Data Processing Addendum
Last updated: January 2024
1 Principle
1.1 In the context of the performance of the Agreement on the use of the Services (the «Agreement») with the User («Controller»), the Processor processes personal data on behalf of the Controller.
1.2 This Data Processing Addendum («DPA») is an integral part of the Agreement. Unless otherwise specified in this DPA, the provisions of the Processor’s Terms of Service («ToS») are fully applicable in connection with this DPA.
2 Definitions
2.1 Any terms defined in the ToS and used in this DPA have the same meaning.
2.2 In addition to these terms and the terms defined throughout this DPA, the following terms have the meanings set forth below:
- «GDPR» means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- «UK GDPR» means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- «FADP» means the Swiss Federal Act of 25 September 2020 on Data Protection (FADP).
- «Standard Contractual Clauses» or «SCCs» are the standard contractual clauses for transfers of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
3 Applicable Data Protection Law
«Applicable Data Protection Law» means:
- for the processing of personal data subject to the FADP: the FADP;
- for the processing of personal data subject to the GDPR: the GDPR;
- for the processing of personal data subject to the UK GDPR: the UK GDPR.
4 Subject Matter, Nature and Purpose of Processing
4.1 Subject matter of processing and therefore this DPA is the personal data of third parties the Processor processes in its software to fulfill the Agreement («Personal Data»).
4.2 This includes the following categories of data:
- Identification and contact data (name, first name, e-mail, login, etc.);
- Communication data (messages, support requests, etc.);
- Technical data (IP address, unique identifiers, general location data, usage data, etc.);
- If applicable, further categories of data necessary for the fulfillment of the Agreement (in particular, other categories of data collected in accordance with the Controller’s specifications).
4.3 The categories of data subjects affected by the processing include:
- software users (the Controller’s employees);
- visitors/players of the mini games.
4.4 The purpose of processing is to provide the Cloud Services and, if applicable, other Services in accordance with the Agreement. This includes the performance of necessary auxiliary functions (e.g., error monitoring). In addition, the Processor analyzes certain technical data of the software users (excluding visitors/players of the mini games) for the purpose of improving its Services. The Processor may also process anonymized data to create aggregated evaluations and statistics, such as target group analyses and ROI studies.
4.5 The type of processing includes the activities necessary to achieve these purposes, in particular the collection, recording, organization, storage, adaptation or alteration, retrieval, use, transmission, provision, reconciliation, linking, erasure or destruction of Personal Data.
5 Processing in Accordance with Controller’s Instructions
5.1 The Processor processes the Personal Data in accordance with the Agreement and any additional documented instructions by the Controller.
5.2 Instructions going beyond the contractual agreements are subject to additional charges. This does not apply if the relevant instructions are demonstrably necessary to prevent or put an end to a breach of Applicable Data Protection Law the Processor is responsible for.
5.3 The Processor will inform the Controller without delay if it believes that any of the Controller’s instructions violate Applicable Data Protection Law.
5.4 If the Processor is legally required to process the Personal Data in a manner inconsistent with the contractual agreements or the Controller’s additional instructions, it will inform the Controller of this legal requirement prior to the processing. Cases in which the applicable law prohibits informing the Controller for important reasons of public interest are reserved.
6 Data Security
6.1 The Processor takes appropriate technical and organizational measures to ensure an adequate level of data security within the meaning of Applicable Data Protection Law.
6.2 For this purpose, the Processor has implemented the technical and organizational measures listed in Annex 1. Technical and organizational measures are subject to technical progress and further development. The Processor therefore reserves the right to adapt, discard or replace the existing measures and to implement additional measures. In doing so, the Processor will ensure that the general level of data security remains at least equivalent. The Processor may request an updated list of the technical and organizational measures at any time.
6.3 The Processor regularly monitors its internal processes and the technical and organizational measures to ensure that an appropriate level of data security within the meaning of Applicable Data Protection Law is maintained with regard to the processing activities in its area of responsibility.
6.4 The Processor ensures that its employees or other persons authorized to process the Personal Data are subject to appropriate contractual or statutory confidentiality requirements.
7 Cooperation
7.1 The Processor will provide the Controller with reasonable support in fulfilling its legal obligations under Applicable Data Protection Law, in particular:
- toward data protection authorities;
- toward data subjects, for example if they exercise their rights in accordance with Applicable Data Protection Law (e.g., right to rectification, deletion or access);
- in case the Controller conducts a data protection impact assessment.
7.2 The Controller will bear the cost of these services to the extent that they exceed the Processor’s contractual obligations. Cases where the support is demonstrably necessary due to a breach by the Processor of Applicable Data Protection Law or of its contractual obligations are reserved.
