Data Processing Addendum
Last Rev. June 12, 2025
This Data Processing Addendum (“DPA”) is entered into by and between an applicable subscriber to Pragma’s services (“Subscriber”) and Pragma Platform, Inc. (“Pragma”). This DPA is incorporated into and supplemental to the agreement entered into between the parties which governs the provision of the Pragma services (“Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect.
Definitions
Definitions: Capitalized terms not defined herein shall have the meaning given in the Agreement. In this DPA, the following terms (and derivations of such terms) shall have the following meanings:
“Applicable Data Protection Law” means all privacy and data protection laws that apply to Pragma’s processing of Data under the Agreement (including, where applicable, the California Consumer Privacy Act of 2018 including its associated regulations and as amended (the “CCPA”), and European Data Protection Law).
“Controller” means the entity that determines the purposes and means of the processing of Personal Data;
“Data” means Personal Data provided by Subscriber (directly or indirectly) to Pragma for processing under the Agreement as more particularly identified in Appendix A (Processing Particulars);
"European Data Protection Law" means all EU and U.K. regulations or other legislation applicable (in whole or in part) to the processing of Personal Data under the Agreement (such as Regulation (EU) 2016/679 (the "GDPR"), the U.K. GDPR (defined below), and the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss Addendum”); the national laws of each EEA member state and the U.K. implementing any EU directive applicable (in whole or in part) to the processing of Personal Data (such as Directive 2002/58/EC); and any other national laws of each EEA member state and the U.K. applicable (in whole or in part) to the processing of Personal Data; in each case as amended or superseded from time to time.
"Model Clauses" means the standard contractual clauses attached to the European Commission’s Implementing Decision of 4 June 2021 under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, on standard contractual clauses (selecting Module Two between controllers and processors in any case where Subscriber is a Controller, and Module Three between processors in any case where Subscriber is a Processor, and excluding optional clauses unless otherwise specified), and any replacement, amendment or restatement of the foregoing, as issued by the European Commission, on or after the effective date of this DPA.
"Personal Data" means any information relating to an identified or identifiable natural person (a “Data Subject”), the processing of which is governed by Applicable Data Protection Law; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Where the CCPA applies, ‘Personal Data’ includes “personal information” as defined by the CCPA. Personal Data does not include anonymous or de-identified information or aggregated information derived from Personal Data.
“processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Processor" means an entity that processes Personal Data on behalf of the Controller. Where applicable, Processor includes “service provider” as defined by the CCPA.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data.
“Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offenses.
“Sub-Processor” means an entity engaged by the Processor or any further sub-contractor to process Personal Data on behalf of and under the instructions of the Controller.
“U.K. GDPR” means the GDPR, as it forms part of the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
Data Protection
Relationship of the parties: As between the parties and for the purposes of this DPA, Subscriber appoints Pragma as a Processor to process the Data on behalf of Subscriber. Where applicable, Pragma is a “service provider” as defined in the CCPA. Subscriber shall comply with Applicable Data Protection law, including but not limited to providing notice to Data Subjects, and obtaining and periodically refreshing the consent of Data Subjects, where required, to Subscriber’s use of Pragma’s Services and Subscriber’s own processing of Data. Subscriber represents and warrants it has and will continue to have the right to transfer Data to Pragma for processing in accordance with the Agreement and this DPA. Pragma shall comply with Applicable Data Protection Law and understands and shall comply with the prohibitions on Processors set forth in the CCPA with respect to such Data, including, without limitation and to the extent applicable in each case: (i) selling or sharing any Data (as the terms “sell” and “share” are each defined within the CCPA) where the sale or sharing of such Data is restricted by the CCPA, (ii) disclosing such Data to any party outside of the direct business relationship between Pragma and Subscriber, or (iii) retaining, using or disclosing such Data for a commercial purpose other than performing the Services as set forth in the Agreement with Subscriber, or as otherwise expressly permitted under this DPA or the Agreement.
