AiX User Guides

Appearance

DATA PROCESSING AGREEMENT

This data processing agreement is an annex to and forms part of the Service Agreement between Customer (as identified in the Service Agreement) and Proxima Beta Pte Ltd (“AiX”) and incorporates the terms and conditions set out in the Schedules attached hereto (the “Agreement”).

In the event of any conflicts between this Agreement and the Service Agreement, this Agreement will govern to the extent of the conflict.

Customer has appointed AiX to provide services to Customer and the parties acknowledge that, for purposes of Applicable Data Protection Laws, Customer is the “controller,” “business” or any other similar term and AiX is the “service provider,” “processor,” “contractor” or similar term, each as provided for under the Applicable Data Protection Laws. As a result of its providing such services to Customer, AiX will store and Process certain Personal Data of the Customer, in each case as described in further detail in Schedule2 (Description of Transfers).

SCHEDULE 1

STANDARD TERMS FOR PROCESSING AGREEMENT BACKGROUND:

Customer wishes to appoint AiX to Process Personal Data, as further described in Schedule2 (Description of Transfers).

The Agreement is being put in place to ensure AiX Processes Customer’s Personal Data on Customer’s instructions and in compliance with the Applicable Data Protection Laws (as defined below).

1. Definitions

1.1 For the purposes of this Agreement, the following expressions bear the following meanings, unless the context otherwise requires:

Applicable Data Protection Laws” means(a)the General Data Protection Regulation 2016/679 (the “GDPR”); (b)the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation, as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (together with the DPA, the “UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; (d)the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”) and the Virginia Consumer Data Protection Act (“VCDPA”); and (e) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above, or which otherwise relates to data protection, privacy or the use of personal data, in each case, as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;

Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, as described in Schedule5, in each case as amended, updated or replaced from time to time;

Business”, “Data Controller”, “Data Processor”, “Data Subject”, “Selling”, “Service Provider” and “Sharing” shall have the meaning given to these term or equivalent concepts in the relevant Applicable Data Protection Laws;

Lawful Export Measure” means a method allowing for the lawful transfer of Personal Data from a data exporter to a data importer, as may be stipulated by Applicable Data Protection Laws or a Regulator from time to time, which may include (depending upon the applicable laws) model transfer terms prescribed by Applicable Data Protection Laws; or prior registration, licensing or permission from a Regulator;

Personal Data” shall have the meaning given to “personal data” and “personal information” and other similar terms in the relevant Applicable Data Protection Laws;

Process”, “Processed” or “Processing” shall have the meaning given to this term or equivalent concept in the relevant Applicable Data Protection Laws;

Processor to Processor Clauses” means, as relevant, (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time;

Regulator” means a data protection supervisory authority which has jurisdiction over Customer’s Processing of Personal Data;

"Service Agreement” means the AiX Terms of Service available at https://aix.levelinfinite.com/portal/tos as amended from time to time;

Services” means the reporting and analytics solution provided by AiX to Customer at https://aix.levelinfinite.com/, that helps Customer optimize its ad spend and user acquisition; and

Third Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country or territory outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries or territories approved as providing adequate protection for Personal Data by the European Commission from time to time; (ii) in relation to Personal Data transfers subject to the UK GDPR, any country or territory outside of the scope of the data protection laws of the UK, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time; and (iv) in relation to Personal Data transfers from any other jurisdiction, any country or territory other than those approved as providing adequate protection for Personal Data by the relevant competent authority of such jurisdiction from time to time.

2. Conditions of Processing

2.1 his Agreement governs the terms under which AiX is required to Process Personal Data on behalf of Customer when providing the Services.

3. AiX’s Obligations

3.1 AiX shall only Process Personal Data on behalf of Customer and in accordance with, and for the limited and specific purposes set out in the documented instructions received from Customer unless required to Process, and/or restricted from Processing, such Personal Data by applicable law to which AiX is subject; in each case, AiX shall inform Customer of that legal requirement without undue delay, unless that law prohibits such information on important grounds of public interest.

3.2 AiX shall notify Customer if AiX makes a determination that it can no longer meet its obligations under the CCPA. AiX shall grant Customer the right to take reasonable and appropriate steps to help ensure that AiX uses the Personal Data in a manner consistent with Customer’s obligations under the CCPA and stop and remediate any unauthorized use of the Personal Data.

3.3 AiX shall implement appropriate technical and organisational measures designated to provide a level of security appropriate to the risk, taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purpose of the Processing as set out in Schedule3, or otherwise agreed and documented between Customer and AiX from time to time. The allocation as set out in Schedule3 establishes the responsibilities between the parties to this Agreement to implement such measures.

3.4 AiX shall, without undue delay, notify Customer about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data belonging to Customer (with further information about the breach provided in phases as more details become available).

