of the subcontractors set out in Schedule 4 (Authorised Subcontractors), it shall provide Customer with twenty (20) business days’ prior written notice, which may be fulfilled by posting an updated list of sub-processors on this page, during which Customer can object against the appointment or replacement. If Customer does not object, SmartLink may proceed with the appointment or replacement.

6.3 SmartLink shall ensure it has a written agreement in place with all subcontractors which contains obligations on the subcontractor that are no less onerous on the relevant subcontractor than the obligations on SmartLink under this Agreement.

7. Confidentiality

7.1 Each Party (the “Recipient”) undertakes to the other Party (the “Discloser”) to:

  • (i) hold all Personal Data of the Discloser which it obtains in relation to this Agreement, in strict confidence; and

  • (ii) ensure that employees, agents, officers, consultants, sub-processors, subcontractors, and advisers authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.2 The obligation in Clause 7.1 will not apply to a disclosure of Personal Data that is:

  • (i) required by any law or regulation of any country with jurisdiction over the affairs of SmartLink; and

  • (ii) required by any order of any court of competent jurisdiction.

7.3 The obligation in Clause 7.1 shall apply to the provision by SmartLink to Customer of any document or information that states a Party’s approach to security.

8. Termination

8.1 Termination of this Agreement shall be governed by the Service Agreement governing Customer’s use of the Services.

9. Consequences of Termination

9.1 Upon termination of this Agreement in accordance with Clause 8 (Termination), SmartLink shall:

  • (i) destroy all Personal Data it has Processed on behalf of Customer after the end of the provision of services relating to the Processing, and destroy all copies of the Personal Data, unless it will violate any applicable law; and

  • (ii) cease Processing Personal Data on behalf of Customer.

10. Law and Jurisdiction

10.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the governing law of the Service Agreement.

10.2 Any dispute shall be referred to, and finally resolved by, the dispute resolution process and forum specified in the Service Agreement

SCHEDULE2

Description of Transfers

A. LIST OF PARTIES

Data exporter(s) – Data Controller:

  • Name: Customer

  • Address: As specified by Customer at registration to the Services and/or in the admin console on the Services (as applicable).

  • Contact person’s name, position and contact details: As specified by Customer at registration to the Services and/or in the admin console on the Services (as applicable).

  • Activities relevant to the data transferred under these Clauses: As specified by Customer at registration to the Services and/or in the admin console on the Services (as applicable).

  • Role (controller/processor): Controller

Data importer(s) – Data Processor:

  • Name: SmartLink

  • Address:
    10 Anson Road, #21-07, International Plaza
    079903
    Singapore
    Contact person’s name, position and contact details:
    International Privacy & Data Protection Centre
    dpo_smartlink@proximabeta.com

  • Activities relevant to the data transferred under these Clauses: Processing of data for the provision, security and monitoring of the Services.

  • Role (controller/processor): Processor

B. PROCESSING DETAILS / DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is processed / transferred

End users of products published and/or developed by Customer.

Categories of personal data processed / transferred

  • Player segmentation data, including email address, Open ID, and any Customer-defined fields/data;

  • Marketing data, including email address and subscription status;

  • Performance analysis data, including:

    • email address,
    • email events (such as send, reject, bounce, complaint, delivery delay, delivered, subscribe, unsubscribe, open, click, and event time), and
    • in-game data, including registration information (such as registration time, Open ID, country, language, and email address), login information (such as login time, Open ID, country, language, and level), and purchase information (such as payment time, Open ID, billing ID, and payment amount); and

  • Any other Personal Data submitted to the Services by (or at the direction of) Customer or its end users within the scope of this Agreement or derived from that data through the Customer’s or its end users’ use of the Services.

Sensitive data processed / transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous basis.

Nature of the processing

Processing in connection with the Services.

Purpose(s) of the data processing / data transfer and further processing

Data is transferred and processed to provide, secure and monitor the Services.

Duration of the processing / the period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the duration of Customer’s use of Services and until deletion of all Customer’s Personal Data, or as otherwise instructed by Customer.

For processing by / transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

As above.

C. COMPETENT SUPERVISORY AUTHORITY

The authority identified by the data exporter (Customer) as its competent supervisory authority.

SCHEDULE3

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

For transfers to (sub-)processors, also describe the specific technical and organisational measures to be taken by the (sub-)processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

  • Data anonymisation where appropriate;

  • Active backup disaster recovery and regular backups;

  • Database can only be accessed via intranet server;

  • Data transfer is secured with HTTPS protocol;

  • Access to servers is secured with a firewall;

  • Other measures described in this Agreement.

SCHEDULE4

AUTHORISED SUBCONTRACTORS

SubcontractorsProcessing ActivityLocation
Google Cloud Platform and its subprocessors as listed on its website (currently posted at https://cloud.google.com/terms/subprocessors)Cloud storageGermany
Amazon Web Services and its subprocessors as listed on its website (currently posted at https://aws.amazon.com/compliance/sub-processors/)Cloud email servicesSingapore and the United States

SCHEDULE5

INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES

This Addendum has been issued by the UK Information Commissioner’s Office for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Table 1: Parties

Start dateSee effective date of the Agreement
The PartiesExporter (who sends the Restricted Transfer)Importer (who receives the Restricted Transfer)
Parties’ detailsSee the Agreement
Key ContactSee the Agreement

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCsThe standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 2)

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties:See the Agreement
Annex 1B: Description of Transfer:See Schedule 2 to the Agreement
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:See Schedule 3 to the Agreement
Annex III: List of Sub processors (Modules 2 and 3 only):See Schedule 4 to the Agreement

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changesWhich Parties may end this Addendum as set out in Section 19:
Importer
Exporter
neither Party