Purpose limitation: Each party acknowledges and agrees that all Data is disclosed by Subscriber hereunder only for those limited and specified purposes set forth in the Agreement and this DPA. Pragma shall process the Data as a Processor only as necessary to perform the Services for Subscriber under the Agreement, and strictly in accordance with the documented instructions of Subscriber (including those in this DPA and the Agreement). In no event shall Pragma process the Data for its own purposes or those of any third party. Pragma may also anonymize or deidentify Data in accordance with Applicable Data Protection Law. Subscriber shall only give lawful instructions that comply with Applicable Data Protection Law and shall ensure that Pragma’s processing of Data, when done in accordance with Subscriber’s instructions, will not cause Pragma to violate Applicable Data Protection Law. Pragma shall inform Subscriber if, in its opinion, an instruction infringes Applicable Data Protection Law. In any case where confirmation of a Controller’s instructions is required by Applicable Data Protection Law, the parties agree that the Agreement, together with this DPA, represents the complete and final documented instructions from the Controller of the Data to Pragma as of the date of this DPA for the processing of Data. 
Nothing in this DPA shall be read to limit any obligations of Pragma to assist Subscriber with Subscriber’s reasonable and appropriate efforts to ensure that Pragma processes such Data in a manner consistent with each party’s obligations under the CCPA, including (i) the obligation to immediately notify Subscriber if Pragma determines it can no longer meet its obligations under the CCPA with respect to such Data, and (ii) the obligation not to combine any such Data relating to a specific consumer with any other data about the same consumer in Pragma’s possession and/or control, whether received from or on behalf of another person or persons or collected by Pragma from its own interaction(s) with the consumer.
International transfers of Data: Pragma is located in the United States and processes the Data in the United States. For Pragma to perform Services for Subscriber pursuant to the Agreement, Subscriber transfers (directly or indirectly) Personal Data to Pragma in the United States. For Personal Data subject to European Data Protection Law, Pragma agrees to abide by and process the Data in compliance with the Model Clauses, which are incorporated in full by reference and form an integral part of this DPA. For the purposes of the Model Clauses, the parties agree that:
Pragma is the "data importer" and Subscriber is the "data exporter" (notwithstanding that Subscriber may itself be located outside the EEA/UK and/or a Processor acting on behalf of a third-party Controller);
Appendix A (Processing Particulars), Appendix B (Specific Security Measures), and Appendix C (Sub-processor List) of this DPA shall form Annex I, Annex II, and Annex III of the Model Clauses, respectively;
Option 2 under clause 9 of the Model Clauses will apply with respect to Sub-Processors. Annex III of the Model Clauses shall be subject to General Written Authorization, where “General Written Authorization” means that Pragma has Subscriber’s general authorization (or the general authorization of the Controller of the Data) for the engagement of sub-processor(s) from the list set forth in Appendix C, which shall be amended from time to time in accordance with the terms of the Agreement, this DPA, and all Applicable Data Protection Law;
Audits described in clause 8.9 of the Model Clauses shall be carried out in accordance with the audit provisions detailed in Section 2.12 of this DPA;
The option under clause 11 of the Model Clauses shall not apply;
For purposes of clauses 17 and 18 of the Model Clauses, this DPA shall be governed by the laws of the Republic of Ireland. Any dispute arising from this DPA shall be resolved by the courts of the Republic of Ireland, and each party agrees to submit themselves to the jurisdiction of the same; and
It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data processed pursuant to the Model Clauses. Subscriber warrants it will not transfer any Sensitive Data to Pragma.
Law enforcement requests.
If Pragma becomes aware that any law enforcement, regulatory, judicial or governmental authority (an “Authority”) wishes to obtain access to or a copy of some or all Data, whether on a voluntary or a mandatory basis, then unless legally prohibited as part of a mandatory legal compulsion that requires disclosure of Data to such Authority, Pragma shall:
promptly notify Subscriber of such Authority’s data access request;
inform the Authority that any and all requests or demands for access to Data should be notified to or served upon Subscriber in writing; and
not provide the Authority with access to Data unless and until authorized by Subscriber.
If Pragma is under a legal prohibition that prevents it from complying with Section 2.4.1(a)-(c) in full, Pragma shall use reasonable and lawful efforts to challenge such prohibition (and Subscriber acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request). If Pragma makes a disclosure of Data to an Authority (whether with Subscriber’s authorization or due to a mandatory legal compulsion), Pragma shall only disclose such Data to the extent Pragma is legally required to do so.
