Data Processing Addendum
Last updated: July 2026
This addendum applies where Gamivate processes personal data on behalf of a brand (the controller) and forms part of your agreement with us.
Roles
The brand is the controller of its players’ data; Gamivate is the processor, processing only on documented instructions.
Security
- Tenant data is isolated at the database layer (row-level security).
- Encryption in transit and at rest; hashed IPs; least-privilege access.
- Audit logging of sensitive actions.
Sub-processors
We engage sub-processors (hosting, storage, email, analytics) under equivalent obligations and maintain a current list available on request.
Data subject requests
We provide tooling for access, export, and deletion so controllers can fulfil data-subject requests within statutory timeframes.
International transfers
Where data is transferred across borders, we rely on appropriate safeguards and document the transfer basis. Default hosting region is the EU (Frankfurt).
Return & deletion
On termination, data is returned or deleted per the controller’s instructions.
