Data Processing Agreement
This Data Processing Agreement ("Agreement") forms part of the Terms of Service or any other agreement between WASD Corporation ("Processor", "Kinn", "we", "us") and the customer ("Controller", "you", "your") who uses Kinn, our web-based feedback analytics platform for video game studios. It governs the processing of personal data by Kinn on behalf of the Controller in compliance with applicable privacy laws, including the GDPR (EU) 2016/679, the UK GDPR, and the CCPA as amended by the CPRA.
1. Introduction
This Agreement governs the processing of personal data by Kinn on behalf of the Controller in compliance with applicable privacy laws, including the GDPR, UK GDPR, and CCPA/CPRA.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, such as collection, recording, storage, alteration, or deletion.
- "Controller" means the entity that determines the purposes and means of processing.
- "Processor" means the entity that processes Personal Data on behalf of the Controller.
- "Subprocessor" means any third party engaged by the Processor to assist in processing activities.
- "Applicable Laws" means all relevant data protection laws, including GDPR, UK GDPR, and CCPA/CPRA.
3. Scope and purpose of processing
Processor agrees to process Personal Data solely to provide and maintain the Kinn platform and related services, analyze and improve product performance, fulfill contractual obligations with the Controller, and comply with applicable legal requirements. Processor shall not process Personal Data for any other purpose except as instructed in writing by the Controller.
4. Roles and responsibilities
Controller: responsible for ensuring that the collection and processing of Personal Data comply with all applicable data protection laws. Processor: will process Personal Data only on documented instructions from the Controller, maintain appropriate security measures, and assist the Controller in fulfilling its legal obligations regarding data subjects' rights.
5. Subprocessors
Processor may engage subprocessors to perform limited processing activities. As of the effective date, Processor uses:
- Render — hosting and infrastructure (United States)
- Amazon Web Services (AWS) — file and media storage (United States)
- Stripe — payment processing (United States)
- PostHog — analytics and user event tracking (United States / EU)
- Google — analytics and advertising (Global)
- Postmark — transactional and notification emails (United States)
- OpenAI — language model analysis for feedback insights (United States)
Processor will ensure each subprocessor provides at least the same level of data protection required by this Agreement, and will inform the Controller of any intended changes to subprocessors and provide the opportunity to object.
6. Data handling and deletion
Processor's handling, retention, and deletion of data are governed by the Data Handling & Deletion Policy. Upon termination of services or upon written request from the Controller, the Processor will delete or return all Personal Data within sixty (60) days, except where retention is required by law.
7. International data transfers
Processor is based in the United States. When processing Personal Data originating from the EEA or the UK, Processor shall ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) and UK Addendum, to maintain an adequate level of data protection.
8. Security measures
Processor shall implement and maintain appropriate technical and organizational measures, including data encryption in transit and at rest, access controls and authentication procedures, regular security assessments and vulnerability testing, data minimization and anonymization where feasible, and incident detection and response mechanisms.
9. Data subject rights
Processor shall assist the Controller in fulfilling obligations related to data subject rights, including access, correction, deletion, objection, and portability. Any data subject request received directly by the Processor will be forwarded to the Controller without undue delay.
10. Audit and compliance
Upon written request and with reasonable notice, Controller may audit Processor's compliance with this Agreement once per year. Audits shall not unreasonably interfere with Processor's operations and may be satisfied through independent third-party certifications or documentation.
11. Confidentiality
Processor shall ensure that all personnel with access to Personal Data are bound by appropriate confidentiality obligations and are trained in data protection principles.
12. Security breach notification
In the event of a confirmed personal data breach, Processor shall notify the Controller without undue delay and provide sufficient information to allow the Controller to meet any reporting obligations under Applicable Laws.
13. Liability and indemnification
Each party's liability under this Agreement shall be limited to the extent permitted by Applicable Laws and the underlying master agreement between the parties.
14. Term and termination
This Agreement remains in effect for as long as the Processor processes Personal Data on behalf of the Controller or until termination of the services. Upon termination, Processor shall delete all Personal Data in accordance with Section 6.
15. Governing law
This Agreement is governed by the laws of the State of Idaho, United States, without regard to its conflict of law principles. For EU data subjects, this Agreement shall also be interpreted in accordance with the GDPR.
16. Contact
For questions about this Agreement or data protection practices, please contact:
WASD Corporation
1775 W State St #166, Boise, ID 83702, USA
support@kinn.gg