Section 2.4.1 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Pragma has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Pragma shall notify Subscriber as soon as possible following such Authority’s access and provide Subscriber with full details of the same, unless and to the extent that Pragma is legally prohibited from doing so;
Solely with respect to Data that is subject to the GDPR, and/or where Data whose disclosure is otherwise restricted by Applicable Data Protection Law, Pragma shall not knowingly disclose Data to an Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society. Pragma shall have in place, maintain and comply with a policy governing Personal Data access requests from Authorities which at minimum prohibits:
massive, disproportionate or indiscriminate disclosure of Personal Data relating to Data Subjects in the EEA and the United Kingdom; and
disclosure of Personal Data relating to data subjects in the EEA, and the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such Personal Data.
Confidentiality of processing: Pragma shall ensure that any person that it authorizes to process the Data (including Pragma's staff, agents and subcontractors) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Data who is not under such a duty of confidentiality.
Security: Pragma shall implement appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data. At a minimum, such measures shall include the security measures identified in Appendix B. With respect to evaluation of the appropriate level of security for the processing of the Data, each party represents and warrants that:
It has taken due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the Data; and
It has evaluated the use of encryption and/or pseudonymization for the Data and has determined that the level provided by Pragma is appropriate for the Data.
To the extent that the CCPA applies to the processing of the Data, it has determined that the technical and organizational measures provided by Pragma are no less than the level of security required by the CCPA.
Subcontracting: Pragma shall not subcontract any processing of the Data to a third-party Sub-Processor unless: (i) Pragma provides to Subscriber an up-to-date list of its then-current Sub-Processors upon request; and (ii) Pragma provides at least thirty (30) days’ prior notice of the addition or removal of any Sub-Processor (including the details of the processing it performs or will perform, and the location of such processing). If Subscriber objects to Pragma’s appointment of a third-party Sub-Processor on reasonable grounds relating to the protection of the Data, then either Pragma will not appoint the Sub-Processor, or Subscriber may elect to suspend or discontinue the affected Services by providing written notice to Pragma. Subscriber shall notify Pragma of its objection within ten (10) business days after its receipt of Pragma’s notice, and Subscriber’s objection shall be sent to Pragma and shall explain the reasonable grounds for Subscriber’s objection. If a timely objection is not made, Pragma will be deemed to have been authorized by Subscriber (or, if Subscriber is a Processor of the Data, by the Controller of the Data) to appoint the new Sub-Processor. Pragma shall impose the same data protection terms on any Sub-Processor it appoints as those provided for by this DPA, and Pragma shall remain fully liable for any breach of Pragma’s obligations under this DPA that is caused by an act, error or omission of its Sub-Processor.
Cooperation and individuals’ rights: Subscriber is responsible for responding to Data Subject requests using Subscriber’s own access to the relevant Data. Pragma shall provide all reasonable and timely assistance to enable Subscriber to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law, and (ii) any other correspondence received from a regulator or public authority in connection with the processing of the Data. In the event that any such communication is made directly to Pragma, Pragma shall promptly (and in any event, no later than within forty-eight (48) hours of receiving such communication) inform Subscriber providing full details of the same and shall not respond to the communication unless specifically required by law or authorized by Subscriber.
Data Protection Impact Assessment: Taking into account the nature of the processing and the information available to Pragma, Pragma shall provide Subscriber with reasonable and timely assistance with any data protection impact assessments as required by Applicable Data Protection Law and, where necessary, consultations with data protection authorities.
Security Incidents: Upon becoming aware of a Security Incident involving disclosure of Subscriber Data, Pragma shall inform Subscriber as appropriate without undue delay and shall provide all such timely information and cooperation to enable Subscriber to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Pragma shall further take such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Subscriber informed of all material developments in connection with the Security Incident. Pragma shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (a) Subscriber has agreed to such notification, and/or (b) notification is required to be made by Pragma under Applicable Data Protection Law.
Deletion or return of Data: Upon termination or expiry of the Agreement, Pragma shall (at Subscriber’s election) delete or return all Data, including copies in Pragma’s possession or control no later than within sixty (60) days of Subscriber’s election. This requirement shall not apply to the extent that Pragma is required by applicable laws to retain some or all of the Data, in which event Pragma shall isolate and protect the Data from any further processing except to the extent required by such law, shall only retain such Data for as long as it is required under applicable laws, and shall continue to ensure compliance with all Applicable Data Protection Law during such retention.
