Data Processing Addendum (DPA)
Effective Date: January 15, 2025
Version: 3.0
Last Updated: January 15, 2025
GDPR Compliance: This Data Processing Addendum (DPA) is designed to meet the requirements of the EU General Data Protection Regulation (GDPR) Article 28 for data processing activities between Beemi (Processor) and Studio Creators (Controllers) regarding player data.
This Data Processing Addendum ("DPA") forms part of the Developer Agreement and Terms of Service between you ("Developer," "Data Controller") and Qene Games Inc ("Beemi," "Data Processor," "we") to reflect the parties' agreement with regard to the processing of Personal Data.
1. Definitions
Terms used in this DPA have the meanings set forth in the GDPR:
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Data Controller" means the entity that determines the purposes and means of Processing Personal Data (You, the Developer, for certain data)
- "Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller (Beemi)
- "Sub-processor" means any Data Processor engaged by Beemi
- "Data Subject" means the individual to whom Personal Data relates (Players using your games)
- "Supervisory Authority" means an independent public authority established by an EU Member State
2. Scope and Application
2.1 When This DPA Applies
This DPA applies when:
- You (Developer) publish games through Beemi Studio that collect or process Personal Data from players
- Players from the European Union use your games
- You act as Data Controller and Beemi acts as Data Processor
2.2 Roles and Responsibilities
| Data Type |
Controller |
Processor |
| Player account data (email, name, auth) |
Beemi |
N/A (Beemi is Controller) |
| General platform analytics |
Beemi |
Third-party processors (Amplitude, Firebase) |
| Game-specific player data (scores, progress, choices) |
Developer (You) |
Beemi (on your behalf) |
| Developer account and project data |
Beemi |
Third-party processors (Google Cloud) |
2.3 Subject Matter and Duration
- Subject Matter: Hosting and processing of game data for players
- Duration: For the term of the Developer Agreement and until data deletion
- Nature and Purpose: Enabling game functionality and providing game analytics
- Type of Personal Data: Game progress, scores, choices, usage patterns (no direct PII like email/name unless you specifically collect it)
- Categories of Data Subjects: Players who use games published by you
3. Data Processing Instructions
3.1 Processing Activities
Beemi will Process Personal Data only:
- As necessary to provide the game hosting and analytics services
- In accordance with your documented instructions
- To comply with applicable laws (EU or Member State law)
- As specified in this DPA and the Developer Agreement
3.2 Your Instructions
You instruct Beemi to:
- Store game state and player data necessary for game functionality
- Process analytics data to provide you with aggregated statistics
- Transmit data between players in multiplayer games
- Retain data in accordance with our retention policies
- Delete data upon your request or player deletion
3.3 Unauthorized Processing
If Beemi believes any Processing instruction violates GDPR or other data protection laws:
- We will immediately inform you
- We may suspend the Processing until the instruction is modified or confirmed
- We will not be liable for following unlawful instructions you provide
4. Security Measures
4.1 Technical and Organizational Measures
Beemi implements appropriate security measures including:
| Category |
Measures |
| Encryption |
TLS 1.3 in transit; AES-256 at rest |
| Access Control |
Role-based access; MFA for admin; least privilege |
| Network Security |
Firewalls; intrusion detection; DDoS protection |
| Monitoring |
24/7 security monitoring; audit logs |
| Incident Response |
Documented procedures; notification within 72 hours |
| Data Minimization |
Collect only necessary data; anonymization where possible |
| Staff Training |
Regular privacy and security training |
| Vendor Management |
Due diligence on sub-processors; contractual protections |
4.2 Security Audits
Beemi conducts:
- Annual third-party security assessments
- Regular vulnerability scans
- Penetration testing (annually)
- Compliance reviews
5. Sub-processors
5.1 Authorized Sub-processors
You authorize Beemi to engage the following sub-processors:
| Sub-processor |
Service |
Location |
Processing Activity |
| Google Cloud Platform |
Cloud hosting and storage |
US, EU |
Data hosting, storage, computing |
| Firebase (Google) |
Authentication and analytics |
US, EU |
User authentication, analytics |
| Amplitude |
Analytics |
US |
Usage analytics (anonymized) |
| Agora |
Real-time communication |
Global |
Livestream connectivity (metadata only) |
Current List: An up-to-date list of sub-processors is available at: https://legal.beemi.app/subprocessors
5.2 Sub-processor Requirements
Beemi ensures that all sub-processors:
- Provide sufficient guarantees of GDPR compliance
- Implement appropriate security measures
- Are bound by written contracts imposing data protection obligations
- Process data only for authorized purposes
5.3 Changes to Sub-processors
If Beemi engages a new sub-processor:
- We will notify you at least 30 days in advance via email
- We will update the sub-processor list on our website
- You may object if you have reasonable data protection concerns
- If you object and we cannot accommodate, you may terminate the Developer Agreement
