OSADEX

Data Processing Agreement

[insert date] · Version 0.1 (draft — pending legal review)

This is a template made available for transparency. It is a draft and not legal advice; it must be reviewed by a qualified data-protection lawyer before being relied upon or signed. The binding version is the copy executed between the parties.

This Data Processing Agreement ("DPA") forms part of the agreement between Evaveo, a French société par actions simplifiée (SAS) registered under SIREN 822 798 344, with its registered office at Parc d'Affaires de Crécy, 17 avenue Charles de Gaulle, 69370 Saint-Didier-au-Mont-d'Or, France, operator of the OsaDex platform ("Processor", "we"), and the customer ("Controller", "you") for use of the OsaDex platform (the "Services"). It governs personal data processed by Evaveo on your behalf under Article 28 of the UK GDPR and the EU GDPR.

1. Roles

You are the Controller of the personal data processed through the Services; Evaveo is the Processor acting on your behalf. Each party complies with its own obligations under applicable data protection law ("Data Protection Law": the UK GDPR, the Data Protection Act 2018, and where applicable the EU GDPR).

2. Scope and instructions

Evaveo processes personal data only on your documented instructions, including as set out in this DPA and the Services documentation, unless required by law (in which case we inform you first, unless legally prohibited). We notify you if, in our opinion, an instruction infringes Data Protection Law.

3. Details of the processing

The subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.

4. Processor obligations (Art. 28(3))

Evaveo shall:

  • (a) process the personal data only on your documented instructions;
  • (b) ensure persons authorised to process the data are bound by confidentiality;
  • (c) implement appropriate technical and organisational measures under Article 32 (see Annex 2);
  • (d) respect the conditions for engaging sub-processors (Clause 6 and Annex 3);
  • (e) assist you, by appropriate measures, in responding to data-subject requests;
  • (f) assist you in ensuring compliance with Articles 32–36 (security, breach notification, data-protection impact assessments, prior consultation), taking into account the nature of processing and the information available to us;
  • (g) at your choice, delete or return all personal data at the end of the Services and delete existing copies, unless storage is required by law;
  • (h) make available all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate (subject to reasonable notice and confidentiality).

5. Personal data breach

We notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide the information you reasonably need to meet your own notification obligations.

6. Sub-processors

You give general authorisation for Evaveo to engage the sub-processors listed in Annex 3. We impose data-protection obligations on each sub-processor equivalent to those in this DPA, and remain liable for their performance. We inform you of any intended addition or replacement of a sub-processor and give you the opportunity to object on reasonable data-protection grounds.

7. International transfers

Personal data is hosted in the European Union (see Annexes 2 and 3). Where any transfer outside the UK/EEA occurs, it is carried out under an appropriate transfer mechanism (e.g. UK IDTA or EU Standard Contractual Clauses) and supplementary measures as required.

8. Liability, term and governing law

This DPA takes effect when the Services start and remains in force for as long as we process personal data on your behalf. Liability is as set out in the main agreement. This DPA is governed by [the laws of England and Wales] unless the main agreement states otherwise.

Annex 1 — Details of the processing

  • Roles: Controller = the customer (game studio); Processor = Evaveo (operating the OsaDex platform).
  • Subject-matter: orchestration of online-safety (UK OSA) compliance and generation of a tamper-evident compliance dossier.
  • Duration: the term of the Services.
  • Nature and purpose: resolving policy decisions, recording compliance events, age-assurance orchestration, parental-consent orchestration, and producing evidence dossiers.
  • Categories of data subjects: the Controller's end users (players), including children.
  • Types of personal data: pseudonymised end-user identifiers; age signals (age band / assurance level); compliance event metadata.
  • Not processed by Evaveo: identity documents and biometric data — these are handled by the Controller's chosen age-assurance provider as a separate processor of the Controller, not of Evaveo.
  • Special category data: none processed by Evaveo.

Annex 2 — Technical and organisational measures (Art. 32)

  • Pseudonymisation: end-user references are never stored in clear; lookups use a per-app blind index, and the reidentifying link is held separately.
  • Crypto-shredding erasure: erasure destroys the reidentifying key/link so the subject can no longer be resolved.
  • Data minimisation: no PII in clear in event payloads — only pseudonyms and non-identifying metadata.
  • Tenant isolation: row-level security per app enforced at the database; an isolation test is part of the build.
  • Tamper-evidence: append-only, hash-chained audit log; integrity verifiable off-platform.
  • Encryption: secrets (including customer-provided provider credentials) encrypted at rest; transport over TLS.
  • Hosting: European Union (Scaleway, fr-par region).
  • Access control: role-based access, least privilege, and audit of administrative actions.

Annex 3 — Authorised sub-processors

  • Scaleway SAS — cloud hosting and storage — European Union (fr-par).
  • [Qualified timestamping authority (eIDAS TSA)] — trusted timestamps for audit anchors — EU.
  • [Transactional email provider] — operational emails — [region].

The Controller's age-assurance / parental-consent provider (e.g. Yoti, Stripe Identity) is engaged under the Controller's own contract and acts as the Controller's processor, not Evaveo's. Evaveo (via the OsaDex platform) orchestrates and stores only the result (age band / consent status), never identity documents or biometrics.

Hosted in the EU · Scaleway (fr-par) · © 2026 OsaDex