Audit: If necessary to enable Subscriber to comply with its obligations with respect to the processing of Data under Applicable Data Protection Law (such as Article 28(3)(h) of GDPR where applicable), Pragma shall permit Subscriber to audit Pragma's compliance with this DPA using an independent third party and shall make available all such information, systems and staff reasonably necessary to conduct such audit. Subscriber shall not exercise its audit rights more than once per year except following a Security Incident or following an instruction by a regulator or public authority. Subscriber shall give Pragma thirty (30) days prior written notice of its intention to audit, conduct its audit during normal business hours, take all reasonable measures to prevent unnecessary disruption to Pragma's operations, restrict findings to only data relevant to Subscriber, and provide Pragma with a copy of the auditor’s report. Pragma and Subscriber shall mutually agree in advance on the date, scope, duration, and security and confidentiality controls applicable to the audit. Subscriber shall reimburse Pragma for actual expenses and costs incurred to allow for and contribute to Subscriber’s audit.
Miscellaneous
The obligations placed upon each party under this DPA shall survive so long as Pragma and/or its Sub-Processors process Data on behalf of Subscriber.
Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
It is not the intention of either party, nor shall it be the effect of this DPA, to contradict or restrict any provision of the Model Clauses and/or any Applicable Data Protection Law. To the extent that any provision of the Model Clauses conflicts with this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data which is subject to the Model Clauses. In no event shall this DPA restrict or limit the rights of any Data Subject or of any Authority. If there is a change in law requiring any change to this DPA to enable either party to continue to comply with Applicable Data Protection Law, the parties will negotiate in good faith to amend this DPA to the extent reasonably necessary to comply with Applicable Data Protection Law. To the extent permitted under applicable Data Protection Law, Pragma’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement.
If any provision of this DPA is deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible; or (ii) if that is not possible, then construed in a manner as if the invalid or unenforceable part had never been included herein.
The term of this DPA will terminate automatically without requiring any further action by either party upon the later of (i) the termination of the Agreement, or (ii) when all Personal Data is removed from Pragma’s systems and records, and/or is otherwise rendered unavailable to Pragma for further Processing.
APPENDIX A – PROCESSING PARTICULARS
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Subscriber set forth in Agreement
Address: As set forth in the Agreement, or as set forth below.
Role: Controller or Processor
Data importer(s):
Name: Pragma Platform, Inc.
Address: 10811 Washington Blvd #360, Culver City, CA 90232
Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Subscriber may submit Personal Data, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
Employees, agents, advisors, freelancers of Subscriber (who are natural persons); and
Subscriber’s users, partners, and customers and the users and employees of those entities.
Categories of personal data transferred
Subscriber may submit Personal Data, the extent of which is determined and controlled by Subscriber (including Subscriber’s users, partners, and customers, in each case as applicable) in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:
Identification and contact data (name, title, address, phone number, email address);
Employment data (employer, job title, academic and professional qualifications, geographic location, area of responsibility, affiliated organization and industry);
Purchase and usage history data;
IT related data (IP addresses of visitors to data exporter's customer's websites, online navigation data, browser type, language preferences, pixel data, cookies data, web beacon data);
IT information (computer ID, user ID and password, domain name, IP address, log files, software and hardware inventory, software usage pattern tracking information (i.e. cookies and information recorded for operation and training purposes)); and
If the parties mutually agree on an expanded use case, financial information (account details, payment information).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Controller does not anticipate any sensitive data to be processed, however, this would ultimately be determined by the information that Controller chooses to collect.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data is transferred on a continuous basis during the term of the Pragma Platform Subscription Agreement and this DPA.
Nature of the processing
The Processor provides a backend game engine license and service called the Pragma Platform which the Controller utilizes for the purpose of running its free-to-play multiplayer game. The Pragma Platform contains (1) account services, (2) game loop, (3) player data services, (4) social systems and achievements, (5) telemetry, (6) platform service and (7) store integration. The nature of the processing of Subscriber Data is further described in the Pragma Platform Subscription Agreement and this DPA.