3.5 AiX shall, upon reasonable written request from Customer, from time to time (but no more than once annually), provide Customer with such documentation in its possession as is reasonably necessary to demonstrate compliance with the obligations laid down in this Agreement. AiX shall allow, and cooperate with, reasonable assessments by Customer, or Customer’s designated auditor, of AiX’s compliance with its obligations in Applicable Data Protection Laws. Alternatively, AiX may arrange for a qualified and independent auditor to conduct, at least annually at Customer’s expense, an assessment of AiX’s policies and technical and organizational measures in support of obligations under Applicable Data Protection Laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. AiX shall provide a report of such assessment to Customer upon request.

3.6 Where:

(i) a Data Subject exercises his or her rights under the Applicable Data Protection Law in respect of Personal Data Processed by AiX on behalf of Customer, including Data Subjects exercising rights under Applicable Data Protection Laws (such as rights to rectification, erasure, blocking, access their personal data, objection, restriction of processing, data portability and the right not to be subject to automated decision-making);

(ii) Customer is required to deal or comply with any assessment, enquiry, notice or investigation by the Regulator; or

(iii) Customer is required under the Applicable Data Protection Laws to carry out a mandatory data protection impact assessment or consult with the Regulator prior to Processing Personal Data entrusted to AiX under this Agreement, then upon Customer’s reasonable request to AiX, AiX will provide reasonable assistance to Customer to enable Customer to comply with obligations which arise as a result thereof.

3.7 When AiX Processes Personal Data in the United States, AiX is expressly prohibited from:

(i) Selling the Personal Data;

(ii) Sharing the Personal Data for cross-context behavioural advertising purposes;

(iii) retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the services that are to be provided to Customer;

(iv) retaining, using or disclosing the Personal Data outside of the direct business relationship between AiX and Customer; or

(v) combining the Personal Data received from Customer with any Personal Data that may be collected from AiX’s separate interactions with the individual(s) (if applicable) to whom the Personal Data relates to or from any other sources.

3.8 To the extent AiX receives de-identified data (as such term is defined under Applicable Data Protection Laws) from Customer, AiX shall: (i) take reasonable measures to ensure that the data cannot be associated with an identified or identifiable individual; (ii) publicly commit to maintain and use the data only in a de-identified fashion; and (iii) not attempt to re-identify the data.

3.9 To the extent AiX Processes Personal Data in a Third Country, and it is acting as data importer, AiX shall:

(i) in respect of the Processing of Personal Data in a Third Country that is not subject to the GDPR or UK GDPR, and to the extent required by Applicable Data Protection Laws, ensure such transfer is carried out using a Lawful Export Measure. To the extent such Lawful Export Measure requires (a) a contract imposing appropriate safeguards on the transfer and processing of such Personal Data (which is not otherwise satisfied by this Agreement); (b) a description of the Processing of Personal Data contemplated under this Agreement; and (c) a description of technical and organisational measures to be implemented by the data importer, the parties agree that the Controller to Processor Clauses, the description of processing activities set out in Schedule2 (Description of Transfers) and the description of technical and organisational measures set out in Schedule3 (Technical and Organisation Security Measures), shall apply mutatis mutandis for the benefit of such transfer, and in relation to any onward transfer of the Personal Data by that data importer to another person, the other person shall comply with the same importer obligations,mutatis mutandis;

(ii) in respect of the Processing of Personal Data in a Third Country that is subject to the GDPR or UK GDPR, comply with the data importer’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this Agreement; Customer will comply with the data exporter’s obligations in such Controller to Processor Clauses; and:

(A) for the purposes of Annex I or Part 1 (as relevant) of such Controller to Processor Clauses, the Parties and Processing details set out in Schedule 2 ( Description of Transfers) shall apply, and the Start Date is the effective date of the Agreement, and the signature( s) (in any form) given in connection with the execution of this Agreement by a party and the date(s) of such signature(s) shall apply as the dated signature required from that party;

(B) if applicable, for the purposes of Part 1 of such Controller to Processor Clauses, the relevant Addendum EU SCCs (as such term is defined in the applicable Controller to Processor Clauses) are the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 2), as incorporated into this Agreement by virtue of this Clause3.7;

(C) for the purposes of Annex II or Part 1 (as relevant) of such Controller to Processor Clauses, the technical and organisational security measures set out in Schedule 3 ( Technical and Organisation Security Measures) shall apply; and

(D) if applicable, for the purposes of: (i) Clause 9 of such Controller to Processor Clauses, Option 2 (“ General written authorization”) is deemed to be selected and the notice period specified in Clause6.2 shall apply; (ii) Clause 11(a) of such Controller to Processor Clauses, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the authority identified by Customer as its competent supervisory; (iv) Clause 17, Option 2 is deemed to be selected and the governing law shall be separately agreed between the Parties; ( v) Clause 18, the competent courts shall be the competent courts of the Netherlands; (vi) Part 1 of such Controller to Processor Clauses, AiX, as Importer may terminate the Controller to Processor Clauses pursuant to Section 19 of such Controller to Processor Clauses.