7.3 If a data subject or an authority contacts the Processor with an inquiry regarding the Personal Data, the Processor will not respond to the request on its own authority, but immediately forward it to the Controller. The Processor will not be liable if the Controller does not answer the request or answers it incorrectly or not in a timely manner.
8 Sub-processors
8.1 The Controller consents to the use of the sub-processors specified in annex 1 for the processing of the Personal Data.
8.2 The Processor may, to the extent necessary for the performance of the Agreement, engage additional sub-processors. The Processor maintains a list of such sub-processors, which the Controller may review at any time. If the Controller rejects an additional sub-processor for factual reasons and the Processor cannot offer an appropriate alternative, the Controller may terminate the Agreement without respecting the ordinary requirements for termination.
8.3 The Processor imposes essentially the same data protection obligations on the sub-processors as are set out in this DPA.
9 International Transfers
9.1 The Processor will only transfer Personal Data to organizations abroad in compliance with the provisions of Applicable Data Protection Law on international data transfers. Prior consent or instructions to the contrary by the Controller are reserved.
9.2 In countries without a level of data protection recognized by Switzerland or the EU, respectively, adequate protection of Personal Data is typically ensured by concluding Standard Contractual Clauses between the Processor and the relevant sub-processor.
10 Proof of Compliance and Inspections
10.1 Upon request, the Processor will provide appropriate proof of compliance with the obligations under this DPA to the Controller.
10.2 If an inspection by the Controller or an external auditor commissioned by the Controller is required, it will be conducted during normal business hours without undue disruption of operations. As a rule, the Controller will notify the Processor prior to the inspection and give it reasonable lead time. The Controller bears the cost of the inspection unless the inspection is demonstrably necessary due to a breach by the Processor of Applicable Data Protection Law or of its contractual obligations.
10.3 The Processor may refuse an inspection by an external auditor if the external auditor is not appropriately qualified or independent, is in a direct competitive relationship with the Processor, or is otherwise obviously unsuited.
10.4 The Processor will in no event be required to disclose the following data to the Controller or its external auditor:
- data of the Processor’s other customers;
- internal accounting or financial data;
- trade secrets;
- data the disclosure of which is not permitted for legal reasons;
- data the disclosure of which is not necessary for the exercise of the rights set forth in this clause.
11 Data Breach
11.1 The Processor will notify the Controller without delay if it becomes aware of a data breach in its area of responsibility. The Processor will provide the Controller with sufficient information to enable the Controller to comply with its obligations to notify the competent authorities and/or inform affected data subjects.
11.2 The Processor will, in cooperation and consultation with the Controller, take appropriate measures to investigate and remedy the breach.
12 Surrender and Deletion of Personal Data
12.1 Without the Controller’s knowledge, the Processor will not create copies or duplicates of the Personal Data. This does not include backup copies required to ensure proper data processing, data protection and data security, or archiving of data required to comply with legal obligations for data retention.
12.2 Unless otherwise agreed by the parties and to the extent permitted by law, the Processor will delete or anonymize the Personal Data stored in its software 6 months after the end of the Agreement. The Controller may also request the deletion of the Personal Data in writing (text form is sufficient) at any time before this point in time.
12.3 Until deletion, the Controller may at any time request in writing (text form is sufficient) that the Processor surrender to the Controller a complete copy of the stored Personal Data. The Personal Data will be surrendered in a commonly used format at the Processor’s discretion. If the Controller requests a different format and as a result, the Processor is faced with a significant additional expense, the Controller will compensate the Processor for the additional expense incurred.
13 Liability
Liability will be governed by the relevant provisions of the ToS. Art. 82 GDPR or other compulsory legal provisions to the contrary remain reserved, insofar as they are applicable.
14 Term and Termination
14.1 The term of this DPA concurs with the term of the Agreement.
14.2 Nevertheless, the provisions of this DPA will apply to any data processing within its meaning taking place after the end of the Agreement for as long as such data processing continues.