To the extent the Subscriber utilizes FirstLook’s online services as may be set forth in an applicable ordering document (the “FirstLook Services”), Pragma processes personal data as necessary to perform the FirstLook Services and only performs the type(s) of processing as instructed by the data exporter and/or data subject and only pursuant to the Agreement and this DPA.
Purpose(s) of the data transfer and further processing
Personal data is processed only for the purpose of providing service to the Controller, which may include storage, authentication, Controller communications with its users, and facilitating player interactions with Controller and Controller’s game. Controller determines the purposes to which it puts this data.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the business relationship, or as otherwise configured by Controller through its use of the service.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Pragma transfers the Personal Data listed above to certain Sub-Processors (listed in Appendix C) for the sole purpose of facilitating Pragma’s provision of services under the Pragma Platform Subscription Agreement. Sub-Processors have been instructed to retain any Personal Data processed by Pragma for no longer than necessary to render sub-processing services for Pragma.
APPENDIX B – SPECIFIC SECURITY MEASURES
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Pragma has implemented and maintains a formal Information Security program (“Program”) consisting of internal security administration and operations policies in accordance with relevant industry standards as appropriate to Pragma. Such policies shall be updated from time to time.
The Information Security Program accounts for Pragma’s hiring and termination of employees. Pragma follows a disciplinary process for when employees violate its security policies.
Pragma shall implement the following administrative, technical and organizational safeguards, and ensure that such measures are implemented by its sub-processors (if any) to protect the confidentiality, integrity and availability of Personal Data in Pragma’s possession or control or to which Pragma has access as well as the resilience of its systems and services necessary for the processing of Personal Data. These measures are designed to safeguard Personal Data from any actual or potential third-party threats, attacks or any other security gaps and to comply with applicable data protection laws. This Policy applies to all Pragma employees and subcontractors (if any) participating in the administration of Pragma’s production system security operations, whether directly as part of the Pragma IT or Security teams or via their assigned job duties.
Access Control
Pragma shall take measures to ensure that authorized parties can only access the Personal Data which they are entitled to access. Such measures may include:
A. Company will maintain access controls to restrict access to Customer data, content and systems to only authorized users and authorized devices, including separation of duties and role-based access on a need-to-know and least-privilege basis.
B. Company will maintain the following practices regarding password management and user account management for all users. This includes using a company administrated password manager with MFA, using MFA whenever available for services providing access to Personal Data, and using SSO whenever available for user account management. When possible, Company will require passwords with an expected entropy of at least 50 bits that are validated against dictionary attacks.
C. System privileges: giving out limited and appropriate rights to systems; granting privileges, revoking access and change control;
D. Recommendation by Pragma to Customer to use encryption of commercially reasonable strength when sending all Customer Data;
E. When Pragma controls the transmission of information electronically, encryption is used for Customer Personal Data at rest and in transit over public electronic communication networks.
F. Security policies for employees relating to the access of data;
G. In the event of disciplinary action, separation, leave or termination of an employee or contractor, Logon IDs and passwords will be deactivated so that access to information systems and Personal Data is taken away as soon as reasonably possible;
H. Overseeing subcontractors (if any) by taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect data consistent with Pragma’s obligations under this policy.
I. Reviews of the scope of the security measures whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing Personal Data;
J. Systems are monitored for unauthorized use of or access to data through the services and capabilities offered by cloud services and other service providers.
Encryption
Company maintains the following practices for encryption of data in transit and at rest. All internet-facing services are protected by TLS, ensuring data encryption in transit over public networks. Data is encrypted at rest using AES-256 or similar encryption. Whenever possible, Company will utilize solutions for encryption provided by cloud providers and other operational service providers (e.g. Cloudflare).
Physical and Environmental Security
A. Company secures physical access to facilities using keys, key cards, and key fobs as provided by the landlord or building manager.
B. During Services provided to Customer, Pragma uses Amazon Web Services (AWS) servers located in a region specified by the Customer as a hosting provider for its storage of Personal Data. Amazon provides highly secure data centers with a strong combination of controls, including physical, environmental, technical and administrative. AWS has a built-in, regularly patched and updated “AWS Shield” which provides web application level security and always-on network flow monitoring which inspects incoming traffic to AWS and uses a combination of traffic signatures, anomaly algorithms and other analysis techniques to detect malicious traffic in real-time.