3.10 Customer acknowledges and agrees that AiX may appoint an affiliate or a third-party subcontractor to Process Customer’s Personal Data in a Third Country, in which case, AiX shall, to the extent required under Applicable Data Protection Laws, execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Customer.

4. Customer’s Obligations

4.1 Customer represents, warrants and undertakes that: (i)the legislation applicable to it does not prevent AiX from fulfilling the instructions received from Customer and performing AiX’s obligations under this Agreement; and (ii) it has complied, and continues to comply, with the Applicable Data Protection Laws, in particular, that it has obtained any necessary consents and given any necessary notices, and otherwise has a legitimate ground to disclose the data to AiX and enable the Processing of the Personal Data by AiX, as set out in this Agreement.

4.2 Customer is solely liable for its compliance with (i) Applicable Data Protection Laws and (ii) any rules, terms, requirements or guidelines of third-party services and platforms (including but not limited to any ad platforms that Customer gathers, processes or transfers data from and/or that AiX processes or receives data from upon the direction or instruction of Customer), in its use of the Services.

4.3 Customer agrees that it will indemnify and hold harmless AiX on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation, and all interest, penalties and legal and other professional costs and expenses) incurred by AiX arising directly or indirectly from a breach of Applicable Data Protection Laws or this Agreement.

5. Changes in Applicable Data Protection Laws

5.1 The parties agree to negotiate in good faith modifications to this Agreement if changes are required for AiX to continue to process the Personal Data, as contemplated by this Agreement in compliance with the Applicable Data Protection Laws, or to address the legal interpretation of the Applicable Data Protection Laws, including: (i)to comply with the GDPR or any national legislation implementing it, or the UK General Data Protection Regulation or the DPA, and any guidance on the interpretation of any of their respective provisions; (ii) if the Controller to Processor Clauses or the Processor to Processor Clauses, or any other mechanisms or findings of adequacy, are invalidated or amended; (iii)if changes to the membership status of a country in the European Union or the EEA require such modification.

6. Sub-Contracting

6.1 Customer hereby grants AiX general written authorisation to engage, and consents to the use of the subcontractor(s) in Schedule4* (Authorised Subcontractors), for the purposes further described in Schedule4* (Authorised Subcontractors), and subject to this Clause6.

6.1 If AiX appoints a new subcontractor or intends to make any changes concerning the addition or replacement of the subcontractors set out in Schedule4* (Authorised Subcontractors), it shall provide Customer with twenty (20) business days’ prior written notice, which may be fulfilled by posting an updated list of sub-processors at the link referred to in Clause6.1 above, during which Customer can object against the appointment or replacement. If Customer does not object, AiX may proceed with the appointment or replacement.

6.2 AiX shall ensure it has a written agreement in place with all subcontractors which contains obligations on the subcontractor that are no less onerous on the relevant subcontractor than the obligations on AiX under this Agreement.

7. Confidentiality

7.1 Each party (the “Recipient”) undertakes to the other party (the “Discloser”) to:

(i) hold all Personal Data of the Discloser which it obtains in relation to this Agreement, in strict confidence; and

(ii) ensure that employees, agents, officers, consultants, sub-processors, subcontractors, and advisers authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.2 The obligation in Clause7.1 will not apply to a disclosure of Personal Data that is:

(i) required by any law or regulation of any country with jurisdiction over the affairs of AiX; and

(ii) required by any order of any court of competent jurisdiction.

7.2 The obligation in Clause7.1 shall apply to the provision of any document or information that states a party’s approach to security by AiX to Customer.

8. Termination

8.1 Termination of this Agreement shall be governed by the Terms of Service governing Customer’s use of the Services.

9. Consequences of Termination

9.1 Upon termination of this Agreement in accordance with Clause8 (Termination), AiX shall:

(i) destroy all Personal Data it has Processed on behalf of Customer after the end of the provision of services relating to the Processing, and destroy all copies of the Personal Data, unless it will violate any applicable law; and

(ii) cease Processing Personal Data on behalf of Customer.

10. Law and Jurisdiction

10.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of Singapore and shall be deemed to have been made in Singapore, and each party hereby submits to the jurisdiction of the courts of Singapore.

10.2 Any dispute shall be referred to, and finally resolved by, arbitration administered by the Singapore International Arbitration Centre (“SIAC”) in accordance with the Arbitration Rules of the SIAC for the time being in force when the notice of arbitration is submitted. The tribunal shall consist of one arbitrator. The seat of arbitration shall be Singapore and the language to be used in the arbitral proceedings shall be English.