6. Data Subject Rights
6.1 Assisting with Data Subject Requests
If a player exercises their GDPR rights regarding data in your games, Beemi will:
- Access Requests: Provide technical means for you to export player data
- Rectification: Allow you to update or correct data
- Erasure: Delete player data upon your instruction
- Data Portability: Provide data in machine-readable format
- Restriction: Temporarily suspend processing if requested
6.2 Your Responsibilities
You are responsible for:
- Receiving and validating data subject requests
- Determining the appropriate response
- Instructing Beemi on required actions
- Responding to the data subject within legal timeframes (typically 30 days)
6.3 Direct Player Requests to Beemi
If players contact Beemi directly:
- We will redirect them to you (the Developer) for game-specific data
- We will handle requests regarding Beemi-controlled data (account, platform data)
- We will notify you of any requests we receive
7. Data Breach Notification
7.1 Notification to Developer
If Beemi becomes aware of a Personal Data Breach affecting your game data:
- We will notify you without undue delay and within 72 hours of discovery
- Notification will include:
- Nature of the breach
- Categories and approximate number of affected Data Subjects
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for more information
7.2 Your Obligations
Upon notification, you must:
- Assess whether notification to players is required under GDPR
- Notify affected players if required
- Report to relevant Supervisory Authorities if required
- Cooperate with Beemi on breach investigation and remediation
7.3 Beemi's Response
We will:
- Investigate the breach immediately
- Contain and remediate the issue
- Provide reasonable assistance to you
- Document the incident for compliance
8. International Data Transfers
8.1 Standard Contractual Clauses
For transfers of Personal Data from the EU to countries without adequacy decisions, Beemi relies on:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses (2021/914)
- Google's Data Processing Terms: For transfers via Google Cloud Platform
- Supplementary Measures: Additional technical and organizational safeguards
8.2 Data Storage Locations
- EU Players: Data stored in EU regions (Google Cloud Europe)
- Non-EU Players: Data stored in US regions with SCC protections
- Backups: May be replicated to multiple regions for redundancy
8.3 Supplementary Measures
Additional protections for international transfers:
- End-to-end encryption
- Pseudonymization where possible
- Access controls and audit logs
- Contractual restrictions on government access
9. Audit Rights
9.1 Information and Audit
Upon reasonable written notice, Beemi will:
- Provide information necessary to demonstrate compliance with this DPA
- Make available security documentation and certifications
- Allow audits or inspections (subject to reasonable limitations)
9.2 Audit Procedures
- Frequency: No more than once per year (unless required by law or following a breach)
- Notice: At least 30 days' advance written notice
- Scope: Limited to data protection and security matters
- Confidentiality: Auditors must sign confidentiality agreements
- Cost: You bear costs of audits unless breach is discovered
9.3 Alternative to Audits
Instead of on-site audits, you may accept:
- Third-party security certifications (SOC 2, ISO 27001)
- Audit reports from our external auditors
- Detailed security questionnaire responses
10. Data Deletion and Return
10.1 Upon Termination
When your Developer Agreement terminates or you unpublish a game:
- 30 days: Grace period for orderly transition
- Within 60 days: Delete or return all Personal Data as you instruct
- Certification: Provide written certification of deletion upon request
10.2 Exceptions
Beemi may retain data if:
- Required by applicable law (e.g., tax records)
- Necessary for legal claims or disputes
- Retained in encrypted backups (deleted within 6 months)
- Aggregated and anonymized (no longer Personal Data)
10.3 Player-Initiated Deletion
If a player deletes their account:
- Game-specific data is deleted within 90 days
- You will be notified of deletion requests affecting your games
- Analytics data is anonymized
11. Liability
11.1 Limitation
Each party's liability under this DPA is subject to the limitation of liability provisions in the Developer Agreement, except where EU law prohibits such limitations.
11.2 GDPR Liability
Under GDPR Article 82:
- You (Controller) are liable for damages caused by Processing that violates your obligations
- Beemi (Processor) is liable for damages caused by Processing that violates our processor obligations
- Each party is liable only for damages caused by its own actions or inactions
- If both parties are responsible, liability is allocated proportionally
12. Changes to This DPA
Beemi may update this DPA to reflect:
- Changes in data protection laws
- Guidance from Supervisory Authorities
- Changes to our services or sub-processors
Material changes will be notified 30 days in advance via email.
13. Contact Information
For DPA-related inquiries:
- Data Protection Officer: dpo@qenetech.com
- Data Subject Requests: dpo@qenetech.com
- Data Breach Notification: security@qenetech.com + dpo@qenetech.com
- General Privacy: privacy@qenetech.com
Company Address:
Qene Games Inc
Data Protection Officer
2035 Sunset Lake Road, Suite B-2
Newark, DE 19702
United States