Data Processing Addendum (Template)

This Data Processing Addendum ("DPA") forms part of the agreement between the Playtcha customer named in the applicable order or signup flow ("Customer") and Playtcha ("Processor"). It applies where Processor processes personal data on Customer’s behalf in connection with the Playtcha verification service.

• Customer is the controller for Customer Personal Data processed through the service.
• Playtcha acts as processor for that Customer Personal Data.
• Subject matter: anti-bot verification, token issuance, verification logging, and related support.
• Duration: for as long as Playtcha processes Customer Personal Data for the service, plus any limited retention period described in the Privacy Policy and this DPA.

Playtcha will process Customer Personal Data only on documented instructions from Customer, including the instructions Customer gives through product configuration and API use, unless law requires otherwise. Customer instructs Playtcha to process data as needed to provide, secure, and support the service.

Playtcha applies technical and organizational measures appropriate to the risk, including encryption in transit, access controls, least-privilege internal access, masked IP storage, single-use token enforcement, and audit logging for operational access where available.

A summary of current measures is listed in Annex II below. These measures may evolve provided the overall level of protection is not materially reduced.

Customer authorizes Playtcha to use the sub-processors listed at /legal/subprocessors. Playtcha remains responsible for its sub-processors to the extent required by applicable data protection law.

For material additions, Playtcha will aim to provide at least 14 days’ prior notice by updating the public list and notifying customer admins, unless shorter notice is required for security or legal reasons.

Where Playtcha transfers Customer Personal Data outside the EEA, UK, or Switzerland, the parties will rely on the European Commission Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum or equivalent lawful transfer mechanism.

Taking into account the nature of the processing, Playtcha will provide reasonable assistance to Customer with data subject requests, regulator inquiries, DPIAs, and breach response where required by applicable law.

If Playtcha confirms a personal-data breach affecting Customer Personal Data, Playtcha will notify Customer without undue delay and include the information reasonably available at the time.

On termination of the service, Playtcha will delete or return Customer Personal Data unless applicable law requires continued retention. Limited retention may continue for security logs, fraud-prevention history, tax records, or backup cycles where legally permitted and proportionate.

Playtcha will make available information reasonably necessary to demonstrate compliance with this DPA. If a formal audit is needed, the parties will scope it in good faith to avoid unreasonable operational risk, duplicative requests, or access to other customers’ confidential information.

• Encryption in transit for dashboard, API, and widget requests.
• Hashed secret-key storage and short-lived signed tokens.
• Masked IP storage instead of full raw IP retention in verification rows.
• Least-privilege operational access and environment-scoped secrets.
• Rate limiting, replay prevention, and single-use token redemption.
• Production change control through versioned source and deployment review.

For a signed version of this DPA template, email support@playtcha.com.