15 Annexes
The following annexes form an integral part of this DPA:
- Annex 1: Technical and organizational security measures
- Annex 2: Sub-processors
Annex 1: Technical and organizational security measures
| Personnel access control | What measures are taken to prevent unauthorized persons from accessing data processing systems? ☒ Security locks / doors/windows ☒ Alarm system ☒ Video surveillance ☒ Magnetic / chip cards ☒ Visitor access control ☒ Key management /documentation Brame does not operate its own servers, but exclusively relies on servers in the cloud at AWS in Germany. With this in mind, there are no rooms to be specially secured. |
| System access control / Data access control | What measures are taken to prevent data processing systems from being used by unauthorized persons? ☒ Password authentication ☒ Secure passwords / password requirements ☒ Two-factor authentication ☒ Encryption of data carriers / data ☒ Authorization / role concepts ☒ Access blocking by screen saver / lock screen ☒ Access logs ☒ Logging of failed access attempts ☒ Up-to-date virus protection ☒ Up-to-date software versions ☒ Firewall ☒ Secure destruction of data carriers |
| Transfer control | Protection against unauthorized reading, writing, copying, modification, removal of personal data during electronic transmission. ☒ Identification and documentation of the recipients ☒ Documentation of data transfers (logging entries) ☒ Encryption of data carriers / data and connections ☒ Sharing permissions ☒ Regulation for the destruction of data carriers ☒ Regulation for secure deletion from the storage medium ☒ Regulation for the secure storage and shipping of data carriers ☒ Regulation on the use of mobile data carriers (CDs, USB drives…) Brame only uses physical data carriers such as USB drives in exceptional cases and only under strict rules for secure data destruction after use. The transfer authorizations are defined organizationally for the entire Brame AG. On transfer protocols: All data is stored in the Amazon Cloud or OneDrive cloud storage. These cloud systems provide data logging (when a file uploaded, by whom, deleted, etc.). Beyond that, data transfer logs are not used by Brame. |
| Input control | Determining whether and by whom which personal data have been entered, modified, removed or accessed in data processing systems and when. ☒ Logging of data entries, changes, deletions ☒ Authorization concept for assigning rights to enter, modification and deletion of data Brame works exclusively with electronic data processing, therefore the retention of paper forms does not apply. |
| Separation control | Measures suitable to ensure that data collected for different purposes can be processed separately. ☒ Logical separation of data (on the software side) ☒ Separation productive / test system |
| Pseudonymization and encryption | Pseudonymization: Processing of personal data in such a way that the data can no longer be assigned to a specific data subject without the use of additional information, whereby this additional information is stored separately and is subject to appropriate technical and organizational measures. ☒ File encryption ☒ Encryption of mobile end devices (smartphones, laptops etc.) ☒ Secure data transfer (SSL, FTPS, TLS, etc.) ☒ Secured WLAN |
| Availability control | Protection against accidental or deliberate alteration, destruction or loss of personal data. ☒ Back-up strategy (online/offline, on-site/off-site) ☒ Uninterruptible power supply ☒ Emergency plan ☒ Fast recoverability ☒ Procedures / processes for recovery |
| Order control | Measures suitable to ensure that personal data processed on behalf of the client can only be processed in accordance with the client’s instructions. ☒ Selection of contractors only after due diligence ☒ Clear, written contracts and instructions ☒ Process for forwarding requests from affected parties ☒ Control of contractors ☒ Ensuring the destruction of data after end of the contract ☒ Formalized order management |
| Other procedures | Procedures for regular review, assessment and evaluation. ☒ Data protection management ☒ Incident-Response-Management ☒ Privacy-friendly default settings |
| Accompanying measures | |
| Data protection at employee level | ☒ Confidentiality / non-disclosure obligations ☒ Home office regulations ☒ Regulation on the use of private mobile devices ☒ Regulation on Internet / e-mail usage ☒ Data protection training ☒ Procedure for changing, correcting, blocking and destroying of data for employees |
| Archiving, deletion, disposal | ☒ Archiving, deletion and disposal concept with defined responsibilities ☒ Informing employees about legal requirements, deletion deadlines and requirements for device disposal |
| Emergency plan | ☒ Concept according to the legal requirements about immediate response to breaches in the protection of personal data (verification, documentation, notification). |
Annex 2: Sub-processors
| Sub-processor | Address | Service | Country of processing | Comments |
| Brame Switzerland AG | Herostrasse 7, Zürich, Switzerland | General services | Switzerland | |
| Brame R&D d.o.o | Narodnog fronta 21, Novi Sad, Serbia | Software development and support | Serbia | Wholly owned subsidiary. Basis for international transfer: Standard Contractual Clauses and transfer impact assessment |
| Amazon Web Services EMEA SARL | 38 Avenue John F. Kennedy, Luxemburg | Cloud provider, e-mail sending service, hosting-partner |
Germany | |
| Mixpanel, Inc. | 1 Front St #28th, San Francisco, USA | App analytics | Netherlands | No transfer of mini game visitors’/players’ data. Used for statistical analysis of technical data (events) of the software users. |
| Atlassian Pty Ltd | Level 6, 341 George Street, Sydney NSW 2000, Australia | Support desk for software users | Germany | No transfer of mini game visitors’/players’ data. Used for software support. |