SCHEDULE 2

DESCRIPTION OF TRANSFERS

A. LIST OF PARTIES

Data exporter(s) – Data Controller: Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

  • Name: Customer
  • Address: As specified by Customer at registration to the Services and/or in the admin console on the Services (as applicable).
  • Contact person’s name, position and contact details: As specified by Customer at registration to the Services and/or in the admin console on the Services (as applicable).
  • Activities relevant to the data transferred under these Clauses: As specified by Customer at registration to the Services and/or in the admin console on the Services (as applicable).
  • Role (controller/processor): Controller

Data importer(s) – Data Processor:

  • Name: AiX
  • Address: 10 Anson Road, #21-07, International Plaza, Singapore 079903
  • Contact person’s name, position and contact details: DPO, dpo_aix@proximabeta.com
  • Activities relevant to the data transferred under these Clauses: Processing of data for the provision of the Services.
  • Role (controller/processor): Processor

B.PROCESSING DETAILS / DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is processed / transferred

End users of games published and/or developed by Customer.

Categories of personal data processed / transferred

  • Account registration information, including name, email address and password;
  • Data regarding interactions with game storefronts, including number of visits to the storefront, products wishlisted and wishlist conversions, products purchased and purchase conversions, and game key activations;
  • Device information, including user ID, IP address, operating system information, platform, login channels, country code, language, device model and brand, CPU information, GPU name, RAM, ROM, screen size
  • Game information;
  • Event information, including in-game activity information such as transaction/purchase information;
  • Data regarding interaction with advertisements, including the time of interaction, the details of any items purchased, and any referral codes used by the data subject;
  • Information from ad platforms relating to individuals that are provided or submitted to AiX via the Services by (or at the direction of) the Customer, including date, account ID and name, campaign information, ad group information, platform, type, audiences, status, objective, country, device, keywords, search term, match type, cost, impressions, clicks, conversions, video views percentage, interactions and actions; and
  • Any other personal data submitted to the Services by (or at the direction of) Customer within the scope of this Agreement.

Sensitive data processed / transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous basis.

Nature of the processing

Processing in connection with the Services.

Purpose(s) of the data processing / data transfer and further processing

Data is transferred and processed to provide the Services.

Duration of the processing / the period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

End User personal data will be Processed for the duration of Customer’s use of Services, or as otherwise instructed by Customer. Such personal data will be deleted upon completion of the processing for the purposes of providing the Services to the Customer.

**For processing by / transfers to (sub-)processors, also specify subject matter, nature and duration of the processing **

As above.

C. COMPETENT SUPERVISORY AUTHORITY

The authority identified by the data exporter (Customer) as its competent supervisory authority.

SCHEDULE 3

TECHNICAL AND ORGANISATION SECURITY MEASURES

Description of the technical and organisational measures implemented by the data importer( s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

For transfers to (sub-)processors, also describe the specific technical and organisational measures to be taken by the (sub-)processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

  • Private encryption algorithms are applied when data is transferred between servers;
  • Access to data is limited to designated servers and ports;
  • Security scanning tools are installed in servers.

SCHEDULE 4

AUTHORISED SUBCONTRACTORS

SubcontractorsServices providedContact Details
GCPBig Query: Enterprise data warehouse that helps to manage and analyze data with built-in features like machine learning, geospatial analysis, and business intelligence.https://support.google.com/policies/contact/general_privacy_form?sjid=2398137265371408906-AP
Cloud Run: Managed compute platform that let businesses run containers directly on top of Google’s infrastructure.
Kubernetes: Build cloud-native microservices-based apps and supports containerization of existing apps.
Cloud SQL: Database service that helps businesses set up, maintain, manage and administer relational databases on GCP.
VPC: Provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters, and the App Engine flexible environment.
Cloud CDN: Cloud CDN (Content Delivery Network) uses Google's global edge network to serve content closer to users, which accelerates businesses’ websites and applications.
Artifact Registry: Provides a single location for storing and managin packages and docker container images.
Cloud Storage: Cloud Storage is a service for storing objects in Google Cloud.
Mongo DB: Cloud computing service.
Redis: Real-time database as a service and cache.

SCHEDULE 5

INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES

This Addendum has been issued by the UK Information Commissioner’s Office for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Table 1: Parties

Start dateSee effective date of the Agreement
The PartiesExporter (who sends the Restricted Transfer)Importer (who receives the Restricted Transfer)
Parties’ detailsSee the Agreement
Key ContactSee the Agreement

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCsThe standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021 (Module 2)

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: See the Agreement
Annex 1B: Description of Transfer: See Schedule 2 to the Agreement
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Schedule 3 to the Agreement
Annex III: List of Sub processors (Modules 2 and 3 only): See Schedule 4 to the Agreement

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changesWhich Parties may end this Addendum as set out in Section 19:
[x] Importer
[ ] Exporter
[ ]neither Party

AiX front develop team

Tencent Group