UF Online — Data Processing Agreement
A customer-facing DPA where DaemonForge Development ("we", the Processor) processes End-User/Player personal data on behalf of the Customer (server owner, the Controller), as required by GDPR Art. 28(3). Where transfers require them, the current SCCs (Commission Decision 2021/914) are attached. This DPA forms part of the Terms of Service.
Effective date: 7 July 2026
1. Roles
The Customer is the controller (or processor for an onward controller) of Player personal data; DaemonForge Development is the processor. For our own account/billing data we are an independent controller (see Privacy Policy) — that data is outside this DPA.
2. Subject-matter & details of processing (Art. 28(3))
- Subject-matter: providing the UF Online hosted backend.
- Duration: for the term of the Terms of Service + the deletion/return period in §10.
- Nature & purpose: storage, retrieval, transmission, querying, and AI processing of Player data to provide the features the Customer enables.
- Types of personal data: player identifiers (DayZ/Steam/BattlEye GUIDs), Discord identifiers/ usernames/avatars (if linked), in-game/player records, AI chat content, generated voice/images, and pseudonymous (hashed) IP-derived identifiers.
- Categories of data subjects: the Customer's End Users / Players.
3. Processor obligations
We will:
- Process only on the Customer's documented instructions (the ToS, portal configuration, and written instructions), including for transfers, and tell the Customer if an instruction appears to infringe data-protection law.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Art. 32) — see §7.
- Assist the Customer (taking into account the nature of processing): (a) to respond to data-subject rights requests; and (b) with security, breach notification, DPIAs, and prior consultation (Arts. 32–36).
- Notify the Customer without undue delay after becoming aware of a personal-data breach, with the information the Customer needs to meet its own obligations.
- At the Customer's choice, delete or return all Player personal data at the end of the service and delete existing copies, unless law requires retention (§10).
- Make available information necessary to demonstrate compliance and allow for and contribute to audits (reasonable, proportionate, on notice, subject to confidentiality).
4. Sub-processors
The Customer provides general authorisation for us to engage sub-processors. Our current sub-processors are listed at SUBPROCESSORS.md. We will give prior notice of any intended addition or replacement and allow the Customer to object on reasonable data-protection grounds within 14 days. We impose data-protection obligations equivalent to this DPA on each sub-processor by contract and remain fully liable for their performance.
5. International transfers
Where processing involves transferring Player data outside the EEA/UK, we rely on a valid transfer mechanism — an adequacy decision (e.g. our own location, Canada), the EU-US Data Privacy Framework where the sub-processor is certified, or SCCs (Decision 2021/914) + a transfer impact assessment. Transfer bases per sub-processor are in SUBPROCESSORS.md.
6. Restriction on use
We process Player data only to provide the Service on the Customer's instructions. We do not sell it, and we do not use it for our own purposes — including not training AI models on it. (If this ever changed, we would become a controller for that use and would seek a separate basis.)
7. Security measures (Art. 32 — summary)
Encryption in transit and at rest; access control and least privilege; per-hive logical isolation of data; IP hashing; secrets management; audit logging; backups; vulnerability management; and a documented breach-response process. Full current measures available on request.
8. Data-subject requests
If we receive a request directly from a Player, we will, unless legally prohibited, forward it to the Customer and not respond ourselves except on the Customer's instructions, and we will assist the Customer in responding.
9. Liability
Each party is liable for its own breaches of GDPR per Art. 82; the liability caps in the Terms of Service apply to the extent permitted by law.
10. Deletion / return
On termination, the Customer may export data during the window in the ToS; thereafter we delete Player data per our retention schedule, except where law requires longer retention (e.g. limited billing records, which are our controller data, not Player data).
11. Order of precedence
If this DPA conflicts with the Terms of Service on data-protection matters, this DPA prevails. The attached SCCs prevail over this DPA on transfer matters.