Data Processing Addendum

The DPA defines controller-processor responsibilities, processing instructions, security measures, transfer safeguards, and lifecycle obligations.

Effective date: 2026-02-15

This Data Processing Addendum ("DPA") is between the legal entity that registers for or uses the Service and agrees to the Terms and this DPA ("Customer") and Iridae ApS, Maglebjergvej 6, 2800 Kongens Lyngby, established in Denmark ("Company"). It applies where Company processes Personal Data on behalf of Customer in providing the Service.

If this DPA conflicts with the Terms of Service, this DPA controls for Personal Data processing.

Roles

Customer is the Controller.

Company is the Processor.

Processing details

Processing details are in Annex 1.

Instructions

Company will process Personal Data only on documented instructions from Customer, including as set out in the Terms, this DPA, and Customer's use/configuration of the Service. Company will notify Customer if it believes an instruction violates applicable law (unless prohibited).

Confidentiality

Company ensures persons authorized to process Personal Data are bound by confidentiality obligations.

Security

Company implements appropriate technical and organizational measures as described in Annex 2 and may update them over time provided security is not materially reduced.

Subprocessors

Customer authorizes Company to use Subprocessors to provide the Service.

Current Subprocessor list: https://iridae.com/legal/subprocessors

Company will impose data protection obligations on Subprocessors substantially similar to this DPA.

Company remains responsible for Subprocessors' performance under this DPA.

Changes/objections: Company may update Subprocessors. If Customer reasonably objects on data protection grounds, the parties will try to resolve. If unresolved, Customer may stop using the affected feature or terminate the affected order; fees are handled per the Terms/order form.

International transfers

Where Personal Data is transferred outside the EU/EEA, Company will ensure a valid transfer mechanism (for example, adequacy decision or Standard Contractual Clauses). Where required, the parties are deemed to enter into SCCs (Controller-to-Processor, Module 2), with Customer as exporter and Company as importer, unless another lawful mechanism applies.

Assistance

Taking into account the nature of processing, Company will reasonably assist Customer with:

  • Data Subject requests
  • breach notifications and related compliance needs (and, where applicable, DPIAs/consultations)

to the extent Customer cannot fulfill them via the Service. Company may charge reasonable fees for assistance beyond what the Service normally provides.

Personal data breach

Company will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data and share information reasonably required for Customer's compliance.

Deletion or return

Upon termination/expiry of the Service, Company will delete or return Customer Personal Data within 60 days, unless retention is required by law or necessary for purposes stated in the Terms (for example, dispute resolution and security logs). Backups are deleted per standard rotation cycles.

Audits and compliance

Company will make available information reasonably necessary to demonstrate compliance with this DPA and allow audits:

  • primarily via documentation and reasonable security summaries and Q&A
  • if needed, an on-site audit no more than once per year with reasonable notice, subject to confidentiality and security constraints

Customer bears audit costs and must avoid disruption.

Liability

Liability under this DPA follows the limitations in the Terms, except where prohibited by applicable law.

Order of precedence

If documents conflict: (1) SCCs (if applicable), (2) this DPA, (3) the Terms, (4) other policies.

Annex 1 - Processing details

  • Subject matter: Processing of Personal Data submitted by Customer or accessed via Customer-provided links to provide the Service and generate Outputs.
  • Duration: Term of Customer's use plus the retention period in this DPA/Terms.
  • Nature of processing: Collection, hosting, access, organization, analysis, transformation, generation of Outputs, limited disclosure to Subprocessors; storage and deletion.
  • Purpose(s): (1) Provide the Service and generate Outputs; (2) support, reliability, abuse prevention, debugging; (3) service improvement (including training) if included in the Service and not overridden by a written no-training agreement.
  • Types of Personal Data: Determined by Customer; may include business contact details and free-text content. Company does not require special category data and Customer should avoid submitting it.
  • Categories of Data Subjects: Customer personnel, contractors, playtesters, end users, or others whose data Customer submits.
  • Customer obligations: Ensure lawful basis, required notices, and data minimization; avoid unnecessary Personal Data and special category data unless strictly necessary and lawful.

Annex 2 - Security measures

Company maintains measures appropriate to risk, which may include:

  • access controls and least-privilege; MFA for administrative access where feasible
  • encryption in transit; encryption at rest where applicable
  • secure configuration and environment segregation
  • monitoring and logging for reliability/security (with minimization where feasible)
  • vulnerability management and incident response process
  • Subprocessor due diligence and contractual protections
  • staff confidentiality and security training