Please refer to Amazon for Terms and Conditions regarding host-level security at http://aws.amazon.com/security as well as https://aws.amazon.com/compliance/data-center/controls/. AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Please see https://aws.amazon.com/compliance/programs/ for more information on AWS compliance.
C. Remote access to the Company’s Network must be approved and restricted to authorized personnel. Remote access must be controlled by secure access control protocols, encryption, and authentication.
D. Network traffic shall be appropriately segregated with routing and access controls separating traffic on internal networks from public or other untrusted networks.
E. Company computer hardware will utilize disk encryption, antivirus and firewall capabilities made available by the hardware Operating System.
F. Automatic virus and malware scanning checks must be carried out on all e-mail attachments that are sent to or received from external sources. Attachments that are identified as containing malicious code must be removed.
Incident Response
Pragma has implemented an IT Incident Management Program that includes procedures in the event of a Security Breach. In the event of a Security Breach (defined below) or actual non-compliance by Pragma with any applicable data protection law or any provision of this Policy, Pragma shall notify Customer as soon as reasonably possible after becoming aware of such Security Breach or actual non-compliance, document responsive actions taken in connection with any incident involving a Security Breach, and conduct a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of data. Upon request, Pragma will share its remediation with Customers if Customer’s Personal Data was affected by the Security Breach.
A “Security Breach” shall mean (i) any actual or reasonably suspected unauthorized use of, loss of, access of or disclosure of, Customer Data; provided that an incidental disclosure of Customer Data to an Authorized Party or Pragma, or incidental disclosure of Customer Data by an Authorized Party or Pragma where no reasonable suspicion exists that such disclosure or access involves theft, or is fraudulent, criminal or malicious in nature, shall not be considered a “Security Breach” for purposes of this definition, unless such disclosure triggers a notification obligation under applicable law; and (ii) any security breach or substantially similar term as defined by applicable law. “Authorized Party” means Customer’s employees and third-party providers authorized to access Customer Data and Customer’s Pragma instance (including tenants).
Secure Disposal
Personal Data is only used on an as-needed basis and is only provided to employees on a need-to-know basis to perform applicable Services. After transferring Personal Data to a secure tenant or server during the provision of Services, Personal Data is immediately removed from Pragma computers. Personal Data may be deleted at any time upon client request or upon completion of the project.
Assigned Security Responsibility
Pragma has designated a security official with overall responsibility for the Program and Policy and to monitor compliance with applicable data protection laws.
Policy and Systems Review
Pragma performs regular review of key controls, systems and procedures of its Program to validate they are properly implemented and effective in addressing threats and risks.
To the extent Subscriber utilizes the FirstLook Services, the various measures taken to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons, are outlined in the FirstLook security policy as updated from time to time and accessible at firstlook.gg/legal/security.
APPENDIX C - LIST OF SUB-PROCESSORS
If controller uses Pragma’s Engine products and services, the controller authorizes the use of the following sub-processors in the provision of Pragma Engine and its associated service:
Sub-processor | Services provided/personal data processed (i.e., subject matter and nature of processing) (including a clear delimitation of responsibilities in case several sub-processors are authorized) | Duration of processing | Location of processing | Contact (name, address, position and contact details) |
AWS | Cloud Computing Services (e.g., RDS, EC2, S3) | Ongoing | Dictated by controller in one of AWS regions | 1200 12th Ave S, Ste 1200, Seattle, Washington 98114 USA |
Honeycomb | Analytics | 60 days | United States | 233 Sansome Street, Fourth Floor, California 94014 USA |
Cloudflare | DNS Routing and Security | 30 days | United States | 101 Townsend Street, San Francisco, California 94107 USA |
If controller uses Pragma FirstLook playtesting service, the controller authorizes the use of the following sub-processors in the provision of FirstLook and its associated service:
Sub-processor | Services provided/personal data processed (i.e., subject matter and nature of processing) (including a clear delimitation of responsibilities in case several sub-processors are authorized) | Duration of processing |
Render.com | Managed services and hosting | Ongoing |
Google Cloud Platform | Hosting of files and assets uploaded by users | Ongoing |
Postmark | Email services used to send transactional email messages to users | Ongoing |
Cloudflare | DNS Routing and Security | 30 days |
OpenAI | FirstLook generative AI tools | Ongoing |
APPENDIX D – COMPETENT SUPERVISORY AUTHORITY
For the purposes of any Personal Data subject to the GDPR and/or the GDPR as implemented in the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018, where such personal data is processed in accordance with the Model Clauses, the competent supervisory authority shall be as follows:
where Subscriber is established in an EU member state, the supervisory authority with responsibility for ensuring Subscriber’s compliance with the GDPR shall act as competent supervisory authority;
where Subscriber is not established in an EU member state, but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU member state in which Subscriber’s representative is established shall act as competent supervisory authority; or
where Subscriber is not established in an EU member state but falls within the extra-territorial scope of the GDPR without however having to appoint a representative, the supervisory authority of the EU member state in which the Data Subjects are predominantly located shall act as competent supervisory authority.
