GameLayer Data Processing Addendum (DPA)
Last updated: 01.12.25
This Data Processing Addendum ("DPA") forms part of the Terms of Service between GameLayer Oy ("GameLayer", "Processor") and the customer entity agreeing to the Terms of Service ("Customer", "Controller").
This DPA applies only where GameLayer processes Personal Data on behalf of the Customer in the course of providing the Services. In most cases, the Services are designed to operate using pseudonymous or anonymous identifiers that are not directly associated with real-world individuals.
1. Definitions
Terms not defined here have the meaning given in the GDPR or the Terms of Service.
- "GDPR" means Regulation (EU) 2016/679.
- "Personal Data" means any personal data processed by GameLayer on behalf of Customer.
- "Processing" has the meaning given in Article 4 of the GDPR.
- "Sub‑processor" means any third party engaged by GameLayer to process Personal Data.
2. Roles of the Parties
- Customer acts as the Data Controller.
- GameLayer acts as the Data Processor.
GameLayer shall process Personal Data only on documented instructions from the Customer, unless required by applicable law.
3. Scope and Purpose of Processing
GameLayer processes Personal Data solely for the purpose of providing, operating, maintaining, and supporting the Services, including:
- Account management
- API operation and analytics
- Customer support
- Security and fraud prevention
4. Types of Personal Data and Data Subjects
Data Subjects may include:
- Customer employees and contractors
- End users of Customer applications
Types of Personal Data may include (where applicable):
- Pseudonymous identifiers (e.g. internal user IDs)
- Usage and event data linked to such identifiers
- Technical data (IP address, device metadata)
In typical implementations, Customer configures the Services so that no directly identifiable personal data (such as names or email addresses) is processed by GameLayer.
5. Confidentiality
GameLayer ensures that persons authorised to process Personal Data are bound by confidentiality obligations.
6. Security Measures
GameLayer implements appropriate technical and organisational measures to protect Personal Data, including:
- Access controls and authentication
- Encryption in transit
- Logical separation of customer data
- Regular security reviews
7. Sub‑processors
Customer authorises GameLayer to engage Sub‑processors to provide the Services.
GameLayer shall:
- Maintain a list of Sub‑processors
- Impose equivalent data protection obligations on Sub‑processors
- Remain responsible for Sub‑processor performance
8. International Data Transfers
Where Personal Data is transferred outside the EU/EEA, GameLayer ensures appropriate safeguards are in place, including Standard Contractual Clauses where required.
9. Assistance to Customer
GameLayer shall assist Customer, taking into account the nature of processing, with:
- Responding to data subject requests
- Data protection impact assessments (DPIAs)
- Regulatory inquiries
10. Personal Data Breach
GameLayer shall notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data and provide relevant information as required by GDPR.
11. Deletion or Return of Data
Upon termination of the Services, GameLayer shall, at Customer's choice:
- Delete Personal Data, or
- Return Personal Data and delete existing copies, unless retention is required by law.
12. Audits
Upon reasonable notice, Customer may audit GameLayer's compliance with this DPA, subject to confidentiality and security constraints.
13. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service.
14. Governing Law
This DPA is governed by the laws of Finland.
15. Contact
GameLayer Oy
Company ID: 2503589-1
Finland
Email: legal@gamelayer.co