In relation to Personal Data that is subject to the U.K. GDPR, the competent supervisory authority is the United Kingdom Information Commissioner’s Office, subject to the additional terms set forth in the International Data Transfer Addendum to the EU Model Clauses attached hereto as “Appendix E”.
In relation to Personal Data that is subject to the data privacy laws of Switzerland, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
APPENDIX E – U.K. INTERNATIONAL DATA TRANSFER ADDENDUM
This U.K. INTERNATIONAL DATA TRANSFER ADDENDUM (“IDTA”) forms a part of the Data Processing Addendum (“DPA”) entered into by and between Pragma, Inc. (“Pragma”) and the party identified as the Subscriber in the DPA (“Subscriber”). Unless otherwise specified, all capitalized terms used in this IDTA have the meanings provided in the DPA.
Scope of IDTA. The obligations set forth in this IDTA apply solely to Personal Data subject to the U.K. GDPR that is processed under the DPA (“U.K. Personal Data”).
Incorporation of the U.K. Addendum. The parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the U.K. Information Commissioner’s Office under s.119A (1) of the U.K. Data Protection Act 2018 (“U.K. Addendum”) is incorporated by reference into and forms a part of this IDTA as if fully set forth herein. Each party agrees that execution of the DPA (to which this IDTA is attached as an appendix and incorporated by reference) shall have the same effect as if the parties had simultaneously executed a copy of the U.K. Addendum.
Interpretation of the Model Clauses. For purposes of Processing U.K. Personal Data, any references in the DPA to the Model Clauses shall be read to incorporate the mandatory amendments to the Model Clauses set forth in the U.K. Addendum.
Addendum Terms. Tables 1 through 4 of the U.K. Addendum shall be completed as follows:
In Table 1 of the U.K. Addendum, the “Start Date” shall be the Effective Date of the DPA, and the details and contact information for the “data exporter” and the “data importer” shall be as specified in Appendix I of the DPA.
In Table 2 of the U.K. Addendum:
The version of the Model Clauses incorporated by reference into the DPA shall be the version applicable to this IDTA.
Those provisions of the Model Clauses applicable under Module Two shall apply to this IDTA.
The optional clauses and provisions of the Model Clauses applicable to this IDTA shall be those clauses and provisions specified in Section 2.3 of the DPA.
In Table 3 of the U.K. Addendum, the information required in Annexes I (both 1A and 1B), II, and III shall be as provided in Appendices A, B, and C of the DPA, respectively.
In Table 4 of the U.K. Addendum, if the ICO issues any revisions to the U.K. Addendum after the Effective Date (“ICO Revision”), Subscriber and Pragma shall each have the right to terminate this IDTA in accordance with the U.K. Addendum, the DPA, and the Agreement. Upon such termination of this IDTA:
Pragma shall cease its Processing of the U.K. Personal Data; and
Each party shall follow the processes described in Section 2.11 of the DPA with respect to the U.K. Personal Data.
Notwithstanding the foregoing, termination of this IDTA in the event of an ICO Revision shall not terminate the DPA, the Agreement, and/or the obligations of either party arising thereunder with respect to Personal Data other than U.K. Personal Data, except and unless expressly agreed by and between the parties.
No Amendments. The terms of the U.K. Addendum have not been amended in any way except as expressly stated herein.